DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to Applicant’s communication filed on 11/12/2025. Claims 1-13 have been examined.
Response to Arguments
Applicant’s arguments with respect to claims 1 and 13 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
With regard to claim interpretation, Applicant’s amendment overcomes the claim interpretation under 112, 6th paragraph. Therefore, the claim interpretation is withdrawn.
With regard to the 112 2nd rejection, Applicant’s amendment overcomes the rejection. Therefore, the rejection is withdrawn.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 6, 8, 9, 11, and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Compagna et al., Publication No. US 2017/0109534 A1 (Compagna hereinafter), in view of Hiruta et al., Publication No. US 2025/0036764 A1 (Hiruta hereinafter).
Regarding claim 1,
Compagna teaches an information processing device comprising:
processing circuitry configured to execute processing based on trace information of a first attack acquired when an interaction/automated probing is executed on a first apparatus in a communication network and attack method information related to an attack method of a second attack on a second apparatus to generate pseudo trace information of the second attack (Fig.7, ¶ 0008 – A testing environment is configured to collect several varieties of HTTP traffic with the MPWA. (The terms HTTP traffic, traces, and HTTP traces used herein as synonyms). User interaction with the MPWA while running security protocols, is recorded. An inference module executes the recorded symbolic sessions, tagging elements in the HTTP traffic with labels – ¶ 0071 - interaction may result from manual interaction between a tester and the MPWA, and/or from automated probing activity of a penetration tool controlled by the tester- ¶ 0057 - The testing framework further comprises an engine 1308 that is configured to receive these traces. This engine performs certain processing tasks upon the traces in order to provide a security analysis – ¶ 0073 - the engine applies attack patterns to the labeled HTTP traces. These attack patterns may be stored in an underlying database, for example an in-memory database – ¶ 0066 – The attack patterns are developed based upon analysis of extant or foreseen attacks upon MPWAs. The attack patterns capture and express a general-purpose attacker strategy in executable programming logic that is not limited to a particular MPWA architecture – Abstract - Attack patterns comprise structured artifacts capturing key information to execute general-purpose attacker strategies. The patterns recognize commonalities between attacks, e.g., abuse of security critical parameter(s), and the attacker's strategy relating to protocol patterns associated with those parameters See ¶ 0109 – ¶ 0117, ¶ 0188);
wherein the processing circuitry rewrites the acquired trace information based on one or more parameters included in the attack method information to generate the pseudo trace information of the second attack (¶ 0054 - The penetration tool exposes an Application Program Interface (API) that can serve multiple purposes. For example, HTTP requests and responses can be mutated by the engine via API calls that set proxy rules – ¶ 0177 - The API is set to Proxy rule setting. Proxy rules can be specified, as Zest scripts, to mutate HTTP requests and response passing through the built-in Proxy of ZAP – ¶ 0178 - The API is invoked to Evaluate Flag. Execute regular expression-based pattern matching within the HTTP trace so to, e.g., evaluate whether the Flag is present in the HTTP trace – ¶ 0139 - The attack pattern RA5 leverages this threat model by replaying all elements that the attacker can collect from the browser history of the victim. As seen below, use of this threat model allows detecting two attacks that could not be discovered otherwise – ¶ 0008 - A security testing framework leverages attack patterns to generate test cases for evaluating security of Multi Party Web Applications (MPWAS). Attack patterns comprise structured artifacts capturing key information to execute general-purpose attacker strategies. The patterns recognize commonalities between attacks, for example abuse of Security-critical parameter(s), and the attacker's strategy relating to protocol patterns associated with those parameters - This labeled HTTP traffic is referenced to determine particular attack patterns that are to be applied, and corresponding specific attack test cases that are to be executed);
a communication circuitry configured to transmit the generated pseudo trace information of the second attack to an evaluation target device different from the information processing device and connected via the communication network, the pseudo trace information being transmitted to cause the evaluation target device to perform attack detection processing based on the transmitted pseudo trace information(¶ 0008 - This labeled HTTP traffic is referenced to determine particular attack patterns that are to be applied, and corresponding specific attack test cases that are to be executed against the MPWA. Attacks are reported back to the tester for evaluation. Embodiments may be implemented with penetration testing tools, in order to automate execution of complex attacker strategies – ¶ 0068 - Based upon the result of this processing of labeled traces according to stored attack pattern(s), the engine is configured to identify an attack 1330, and provide a report 1332 of that attack to the tester (e.g., via the interface ). The report may identify various security protocols and/or parameters affected by the attack. Upon receipt of the report the tester can evaluate those aspects, with an eye toward developing effective countermeasures).
However, Compagna does not explicitly teach processing based on trace information of a first attack acquired when the first attack is executed on a first apparatus in a communication network
Hiruta teaches
processing based on trace information of a first attack acquired when the first attack is executed on a first apparatus in a communication network and attack method information related to an attack method of a second attack on a second apparatus to generate pseudo trace information of the second attack (¶ 0014 - an acquiring means for acquiring a predicate indicating a type of an attack included in an observation indicating a trace of the attack, or an observation type indicating a type of the observation corresponding to the predicate – ¶ 0049 - An observation is information generated by analyzing a log. For example, in the case where process logs are analyzed and a trace of execution of the program "Mimikatz", which steals user authentication information, is detected, the observation that "Mimikatz" was executed is generated based on the corresponding processing log – ¶ 0053 – ¶ 0057 - The noise condition generation unit 12 generates a noise condition by, with use of selection information that is included in conversion information associated with the predicate or the observation type and is for selecting conversion target data included in log management information for managing a log, selecting conversion target data from the log management information. Conversion information is information used to convert conversion target data associated with a predicate or an observation type to generate a noise condition. The conversion information includes selection information for selecting conversion target data from log management information, and conversion method information indicating a method for converting the selected conversion target data for example – ¶ 0055 - Log management information is information for managing logs that include traces of attacks. The log management information includes conversion target data);
wherein the processing circuitry rewrites the acquired trace information based on one or more parameters included in the attack method information to generate the pseudo trace information of the second attack (¶ 0053 – ¶ 0057 - The noise condition generation unit 12 generates a noise condition by, with use of selection information that is included in conversion information associated with the predicate or the observation type and is for selecting conversion target data included in log management information for managing a log, selecting conversion target data from the log management information. Conversion information is information used to convert conversion target data associated with a predicate or an observation type to generate a noise condition. The conversion information includes selection information for selecting conversion target data from log management information, and conversion method information indicating a method for converting the selected conversion target data for example – ¶ 0055 - Log management information is information for managing logs that include traces of attacks. The log management information includes conversion target data – Note: the conversion information and the selection information are the parameters that determine how the trace/log data is converted (rewritten) to generate the noise (modified traces)).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Compagna to include the teachings of Hiruta. The motivation for doing so is to allow the system to obtain traces from attack observation in order to improve cyber-attack analysis (Abstract, ¶ 0002 – Hiruta).
Regarding claim 2,
Compagna in view of Hiruta further teaches
wherein the attack method information related to the attack method of the second attack includes one or more parameters related to the second attack (Compagna - Fig.7, ¶ 0008 – A testing environment is configured to collect several varieties of HTTP traffic with the MPWA. (The terms HTTP traffic, traces, and HTTP traces used herein as synonyms). User interaction with the MPWA while running security protocols, is recorded. An inference module executes the recorded symbolic sessions, tagging elements in the HTTP traffic with labels – ¶ 0071 - interaction may result from manual interaction between a tester and the MPWA, and/or from automated probing activity of a penetration tool controlled by the tester – ¶ 0057 - The testing framework further comprises an engine 1308 that is configured to receive these traces. This engine performs certain processing tasks upon the traces in order to provide a security analysis – ¶ 0073 - the engine applies attack patterns to the labeled HTTP traces. These attack patterns may be stored in an underlying database, for example an in-memory database – ¶ 0066 – The attack patterns are developed based upon analysis of extant or foreseen attacks upon MPWAs. The attack patterns capture and express a general-purpose attacker strategy in executable programming logic that is not limited to a particular MPWA architecture – Abstract - Attack patterns comprise structured artifacts capturing key information to execute general-purpose attacker strategies. The patterns recognize commonalities between attacks, e.g., abuse of security critical parameter(s), and the attacker's strategy relating to protocol patterns associated with those parameters - See Also Hiruta - Abstract, ¶ 0054);
the processing circuitry is configured to rewrite the trace information of the first attack based on the one or more parameters to generate the pseudo trace information of the second attack (Compagna - ¶ 0177 - The API is set to Proxy rule setting. Proxy rules can be specified, as Zest scripts, to mutate HTTP requests and response passing through the built-in Proxy of ZAP – ¶ 0071 - interaction may result from manual interaction between a tester and the MPWA, and/or from automated probing activity of a penetration tool controlled by the tester – ¶ 0008 – A testing environment is configured to collect several varieties of HTTP traffic with the MPWA. (The terms HTTP traffic, traces, and HTTP traces used herein as synonyms). User interaction with the MPWA while running security protocols, is recorded. An inference module executes the recorded symbolic sessions, tagging elements in the HTTP traffic with labels. This labeled HTTP traffic is referenced to determine particular attack patterns that are to be applied, and corresponding specific attack test cases that are to be executed - See Hiruta – ¶ 0053 – ¶ 0057).
Regarding claim 3,
Compagna in view of Hiruta further teaches
wherein the second apparatus is an apparatus different from or identical to the first apparatus, the trace information of the first attack includes information related to the first apparatus, the one or more parameters includes information related to the second apparatus, and the processing circuitry is configured to rewrite the information related to the first apparatus included in the trace information of the first attack with the information related to the second apparatus based on the one or more parameters to generate the pseudo trace information of the second attack (Compagna - ¶ 0076 - The MPWA's of FIGS. 1a-c feature (i) a user U, operating a browser B, who wants to consume a service from a service provider SP and (ii) a service provider SP that relies on a trusted-third-party TTP to deliver its services. TLS (and valid certificates at TTP and SP) are used to securely exchange messages; ¶ 0078 - U (attacker playing the role of a malicious user); ¶ 0079 - SP (attacker playing the role of a malicious service provider); and ¶ 0080 - SP (the target service provider which is also the SP under test) – ¶ 0135 - The preconditions in FIG. 8b determine how these elements are selected for each pattern. For instance, since RA1 is a replay attack that tries to replay an element from (USP) to (USP), it is reasonable to replay only those elements that flow from TTP to SP, i.e., data flow label TTP-SP. Indeed, these are the ones that likely comprise specific values that TTP issues for the U. In addition, it would make little sense to replay elements whose values do not change over different traces. This is why that pattern selects only elements in the trace that are tagged either as session unique (SU) or user unique (UU) (the users are different among the sessions where the replay takes place) – ¶ 0110 - In attack strategy #1 (and #2) the attacker runs a session with the victim user U, playing the role of the service provider SP, and replays Auth Assert (Access Token, resp.) into a new session with a target service provider SP. The attacker tries thus to impersonate the victim (U) at SP - See Also Hiruta – ¶ 0003, ¶ 0014, ¶ 0015, ¶ 0053 – ¶ 0054).
Regarding claim 6,
Compagna further teaches
wherein the processing circuitry is configured to select one of a plurality of attack scenarios including the attack method information related to the attack method of the second attack and attack identification information identifying the attack method of the second attack (Abstract - A security testing framework leverages attack patterns to generate test cases for evaluating security of Multi-Party Web Applications (MPWAS). Attack patterns comprise structured artifacts capturing key information to execute general-purpose attacker strategies. The patterns recognize commonalities between attacks, e.g., abuse of security critical parameter(s), and the attacker's strategy relating to protocol patterns associated with those parameters);
select attack trace data including attack identification information matching the attack identification information included in the selected attack scenario from among a plurality of pieces of attack trace data including the trace information of the first attack and attack identification information identifying an attack method of the first attack (Abstract - This labeled HTTP traffic is referenced to determine particular attack patterns that are to be applied, and corresponding specific attack test cases that are to be executed against the MPWA – ¶ 0009 - receiving a trace of HTTP traffic with the MPWA resulting from the user action. The engine assigns a label to the trace to create a labeled trace, and the engine applies an attack pattern to the labeled trace to identify an attack. The engine reports the attack to a user interface - See Also ¶ 0010);
generate the pseudo trace information of the second attack based on the trace information of the first attack included in the selected attack trace data and the attack method information related to the attack method in the selected attack scenario ( ¶ 0008 - security testing framework leverages attack patterns to generate test cases for evaluating security of Multi Party Web Applications (MPWAS). This labeled HTTP traffic is referenced determine particular attack patterns that are to be applied, and corresponding specific attack test cases that are to be executed – ¶ 0054 - The penetration tool exposes an Application Program Interface (API) that can serve multiple purposes. For example, HTTP requests and responses can be mutated by the engine via API calls that set proxy rules) .
Regarding claim 8,
Compagna further teaches
wherein the trace information of the first attack is an operation log acquired by the first apparatus at the first attack, and the evaluation target device includes circuitry configured to detect an attack based on an operation log acquired at the attack as trace information of the attack by an apparatus targeted by the attack (Abstract - The patterns recognize commonalities between attacks, e.g., abuse of security critical parameter(s), and the attacker's strategy relating to protocol patterns associated with those parameters. A testing environment is configured to collect several varieties of HTTP traffic. User interaction with the MPWA while running security protocols, is recorded. An inference module executes the recorded symbolic sessions, tagging elements in the HTTP traffic with labels. This labeled HTTP traffic is referenced to determine particular attack patterns that are to be applied, and corresponding specific attack test cases that are to be executed against the MPWA – ¶ 0008 - Attacks are reported back to the tester for evaluation – See Also ¶ 0068 - Based upon the result of this processing of labeled traces according to stored attack pattern(s), the engine is configured to identify an attack 1330, and provide a report 1332 of that attack to the tester (e.g., via the interface) – ¶ 0069 - The report may identify various security protocols and/or parameters affected by the attack. Upon receipt of the report the tester can evaluate those aspects, with an eye toward developing effective countermeasures).
Regarding claim 9,
Compagna further teaches
wherein the processing circuitry is configured to receive, from the evaluation target device, output information indicating a detection result of the second attack based on the pseudo trace information of the second attack and generate an analysis result indicating whether the second attack is detected by the evaluation target device based on the output information (Abstract - The patterns recognize commonalities between attacks, e.g., abuse of security critical parameter(s), and the attacker's strategy relating to protocol patterns associated with those parameters. A testing environment is configured to collect several varieties of HTTP traffic. User interaction with the MPWA while running security protocols, is recorded. An inference module executes the recorded symbolic sessions, tagging elements in the HTTP traffic with labels. This labeled HTTP traffic is referenced to determine particular attack patterns that are to be applied, and corresponding specific attack test cases that are to be executed against the MPWA – ¶ 0008 - Attacks are reported back to the tester for evaluation – See Also ¶ 0068 - Based upon the result of this processing of labeled traces according to stored attack pattern(s), the engine is configured to identify an attack 1330, and provide a report 1332 of that attack to the tester (e.g., via the interface) – ¶ 0069 - The report may identify various security protocols and/or parameters affected by the attack. Upon receipt of the report the tester can evaluate those aspects, with an eye toward developing effective countermeasures).
Regarding claim 11,
Compagna does not explicitly teach
wherein the trace information of the first attack is trace information acquired when the first attack is successful
Hiruta teaches
the trace information of the first attack is trace information acquired when the first attack is successful (¶ 0014 - an acquiring means for acquiring a predicate indicating a type of an attack included in an observation indicating a trace of the attack, or an observation type indicating a type of the observation corresponding to the predicate – ¶ 0049 - An observation is information generated by analyzing a log. For example, in the case where process logs are analyzed and a trace of execution of the program "Mimikatz", which steals user authentication information, is detected, the observation that "Mimikatz" was executed is generated based on the corresponding processing log – ¶ 0053 – ¶ 0057 - The noise condition generation unit 12 generates a noise condition by, with use of selection information that is included in conversion information associated with the predicate or the observation type and is for selecting conversion target data included in log management information for managing a log, selecting conversion target data from the log management information. Conversion information is information used to convert conversion target data associated with a predicate or an observation type to generate a noise condition. The conversion information includes selection information for selecting conversion target data from log management information, and conversion method information indicating a method for converting the selected conversion target data for example – ¶ 0055 - Log management information is information for managing logs that include traces of attacks. The log management information includes conversion target data).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Compagna to include the teachings of Hiruta. The motivation for doing so is to allow the system to obtain traces from attack observation in order to improve cyber-attack analysis (Abstract, ¶ 0002 – Hiruta).
Regarding claim 13,
Compagna teaches an information processing device comprising:
executing processing based on trace information of a first attack acquired when an interaction/automated probing is executed on a first apparatus in a communication network and attack method information related to an attack method of a second attack on a second apparatus and generating pseudo trace information of the second attack (Fig.7, ¶ 0008 – A testing environment is configured to collect several varieties of HTTP traffic with the MPWA. (The terms HTTP traffic, traces, and HTTP traces used herein as synonyms). User interaction with the MPWA while running security protocols, is recorded. An inference module executes the recorded symbolic sessions, tagging elements in the HTTP traffic with labels – ¶ 0071 - interaction may result from manual interaction between a tester and the MPWA, and/or from automated probing activity of a penetration tool controlled by the tester- ¶ 0057 - The testing framework further comprises an engine 1308 that is configured to receive these traces. This engine performs certain processing tasks upon the traces in order to provide a security analysis – ¶ 0073 - the engine applies attack patterns to the labeled HTTP traces. These attack patterns may be stored in an underlying database, for example an in-memory database – ¶ 0066 – The attack patterns are developed based upon analysis of extant or foreseen attacks upon MPWAs. The attack patterns capture and express a general-purpose attacker strategy in executable programming logic that is not limited to a particular MPWA architecture – Abstract - Attack patterns comprise structured artifacts capturing key information to execute general-purpose attacker strategies. The patterns recognize commonalities between attacks, e.g., abuse of security critical parameter(s), and the attacker's strategy relating to protocol patterns associated with those parameters. See Also ¶ 0109 –¶ 0117, ¶ 0188);
wherein generating the pseudo trace information of the second attack includes rewriting the acquired trace information based on one or more parameters included in the attack method information to generate (¶ 0054 - The penetration tool exposes an Application Program Interface (API) that can serve multiple purposes. For example, HTTP requests and responses can be mutated by the engine via API calls that set proxy rules – ¶ 0177 - The API is set to Proxy rule setting. Proxy rules can be specified, as Zest scripts, to mutate HTTP requests and response passing through the built-in Proxy of ZAP – ¶ 0178 - The API is invoked to Evaluate Flag. Execute regular expression-based pattern matching within the HTTP trace so to, e.g., evaluate whether the Flag is present in the HTTP trace – ¶ 0139 - The attack pattern RA5 leverages this threat model by replaying all elements that the attacker can collect from the browser history of the victim. As seen below, use of this threat model allows detecting two attacks that could not be discovered otherwise – ¶ 0008 - A security testing framework leverages attack patterns to generate test cases for evaluating security of Multi Party Web Applications (MPWAS). Attack patterns comprise structured artifacts capturing key information to execute general-purpose attacker strategies. The patterns recognize commonalities between attacks, for example abuse of Security-critical parameter(s), and the attacker's strategy relating to protocol patterns associated with those parameters - This labeled HTTP traffic is referenced to determine particular attack patterns that are to be applied, and corresponding specific attack test cases that are to be executed).
transmitting the generated pseudo trace information of the second attack to an evaluation target device different from the information processing device and connected via the communication network, the pseudo trace information being transmitted to cause the evaluation target device to perform attack detection processing based on the transmitted pseudo trace information. (¶ 0008 - This labeled HTTP traffic is referenced to determine particular attack patterns that are to be applied, and corresponding specific attack test cases that are to be executed against the MPWA. Attacks are reported back to the tester for evaluation. Embodiments may be implemented with penetration testing tools, in order to automate execution of complex attacker strategies – ¶ 0068 - Based upon the result of this processing of labeled traces according to stored attack pattern(s), the engine is configured to identify an attack 1330, and provide a report 1332 of that attack to the tester (e.g., via the interface ). The report may identify various security protocols and/or parameters affected by the attack. Upon receipt of the report the tester can evaluate those aspects, with an eye toward developing effective countermeasures).
However, Compagna does not explicitly teach processing based on trace information of a first attack acquired when the first attack is executed on a first apparatus in a communication network
Hiruta teaches
processing based on trace information of a first attack acquired when the first attack is executed on a first apparatus in a communication network and attack method information related to an attack method of a second attack on a second apparatus and generate pseudo trace information of the second attack (¶ 0014 - an acquiring means for acquiring a predicate indicating a type of an attack included in an observation indicating a trace of the attack, or an observation type indicating a type of the observation corresponding to the predicate – ¶ 0049 - An observation is information generated by analyzing a log. For example, in the case where process logs are analyzed and a trace of execution of the program "Mimikatz", which steals user authentication information, is detected, the observation that "Mimikatz" was executed is generated based on the corresponding processing log – ¶ 0053 – ¶ 0057 - The noise condition generation unit 12 generates a noise condition by, with use of selection information that is included in conversion information associated with the predicate or the observation type and is for selecting conversion target data included in log management information for managing a log, selecting conversion target data from the log management information. Conversion information is information used to convert conversion target data associated with a predicate or an observation type to generate a noise condition. The conversion information includes selection information for selecting conversion target data from log management information, and conversion method information indicating a method for converting the selected conversion target data for example – ¶ 0055 - Log management information is information for managing logs that include traces of attacks. The log management information includes conversion target data);
wherein generating the pseudo trace information of the second attack includes rewriting the acquired trace information based on one or more parameters included in the attack method information to generate (¶ 0053 – ¶ 0057 - The noise condition generation unit 12 generates a noise condition by, with use of selection information that is included in conversion information associated with the predicate or the observation type and is for selecting conversion target data included in log management information for managing a log, selecting conversion target data from the log management information. Conversion information is information used to convert conversion target data associated with a predicate or an observation type to generate a noise condition. The conversion information includes selection information for selecting conversion target data from log management information, and conversion method information indicating a method for converting the selected conversion target data for example – ¶ 0055 - Log management information is information for managing logs that include traces of attacks. The log management information includes conversion target data – Note: the conversion information and the selection information are the parameters that determine how the trace/log data is converted (rewritten) to generate the noise (modified traces)).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Compagna to include the teachings of Hiruta. The motivation for doing so is to allow the system to obtain traces from attack observation in order to improve cyber-attack analysis (Abstract, ¶ 0002 – Hiruta).
Claims 4, 7, 10 are rejected under 35 U.S.C. 103 as being unpatentable over Compagna in view of Hiruta further in view of Sakakibara et al. Publication No. US 2015/0256554 A1 (Sakakibara hereinafter)
Regarding claim 4,
Compagna does not explicitly teach
wherein the trace information of the first attack further includes time information at the first attack, and the processing circuitry is configured to rewrite the time information included in the trace information of the first attack with time information at current time to generate the pseudo trace information of the second attack
However, Sakakibara teaches
trace information of the first attack further includes time information at the first attack, and the processing circuitry is configured to rewrite the time information included in the trace information of the first attack with time information at current time to generate the pseudo trace information of the second attack (¶ 0020 - an attack scenario information storage unit that stores attack scenario information in a storage device in advance, the attack scenario information including a plurality of attack identifiers for identifying a respective plurality of attacks predicted to occur on the network to be monitored and including an occurrence sequence of the plurality of attacks and an occurrence interval of every two of the plurality of attacks that are successive in the sequence; ¶ 0212 - The attack possibility determination unit 107 computes a time at which the attack scenario element 3 is predicted to subsequently occur, based on the "interval 2 of 1104_s2" in the related attack information 1105. ¶ 0514 - Further, a portion of the condition of "from an attack occurrence date and time" may also be rewritten to "from a current time", "from p hours from now", or "from subsequent 0 o'clock").
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Compagna to include the teachings of Sakakibara. The motivation for doing so is to allow the system to efficiently discover from a log a trace of an attack that may occur in the future (Sakakibara – ¶ 0015).
Regarding claim 7,
Compagna does not explicitly teach
wherein the evaluation target device includes a circuitry configured to acquire communication data flowing through the communication network at an attack and detect or prevent the attack based on the acquired communication data, and the trace information of the first attack is communication data flowing through the communication network at the first attack and acquired from the communication network
However, Sakakibara teaches
wherein the evaluation target device includes a circuitry configured to acquire communication data flowing through the communication network at an attack and detect or prevent the attack based on the acquired communication data, and the trace information of the first attack is communication data flowing through the communication network at the first attack and acquired from the communication network (Fig.1, Fig.11, ¶ 0015 - The present invention has been made to solve the problems as mentioned above. It is an object of the present invention to make a log analysis system to cooperate with a SIEM system, based on an attack scenario with respect to an attack detected by the SIEM system to efficiently discover from a log a trace of an attack that may occur in the future – ¶ 0016 - attack analysis system according to the present invention including a log collection apparatus that collects a log of at least one device connected to a network to be monitored and stores the log in a storage device as log information, a detection apparatus that detects an attack on the network to be monitored, and an analysis apparatus that analyzes the log information collected by the log collection apparatus, the attack analysis system comprising ... wherein, upon detection of the attack on the network to be monitored, the detection apparatus transmits to the cooperation apparatus warning information including an attack identifier for identifying the detected attack and an attack occurrence time at which the detected attack has occurred – ¶ 0480 - When an unauthorized access using a password hash is included in information on an attack that may occur in the future, the log analysis cooperation apparatus outputs to an authentication system an instruction to change execution of an asset with an administrator right to execution with a different right. – See ¶ 485).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Compagna to include the teachings of Sakakibara. The motivation for doing so is to allow the system to efficiently discover from a log a trace of an attack that may occur in the future (Sakakibara – ¶ 0015).
Regarding claim 10,
Compagna further teaches
generate the pseudo trace information of the second attack based on the trace information of the first attack included in the selected attack trace data and the parameter included in the attack scenario (¶ 0054 - The penetration tool exposes an Application Program Interface (API) that can serve multiple purposes. For example, HTTP requests and responses can be mutated by the engine via API calls that set proxy rules – ¶ 0177 - The API I set to Proxy rule setting. Proxy rules can be specified, as Zest scripts, to mutate HTTP requests and response passing through the built-in Proxy of ZAP. ¶ 0178. The API is invoked to Evaluate Flag. Execute regular expression-based pattern matching within the HTTP trace so to, e.g., evaluate whether the Flag is present in the HTTP trace – ¶ 0139 - The attack pattern RA5 leverages this threat model by replaying all elements that the attacker can collect from the browser history of the victim. As seen below, use of this threat model allows detecting two attacks that could not be discovered otherwise – ¶ 0008 - A security testing framework leverages attack patterns to generate test cases for evaluating security of Multi Party Web Applications (MPWAS). Attack patterns comprise structured artifacts capturing key information to execute general-purpose attacker strategies. The patterns recognize commonalities between attacks, for example abuse of Security-critical parameter(s), and the attacker's strategy relating to protocol patterns associated with those parameters - This labeled HTTP traffic is referenced to determine particular attack patterns that are to be applied, and corresponding specific attack test cases that are to be executed).
However, Compagna does not explicitly teach
wherein the processing circuitry is configured to select one of a plurality of attack scenarios including a parameter related to the second attack and attack identification information identifying the attack method of the second attack and selects attack trace data including attack identification information matching the attack identification information included in the selected attack scenario from among a plurality of pieces of attack trace data including the trace information of the first attack and attack identification information identifying an attack method of the first attack; specify the attack identification information included in the attack scenario based on which the pseudo trace information of the second attack is generated, generates an evaluation result including a set of the analysis result, the output information, and the specified attack identification information and outputs the evaluation result
Sakakibara teaches
wherein the processing circuitry is configured to select one of a plurality of attack scenarios including a parameter related to the second attack and attack identification information identifying the attack method of the second attack and selects attack trace data including attack identification information matching the attack identification information included in the selected attack scenario from among a plurality of pieces of attack trace data including the trace information of the first attack and attack identification information identifying an attack method of the first attack (Fig.3, 5, ¶ 0021 - a scheduled analysis request unit that, when the warning information is received from the detection apparatus, computes, by a processing device, a predicted occurrence at which an analysis target attack being a different attack from the detected attack is predicted to occur, based on the warning information received and the attack scenario information stored by the attack scenario information storage unit – ¶ 0054 - The log analysis cooperation apparatus 1 searches the DBs for an attack c (subsequent attack) predicted to occur subsequent to the attack b. The log analysis cooperation apparatus 1 determines possibility of occurrence of the attack c predicted to occur subsequent to the attack b, using the attack scenario DB 1013, the asset DB 1015, and the security countermeasure DB 1014 – ¶ 0083 - The attack scenario DB search unit 103 inputs a scenario extraction condition 1202, and searches the attack scenario DB 1013, using attack identification information 1103. The attack scenario DB search unit 103 inputs the attack scenario 1104 that is a result of the search. The attack scenario DB search unit 103 outputs the input attack scenario 1104 to the related attack extraction unit 104. – ¶ 0084 - The attack scenario DB 1013 stores a sequence of a plurality of attacks for executing an APT (advanced and persistent threat) and information on a time interval of the sequence and so forth, as each scenario – See also ¶ 01-09 – ¶ 0132 - the log analysis cooperation apparatus 1 extracts from the attack scenario DB 1013 the attack scenario 1104 including the attack notified by the warning information 1201' received from the SIEM apparatus 902. ¶ 0131 - The attack scenario DB search unit 103 outputs the attack scenario 1104 input from the attack scenario DB 1013 to the related attack extraction unit 104. ¶ 0132 - The related attack extraction unit 104 inputs the attack scenario 1104 and analyzes the attack scenario 1104 using the processing device. The related attack extraction unit 104 extracts information related to the notified attack included in the attack scenario 1104.);
specify the attack identification information included in the attack scenario based on which the pseudo trace information of the second attack is generated, generates an evaluation result including a set of the analysis result, the output information, and the specified attack identification information and outputs the evaluation result (¶ 0135 - When the related attack extraction condition 1203 specifies "the number of attacks predicted to occur subsequent to the notified attack is one", for example, the related attack extraction unit 104 extracts only information on the attack predicted to occur subsequent to the notified attack and an interval between the notified attack and the attack predicted to occur subsequent to the notified attack. When the related attack extraction condition 1203 specifies "the number of attacks predicted to occur subsequent to the notified attack is all", the related attack extraction unit 104 extracts information on the all attacks predicted to occur subsequent to the notified attack and intervals between the all attacks. – ¶ 0141 - the related attack extraction unit 104 inputs the related attack extraction condition 1203 specifying "the number of attacks predicted to occur subsequent to the notified attack is one", extracts from the attack scenario 1104 the "attack scenario element 3 of 1104_e3" as the attack subsequent to the attack scenario element 2 of 1104_e2 (notified attack), and then extracts the "interval 2 of 1104_s2" as the "interval". – ¶ 0144 - Next, the related attack extraction unit 104 outputs the related attack information 1105 to the security countermeasure search unit 105. The security countermeasure search unit 105 searches the security countermeasure DB 1014 using the related attack information 1105 that has been input. Specifically, the security countermeasure search unit 105 searches the security countermeasure DB 1014, using the "attack scenario element 3 of 1104_e3" and the "interval 2 of 1104_s2" included in the input related attack information 1105. ¶ 0146 - FIG. 6 is a diagram illustrating a configuration of the countermeasure information 1107 stored in the security countermeasure – See ¶ 0483 – ¶ 0484).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Compagna to include the teachings of Sakakibara. The motivation for doing so is to allow the system to efficiently discover from a log a trace of an attack that may occur in the future (Sakakibara – ¶ 0015).
Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Compagna in view of Hiruta further in view of Li et al. Publication No. CN 112637175 A (Li hereinafter)
Regarding claim 5,
Compagna does not explicitly teach
wherein the information related to the first apparatus includes address information of the first apparatus, the parameter includes address information of the second apparatus as the information related to the second apparatus pseudo trace generator rewrites the address information of the first apparatus with the address information of the second apparatus.
However, Li teaches
information related to the first apparatus includes address information of the first apparatus, the parameter includes address information of the second apparatus as the information related to the second apparatus pseudo trace generator rewrites the address information of the first apparatus with the address information of the second apparatus. (Page 3 - The embodiment of the invention by counting the attacker continuous several times of attack address, and according to whether there is a connection relationship between the node address of each attack, determining the attack strategy of the attacker. The embodiment of the invention obtains the attack strategy of the attacker, can provide the corresponding node address to replace the attacked address, and according to the feature of different attack strategy, selecting node address with higher reliability to replace, so as to induce the attacker to attack the replaced node address, effectively ensuring the safety of the target data in the industrial internet of things - selecting the node with the highest attack probability as the replacement node, so as to improve the reliability of the attacker after replacing the node address, enhancing the defense effect).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Compagna to include the teachings of Li. The motivation for doing so is to allow the system to effectively ensure the safety of the target data in the industrial internet of things (Li – Page 3).
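The selection, rewriting and evaluation steps that claims 1, 4, 5 and 10 recite, carried through as an added Python example (not code from the office action or from any of the cited publications): attack trace data is selected by attack identification information, its time information is shifted to the current time while the original intervals are kept, the first apparatus's address is replaced by the second apparatus's address taken from the scenario parameter, and the resulting pseudo trace is fed to a constructed stand-in detector whose output is packaged with the attack id into an evaluation result. All names, addresses, timestamps and the detector rule are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class TraceRecord:          # one record of trace information
    ts: datetime            # time information
    src: str                # address of the sending host
    dst: str                # address of the receiving host
    msg: str                # event text, e.g. a log line of the apparatus

@dataclass
class AttackTraceData:      # trace of the first attack plus its attack id
    attack_id: str
    first_apparatus: str    # address information of the first apparatus
    records: list

@dataclass
class AttackScenario:       # attack id of the second attack plus its parameter
    attack_id: str
    second_apparatus: str   # address information of the second apparatus

def select_trace_data(scenario, trace_db):
    """Pick the stored attack trace data whose attack id matches the scenario."""
    for data in trace_db:
        if data.attack_id == scenario.attack_id:
            return data
    raise LookupError(f"no attack trace data for attack id {scenario.attack_id!r}")

def generate_pseudo_trace(data, scenario, now):
    """Rewrite the first attack's trace into a pseudo trace of the second attack:
    the first record moves to `now` (later records keep their original intervals)
    and the first apparatus's address is replaced by the second apparatus's."""
    base, old, new = data.records[0].ts, data.first_apparatus, scenario.second_apparatus
    return [TraceRecord(now + (r.ts - base),
                        new if r.src == old else r.src,
                        new if r.dst == old else r.dst,
                        r.msg.replace(old, new)) for r in data.records]

def threshold_detector(records, threshold=3, window=timedelta(seconds=60)):
    """Constructed stand-in for the evaluation target device: alerts when
    `threshold` failed logins against one destination fall inside `window`."""
    by_dst = {}
    for r in records:
        if "login failed" in r.msg:
            by_dst.setdefault(r.dst, []).append(r.ts)
    alerts = []
    for dst, times in by_dst.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append({"dst": dst, "first_seen": times[i]})
                break
    return {"detected": bool(alerts), "alerts": alerts}

def evaluate(scenario, trace_db, detector, now):
    """Evaluation result: analysis result, output information (the pseudo trace) and attack id."""
    pseudo = generate_pseudo_trace(select_trace_data(scenario, trace_db), scenario, now)
    return {"attack_id": scenario.attack_id, "analysis_result": detector(pseudo), "output": pseudo}

# Constructed sample: a first attack captured against 10.0.0.5 in 2024 (three failed
# logins 10 s apart, then a success), and a scenario whose target is 192.168.1.20.
_T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
_FAIL = "login failed user=admin on 10.0.0.5"
TRACE_DB = [AttackTraceData("ATK-BRUTE-01", "10.0.0.5",
    [TraceRecord(_T0 + timedelta(seconds=10 * i), "10.0.0.99", "10.0.0.5", _FAIL) for i in range(3)]
    + [TraceRecord(_T0 + timedelta(seconds=30), "10.0.0.5", "10.0.0.99", "login ok user=admin")])]
SCENARIOS = [AttackScenario("ATK-BRUTE-01", "192.168.1.20")]
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
```

Running `evaluate(SCENARIOS[0], TRACE_DB, threshold_detector, NOW)` yields a pseudo trace whose first record is stamped with `NOW`, whose addresses all point at 192.168.1.20, and which the stand-in detector flags; swapping in the real evaluation target device in place of `threshold_detector` is the intended use.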
Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Compagna in view of Hiruta further in view of Yagyu et al. Publication No. US 2022/0237302 A1 (Yagyu hereinafter).
Regarding claim 12,
Compagna does not explicitly teach
wherein trace information of the first attack is trace information acquired when the first attack is unsuccessful.
However, Yagyu teaches
trace information of the first attack is trace information acquired when the first attack is unsuccessful (¶ 0082 - The establishment conditions are conditions such as, for example, (a) attack success conditions, (b) attack possible conditions, (c) attack failure conditions, (d) traces during attacks, (e) traces during successful attacks, (f) traces during failed attacks, (g) environmental changes due to successful attacks, and the like – ¶ 0084 - Traces during failed attacks are, for example, information indicating what traces are left behind when an attack scenario fails, for each environment – See ¶ 0069).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Compagna to include the teachings of Yagyu. The motivation for doing so is to allow the system to collect, from a simulation system simulating a system to be attacked, environment information expressing an environment in which the simulation system is constructed, history information recorded in the simulation system, and attack information expressing whether or not an attack has been carried out on the simulation system and whether the attack has succeeded or failed (Yagyu – ¶ 0009).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YOUNES NAJI whose telephone number is (571)272-2659. The examiner can normally be reached Monday - Friday 8:30 AM -5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Oscar A Louie can be reached at (571) 270-1684. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/YOUNES NAJI/Primary Examiner, Art Unit 2445