DETAILED ACTION
This is in response to the application filed on 07/31/2019, in which claims 1-20 are presented for examination, of which claims 1, 12, and 13 are in independent form.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statements (IDSs) submitted on 07/31/2019 and 08/20/2019 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Specification
The abstract of the disclosure is objected to because it contains more than 150 words. Correction is required.  See MPEP § 608.01(b).

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s). See In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  
Claims 1-20 are rejected on the ground of nonstatutory double patenting over claims 1-11 of U.S. Patent No. 10,628,278 since the claims, if allowed, would improperly extend the “right to exclude” already granted in the patent.
anticipated by the U.S. Patent No. 10,628,278 and is covered by the patent. In claims 1, 8, and 9 of U.S. Patent No. 10,628,278, the limitations of “grouping, based upon the differentiating, the event types representing end-user events into user sessions wherein the differentiating comprises calculating a correlation similarity measure between the potential end-user events and the known end-user events, wherein the calculating a correlation similarity measure comprises: inspecting the time stamps associated with each message within an event type; identifying a login event and a time stamp associated with the login event; and computing a login waiting time distribution for the login event” imply a temporal correlation between a seed set of events and the other remaining events, which corresponds to the limitation of “based upon a time correlation between the known end-user event and the event within the message template of interest, thereby identifying message templates that were initiated by a user based upon a relationship between a time of the known end-user event and the event within the message template of interest” recited in claims 1, 12, and 13 of the instant application. See the table below for details.
U.S. Patent No. 10,628,278: grouping, based upon the differentiating, the event types representing end-user events into user sessions wherein the differentiating comprises calculating a correlation similarity measure between the potential end-user events and the known end-user events, wherein the calculating a correlation similarity measure comprises: inspecting the time stamps associated with each message within an event type; identifying a login event and a time stamp associated with the login event; and computing a login waiting time distribution for the login event.
Instant Application: 1. A method, comprising: collecting system log files comprising a plurality of log messages representing activity within the system, wherein the activity within the system corresponds to one of: system activity and end-user activity; generating a plurality of message templates by (i) clustering, using a clustering algorithm, the plurality of messages into groups having similar activity patterns and (ii) generating a message template for each of the groups, wherein each of the plurality of message templates represent an event type corresponding to an activity type within the system; identifying, from the plurality of message templates, message templates of interest, wherein a message template of interest comprises a template that potentially represents end-user events; and determining, within the message templates of interest, the message templates representing actual end-user events as opposed to system events, wherein the determining comprises (i) identifying a seed set of event types that represent known end-user events based upon identifying the event as being known to be initiated by a user and (ii) for the message templates of interest remaining after identifying the seed set of event types, correlating the event within the message template of interest to the known end-user event based upon a time correlation between the known end-user event and the event within the message template of interest, thereby identifying message templates that were initiated by a user based upon a relationship between a time of the known end-user event and the event within the message template of interest.

U.S. Patent No. 10,628,278: groups, based upon the differentiating, the event types representing end-user events into user sessions wherein the differentiating comprises calculating a correlation similarity measure between the potential end-user events and the known end-user events, wherein the calculating a correlation similarity measure comprises: inspecting the time stamps associated with each message within an event type; identifying a login event and a time stamp associated with the login event; and computing a login waiting time distribution for the login event.
Instant Application: the known end-user event and the event within the message template of interest, thereby identifying message templates that were initiated by a user based upon a relationship between a time of the known end-user event and the event within the message template of interest.

U.S. Patent No. 10,628,278: groups, based upon the differentiating, the event types representing end-user events into user sessions; wherein the differentiating comprises calculating a correlation similarity measure between the potential end-user events and the known end-user events, wherein the calculating a correlation similarity measure comprises: inspecting the time stamps associated with each message within an event type; identifying a login event and a time stamp associated with the login event and computing a login waiting time distribution for the login event.
Instant Application: based upon a time correlation between the known end-user event and the event within the message template of interest, thereby identifying message templates that were initiated by a user based upon a relationship between a time of the known end-user event and the event within the message template of interest.


The claims of the patent "anticipate" the claims of the application. Accordingly, the application claims are not patentably distinct from the patent claims. Here, the more specific patent claims encompass the broader application claim. Following the rationale in In re Goodman cited in the preceding paragraph, where applicant has once been granted a patent containing a claim for the specific or narrower invention, applicant may not then obtain a second patent with a claim for the generic or broader invention without first submitting an appropriate terminal disclaimer.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


	Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter of abstract ideas. 
Step 1:
Claims 1-20 are directed to a server (article of manufacture) which is one of the statutory categories of invention.
Step 2A:
Prong 1:
Claims 1, 12, and 13 are directed to an abstract idea without significantly more. The claim recites generating a template representing an event type by clustering log messages into groups based on similarity, identifying a message template of interest, and determining the message templates representing user events by identifying a seed event type and, for the remaining message templates, correlating the events based on time correlation between the seed/known user event and other events, thereby identifying the message templates initiated by a user based on time relationship.
The above method steps are considered to be steps such as observation, evaluation, judgement, and/or opinion, which are concepts performed in the human mind. As such, the steps of the currently claimed invention could be performed in the human mind, which falls within at least one of the groupings of abstract ideas enumerated in the 2019 PEG, because the claim does not include any limitations requiring computer implementation. Other than a “processor” and/or “storage medium” recited in claims 12-13, nothing in the claim precludes the steps from practically being performed in the human mind. Thus, the claimed invention is directed to an abstract idea of mental process.
Prong 2:
This judicial exception is not integrated into a practical application. Claims 1 and 12-13 recite collecting log information representing activity within a system, a “processor” and/or “storage medium.” 
The limitation of collecting log information representing activity within a system is considered to be an extra-solution activity of mere data gathering. See MPEP 2106.05(g). The processor and storage medium are recited at a high level of generality such that they amount to no more than mere instructions to apply the exception using a generic computer component. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Step 2B:
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above, the limitation of collecting log information representing activity within a system is considered to be a generic and well-understood routine in computing technology. The processor and storage medium are recited at a high level of generality such that they amount to no more than mere instructions to apply the exception using a generic computer component and cannot provide an inventive concept. The claim is not patent eligible.
Regarding dependent claims 2-11 and 14-20,
the dependent claims also lack additional elements that are sufficient to amount to significantly more than the abstract idea found in the independent claims. The dependent claims recite additional limitations that are considered to be observation, evaluation, and/or judgement and that do not amount to significantly more than the abstract idea.


		
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-8, and 12-16 are rejected under 35 U.S.C. 103 as being unpatentable over Sumani et al., US 2017/0013003 (Sumani, hereafter) in view of Rinehart et al., US 2017/0251072 (Rinehart, hereafter).
Regarding claim 1,
Sumani discloses a method, comprising: 
collecting system log files comprising a plurality of log messages representing activity within the system, wherein the activity within the system corresponds to one of: system activity and end-user activity (See Sumani: at least Fig. 3, para 25 and 33, collecting log data from different sources comprising log messages representing activities of a user or system); 
generating a plurality of message templates by (i) clustering, using a clustering algorithm, the plurality of messages into groups having similar activity patterns and (ii) generating a message template for each of the groups, wherein each of the plurality of message templates represent an event type corresponding to an activity type within the system (See Sumani: at least Fig. 4-5, para 13, 25, 31, 33, and 39, clustering log messages based on similar activity and generating or 
; 
 identifying, from the plurality of message templates, message templates of interest, wherein a message template of interest comprises a template that potentially represents end-user events (See Sumani: at least Fig. 4-5, para 13, 31, 33, and 40, identifying message templates/patterns showing unusual user activities); and 
determining, within the message templates of interest, the message templates representing actual end-user events as opposed to system events, wherein the determining comprises (i) identifying a seed set of event types that represent known end-user events based upon identifying the event as being known to be initiated by a user (See Sumani: at least Fig. 4-5, para 13-14 and 32-33, identifying message templates/patterns representing a known user event (i.e. login activity) that is used as a seed or baseline).
Although Sumani discloses determining log message patterns/templates associated with a known user activity, such as login activity, creating a baseline graph or seed patterns, and correlating other log messages with the baseline graph, Sumani does not expressly teach (ii) for the message templates of interest remaining after identifying the seed set of event types, correlating the event within the message template of interest to the known end-user event based upon a time correlation between the known end-user event and the event within the message template of interest, thereby identifying message templates that were initiated by a user based upon a relationship between a time of the known end-user event and the event within the message template of interest.
On the other hand, Rinehart discloses identifying a first cluster of transactional data associated with a user activity such as a “login action” and, for the remaining transactional data other than the login activity, determining the clusters of transactional data that are closely correlated in time with the first cluster of transactional data, thereby identifying a cluster of transactional data that is initiated by the user activity (e.g. “remove file action”) based on the time relationship (See Rinehart: at least Fig. 3 and para 58-65).
Samuni and Rinehart are from the same field of endeavor of log data processing. Therefore, it would have been obvious to one of ordinary skill in the art before the time the invention was effectively filed to modify the teachings of Samuni with Rinehart’s teaching in order to implement above function with reasonable expectation of success. The motivation for doing so would have been to improve functionality and utility of the method by meaningfully interpreting log file activities to detect corresponding user actions and providing an ability to determine and label actions of the user and detect anomalous behavior that might compromise the security of system or service.
Regarding claim 2,
the combination of Samuni and Rinehart discloses wherein the identifying message templates of interest comprises labelling a subset of the message templates as potential end-user events (See Sumani: at least Fig. 5, para 15, 31, and 41 and Rinehart: at least Fig. 3 and para 50 and 58, labels such as “login”).

Regarding claim 4,
 tagging each of the subset of message templates representing potential end-user events with an event type (See Sumani: at least Fig. 5, para 15, 31, and 41 and Rinehart: at least Fig. 3 and para 50 and 58-59).  
Regarding claim 5,
the combination of Samuni and Rinehart discloses wherein the determining comprises calculating a correlation similarity measure based upon time between the potential end-user events and the known end-user events (See Sumani: at least 31-33 and Rinehart: at least Fig. 3 and para 50 and 58-59).  
Regarding claim 6,
the combination of Samuni and Rinehart discloses wherein the calculating a correlation similarity measure comprises calculating a correlation similarity measure for event types corresponding to a predetermined user (See Sumani: at least Fig. 5, para 15, 31, and 41 and Rinehart: at least Fig. 3 and para 50 and 58-59).  
Regarding claim 7,
the combination of Samuni and Rinehart discloses wherein the calculating a correlation similarity measure comprises inspecting the time stamps associated with each message within an event type (See Sumani: at least Fig. 5, para 15, 31, and 41 and Rinehart: at least Fig. 3 and para 50 and 58-59).  
Regarding claim 8,
wherein the calculating a correlation similarity measure comprises identifying a login event and a time stamp associated with the login event (See Sumani: at least Fig. 5, para 15, 31, and 41 and Rinehart: at least Fig. 3 and para 50 and 58-59).
Regarding claim 12,
the scope of the claim is substantially the same as claim 1, and is rejected on the same basis as set forth for the rejection of claim 1.
Regarding claims 13-16,
the scopes of the claims are substantially the same as claims 1, 5, and 7-8, respectively, and are rejected on the same basis as set forth for the rejections of claims 1, 5, and 7-8, respectively.

Claims 3 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Sumani et al., US 2017/0013003 (Sumani, hereafter) in view of Rinehart et al., US 2017/0251072 and further in view of Raskutti et al, US 2006/0089924 (Raskutti, hereafter).
Regarding claim 3,
the combination of Samuni and Rinehart discloses the limitations as stated above, including the labelled subset of message templates; however, it does not expressly teach generating a message filter by using the subset of message templates to train the message filter.
On the other hand, Raskutti discloses training a message filter and generating a message filter (See Raskutti: at least Fig. 3 and para 72-75). Therefore, it would have been obvious to generate a message filter by using the labelled subset of message templates to train the message filter, with reasonable expectation of success. The motivation for doing so would have been to improve functionality of the method by determining categories of log messages utilizing message filtering.
Regarding claim 20,
the scope of the claim is substantially the same as claims 2-3, and is rejected on the same basis as set forth for the rejections of claims 2-3.

 
Claims 9-11 and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Sumani et al., US 2017/0013003 (Sumani, hereafter) in view of Rinehart et al., US 2017/0251072 and further in view of Chkodrov et al, US 2006/0265406 (Chkodrov, hereafter).
Regarding claim 9,
the combination of Samuni and Rinehart discloses the limitations as stated above, including the calculating a correlation similarity measure; however, it does not expressly teach computing a login waiting time distribution for the login event.
On the other hand, Chkodrov discloses determining a login waiting time for a login event (See Chkodrov: at least para 33, 37, 39, 57, and 67). Therefore, it would have been obvious that the calculating a correlation similarity measure comprises computing a login waiting time distribution for the login event, with reasonable expectation of success. The motivation for doing so would have been to improve functionality of the method by determining a wait time for a login event to correlate data from the events for determining whether a pattern has occurred.
Regarding claim 10,
the combination of Samuni, Rinehart, and Chkodrov discloses wherein the calculating a correlation similarity measure comprises computing an event waiting time distribution for each of the event types occurring after the login event (See Rinehart: at least Fig. 3 and para 50 and 58-59 and Chkodrov: at least para 33, 37, 39, 46, and 50).
Regarding claim 11,
the combination of Samuni and Rinehart discloses wherein the determining event types comprises comparing, using a temporal correlation method, the event waiting time distribution to the login waiting time distribution (See Rinehart: at least Fig. 3 and para 50 and 58-59 and Chkodrov: at least para 33, 37, 39, 57, and 67).
Regarding claims 17-19,
.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Yoon et al., US 2018/0102938 disclosing assigning individual log messages to clusters. An initial cluster assignment may be performed by applying a hash function to one or more non-variable components of the message to generate an initial cluster identifier. Subsequently, clustering may be further refined (e.g., by determining whether to merge clusters based on similarity values). An interface can present a representative message of each cluster and indicate which portions of the message correspond to a variable component.
Alon et al., US 2018/0091359 disclosing generating a log message template for each of the log messages and classify the log messages with associated log message templates. 
Huang et al., US 2014/0344622 disclosing a log analytics module reduces both the volume and level of detail of log by first classifying log messages into message types based on their content similarity. The log analytics module may then further reduce data by grouping bursts of log messages into log events. Patterns within these log events, such as the collection and number of different 

Points of Contact
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARES JAMI whose telephone number is (571)270-1291.  The examiner can normally be reached on M-F 9:00a-5:00p.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Pierre Vital, can be reached on 571-272-4215. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access 

/Hares Jami/ Primary Examiner, Art Unit 2162
07/24/2021