DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-14 have been examined.
Response to Arguments
Applicant's arguments filed on 10/9/25 have been fully considered but they are not persuasive.
Regarding Applicant’s remarks, Applicant mainly argues that Moss does not explicitly disclose “noise condition” and “noise information.”
In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
The central concept of the present application is directed toward determining a predicate associated with an observed type of log data entries, and generating a noise condition based on the observed type using conversion information. Based on the broadest reasonable interpretation consistent with the Specification, the combination of references teaches or at least suggests the limitations as claimed for the following reasons.
Specifically, Moss is relied upon for disclosure of receiving log files indicating various types of anomalies or event surges, and converting the log entries into a standardized format prior to generating event noise/noise condition (Moss: Fig. 2: identify and select surge to generate event noise/noise condition; [0036] and [0093]: aggregate and normalize logs from a variety of software components in a converged software stack, i.e. standardization of the selected conversion target data; [0101]-[0105]: determine content of the log event, i.e. condition, and classify the event data into different categories, e.g. DDOS attack). Although Moss does not explicitly disclose generating noise information based on noise conditions, Porras discloses establishing or generating pre-filter criteria/noise condition for identifying event data that are considered to be noise (Porras: col. 3 lines 10-20: pre-filtering module sets conditions to remove known noises or log entries that arise from non-hostile activity or activity from which useful filters cannot be reliably derived… match criteria that have been empirically identified as commonly occurring non-useful input; col. 4 lines 1-15). Therefore, it would have been obvious to one having ordinary skill in the art to identify events that are noise based on conditions and event types associated with observed activities in event logs because they are analogous art involving analyzing log data to detect system anomalies. The motivation to combine would be to improve analytical efficiency based on the specific data type.
Furthermore, the steps are recited at a high level of generality (i.e. converting using conversion method information included in conversion information) or as intended use (i.e. noise condition…for standardization, noise information configured for…). Applicant is advised to further clarify the context and the output result associated with the steps in order to distinguish the claims from the prior art.
Accordingly, Applicant’s argument is not persuasive in light of the above explanation.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 5-7 and 9-11 are rejected under 35 U.S.C. 103 as being unpatentable over Moss et al. U.S. Pub. No. 2021/0406106 (hereinafter Moss) in view of Porras et al. U.S. Pat. No. 9,083,712 (hereinafter Porras).
As per claims 1, 5 and 9, Moss discloses an attack analysis support apparatus/method/non-transitory computer readable medium comprising:
one or more memories storing instructions; and
one or more processors configured to execute the instructions to:
acquire a predicate indicating a type of an attack included in an observation indicating a trace of the attack, or an observation type indicating a type of the observation corresponding to the predicate (Moss: [0004]; [0035]: receive log files containing event history indicating different type of event surge or anomalies; [0043]-[0048]: classify review error events);
using selection information that is included in conversion information associated with the predicate or the observation type and is configured for selecting conversion target data included in log management information for managing a log that includes traces of the attack, select conversion target data from the log management information (Moss: Fig. 2: select surge/target data from the log data to generate event/noise condition), generate a noise condition by converting the selected conversion target data using conversion method information for standardization of the selected conversion target data included in the conversion information (Moss: [0036] and [0093]: aggregate and normalize logs from a variety of software components in a converged software stack, i.e. standardization of the selected conversion target data); and
generate information to be used for determination of whether or not the observation is relevant, in accordance with the condition generated for the log management information (Moss: [0004]: event noises are used to remove data from log analysis; [0101]-[0105]: classify event logs based on different conditions to show different anomalies, e.g. error events, alert events, status events).
Moss discloses removing certain error events in the log files by identifying event surges as event noise based on periodic patterns (Moss: Figs. 2 and 3; [0004]). Moss does not explicitly disclose generating a noise condition for noise information to filter out information that is not pertinent to the analysis. However, Porras discloses identifying event data that are considered to be noise based on certain conditions or event type (Porras: col. 3 lines 10-20: pre-filtering module sets conditions to remove noises or log entries that arise from non-hostile activity or activity from which useful filters cannot be reliably derived…match criteria that have been empirically identified as commonly occurring non-useful input; col. 4 lines 1-15). It would have been obvious to one having ordinary skill in the art to identify events that are noise based on conditions and event types associated with observed activities in event logs because they are analogous art involving analyzing log data to detect system anomalies. The motivation to combine would be to improve analytical efficiency based on the specific data type.
As per claims 2, 6 and 10, Moss as modified discloses the limitations according to claims 1, 5 and 9 respectively. Moss as modified further discloses wherein the processors search, using a search condition that was set in advance and configured for searching for noise, for noise information that matches the search condition, from the generated noise information (Moss: Fig. 2; [0101]-[0105]: classify event logs based on different conditions to show different anomalies, e.g. error events, alert events, status events).
As per claims 3, 7 and 11, Moss as modified discloses the limitations according to claims 1, 5 and 9 respectively. Moss as modified further discloses wherein the processors determine whether or not the observation is noise using the generated noise information, and delete the observation from a storage device in a case of determining that the observation is noise (Moss: [0038]-[0039]; Porras: col. 3 lines 10-20). The same rationale applies here as above in rejecting claim 1.
Claims 4, 8 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Moss in view of Porras and further in view of Porat et al. U.S. Pub. No. 2016/0357966 (hereinafter Porat).
As per claims 4, 8 and 12, Moss as modified discloses the limitations according to claims 1, 5 and 9 respectively. Moss as modified does not explicitly disclose wherein the processors generate output information for outputting the generated noise information to an output device; and acquire modification information, which is configured for modifying the conversion information and was generated by a user using the generated noise information, and modify the conversion information using the acquired modification information. However, Porat discloses detecting malicious threats based on deterministic algorithms and/or manually, where new profiles are acknowledged by an administrator (Porat: [0131]). It would have been obvious to one having ordinary skill in the art to implement a deterministic algorithm and user input to analyze and classify events in an event log because they are analogous art involving monitoring and analyzing event data/logs to detect system anomalies. The motivation to combine would be to further refine rules to filter out irrelevant data sets.
Claims 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Moss in view of Porras and further in view of Li et al. U.S. 2019/0050561 (hereinafter Li).
As per claims 13 and 14, Moss as modified discloses the apparatus of claim 1. Moss as modified does not explicitly disclose wherein the one or more processors are further configured to, using the preset rule, in a case where the noise condition comprises multiple noise conditions generated from different selection information related to the log management information, execute the instructions to: generate the noise information by connecting the multiple noise conditions with a logical product or logical sum. However, Li discloses using logical operations to establish filters in a threat detection system (Li: [0049]: the constraints can be connected by logical operations for tracking data). It would have been obvious to one having ordinary skill in the art to use logical operations to filter out data based on a combination of filtering conditions because Moss and Li are analogous art involving identifying and filtering specific data during data analysis. The motivation to combine would be to expand or narrow the search result.
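For orientation on the claim language addressed above (claims 1 and 13/14), the following is an added illustration written for this page, not code from the application, Moss, Porras or Li: conversion information keyed by observation type carries selection information (which log fields to take) and a conversion method (standardization), each selected field yields one noise condition, and multiple conditions are connected by a logical product ("and") or logical sum ("or") into noise information used to judge whether an observation is noise. The log records, field names and the structure of the conversion information are constructed assumptions.

```python
from typing import Callable

# Constructed sample log management information: one record per log entry.
LOG_MANAGEMENT_INFO = [
    {"src_ip": "10.0.0.5", "proc": "Backup.EXE", "event_id": 4624},
    {"src_ip": "10.0.0.9", "proc": "scanner.exe", "event_id": 4625},
]

# Hypothetical conversion information: per observation type, the selection
# information (fields to select) and the conversion method used for
# standardization of the selected conversion target data.
CONVERSION_INFO = {
    "logon": {"select": ["src_ip", "proc"], "method": str.lower},
}


def generate_noise_conditions(observation_type: str, log_info) -> list[dict]:
    """Select conversion target data per the selection information and
    standardize it; each selected field becomes one noise condition."""
    info = CONVERSION_INFO[observation_type]
    conds = []
    for field in info["select"]:
        values = {info["method"](str(rec[field])) for rec in log_info}
        conds.append({"field": field, "values": values, "method": info["method"]})
    return conds


def generate_noise_information(conditions, op: str) -> Callable[[dict], bool]:
    """Connect multiple noise conditions with a logical product ("and") or a
    logical sum ("or"); the result decides whether an observation is noise."""
    def matches(cond, obs):
        # Apply the same standardization to the observation before comparing.
        return cond["method"](str(obs.get(cond["field"], ""))) in cond["values"]
    combine = all if op == "and" else any
    return lambda obs: combine(matches(c, obs) for c in conditions)


def is_noise(observation: dict, observation_type: str, op: str = "and") -> bool:
    conds = generate_noise_conditions(observation_type, LOG_MANAGEMENT_INFO)
    return generate_noise_information(conds, op)(observation)


def filter_observations(observations, observation_type: str, op: str = "and"):
    """Drop observations judged to be noise and keep the remainder."""
    conds = generate_noise_conditions(observation_type, LOG_MANAGEMENT_INFO)
    noise = generate_noise_information(conds, op)
    return [o for o in observations if not noise(o)]
```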
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHIN HON (ERIC) CHEN whose telephone number is (571)272-3789. The examiner can normally be reached Monday to Thursday 9am-7pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached at 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHIN-HON (ERIC) CHEN/Primary Examiner, Art Unit 2431