DETAILED ACTION
This Office action is in response to a non-provisional utility patent application filed by Applicant on 9/5/2019.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement PTO-1449
The Information Disclosure Statements submitted by applicant on 9/28/2020 and 5/26/2021 have been considered. The submission is in compliance with the provisions of 37 CFR § 1.97. Form PTO-1449 is signed and attached hereto.

Claim Objections
Claims 1-2, 5-7, 10-12 and 15 are objected to because of the following informalities: Applicant recites the term “web blog”, which appears to be referencing the HTTP web server log. In the specification, Applicant appears to be using the terms “web blog” and “web log” interchangeably. While Examiner recognizes that, per regulations, Applicant can “be their own lexicographer”, the two terms have distinctly different meanings in the art. To an ordinary practitioner, a web blog is user content, usually in narrative text form, published on a public facing web site for a general reading audience. However, a web log is a repository of network metadata used to facilitate the functioning and management of network devices. Examiner requests that Applicant amend all instances in the claims of “web blog” to read “web log”, since the recited “web blog” has a different meaning in the art than the one Examiner believes Applicant intends. Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 6, 11 are rejected under 35 U.S.C. 103 as being unpatentable over Smith (U.S. Pat. App. Pub. 2016/0129406 A1) in view of Prakash (U.S. Pat. 7,613,815 B1).
Regarding claim 1, Smith discloses: a method for analyzing a cyber attack, comprising: acquiring a web blog of a server (web server access log files are received containing a history of object requests. Smith para. 0017.), the web blog of the server comprising: a hypertext transfer protocol request received by the server (received access log files contain a history of object requests. Smith para. 0017.), and detecting whether the hypertext transfer protocol request in the web blog is offensive, to obtain a detection result of the hypertext transfer protocol request (the log files are read and analyzed to determine if any of the requests are potentially related to an attack on the network. Smith para. 0018. Tests are run and a determination result is made as to whether the addresses associated with the requests are associated with bots. Smith para. 0026.), and storing the hypertext transfer protocol request (top requests are added to a request list for data analysis and compared with all other requests. Smith para. 0018.), the detection result of the hypertext transfer protocol request (addresses from requests that are determined to be associated with attacks can dynamically be added to a bad list. Smith para. 0058.).
Smith does not disclose: the web blog of the server comprising a data portion extracted from a response of hypertext transfer protocol corresponding to the hypertext transfer protocol request; storing the extracted data portion correspondingly.
However, Prakash does disclose: the web blog of the server comprising a data portion extracted from a response of hypertext transfer protocol corresponding to the hypertext transfer protocol request (information logged includes fields that are found in requests from clients and responses from servers. Prakash col. 3, ll. 17-21.); storing the extracted data portion correspondingly (field data is stored in memory with relative position and length information in each field. Prakash col. 3, ll. 41-47.).
Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the identifying network attacks based upon patterns found in data collected in the network log files of Smith with the collection and storage of response data based upon the teachings of Prakash. The motivation would be to customize logging of network flow data to validate for correctness of the appropriate log control structures. Prakash col. 3, ll. 17-47.
Regarding claim 6, Smith discloses: an apparatus for analyzing a cyber attack, comprising: at least one processor; and a memory storing instructions, wherein the instructions when executed by the at least one processor, cause the at least one processor to perform operations, the operations comprising: acquiring a web blog of a server (web server access log files are received containing a history of object requests. Smith para. 0017.), the web blog of the server comprising: a hypertext transfer protocol request received by the server (received access log files contain a history of object requests. Smith para. 0017.), and detecting whether the hypertext transfer protocol request in the web blog is offensive, to obtain a detection result of the hypertext transfer protocol request (the log files are read and analyzed to determine if any of the requests are potentially related to an attack on the network. Smith para. 0018. Tests are run and a determination result is made as to whether the addresses associated with the requests are associated with bots. Smith para. 0026.), and storing the hypertext transfer protocol request (top requests are added to a request list for data analysis and compared with all other requests. Smith para. 0018.), the detection result of the hypertext transfer protocol request, and the extracted data portion correspondingly (addresses from requests that are determined to be associated with attacks can dynamically be added to a bad list. Smith para. 0058.).  
Smith does not disclose: the web blog of the server comprising a data portion extracted from a response of hypertext transfer protocol corresponding to the hypertext transfer protocol request; storing the extracted data portion correspondingly.
However, Prakash does disclose: the web blog of the server comprising a data portion extracted from a response of hypertext transfer protocol corresponding to the hypertext transfer protocol request (information logged includes fields that are found in requests from clients and responses from servers. Prakash col. 3, ll. 17-21.); storing the extracted data portion correspondingly (field data is stored in memory with relative position and length information in each field. Prakash col. 3, ll. 41-47.).
Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the identifying network attacks based upon patterns found in data collected in the network log files of Smith with the collection and storage of response data based upon the teachings of Prakash. The motivation would be to customize logging of network flow data to validate for correctness of the appropriate log control structures. Prakash col. 3, ll. 17-47.
Regarding claim 11, Smith discloses: a non-transitory computer readable medium, storing a computer program thereon, wherein the computer program, when executed by a processor, causes the processor to perform operations, the operations comprising: acquiring a web blog of a server (web server access log files are received containing a history of object requests. Smith para. 0017.), the web blog of the server comprising: a hypertext transfer protocol request received by the server (received access log files contain a history of object requests. Smith para. 0017.), and detecting whether the hypertext transfer protocol request in the web blog is offensive, to obtain a detection result of the hypertext transfer protocol request (the log files are read and analyzed to determine if any of the requests are potentially related to an attack on the network. Smith para. 0018. Tests are run and a determination result is made as to whether the addresses associated with the requests are associated with bots. Smith para. 0026.), and storing the hypertext transfer protocol request (top requests are added to a request list for data analysis and compared with all other requests. Smith para. 0018.), the detection result of the hypertext transfer protocol request (addresses from requests that are determined to be associated with attacks can dynamically be added to a bad list. Smith para. 0058.).  
Smith does not disclose: the web blog of the server comprising a data portion extracted from a response of hypertext transfer protocol corresponding to the hypertext transfer protocol request; storing the extracted data portion correspondingly.
However, Prakash does disclose: the web blog of the server comprising a data portion extracted from a response of hypertext transfer protocol corresponding to the hypertext transfer protocol request (information logged includes fields that are found in requests from clients and responses from servers. Prakash col. 3, ll. 17-21.); storing the extracted data portion correspondingly (field data is stored in memory with relative position and length information in each field. Prakash col. 3, ll. 41-47.).
Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the identifying network attacks based upon patterns found in data collected in the network log files of Smith with the collection and storage of response data based upon the teachings of Prakash. The motivation would be to customize logging of network flow data to validate for correctness of the appropriate log control structures. Prakash col. 3, ll. 17-47.

Claims 2, 7, 12 are rejected under 35 U.S.C. 103 as being unpatentable over Smith in view of Prakash in view of Bowen (U.S. Pat. 10,171,495 B1).
Regarding claim 2, Smith in view of Prakash disclose the limitations of claim 1. Smith in view of Prakash does not disclose: wherein the detecting whether the hypertext transfer protocol request in the web blog is offensive, to obtain a detection result of the hypertext transfer protocol request comprises: calculating, in response to the hypertext transfer protocol request matching at least one attack rule template, a score corresponding to the hypertext transfer protocol request, the score corresponding to the hypertext transfer protocol request being a sum of a score corresponding to each attack rule template matching the hypertext transfer protocol request, the score corresponding to each attack rule template indicating a hazard level of an attack approach corresponding to the attack rule template on a system; and obtaining the detection result of the hypertext transfer protocol request based on the score corresponding to the hypertext transfer protocol request.
However, Bowen does disclose: wherein the detecting whether the hypertext transfer protocol request in the web blog is offensive, to obtain a detection result of the hypertext transfer protocol request comprises: calculating, in response to the hypertext transfer protocol request matching at least one attack rule template (probability score is calculated for the matching of the request with a signature. Bowen col. 10, ll. 54-64.), a score corresponding to the hypertext transfer protocol request, the score corresponding to the hypertext transfer protocol request being a sum of a score corresponding to each attack rule template matching the hypertext transfer protocol request (for instances where the request matches, or partially matches signatures, an overall score can be determined based on the probability scores for the matching signature and the relative similarities. Bowen col. 10, ll. 58-67.), the score corresponding to each attack rule template indicating a hazard level of an attack approach corresponding to the attack rule template on a system; and obtaining the detection result of the hypertext transfer protocol request based on the score corresponding to the hypertext transfer protocol request (the score is compared against a probability threshold to determine whether the score meets or exceeds the threshold. Bowen col. 11, ll. 4-9. Appropriate action can be taken based upon the resulting probability score such that the request is flagged as suspicious or determined to likely be invalid. Bowen col. 11, ll. 4-26.).  
Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the identifying network attacks based upon patterns found in data collected in the network log files of Smith with calculating a score based upon matching web requests with rule templates and combining scores with each matching template based upon the teachings of Bowen. The motivation would be to use request parameters to determine the security of received web requests and update model signatures based upon received data. Bowen col. 10, ll. 12-36.
Regarding claim 7, Smith in view of Prakash disclose the limitations of claim 6. Smith in view of Prakash does not disclose: wherein the detecting whether the hypertext transfer protocol request in the web blog is offensive, to obtain a detection result of the hypertext transfer protocol request comprises: calculating, in response to the hypertext transfer protocol request matching at least one attack rule template, a score corresponding to the hypertext transfer protocol request, the score corresponding to the hypertext transfer protocol request being a sum of a score corresponding to each attack rule template matching the hypertext transfer protocol request, the score corresponding to each attack rule template indicating a hazard level of an attack approach corresponding to the attack rule template on a system; and obtain the detection result of the hypertext transfer protocol request based on the score corresponding to the hypertext transfer protocol request.
However, Bowen does disclose: wherein the detecting whether the hypertext transfer protocol request in the web blog is offensive, to obtain a detection result of the hypertext transfer protocol request comprises: calculating, in response to the hypertext transfer protocol request matching at least one attack rule template (probability score is calculated for the matching of the request with a signature. Bowen col. 10, ll. 54-64.), a score corresponding to the hypertext transfer protocol request, the score corresponding to the hypertext transfer protocol request being a sum of a score corresponding to each attack rule template matching the hypertext transfer protocol request (for instances where the request matches, or partially matches signatures, an overall score can be determined based on the probability scores for the matching signature and the relative similarities. Bowen col. 10, ll. 58-67.), the score corresponding to each attack rule template indicating a hazard level of an attack approach corresponding to the attack rule template on a system; and obtain the detection result of the hypertext transfer protocol request based on the score corresponding to the hypertext transfer protocol request (the score is compared against a probability threshold to determine whether the score meets or exceeds the threshold. Bowen col. 11, ll. 4-9. Appropriate action can be taken based upon the resulting probability score such that the request is flagged as suspicious or determined to likely be invalid. Bowen col. 11, ll. 4-26.).  
Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the identifying network attacks based upon patterns found in data collected in the network log files of Smith with calculating a score based upon matching web requests with rule templates and combining scores with each matching template based upon the teachings of Bowen. The motivation would be to use request parameters to determine the security of received web requests and update model signatures based upon received data. Bowen col. 10, ll. 12-36.
Regarding claim 12, Smith in view of Prakash disclose the limitations of claim 11. Smith in view of Prakash does not disclose: wherein the detecting whether the hypertext transfer protocol request in the web blog is offensive, to obtain a detection result of the hypertext transfer protocol request comprises: calculating, in response to the hypertext transfer protocol request matching at least one attack rule template, a score corresponding to the hypertext transfer protocol request, the score corresponding to the hypertext transfer protocol request being a sum of a score corresponding to each attack rule template matching the hypertext transfer protocol request, the score corresponding to each attack rule template indicating a hazard level of an attack approach corresponding to the attack rule template on a system; and obtaining the detection result of the hypertext transfer protocol request based on the score corresponding to the hypertext transfer protocol request.
However, Bowen does disclose: wherein the detecting whether the hypertext transfer protocol request in the web blog is offensive, to obtain a detection result of the hypertext transfer protocol request comprises: calculating, in response to the hypertext transfer protocol request matching at least one attack rule template (probability score is calculated for the matching of the request with a signature. Bowen col. 10, ll. 54-64.), a score corresponding to the hypertext transfer protocol request, the score corresponding to the hypertext transfer protocol request being a sum of a score corresponding to each attack rule template matching the hypertext transfer protocol request (for instances where the request matches, or partially matches signatures, an overall score can be determined based on the probability scores for the matching signature and the relative similarities. Bowen col. 10, ll. 58-67.), the score corresponding to each attack rule template indicating a hazard level of an attack approach corresponding to the attack rule template on a system; and obtaining the detection result of the hypertext transfer protocol request based on the score corresponding to the hypertext transfer protocol request (the score is compared against a probability threshold to determine whether the score meets or exceeds the threshold. Bowen col. 11, ll. 4-9. Appropriate action can be taken based upon the resulting probability score such that the request is flagged as suspicious or determined to likely be invalid. Bowen col. 11, ll. 4-26.).  
Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the identifying network attacks based upon patterns found in data collected in the network log files of Smith with calculating a score based upon matching web requests with rule templates and combining scores with each matching template based upon the teachings of Bowen. The motivation would be to use request parameters to determine the security of received web requests and update model signatures based upon received data. Bowen col. 10, ll. 12-36.

Allowable Subject Matter
Claims 3-5, 8-10, 13-15 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Miyamoto (U.S. Pat. App. Pub. 2009/0055443 A1), collecting and logging received web requests in order to present the collected data in a user-accessible format; Porras (U.S. Pat. App. Pub. 2003/0101358 A1), sharing data regarding received data packets to security analysis processing; and Tsyganskiy (U.S. Pat. App. Pub. 2004/0088408 A1), evaluating web-based user requests using predetermined rules.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VANCE M LITTLE whose telephone number is (571) 270-0408. The examiner can normally be reached on Monday - Friday 9:30am - 5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin, can be reached on (571) 272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/VANCE M LITTLE/Examiner, Art Unit 2493