Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This communication is responsive to the application filed on October 30, 2018.
Information Disclosure Statement filed on October 30, 2018 has been considered by the examiner.
Claims 1-19 are pending.

Allowable Subject Matter
Claim 13 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-11 and 14-19 are rejected under 35 U.S.C. 103 as being unpatentable over Huang et al. US Publication No. 2014/0344622 A1 in view of Mihelich et al. US Publication No. 2015/0281007 A1.


As per claim 1, Huang, discloses:
A web traffic logging system comprising: 
a log setting unit which performs setting for collecting log from at least one of a web server and a web server operating system; a log gathering unit which creates log information including the log collected in accordance with the setting, (Huang, [0027] and [0028]) where the stream of log data is received and where the log data is received from software and infrastructure component of the computing system
Huang does not specifically disclose:
a log transmitting unit which transmits the log information to a cloud server.
However, Mihelich discloses:
a log transmitting unit which transmits the log information to a cloud server, (Mihelich, [0031]) where the traffic collector collects traffic information from a cloud-based traffic log and network security devices store traffic logs in a cloud-based traffic log service. 
Therefore, it would have been obvious before the effective filing date of the claimed invention to modify the teaching of Huang by teaching of Mihelich to be able to transmit the log information on a cloud server.

As per claim 14, Huang discloses:
A web traffic logging method for detecting web hacking in real time in a web traffic logging system comprising: 
a step of performing setting for collecting log; a step of creating log information including the log collected in accordance with the setting, (Huang, [0027] and [0028]) where the stream of log data is received and where the log data is received from software and infrastructure component of the computing system. 
Huang does not specifically disclose:
a step of transmitting the log information to a cloud server.
However, Mihelich discloses:
a step of transmitting the log information to a cloud server, (Mihelich, [0031]) where the traffic collector collects traffic information from a cloud-based traffic log and network security devices store traffic logs in a cloud-based traffic log service. 
Therefore, it would have been obvious before the effective filing date of the claimed invention to modify the teaching of Huang by teaching of Mihelich to be able to transmit the log information on a cloud server.

As per claims 2 and 16, Huang further discloses:
wherein the cloud server includes a log decomposing unit which decomposes the log information by field, a fingerprint creating unit which creates fingerprints by field, and a detection unit which creates detection information including a source IP address when there is an attack fingerprint corresponding to a fingerprint included in a blacklist of the fingerprints, (Huang, [0029]-[0030] and [0055]).


As per claims 3 and 17, Huang further discloses:
wherein the fingerprint is information obtained by converting a word included in the log information into conversion characters predetermined in correspondence with the word and field including the word, and converting a numeric column included in the log information into conversion characters predetermined in correspondence with all numerals, (Huang, [0029]-[0030]).



As per claims 4 and 18, Huang further discloses:
wherein the detection unit detects attack corresponding to the log information through signature-based attack detecting when there is no attack fingerprint corresponding to a fingerprint included in a blacklist of the fingerprints, (Huang, [0063]).

As per claims 5 and 15, Huang does not specifically disclose:
wherein the log setting unit performs setting for collecting log including data transmitted through Post-Body and Response-Body, and collecting log including one or more of program operation location, program execution information, program execution target type, program execution subject, program full path, and program information,
However, Mihelich discloses:
wherein the log setting unit performs setting for collecting log including data transmitted through Post-Body and Response-Body, and collecting log including one or more of program operation location, program execution information, program execution target type, program execution subject, program full path, and program information, (Mihelich, [0069], [0071], [0080], and [0258]) where it discloses analyzing identification of an HTTP IP destination by extracting an HTTP record from traffic log, which a script performs a PTR check that performs an HTTP request and response.
Therefore, it would have been obvious before the effective filing date of the claimed invention to modify the teaching of Huang by adding features of Mihelich for collecting log of data transmitted through HTTP response header and body.



As per claim 6, Huang further discloses:
wherein the web traffic logging system is embedded in a web server program, performs log setting for creation of log generated in at least one of a web server or an operating system of the web server, creates and gathers log in accordance with the log setting, and transmits the created log information to the cloud server, (Huang, [0019] and [0027]).

As per claim 7, Huang does not specifically disclose:
wherein the web traffic logging system includes a module which collects a request and a response of HTTP/HTTPS protocol generated in communication between a client and the web server independently from the program of the web server, and transmits created Post-Body and Response-Body log information to the cloud server,
However, Mihelich discloses:
wherein the web traffic logging system includes a module which collects a request and a response of HTTP/HTTPS protocol generated in communication between a client and the web server independently from the program of the web server, and transmits created Post-Body and Response-Body log information to the cloud server, (Mihelich, [0031], [0069], [0071], [0080], and [0258]) where the traffic collector collects network traffic information from a cloud-based traffic log, and network security devices storing traffic logs in a cloud-based traffic log service and where it discloses analyzing identification of an HTTP IP destination by extracting an HTTP record from traffic log, which a script performs a PTR check that performs an HTTP request and response.
Therefore, it would have been obvious before the effective filing date of the claimed invention to modify the teaching of Huang by adding features of Mihelich for collecting log of data transmitted through HTTP response header and body.

As per claim 8, Huang does not specifically disclose:
wherein the web traffic logging system includes a reverse proxy server which is positioned at the middle in the course of transmitting traffic to the web server in response to a request of a client, first receives the request of the client, and then transmits the traffic to the web server again, and the web traffic logging system collects a request and a response of HTTP/HTTPS protocol generated in communication between a client and the web server, and transmits created Post-Body and Response-Body log information to the cloud server.
However, Mihelich discloses:
wherein the web traffic logging system includes a reverse proxy server which is positioned at the middle in the course of transmitting traffic to the web server in response to a request of a client, first receives the request of the client, and then transmits the traffic to the web server again, and the web traffic logging system collects a request and a response of HTTP/HTTPS protocol generated in communication between a client and the web server, and transmits created Post-Body and Response-Body log information to the cloud server, (Mihelich, [0026], [0069], [0071], [0080], and [0258]) where the network security device performs network firewalling which can be the proxy as claimed and where the traffic collector collects network traffic information from a cloud-based traffic log, and network security devices storing traffic logs in a cloud-based traffic log service and where it discloses analyzing identification of an HTTP IP destination by extracting an HTTP record from traffic log, which a script performs a PTR check that performs an HTTP request and response.
Therefore, it would have been obvious before the effective filing date of the claimed invention to modify the teaching of Huang by adding features of Mihelich for collecting log of data transmitted through HTTP response header and body.

As per claim 9, Huang does not specifically disclose:
wherein the web traffic logging system gathers traffic between a client and the web server in a separate web traffic logging server by using port mirroring, collects a request and a response of HTTP/HTTPS protocol, and transmits created Post-Body and Response-Body log information to the cloud server.
However, Mihelich discloses:
wherein the web traffic logging system gathers traffic between a client and the web server in a separate web traffic logging server by using port mirroring, collects a request and a response of HTTP/HTTPS protocol, and transmits created Post-Body and Response-Body log information to the cloud server, (Mihelich, [0031] and [0080]) where the traffic collector collects network traffic information from a cloud-based traffic log, and network security devices storing traffic logs in a cloud-based traffic log service.
Therefore, it would have been obvious before the effective filing date of the claimed invention to modify the teaching of Huang by teaching of Mihelich to gather traffic information between client and server and transmit them to a cloud-based server.

As per claim 10, Huang discloses:
wherein the log setting unit provides setting to convert sensitive data preset in accordance with security principles into special characters such as asterisk (*) or encrypt the data, and provides setting of monitoring the sensitive data in advance and detecting and recommending sensitive data in advance to prevent the sensitive data from being stored as plaintext, 
Therefore, it would have been obvious before the effective filing date of the claimed invention to modify the teaching of Huang by teaching of Mihelich, to convert, encrypt, or create a hash value of a sensitive data for security purposes.

As per claim 11, Huang does not specifically disclose:
wherein the log gathering unit converts sensitive data preset in accordance with security principles into special characters such as asterisk (*) or encrypts the data, selects sensitive data by a sensitive data recommendation system in accordance with the setting of the log setting unit, and records the data in a separate file.
However, Mihelich discloses:
wherein the log gathering unit converts sensitive data preset in accordance with security principles into special characters such as asterisk (*) or encrypts the data, selects sensitive data by a sensitive data recommendation system in accordance with the setting of the log setting unit, and records the data in a separate file, (Huang, [0030] and [0058]) where the sketch of the log message is generated using scoring function and a hash function and calculates a 32-bit integer of a word which the sketch includes a 32-bit fingerprint. The log index includes a hash table for mapping a fingerprint value to the sketch.
Therefore, it would have been obvious before the effective filing date of the claimed invention to modify the teaching of Huang by teaching of Mihelich, to convert, encrypt, or create a hash value of a sensitive data for security purposes.


As per claim 19, Huang does not specifically disclose:
the web traffic logging system includes a module which collects a request and a response of HTTP/HTTPS protocol generated in communication between a client and the web server independently from the program of the web server, includes a reverse proxy server which is positioned at the middle in the course of transmitting traffic to the web server in response to a request of a client, first receives the request of the client, and then transmits the traffic to the web server again, or includes a web traffic logging server which gathers traffic between a client and the web server in a separate web traffic logging server by using port mirroring, and the web traffic logging system collects a request and a response of HTTP/HTTPS protocol, and creates Post-Body and Response-Body log, (Mihelich, [0026], [0069], [0071], [0080], and [0258]) where the network security device performs network firewalling which can be the proxy as claimed and where the traffic collector collects network traffic information from a cloud-based traffic log, and network security devices storing traffic logs in a cloud-based traffic log service and where it discloses analyzing identification of an HTTP IP destination by extracting an HTTP record from traffic log, which a script performs a PTR check that performs an HTTP request and response and (Mihelich, [0031] and [0080]) where the traffic collector collects network traffic information from a cloud-based traffic log, and network security devices storing traffic logs in a cloud-based traffic log service.
Therefore, it would have been obvious before the effective filing date of the claimed invention to modify the teaching of Huang by adding features of Mihelich for collecting log of data transmitted through HTTP response header and body.




  
Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Huang et al. US Publication No. 2014/0344622 A1 in view of Mihelich et al. US Publication No. 2015/0281007 A1 and in further view of Staats et al. US Publication No. 2011/0004937 A1.

As per claim 12, neither Huang nor Mihelich specifically disclose:
wherein the log gathering unit supports normal plaintext analysis in case of HTTP, and the log gathering unit converts ciphertext into plaintext by using a web server certification and a private key (secret key) and stores log in case of HTTPS, in accordance with the setting of protocol of log setting unit.
However, Staats discloses:
wherein the log gathering unit supports normal plaintext analysis in case of HTTP, and the log gathering unit converts ciphertext into plaintext by using a web server certification and a private key (secret key) and stores log in case of HTTPS, in accordance with the setting of protocol of log setting unit, (Staats, [0083]) where the logger manager receives log information from the device which can be compressed and encrypted.
Therefore, it would have been obvious before the effective filing date of the claimed invention to modify the teaching of Huang and Mihelich with the teaching of Staats to convert data to different formats, encrypt data, or compress data for security purposes.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form 892.




Any inquiry concerning this communication or earlier communications from the examiner should be directed to ARVIN ESKANDARNIA whose telephone number is (571)270-3205.  The examiner can normally be reached on 7:30am-5pm M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian Gillis can be reached on 571-272-7952.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/ARVIN ESKANDARNIA/             Primary Patent Examiner, Art Unit 2446