DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to communication (preliminary amendment) filed on 09/19/2024.
Status of claims in the instant application:
Claims 1-22 are pending.
Claims 6, 9, 11, 12 and 13 have been amended.
Claims 14-22 have been newly added.
Election/Restrictions
No claim restriction is warranted at the applicant’s initial time of filing for patent.
Priority
This application is a 371 of PCT/JP2022/013884 filed on 03/24/2022.
Information Disclosure Statement
Information Disclosure Statements (IDS) filed on 09/19/2024 have been considered, and signed copies of the IDS forms have been attached to this office action.
Drawings
Drawings filed on 09/19/2024 have been inspected and are in compliance with MPEP 608.02.
Specification
The abstract of the disclosure is objected to.
The abstract of the disclosure says, “A monitoring server apparatus comprises an operation section configured to collect …”
However, the word “comprises” is legal phraseology that should be avoided.
Applicant is reminded of the proper language and format for an abstract of the disclosure.
The abstract should be in narrative form and generally limited to a single paragraph on a separate sheet within the range of 50 to 150 words in length. The abstract should describe the disclosure sufficiently to assist readers in deciding whether there is a need for consulting the full patent text for details.
The language should be clear and concise and should not repeat information given in the title. It should avoid using phrases which can be implied, such as, “The disclosure concerns,” “The disclosure defined by this invention,” “The disclosure describes,” etc. In addition, the form and legal phraseology often used in patent claims, such as “means” and “said,” should be avoided.
A corrected abstract of the disclosure is required and must be presented on a separate sheet, apart from any other text. See MPEP § 608.01(b).
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f):
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f). The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) because the claim limitations use a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitations are:
Claims 1, 3, 3, 4, 5, 6, 7, 8, 9, 10 and 11 (claim 11 is a system claim that contains all the elements of claim 1) recite:
“… an operation section configured to collect …”; “… a log collection section configured to collect …”; “… a log analysis section configured to use …”; “… a kernel probe section configured to probe …”; “… the log analysis section is configured to extract … ”; “… the kernel probe section is configured to estimate …”; “… the kernel probe section is further configured to transmit …”; “… a model creation section configured to collect …”; “… a log collection section configured to collect …”; “… the log collection section is configured to transmit …”; “a model generation section configured to generate”; “… the model generation section is configured to extract …”; “… the model generation section is further configured to verify …”.
Because these claim limitations are being interpreted under 35 U.S.C. 112(f), they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
Examiner has investigated the disclosure of the instant application (US 20250217482 A1) and finds references to the placeholder terms identified above in the following sections/paragraphs:
log collection section: Para [0037, 0038, 0048, 0049, 0051, 0061-0063]. However, all descriptions in the above-mentioned sections of the specification describe only the function(s) of the log collection section. None of them discloses any algorithm or related structure/hardware that implements the log collection section.
log analysis section: Para [0050, 0075, 0076, 0099, 0104]. However, all descriptions in the above-mentioned sections of the specification describe only the function(s) of the log analysis section. None of them discloses any algorithm or related structure/hardware that implements the log analysis section.
kernel probe section: Para [0051-0053, 0077-0079, 0081-0084, 0099, 0106, 0108]. However, all descriptions in the above-mentioned sections of the specification describe only the function(s) of the kernel probe section. None of them discloses any algorithm or related structure/hardware that implements the kernel probe section.
model generation section: Para [0038-0040, 0047, 0049, 0064-0072, 0113, 0118, 0120]. However, all descriptions in the above-mentioned sections of the specification describe only the function(s) of the model generation section. None of them discloses any algorithm or related structure/hardware that implements the model generation section.
If applicant does not intend to have these limitations interpreted under 35 U.S.C. 112(f), applicant may: (1) amend the claim limitations to avoid them being interpreted under 35 U.S.C. 112(f) (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitations recite sufficient structure to perform the claimed function so as to avoid them being interpreted under 35 U.S.C. 112(f).
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
Claims 4-5 and 16-17 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Claims 4 and 16 recite, “contains the feature related to the anomaly score equal to or greater than the threshold”
However, “the feature” lacks antecedent basis, as there is no previous recitation of “a feature”. The lack of (insufficient) antecedent basis makes the claim language ambiguous/indefinite, and hence claims 4 and 16 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Dependent claims 5 and 17 do not rectify the issue identified in parent claims 4 and 16, hence they are also rejected for the same reason as claims 4 and 16.
Appropriate correction is required.
*** Note: For examination purposes the claim limitation is interpreted as “contains the extracted feature when the anomaly score is equal to or greater than the threshold”.
Claims 9-10 and 21-22 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Claims 9 and 21 recite, “logs related to the selected feature as explanatory variable”
However, “the selected feature” lacks antecedent basis, as there is no previous recitation of “a selected feature”. The lack of (insufficient) antecedent basis makes the claim language ambiguous/indefinite, and hence claims 9 and 21 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Dependent claims 10 and 22 do not rectify the issue identified in parent claims 9 and 21, hence they are also rejected for the same reason as claims 9 and 21.
Appropriate correction is required.
*** Note: For examination purposes the claim limitation “narrow down the features to feature strongly correlated”, recited earlier in claims 9 and 21, is interpreted as “narrow down the features to a selected feature strongly correlated”, which provides antecedent basis for the later recited term “the selected feature”.
Claims 1-11 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Claim limitations in claims 1-11 invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function.
Examiner has identified previously, in the claim interpretation section, that all the descriptions related to the nonce (placeholder) terms recited in the claims describe only their function(s). None of them discloses any algorithm or related structure/hardware that implements those nonce terms and positively links the structure/hardware to the claimed function(s).
Therefore, claims 1-11 are indefinite and are rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
Applicant may:
(a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph;
(b) Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(c) Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either:
(a) Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(b) Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
Claims 1-11 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claim limitations in claims 1-11 invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function.
Examiner has identified previously, in the claim interpretation section, that all the descriptions related to the nonce (placeholder) terms recited in the claims describe only their function(s). None of them discloses any algorithm or related structure/hardware that implements those nonce terms and positively links the structure/hardware to the claimed function(s).
Therefore, claims 1-11 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Appropriate correction is required.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-3, 6-15 and 18-22 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.
Claim 1 recites, “A monitoring server apparatus, comprising an operation section configured to collect from monitored apparatuses predetermined logs excluding kernel trace information during operation, monitor an anomaly of the monitored apparatuses using a model created in advance, and perform dynamic monitoring by narrowing its focus to kernel space of a monitored apparatus having the anomaly when any anomaly has occurred”.
The limitation “monitor an anomaly” can be considered collecting some kind of activity log/trace/data, comparing the count/frequency of a certain activity to a threshold, and indicating an anomaly if the count/frequency exceeds the threshold. The broad recitation in the claim limitation can be considered a mental process (an abstract idea), as it can reasonably be performed in the human mind with the aid of pencil and paper.
The remaining feature/element/limitation of the claim is there merely to collect data, which is considered insignificant extra-solution activity, as it is an ordinary part of communication using a device/network.
Therefore, claim 1 neither has any additional limitation(s) that can be considered to integrate the previously identified abstract idea into a practical application, nor does it have any limitation that can be considered significantly more than the abstract idea.
Therefore, claim 1 is rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.
Dependent claims 2, 3, 6, 7, 8, 9 and 10 also recite limitations similar to those of claim 1, and hence they are similarly rejected as claim 1.
Independent claims 11, 12 and 13 are also rejected for reasons similar to those of claim 1.
Dependent claims 14, 15 and 18-22 also recite limitations similar to those of claim 12, and hence they are similarly rejected as claim 12.
Appropriate correction is required.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 2, 11, 12, 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 20220327219 A1 to CHOI et al. (hereinafter “CHOI”) in view of Pub. No.: US 20190205533 A1 to Diehl et al. (hereinafter “Diehl”).
Regarding Claim 1. CHOI discloses a monitoring server apparatus (CHOI, FIG. 1A-1B, Para [0026-0027, 0075]: … FIG. 1A illustrates an overview of multiple components of an exemplary system in which aspects of the present disclosure are implemented, including a cyber-physical system in the form of an industrial control system, and a cybersecurity system … FIG. 1B is a schematic diagram of a first exemplary industrial control system topology with which the cybersecurity system may be implemented … an attacker may access an industrial control system, which includes a desktop computer that serves as an operator terminal running the WINDOWS Operating System and a PLC device running a real-time operating system, which defines a kernel space and a user space … The remote server can be configured to incorporate the file permission change detected at the operator terminal and the file activity detected at the PLC device into a time-ordered event data stream. According to certain embodiments, the remote server may monitor the time-ordered event data stream to detect that the file activity of the operator terminal and the PLC device are anomalous …), comprising an operation section configured to collect from monitored apparatuses predetermined logs excluding kernel trace information during operation (CHOI, FIG. 3A, Para [0091]: … FIG. 3A illustrates an exemplary process 300 by which the logging agent provides a log entry on a first type of device, for example, a computing device running a MICROSOFT WINDOWS-based Operating System, on which the HMI 150 is implemented.
In the first type of device, the logging agent may be configured to monitor user-level activity 302; more particularly, as a non-limiting example, user file activities such as ‘create’, ‘read’, ‘update’, and ‘delete’ (CRUD) types of actions …), [monitor an anomaly of the monitored apparatuses using a model created in advance], and perform dynamic monitoring by narrowing its focus to kernel space of a monitored apparatus having the anomaly when any anomaly has occurred (CHOI, FIG. 3A, Para [0081, 0091]: … In the first type of device, the logging agent may be configured to monitor user-level activity 302; more particularly, as a non-limiting example, user file activities such as ‘create’, ‘read’, ‘update’, and ‘delete’ (CRUD) types of actions. These activities have associated system calls 304 (e.g., in the form of input/output requests) to access kernel-level processes. In a WINDOWS Operating System, system calls 304 linking to user file activities are transmitted to a device driver stack 306 that includes a plurality of drivers. The logging agent uses a predefined monitoring condition to detect certain file activity (e.g., events of interest) as the system calls 304 are processed by registering relevant drivers—for example, using a filter manager 308—to hook the system call. For example, in operating systems, the drivers that participate in I/O requests may be collectively referred to as the driver stack. The logging agent may evaluate the driver stack for any drivers that are associated with a detected kernel-level event. If one or more drivers are identified, then the logging agent collects attributes (e.g., metadata) associated with the kernel-level event, and then transmits the collected information for entry into a log. Advantageously, this hooking mechanism captures and logs system calls of the device at the kernel level, which provides a granular record of relevant events within the system.
Again, tracing system calls at the kernel level also provides greater opportunities for detection and tracing of potential security threats …).
However, CHOI does not explicitly teach, but Diehl from same or similar field of endeavor teaches:
“monitor an anomaly of the monitored apparatuses using a model created in advance (Diehl, Para [0043-0045, 0176-0177]: … In general, the components 122, 128 of both the user-level security agent 116 and the kernel-level security agent 118 may be configured to observe events and determine actions to take based on those events, potentially with the assistance of a remote security system. In addition, the OS 114 may include hooks or filter drivers that allow other processes, such as the user-level security agent 116 and/or the kernel-level security agent 118 to receive notifications of the occurrence or non-occurrence of events … Example events can include, without limitation, file creates, reads and writes, launching of executables, or events that occur in the user mode of the computing device 102 … Other of the components 122, 128 may include “correlators” that note the fact of the occurrence of events, sometimes after filtering the semantically-interesting events down to a subset of events. Yet other of the components 122, 128 may include “actors” that may, among other things, gather forensic data associated with an event and update a situational model of the user-mode security agent 116 and/or the kernel-level security agent 118 with the forensic data. Such a situational model can represent chains of execution activities and genealogies of processes, tracking attributes, behaviors, or patterns of processes executing on the computing device 102, enabling an “event consumer” component 122, 128 to determine when an event is interesting from a security standpoint … In some examples, at block 1210, processor 106 can determine, in the kernel mode 204, that the event is associated with malicious activity. Examples are discussed herein, e.g., with reference to blocks 610 or 1010. 
The determination at block 1210 can be based at least in part on the security-relevant information in the information response on the kernel-level bus 126 … block 1210 can be followed by block 1110. In some examples, blocks 1010 and 1210 can be used together or in cooperation to determine, partly in user mode 202 and partly in kernel mode 204, that the event is associated with malicious activity …)”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Diehl into the teachings of CHOI, because it discloses that, “Various examples permit kernel-level malware detection to make use of user-level services (e.g., FIG. 6), or permit user-level malware detection to make use of kernel-level services (e.g., FIG. 13). Various examples provide increased flexibility in determining whether to implement particular tests for malware in user mode 202 or kernel mode 204. Various examples of security agents 132 move operations into user mode 202 to reduce the probability that an exploit of the security agent 132 itself will compromise the computing device 102. Various examples of security agents 132 are used in implementing real-time or other anti-virus programs. Various examples permit developing user-level components 122 separately from kernel-level components 128, which can reduce the complexity of components 122, 128. Various examples offload long-running analysis tasks to user mode 202, and thereby permit handling hundreds of thousands of kernel-level events per second without degrading system responsiveness (Diehl, Para [0236])”.
Regarding Claim 2. The combination of CHOI-Diehl discloses the monitoring server apparatus according to Claim 1, CHOI further discloses, “wherein the operation section comprises:
a log collection section configured to collect from the monitored apparatuses the predetermined logs excluding the kernel trace information (CHOI, Para [0091]: … In the first type of device, the logging agent may be configured to monitor user-level activity 302; more particularly, as a non-limiting example, user file activities such as ‘create’, ‘read’, ‘update’, and ‘delete’ (CRUD) types of actions. These activities have associated system calls 304 (e.g., in the form of input/output requests) to access kernel-level processes. In a WINDOWS Operating System, system calls 304 linking to user file activities are transmitted to a device driver stack 306 that includes a plurality of drivers. The logging agent uses a predefined monitoring condition to detect certain file activity (e.g., events of interest) as the system calls 304 are processed …);
a log analysis section configured to use the model to analyze whether or not there is an anomaly in the predetermined logs (CHOI, Para [0091, 0110]: … The logging agent uses a predefined monitoring condition to detect certain file activity (e.g., events of interest) as the system calls 304 are processed by registering relevant drivers … It is envisaged that the accumulated logs may be utilized for a range of security applications including, for example: near real-time situational awareness, anomaly detection, threat forecasting, and security attribution …); and
a kernel probe section configured to probe a kernel of a source of the predetermined logs having an anomaly among the monitored apparatuses when any of the predetermined logs is determined to have an anomaly (CHOI, Para [0091, 0110]: The logging agent uses a predefined monitoring condition to detect certain file activity (e.g., events of interest) as the system calls 304 are processed by registering relevant drivers—for example, using a filter manager 308—to hook the system call. For example, in operating systems, the drivers that participate in I/O requests may be collectively referred to as the driver stack. The logging agent may evaluate the driver stack for any drivers that are associated with a detected kernel-level event. If one or more drivers are identified, then the logging agent collects attributes (e.g., metadata) associated with the kernel-level event, and then transmits the collected information for entry into a log. Advantageously, this hooking mechanism captures and logs system calls of the device at the kernel level, which provides a granular record of relevant events within the system. Again, tracing system calls at the kernel level also provides greater opportunities for detection and tracing of potential security threats…).
Regarding Claim 11. This claim contains all the same or similar limitations as claim 1, and hence similarly rejected as claim 1.
**** Note: CHOI also discloses “a system with monitored apparatuses and a management terminal (CHOI: FIG.1)”.
Regarding Claim 12. This claim contains all the same or similar limitations as claim 1, and hence similarly rejected as claim 1.
**** Note: CHOI also discloses “a monitoring method using hardware resources (CHOI: FIG. 3, FIG.1)”.
Regarding Claim 13. This claim contains all the same or similar limitations as claim 1, and hence similarly rejected as claim 1.
**** Note: CHOI also discloses “A non-transitory computer readable medium storing a program causing hardware resource to execute a process of monitoring an operation of a monitored apparatuses (CHOI: Para [0018])”.
Regarding Claim 14. This claim contains all the same or similar limitations as claim 2, and hence similarly rejected as claim 2.
Claims 3 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 20220327219 A1 to CHOI et al. (hereinafter “CHOI”) in view of Pub. No.: US 20190205533 A1 to Diehl et al. (hereinafter “Diehl”), as applied to claim 2 above, and further in view of Pub. No.: US 20210037035 A1 to Graul (hereinafter “Graul”).
Regarding Claim 3. The combination of CHOI-Diehl discloses the monitoring server apparatus according to Claim 2; however, it does not explicitly teach, but Graul, from the same or similar field of endeavor, teaches, “wherein the log analysis section is configured to extract feature from the predetermined logs to calculate an anomaly score using a predetermined mathematical formula, and determine whether or not the anomaly score is equal to or greater than a threshold set in the model (Graul, Para [0032, 0048, 0054-0057, 0174]: … Components of kernel-level security agents running on a host 102 may enact network containment actions at the host 102 based on commands received over the secured connection from the computing system(s) 108 … According to example embodiments of the present disclosure, several aggregated events and/or detected trends occurring together may imply a jointly higher statistical significance than each occurring separately. For example, trends may represent a single aggregated event or any repeated sequence of events that indicates malicious behavior. The analysis component 112 may detect at least some of the plurality of events including any read and write operations, and other operations, as a trend. For example, detected trends may include execution of code exceeding a frequency threshold; reads and/or writes to particular memory addresses; communications from one host to another exceed over a frequency threshold and/or match a particular size; and the like … According to example embodiments of the present disclosure, the analysis component 112 may determine an incident score based on a sum of trend scores for trends detected in the plurality of events. The analysis component 112 may repeat determining the incident score by repeating the summation of trend scores during multiple instances of a predetermined time interval. For instance, if the predetermined time interval is one hour, then at 7 o'clock, the incident score may be a summation of all trend scores over host uptimes from 6:00-7:00. The incident score may or may not indicate that an incident is occurring. For instance, while the incident score is below a threshold score, the analysis component 112 may conclude that an incident is not ongoing, but upon the incident score reaching or exceeding a threshold score, the analysis component 112 may conclude that an incident is ongoing …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Graul into the combined teachings of CHOI-Diehl, because it discloses that, “The analysis module 208 may configure the computing system(s) 200 to further aggregate incident scores to improve summarization of analysis of monitoring information. The analysis module 208 may configure the computing system(s) 200 to determine a fidelity value for each host 102 based at least in part on filtered activity patterns from the detection module 206, a time interval of the observed activity pattern as described above, and a classification of severity level as described above. In the event that a fidelity value is above a predetermined fidelity threshold (which shall subsequently be described as a “positive fidelity value”), a notification may be generated by a visualization module 212 as described below, alerting a human operator to further review the determined fidelity value and basis therefor (Graul, Para [0078])”.
Regarding Claim 15. This claim contains all the same or similar limitations as claim 3, and hence is rejected on the same grounds as claim 3.
Claims 6, 7, 18 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 20220327219 A1 to CHOI et al. (hereinafter “CHOI”) in view of Pub. No.: US 20190205533 A1 to Diehl et al. (hereinafter “Diehl”), as applied to claim 1 above, and further in view of Pub. No.: US 20220060490 A1 to FARSHTEINDIKER et al. (hereinafter “FARSHTEINDIKER”).
Regarding Claim 6. The combination of CHOI-Diehl discloses the monitoring server apparatus according to claim 1; however, it does not explicitly teach, but FARSHTEINDIKER, from the same or similar field of endeavor, teaches:
“further comprising:
a model creation section configured to collect various logs including kernel trace information of the monitored apparatuses before an operation to create a model used to determine whether the monitored apparatuses are in a steady and stable state or experiencing an anomaly using a statistical analysis method, wherein the model created in advance is a model created by the model creation section (FARSHTEINDIKER, Para [0035, 0068]: … The cloud server 102 has security monitoring tools 132 that collect data on the usage of the various physical resources. The data collected from the security monitoring tools 132 is stored in various resource logs 134. The security monitoring tools may include Event Tracing For Windows (ETW) which is a kernel-level tracing facility that monitors kernel or application-defined events to a log file. The kernel-level tracing facility traces events, from a configured start time to an end time, for such events as TCP/UDP events, memory page faults, file I/O events, disk I/O events, thread events, virtual memory allocation, etc. In addition, the security monitoring tools 132 may include agents that collect data from security events, such as login events, process creation, file access, etc. For example, in Azure, there is a Microsoft Monitoring Agent and an OMS Linux agent that collects data from security events. In addition, Microsoft Defender Advanced Threat Protection collects file creation, file deletion, and network events … A system is disclosed having one or more processors; and a memory that stores one or more programs that are configured to be executed by the one or more processors, the one or more programs including instructions that: host an application as a Platform-as-a-Service (PaaS) web service in a virtual machine using virtual resources, the PaaS web service unaware of physical resources associated with the virtual resources; obtain an application usage profile for the PaaS web service, the application usage profile having one or more statistics, a statistic representing normal consumption of a physical resource used by the PaaS web service; monitor runtime usage of a first physical resource during execution of the PaaS web service; correlate the first physical resource to a corresponding virtual resource used during operation of the PaaS web service via a process identifier of the PaaS web service; compare the runtime usage of the first physical resource with a corresponding statistic; and upon the comparison indicating an anomaly, initiate a warning of the anomaly …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of FARSHTEINDIKER into the combined teachings of CHOI-Diehl, because it discloses that, “In one aspect, an application security threat detection module is provided on each virtual machine to monitor the usage behavior of the application's resources in order to detect a security threat. The application security threat detection module resides in kernel space thereby having access to and visibility to the physical resource consumption of the application (FARSHTEINDIKER, Para [0018])”.
Regarding Claim 7. The combination of CHOI-Diehl-FARSHTEINDIKER discloses the monitoring server apparatus according to Claim 6, and FARSHTEINDIKER further discloses, “wherein the model creation section comprises:
a log collection section configured to collect the various logs including the kernel trace information from the monitored apparatuses (FARSHTEINDIKER, Para [0035]: … The cloud server 102 has security monitoring tools 132 that collect data on the usage of the various physical resources. The data collected from the security monitoring tools 132 is stored in various resource logs 134. The security monitoring tools may include Event Tracing For Windows (ETW) which is a kernel-level tracing facility that monitors kernel or application-defined events to a log file. The kernel-level tracing facility traces events, from a configured start time to an end time, for such events as TCP/UDP events, memory page faults, file I/O events, disk I/O events, thread events, virtual memory allocation, etc …); and
a model generation section configured to generate the model using a statistical analysis method on the basis of the various logs (FARSHTEINDIKER, Para [0039-0040]: … Turning to FIG. 2, in one aspect, the application threat detection module 120 generates an application usage profile 206 for a specific application from resource logs of the application. During an initial training period, the resource logs from execution of the application is analyzed to extract resource usage data 202. The resource usage data 202 is then used to generate statistics representing the application's normal resource usage which is stored in an application usage profile 206 … In a second aspect, the application threat detection module 120 extracts resource usage data from all of the customer's resources 204. The resource logs from execution of the various applications of the customer is analyzed to extract usage data of all of the customer's resources. The extracted data is then used to generate statistics representing a customer's typical resource usage which is stored in a customer usage profile 208 …).”
The motivation to further combine FARSHTEINDIKER remains the same as in claim 6.
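The model-creation mechanism quoted from FARSHTEINDIKER for claims 6 and 7 (kernel-level resource logs collected during an initial training period, statistics representing normal consumption stored in a usage profile, runtime usage of a physical resource correlated to the hosted service via a process identifier and compared against the corresponding statistic), as an added worked illustration. This is example code written for this page; it is not code from FARSHTEINDIKER, from the present application, or from any other cited reference. The log records, process identifiers, service names, and the z-score comparison with a limit of three standard deviations are all constructed assumptions.

```python
"""Added illustration for this page (not code from FARSHTEINDIKER or the application):
create a usage profile from training-period resource logs, then compare runtime
usage with the profile and warn on an anomaly."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample resource-log records: (process_id, physical_resource, usage).
# A deployment would obtain these from a kernel-level tracing facility such as ETW.
TRAINING_LOGS = [
    ("pid-1001", "cpu_ms", 120), ("pid-1001", "cpu_ms", 130), ("pid-1001", "cpu_ms", 125),
    ("pid-1001", "net_bytes", 4000), ("pid-1001", "net_bytes", 4200), ("pid-1001", "net_bytes", 3900),
    ("pid-2002", "cpu_ms", 40), ("pid-2002", "cpu_ms", 45), ("pid-2002", "cpu_ms", 42),
    ("pid-9999", "cpu_ms", 700),  # a process that is not a profiled PaaS service
]

# Constructed mapping used to correlate a physical resource to the virtual resource
# (the hosted service) via the process identifier.
PROCESS_TO_SERVICE = {"pid-1001": "web-frontend", "pid-2002": "billing-api"}


def build_usage_profile(logs, process_to_service):
    """Model creation: per (service, resource) mean and population standard
    deviation of the usage observed during the initial training period."""
    samples = defaultdict(list)
    for pid, resource, usage in logs:
        service = process_to_service.get(pid)
        if service is None:
            continue  # log record from a process we do not profile
        samples[(service, resource)].append(usage)
    return {key: (mean(vals), pstdev(vals)) for key, vals in samples.items()}


def check_runtime_usage(profile, process_to_service, pid, resource, usage,
                        z_limit=3.0, min_sigma=1.0):
    """Compare one runtime observation with its stored statistic.
    Returns None when usage is within the normal band, otherwise a warning record."""
    service = process_to_service.get(pid)
    key = (service, resource)
    if key not in profile:
        return {"service": service, "resource": resource, "reason": "no baseline"}
    mu, sigma = profile[key]
    sigma = max(sigma, min_sigma)  # guard against a constant training series
    z = (usage - mu) / sigma
    if abs(z) >= z_limit:
        return {"service": service, "resource": resource,
                "usage": usage, "z_score": round(z, 2), "reason": "anomalous usage"}
    return None


def scan_runtime_logs(profile, process_to_service, runtime_logs):
    """Monitor a batch of runtime records and collect the warnings they raise."""
    warnings = []
    for pid, resource, usage in runtime_logs:
        w = check_runtime_usage(profile, process_to_service, pid, resource, usage)
        if w is not None:
            warnings.append(w)
    return warnings


if __name__ == "__main__":
    profile = build_usage_profile(TRAINING_LOGS, PROCESS_TO_SERVICE)
    # Constructed runtime records: one normal, one CPU spike, one resource without a baseline.
    runtime = [("pid-1001", "cpu_ms", 128), ("pid-2002", "cpu_ms", 900), ("pid-2002", "disk_io", 5)]
    for w in scan_runtime_logs(profile, PROCESS_TO_SERVICE, runtime):
        print("WARNING:", w)
```

The "no baseline" branch matters in practice: a resource that never appeared during training cannot be judged against a statistic, and silently treating it as normal would hide exactly the unfamiliar behaviour a profile is meant to surface.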
Regarding Claim 18. This claim contains all the same or similar limitations as claim 6, and hence is rejected on the same grounds as claim 6.
Regarding Claim 19. This claim contains all the same or similar limitations as claim 7, and hence is rejected on the same grounds as claim 7.
Claims 8, 9, 10, 20, 21, and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 20220327219 A1 to CHOI et al. (hereinafter “CHOI”) in view of Pub. No.: US 20190205533 A1 to Diehl et al. (hereinafter “Diehl”) and further in view of Pub. No.: US 20220060490 A1 to FARSHTEINDIKER et al. (hereinafter “FARSHTEINDIKER”), as applied to claim 7 above, and further in view of Pub. No.: US 20210037035 A1 to Graul (hereinafter “Graul”).
Regarding Claim 8. The combination of CHOI-Diehl-FARSHTEINDIKER discloses the monitoring server apparatus according to Claim 7; however, it does not explicitly teach, but Graul, from the same or similar field of endeavor, teaches, “wherein the log collection section is configured to transmit log setting information to the monitored apparatuses, collect the various logs including the kernel trace information from the monitored apparatuses that have received the log setting information, and determine whether or not the number of the various logs is equal to or greater than a predetermined number or whether or not a predetermined period of time has passed since a start of log collection (Graul, Para [0044, 0054-0057]: … the aggregation component 110 may be operative to, based on observed activity patterns received from kernel-level security agents of a host 102, aggregate a series of events over host uptime from the observed activity patterns. A plurality of aggregated events over host uptime may summarize the observed activity patterns as a time series of data, each event being a data entry which aggregates activity patterns over a discrete period of host uptime which may follow some number of preceding events and which may precede some number of subsequent events. Events aggregated in this manner may be equal in host uptime duration or may not be equal in host uptime duration; for example, an event may encompass a longer host uptime period in the event that activity patterns are low in activity over that period, and an event may encompass a shorter host uptime period in the event that observed activity patterns are high in activity over that period. In this manner, activity pattern information having less security interest may be condensed, and activity pattern information having greater security interest may be highlighted … According to example embodiments of the present disclosure, the analysis component 112 may determine an incident score based on a sum of trend scores for trends detected in the plurality of events. The analysis component 112 may repeat determining the incident score by repeating the summation of trend scores during multiple instances of a predetermined time interval. For instance, if the predetermined time interval is one hour, then at 7 o'clock, the incident score may be a summation of all trend scores over host uptimes from 6:00-7:00. The incident score may or may not indicate that an incident is occurring. For instance, while the incident score is below a threshold score, the analysis component 112 may conclude that an incident is not ongoing, but upon the incident score reaching or exceeding a threshold score, the analysis component 112 may conclude that an incident is ongoing. …).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Graul into the combined teachings of CHOI-Diehl-FARSHTEINDIKER, because it discloses that, “The analysis module 208 may configure the computing system(s) 200 to further aggregate incident scores to improve summarization of analysis of monitoring information. The analysis module 208 may configure the computing system(s) 200 to determine a fidelity value for each host 102 based at least in part on filtered activity patterns from the detection module 206, a time interval of the observed activity pattern as described above, and a classification of severity level as described above. In the event that a fidelity value is above a predetermined fidelity threshold (which shall subsequently be described as a “positive fidelity value”), a notification may be generated by a visualization module 212 as described below, alerting a human operator to further review the determined fidelity value and basis therefor (Graul, Para [0078])”.
Regarding Claim 9. The combination of CHOI-Diehl-FARSHTEINDIKER discloses the monitoring server apparatus according to Claim 7; however, it does not explicitly teach, but Graul, from the same or similar field of endeavor, teaches, “wherein the model generation section is configured to extract features on the basis of the various logs, perform correlation analysis to narrow down the features to feature strongly correlated with kernel operation, perform multivariate analysis to calculate anomaly scores using kernel trace information in the various logs as a target variable and logs related to the selected feature as explanatory variable, construct a model that shows how the anomaly scores change over time, and set a threshold for the anomaly scores in the model (Graul, Para [0044-0045, 0054-0057, 0096, 0159], FIG. 1: … The aggregation component 110 may be operative to, based on observed activity patterns received from kernel-level security agents of a host 102, aggregate a series of events over host uptime from the observed activity patterns. A plurality of aggregated events over host uptime may summarize the observed activity patterns as a time series of data, each event being a data entry which aggregates activity patterns over a discrete period of host uptime which may follow some number of preceding events and which may precede some number of subsequent events. Events aggregated in this manner may be equal in host uptime duration or may not be equal in host uptime duration; for example, an event may encompass a longer host uptime period in the event that activity patterns are low in activity over that period, and an event may encompass a shorter host uptime period in the event that observed activity patterns are high in activity over that period. In this manner, activity pattern information having less security interest may be condensed, and activity pattern information having greater security interest may be highlighted … Additionally, the aggregation component 110 may gather enrichment data from various sources as context to aggregate observed activity patterns as events. For example, enrichment data may include information regarding startup, shutdown, and restart times of a host 102. Based thereon, the aggregation component 110 may aggregate events separately based on observed activity patterns following a startup, observed activity patterns following a restart, observed activity patterns preceding a restart, observed activity patterns preceding a shutdown, and the like … The analysis component 112 may create an incident, where an incident may be represented by a data record including a start time and an end time for an incident timespan. A newly created incident may be in an open state from a start time onward while one or more incident scores of ongoing events reach or exceed a predetermined score threshold (which shall subsequently be referred to as a “positive incident score”), and the incident timespan may increase while the incident is in an open state. Upon one or more incident scores of ongoing events falling below the incident score falls below the predetermined score threshold (which shall subsequently be referred to as a “negative incident score”), an end time of the incident may be demarcated and the incident set to a closed state so that the incident timespan no longer increases. During an intervening time while the incident is in an open state, the analysis component 112 may update a data record representing an incident to include newly detected trends and changed incident scores … Moreover, the computing system may display the one or more notification(s) based on changes in a ranked incident scoring as described above. For example, a change in a ranked incident scoring may be an incident newly being ranked in a predetermined number of incidents having highest incident scores (e.g., top 10 or top 5) occurring within a predetermined time period (e.g., within 24 hours)…).”
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Graul into the combined teachings of CHOI-Diehl-FARSHTEINDIKER, because it discloses that, “The analysis module 208 may configure the computing system(s) 200 to further aggregate incident scores to improve summarization of analysis of monitoring information. The analysis module 208 may configure the computing system(s) 200 to determine a fidelity value for each host 102 based at least in part on filtered activity patterns from the detection module 206, a time interval of the observed activity pattern as described above, and a classification of severity level as described above. In the event that a fidelity value is above a predetermined fidelity threshold (which shall subsequently be described as a “positive fidelity value”), a notification may be generated by a visualization module 212 as described below, alerting a human operator to further review the determined fidelity value and basis therefor (Graul, Para [0078])”.
Regarding Claim 10. The combination of CHOI-Diehl-FARSHTEINDIKER-Graul discloses the monitoring server apparatus according to Claim 9, and Graul further discloses, “wherein the model generation section is further configured to verify the model in which the threshold has been set by preparing a dataset containing both normal and abnormal data in advance, evaluating whether the number of samples correctly determined to be the normal data or the abnormal data is equal to or greater than a preset number, and evaluating whether a difference between a maximum peak value of the model and the threshold is within a preset numerical range (Graul, Para [0047, 0050, 0060, 0082, 0101, 0159]: … The analysis component 112 may detect trends from events summarized in the plurality of events. Trends may be detected based on any one or more predetermined criteria to identify detected events that indicates that one or more events of the plurality of events may indicate suspicious and/or potentially malicious activity was occurring over a period of host uptime encompassed by the one or more events. The one or more predetermined criteria may include, but is not limited to, a predetermined number of repeated sequence(s) of events, any processes performed by detection module 206 and analysis component 112 to determine trends of detected events, trends of known malicious activity, and trends of statistical significance including incident scores graph and graph of mapping score to range as shall be described subsequently … The analysis component 112 may determine a trend distribution of the frequency of each trend, in which the trend frequencies are sorted from highest frequency to lowest frequency. For example, trends may be scored over individual hosts, across a networked system, across a geographic area, and the like. The analysis component 112 may score trends based on frequency distributions, which may be correlated with statistical significance of information conveyed by the occurrence of the trends. For instance, trends that occur frequently may correlate with information having lower security interest, while conversely trends that occur infrequently may correlate with information having higher security interest. In various examples, the base trend score for an associated trend type may be inversely correlated with its frequency. For instance, a first trend that occurs frequently may have a low trend score, while a second trend that occurs infrequently may have a high trend score … according to an example embodiment of the present disclosure, the visualization component 114 may generate a ranked incident scoring 116 and generate a visualization 118 thereof. The scoring 116 may present a predetermined number of incidents having highest incident scores (e.g., top 10 or top 5) occurring within a predetermined time period (e.g., within 24 hours). The visualization 118 may present a time series graph representing the scoring 116 to provide visual aid to permit a human operator to view incidents most likely indicating malicious behavior. The example time series graph may present additional information, including time interval of each incident and trends having high trend scores … Moreover, the visualization module 212 may configure the computing system(s) 200 to display the one or more notification(s) based on changes in a ranked incident scoring as described above. For example, a change in a ranked incident scoring may be an incident newly being ranked in a predetermined number of incidents having highest incident scores (e.g., top 10 or top 5) occurring within a predetermined time period (e.g., within 24 hours) …)”.
The motivation to further combine Graul remains the same as in claim 9.
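The incident-scoring mechanism quoted from Graul in the rejections of claims 3, 8 and 9 (trend scores inversely related to trend frequency, summed over each predetermined interval of host uptime, compared with a threshold to open and close an incident record with a start and end time), together with the model-verification step recited in claim 10, as an added worked illustration. This is example code written for this page; it is not code from Graul, from the present application, or from any other cited reference. The trend types, uptimes, threshold and labelled scores are constructed sample values, and the inverse-frequency scoring rule (max_score divided by the trend's count) is an assumed concrete form of the "inversely correlated with its frequency" relationship Graul describes.

```python
"""Added illustration for this page (not code from Graul or the application):
frequency-based trend scores, incident scores summed per predetermined interval of
host uptime, incident records opened and closed against a threshold, and a
claim-10-style verification of the threshold on a labelled dataset."""
from collections import Counter, defaultdict

INTERVAL = 3600  # predetermined time interval: one hour of host uptime, in seconds

# Constructed aggregated events: (host_uptime_seconds, detected_trend_type).
EVENTS = [
    (120, "file_write"), (900, "file_write"), (2400, "file_write"),
    (3700, "file_write"), (3800, "exec_freq_exceeded"), (4100, "net_burst"), (6000, "file_write"),
    (7300, "exec_freq_exceeded"), (7900, "net_burst"), (9000, "file_write"),
    (11000, "file_write"),
]


def base_trend_scores(events, max_score=10.0):
    """Assumed concrete form of 'score inversely correlated with frequency':
    a trend seen once scores max_score, a trend seen n times scores max_score / n."""
    counts = Counter(trend for _, trend in events)
    return {trend: max_score / n for trend, n in counts.items()}


def incident_scores(events, trend_scores, interval=INTERVAL):
    """Sum the trend scores of all events falling in each interval of host uptime."""
    per_window = defaultdict(float)
    for uptime, trend in events:
        per_window[uptime // interval] += trend_scores[trend]
    return dict(per_window)  # window index -> incident score


def build_incidents(scores, threshold, interval=INTERVAL):
    """Open an incident record when a window's score reaches or exceeds the threshold
    and close it (fixing the end time) once the score falls below it again."""
    incidents, open_start = [], None
    if not scores:
        return incidents
    for window in range(min(scores), max(scores) + 1):
        score = scores.get(window, 0.0)  # windows with no events score zero
        if score >= threshold and open_start is None:
            open_start = window * interval
        elif score < threshold and open_start is not None:
            incidents.append({"start": open_start, "end": window * interval, "state": "closed"})
            open_start = None
    if open_start is not None:  # still ongoing at the end of the data
        incidents.append({"start": open_start, "end": None, "state": "open"})
    return incidents


def verify_threshold(labelled_scores, threshold, min_correct, peak_gap_range):
    """Verification of a model with a set threshold, in the manner claim 10 recites:
    labelled_scores is a list of (score, is_abnormal) pairs prepared in advance.
    Checks that at least min_correct samples are classified correctly and that the
    distance from the model's peak score to the threshold lies within peak_gap_range."""
    correct = sum(1 for score, abnormal in labelled_scores
                  if (score >= threshold) == abnormal)
    peak_gap = max(score for score, _ in labelled_scores) - threshold
    low, high = peak_gap_range
    return {"correct": correct, "enough_correct": correct >= min_correct,
            "peak_gap": peak_gap, "gap_in_range": low <= peak_gap <= high}


if __name__ == "__main__":
    trend_scores = base_trend_scores(EVENTS)
    scores = incident_scores(EVENTS, trend_scores)
    print("trend scores:", trend_scores)
    print("incident scores per hour:", scores)
    print("incidents at threshold 10:", build_incidents(scores, 10.0))
    # Constructed labelled dataset of hourly incident scores for verification.
    labelled = [(4.3, False), (12.9, True), (11.4, True), (1.4, False), (9.0, False)]
    print("verification:", verify_threshold(labelled, 10.0, min_correct=4, peak_gap_range=(0.5, 5.0)))
```

With the constructed events, the two rare trend types score 5.0 each and the common file-write trend scores 10/7, so the hourly incident score crosses the threshold of 10 in hours 1 and 2 and a single closed incident spanning 3600 to 10800 seconds of uptime results. The peak-gap check in `verify_threshold` is what keeps a threshold from being set so close to the model's maximum that ordinary variance would trip it, or so far above it that no incident ever opens.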
Regarding Claim 20. This claim contains all the same or similar limitations as claim 8, and hence is rejected on the same grounds as claim 8.
Regarding Claim 21. This claim contains all the same or similar limitations as claim 9, and hence is rejected on the same grounds as claim 9.
Regarding Claim 22. This claim contains all the same or similar limitations as claim 10, and hence is rejected on the same grounds as claim 10.
Allowable Subject Matter
Claims 4, 5, 16 and 17 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. In addition, all the rejections of these claims must be overcome.
As allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with. See 37 CFR 1.111(b) and MPEP § 707.07(a).
Reasons for allowance will be furnished upon allowance.
Pertinent Prior Art
The following prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20190303562 A1; MASPUTRA et al.: MASPUTRA discloses methods and apparatus for efficient data transfer within a user space network stack. Unlike prior art monolithic networking stacks, the exemplary networking stack architecture described hereinafter includes various components that span multiple domains (both in-kernel, and non-kernel). For example, unlike traditional “socket” based communication, disclosed embodiments can transfer data directly between the kernel and user space domains. Direct transfer reduces the per-byte and per-packet costs relative to socket based communication. A user space networking stack is disclosed that enables extensible, cross-platform-capable, user space control of the networking protocol stack functionality. The user space networking stack facilitates tighter integration between the protocol layers (including TLS) and the application or daemon. Exemplary systems can support multiple networking protocol stack instances (including an in-kernel traditional network stack).
US 20190042730 A1; Yamada et al.: Yamada discloses that a heuristic event counter in a processor has triggered a performance monitoring interrupt (PMI) when the processor was executing a target program in user mode, and after the processor has switched to kernel mode in response to the PMI, a heuristic event handler automatically performs preliminary analysis in kernel mode, without switching back to user mode, to determine whether heavyweight code analysis is warranted. The preliminary analysis comprises (a) obtaining an instruction pointer (IP) for the target program from a last branch record (LBR) buffer in the processor, (b) using transaction hardware in the processor to determine whether the IP from the LBR buffer points to a readable page in memory, and (c) determining that heavyweight code analysis is not warranted in response to a determination that the page pointed to by the IP from the LBR buffer is not readable. Other embodiments are described and claimed.
US 12375573 B1; Nanduri et al.: Nanduri discloses systems and methods that monitor a cloud compute environment. An example method includes: opening, by an agent deployed in a cloud environment, a communication channel between the agent and a kernel of an operating system of a node within the cloud environment; determining, by the agent and via the communication channel, an event associated with a namespace of the operating system; determining, by the agent and based on the event, a status of a container associated with the node; and providing, by the agent to a data platform, a message indicative of the status of the container.
US 20200396147 A1; Han et al.: Han discloses that a computer may compare values of at least one performance metric for access points in appropriate contexts to determine one or more temporal anomalies and/or one or more spatial anomalies for one or more of the access points. Then, the computer may generate one or more temporal anomaly events based at least in part on the one or more temporal anomalies and one or more spatial anomaly events based at least in part on the one or more spatial anomalies. Next, the computer may calculate one or more complex events based at least in part on two or more of the different anomalies. Moreover, the computer may evaluate the different anomalies, anomaly events and/or complex events to determine one or more insights about a problem in the network. Furthermore, the computer may perform a remedial action.
US 20230177152 A1; LEE et al.: LEE discloses a method for performing machine learning-based observation level measurement using a server system log and performing risk calculation using the same, including: a log preprocessing step; a log file linkage step of processing a log file to store the log file in a HDFS, and linking the processed log file to a big data storage; a feature value extraction step of requesting an inquiry of a raw log, and extracting a feature value for a normal behavior from the inquired raw log; a model training step of normalizing the extracted feature value to level a baseline value for the normal behavior, and training a machine learning model based on the leveled baseline value; and a risk calculation step of determining, when a log that violates the leveled baseline value is detected, that an abnormal behavior is detected so as to calculate a risk for the detected abnormal behavior.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED whose telephone number is (571)272-0364. The examiner can normally be reached 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ali Shayanfar can be reached on 571-270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MAHABUB S AHMED/Examiner, Art Unit 2434
/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434