DETAILED ACTION
A request for continued examination under 37 CFR 1.114 was filed in this application after a decision by the Patent Trial and Appeal Board, but before the filing of a Notice of Appeal to the Court of Appeals for the Federal Circuit or the commencement of a civil action. Since this application is eligible for continued examination under 37 CFR 1.114 and the fee set forth in 37 CFR 1.17(e) has been timely paid, the appeal has been withdrawn pursuant to 37 CFR 1.114 and prosecution in this application has been reopened pursuant to 37 CFR 1.114. Applicant’s submission filed on 8/13/2021 has been entered.
Claims 1-20 are pending. Claims 1, 2, 6, 11 and 13 have been amended, and claims 18-20 have been newly added. 

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed 10/29/2018 have been fully considered.
Applicant’s arguments with respect to the rejection under 35 U.S.C. 101 have been fully considered and are persuasive. The 35 U.S.C. 101 rejection of claims 1, 5, 6, 9 and 11 has been withdrawn. 
Applicant’s arguments with respect to the rejection(s) of the newly amended claim(s) 1, 6 and 11 under 35 U.S.C. 103 have been fully considered and are persuasive. New grounds of rejection under 35 U.S.C. 103 are set forth below.  

Claim Rejections - 35 USC § 112
Claim 19 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 19 recites the limitation "baseline graph" in line 2. There is insufficient antecedent basis for this limitation in the claim.
Claim 19 recites the limitation "actual log graph" in line 3. There is insufficient antecedent basis for this limitation in the claim.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 6, 9, 11 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ayyagari et al (US 2013/0305357) in view of Hohndel et al (US 2014/0298461).

With respect to claim 1, Ayyagari teaches a log analysis system comprising:
a processor (see Ayyagari paragraph 0004 and 0078); and
a memory to store instructions (see Ayyagari paragraph 0078) that, when executed by the processor, cause the processor to:
monitor user activity of a computer system to determine historical log activity (see Ayyagari figure 2 step 2200 and paragraph 0130 i.e. at least one processor monitors the behavior of at least one node, associated with at least one user, in a network to generate a behavior profile for the user); 
monitor user activity of the computer system to determine a user activity volume (see Ayyagari figure 17 and paragraph 0196 i.e. graph 400 illustrating the detection of an anomaly 440 in network behavior, in accordance with at least one embodiment of the present disclosure. In particular, an example graph of data gathered from a smart agent download monitoring the network traffic through a specific node is shown); 
generate an expected baseline of a log based on the historical log activity (see Ayyagari paragraph 0078 i.e. baselining (i.e. monitoring user behavior on the node to create a baseline profile), 0081, 0088 and 0097); 
compare the log to the expected baseline to identify an abnormality (see Ayyagari figure 2 step 2300-2400 and paragraph 0130 i.e. Then, at least one processor compares the behavior profile for at least one user with a baseline behavior profile for the user; and paragraph 0125); 
compare the abnormality to a user activity volume based on a correlation between the user activity volume and the log activity (see figure 17 and paragraph 0196); and 


Ayyagari does not teach monitoring user activity of the computer system to determine a user activity volume by determining a number of multiple real users interacting with the computer system, nor does it teach wherein the log comprises event messages describing states experienced by the computer system.
Hohndel teaches monitoring user activity of the computer system to determine a user activity volume by determining a number of multiple real users interacting with the computer system (see Hohndel paragraph 0038-0039, paragraph 0049 i.e. At 302, network traffic is generated by PAS 230, and is observed by backend system 220 as it traverses network 215 to a destination. The destination may be another computing device within network 215 or another computing device external to network 215. At 304, incoming network traffic to PAS 230, across network 215, is observed by backend system 220. The incoming network traffic may have originated from another computing device in network 215 or from another computing device external to network 215; and paragraph 0061 i.e. At 410, a backend system observes network traffic associated with a potentially affected system (PAS). The network traffic may be outgoing traffic generated by PAS, incoming traffic being received by PAS, or both); 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Ayyagari in view of Hohndel so that the backend system also receives, from the PAS, context information related to the PAS (for example, time, location, applications running, user presence, etc.) and uses the received context information both for creating or updating the genetic program and for running the genetic program to compare predicted normal traffic to actual network traffic based on the current context information (see Hohndel paragraph 0049 and 0061). Therefore one would have been motivated to also receive, from the PAS, context information including time, location, applications running, user presence, etc., as a way to update the predicted normal traffic that is compared to the actual network traffic to detect deviation. 

With respect to claim 2, Ayyagari teaches the log analysis system of claim 1, but does not disclose wherein the instructions, when executed by the processor, cause the processor to: adjust the expected baseline based on the user activity volume; and compare the log to the adjusted expected baseline.  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Ayyagari in view of Hohndel so that the backend system also receives, from the PAS, context information related to the PAS (for example, time, location, applications running, user presence, etc.) and uses the received context information both for creating or updating the genetic program and for running the genetic program to compare predicted normal traffic to actual network traffic based on the current context information (see Hohndel paragraph 0049 and 0061). Therefore one would have been motivated to also receive, from the PAS, context information including time, location, applications running, user presence, etc., as a 

With respect to claim 6, Ayyagari teaches a computer readable storage medium comprising a set of instructions executable by a processor resource to: 
generate a first graph, the first graph to represent an expected baseline of log activity of a computer system based on a log template of the log activity and a seasonal effect of the log activity (see Ayyagari figure 17 line 430 and paragraph 0196); 
generate a second graph, the second graph to represent a user activity volume of the computer system (see Ayyagari figure 17 line 440 and paragraph 0196); 
compare the first graph to the second graph to identify a correlation between the expected baseline and the user activity volume (see Ayyagari paragraph 0196 i.e. At time zero (0) up until time T, the traffic activity levels of the node stay closely about a normal traffic activity level for the node 430. However, at time T, the traffic activity of the node spikes up to a significantly higher level. From time T and on, the nodal traffic activity levels for the node are shown to be much higher than the normal nodal traffic activity level, and thus, by analyzing this data, the smart agent download will determine that a nodal anomaly 440 has occurred for the node (e.g., a nodal attack is occurring)); and 
score the log activity based on the expected baseline, the correlation, and the user activity volume (see Ayyagari figure 2 step 2500-2600 and paragraph 0130 Then, at least one processor flags an event associated with the difference when the difference: exceeds a baseline threshold level, does not exceed a baseline threshold 

Ayyagari does not teach wherein the user activity volume is determined by a number of multiple real users interacting with the computer system, nor wherein the log comprises event messages describing states experienced by a computer system and the log template represents a type of event message of the log.
Hohndel teaches wherein the user activity volume is determined by a number of multiple real users interacting with the computer system (see Hohndel paragraph 0038-0039, paragraph 0049 i.e. At 302, network traffic is generated by PAS 230, and is observed by backend system 220 as it traverses network 215 to a destination. The destination may be another computing device within network 215 or another computing device external to network 215. At 304, incoming network traffic to PAS 230, across network 215, is observed by backend system 220. The incoming network traffic may have originated from another computing device in network 215 or from another computing device external to network 215 and paragraph 0061 i.e. At 410, a backend system observes network traffic associated with a potentially affected system (PAS). The network traffic may be outgoing traffic generated by PAS, incoming traffic being received by PAS, or both); 
wherein the log comprises event messages describing states experienced by a computer system and the log template represents a type of event message of the log (see Hohndel paragraph 0061 i.e. At 412, the backend system may also receive, from 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Ayyagari in view of Hohndel so that the backend system also receives, from the PAS, context information related to the PAS (for example, time, location, applications running, user presence, etc.) and uses the received context information both for creating or updating the genetic program and for running the genetic program to compare predicted normal traffic to actual network traffic based on the current context information (see Hohndel paragraph 0049 and 0061). Therefore one would have been motivated to also receive, from the PAS, context information including time, location, applications running, user presence, etc., as a way to update the predicted normal traffic that is compared to the actual network traffic to detect deviation. 

Ayyagari teaches with respect to claim 9, the medium of claim 6, wherein the set of instructions is executable by the processor to: cause a display of the log activity with an identifier associated with an abnormality of the log activity and the score of the log activity; wherein the set of instructions executable to compare the first graph and the second graph comprise instructions executable by the processor to: identify the 

With respect to claim 11, Ayyagari teaches a method comprising: 
identifying a log template based on a set of entries of a log system (see Ayyagari figure 2 and paragraph 0078, 0081, 0088 and 0097); 
generating a baseline graph associated with expected log activity based on the log template (see Ayyagari figure 17 normal nodal operation 430 paragraph 0196); 
generating a user activity graph associated with a volume of user activity (see Ayyagari figure 17 nodal anomaly 440 and paragraph 0196); 
comparing the user activity graph to the baseline graph to identify a correlation between the log template and the volume of user activity (see Ayyagari figure 17 and paragraph 0196); 
comparing a potential abnormality of the log to the volume of user activity associated with the log, the potential abnormality being a difference between the log and the baseline (see Ayyagari figure 17 nodal anomaly paragraph 0196); and 
visually indicating a status of the log based on the correlation between the potential abnormality and the volume of user activity (see Ayyagari figure 17 and paragraph 0196, and paragraph 0130 and 0139-0140). 

Ayyagari does not teach wherein the user activity volume is determined by a number of multiple real users interacting with the computer system, nor wherein the log comprises 
Hohndel teaches wherein the user activity volume is determined by a number of multiple real users interacting with the computer system (see Hohndel paragraph 0038-0039, paragraph 0049 i.e. At 302, network traffic is generated by PAS 230, and is observed by backend system 220 as it traverses network 215 to a destination. The destination may be another computing device within network 215 or another computing device external to network 215. At 304, incoming network traffic to PAS 230, across network 215, is observed by backend system 220. The incoming network traffic may have originated from another computing device in network 215 or from another computing device external to network 215 and paragraph 0061 i.e. At 410, a backend system observes network traffic associated with a potentially affected system (PAS). The network traffic may be outgoing traffic generated by PAS, incoming traffic being received by PAS, or both); 
wherein the log comprises event messages describing states experienced by a computer system and the log template represents a type of event message of the log (see Hohndel paragraph 0061 i.e. At 412, the backend system may also receive, from the PAS, context information related to the PAS. Context information could include, for example, time, location, applications running, user presence, etc., all related to the PAS).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Ayyagari in view of Hohndel so that the backend system also receives, from the PAS, context information related to the PAS. Context 

With respect to claim 18, Ayyagari teaches the log analysis system of claim 1, but does not disclose wherein the instructions, when executed by the processor, cause the processor to determine a number of the multiple real users interacting with the computer system by tracking at least one of requests and sources of the requests.
Hohndel teaches wherein the instructions, when executed by the processor, cause the processor to determine a number of the multiple real users interacting with the computer system by tracking at least one of requests and sources of the requests (see Hohndel paragraph 0038-0039, paragraph 0049 i.e. At 302, network traffic is generated by PAS 230, and is observed by backend system 220 as it traverses network 215 to a destination. The destination may be another computing device within network 215 or another computing device external to network 215. At 304, incoming network traffic to PAS 230, across network 215, is observed by backend system 220. The 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Ayyagari in view of Hohndel such that incoming network traffic to PAS 230, across network 215, is observed by backend system 220, where the incoming network traffic may have originated from another computing device in network 215 or from another computing device external to network 215 (see Hohndel paragraph 0049). Therefore one would have been motivated to monitor the incoming network traffic to the PAS across the network. 

With respect to claim 19 Ayyagari teaches the log analysis system of claim 1, wherein the instructions, when executed by the processor, cause the processor to determine a first difference between the baseline graph and the actual log graph and to determine a second difference based on the user activity volume, wherein one of the first difference and the second difference is smaller than the other of the first difference and the second difference (see Ayyagari paragraph 0196 i.e. At time zero (0) up until time T, the traffic activity levels of the node stay closely about a normal traffic activity level for the node 430. However, at time T, the traffic activity of the node spikes up to a significantly higher level. From time T and on, the nodal traffic activity levels for the node are shown to be much higher than the normal nodal traffic activity level, and thus, 

With respect to claim 20 Ayyagari teaches the log analysis system of claim 1, wherein an effect of the user activity volume is removed after the abnormality is identified (see Ayyagari figure 17 and paragraph 0196). 

Claims 3-5, 7, 8, 10, 12 and 14-17 are rejected under 35 U.S.C. 103 as being unpatentable over Ayyagari et al (US 2013/0305357) in view of Hohndel et al (US 2014/0298461), and further in view of Cohen et al (US 2012/0016886).
With respect to claim 3, Ayyagari teaches the log analysis system of claim 1, but does not disclose wherein the instructions, when executed by the processor, cause the processor to identify a log template based on a log entry of the log, wherein the expected baseline is based on a seasonal effect of the log and the log template. Cohen teaches a template engine to identify a log template based on a log entry of the log, wherein the expected baseline is based on a seasonal effect of the log and the log template (see Cohen figure 7 and paragraph 0011-0014 and 0037-0039). It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which said subject matter pertains to have identified seasonal effects (or seasonality) of temporal data, where a seasonal effect is a time-dependent pattern in temporal data collected over time that tends to repeat every season (or cycle) of a certain length, and to update the baseline based on the seasonal effects, since user volume often shows daily and weekly cycles corresponding 

Ayyagari teaches with respect to claim 4, the log analysis system of claim 3, wherein the instructions, when executed by the processor, cause the processor to: create a graph based on the log template, the graph to represent a number of log entries associated with the log template; and compare the graph to the expected baseline, the abnormality being the difference between the graph and the expected baseline (see Ayyagari paragraph 0196). 

Ayyagari teaches with respect to claim 5, the log analysis system of claim 1, wherein the instructions, when executed by the processor, cause the processor to cause a display of the abnormality and a classification of the log (see Ayyagari figure 2 step 2500-2600 and paragraph 0130 and 0139-0140). 

With respect to claim 7 Ayyagari teaches the medium of claim 6, wherein the expected baseline comprises: a degree of relatedness among log activity based on a text template (see Ayyagari paragraph 0125-0126). 
Ayyagari does not teach wherein the seasonal effect is based on a time-dependent pattern of the log template. Cohen teaches wherein the seasonal effect is based on a time-dependent pattern of the log template (See Cohen figure 7 and paragraph 0011-0014 and 0037-0039). 


With respect to claim 8 Ayyagari teaches the medium of claim 6, wherein the set of instructions executable to generate a second graph comprise instructions executable by the processor to: monitor the user activity volume of the computer system (see Ayyagari figure 17 paragraph 0196).
Ayyagari does not teach wherein the set of instructions executable to generate a first graph comprise instructions executable by the processor to: normalize the seasonal effect of the expected baseline based on the user activity volume; and wherein the set of instructions to compare the first graph to the second graph includes using data provided by a real user monitor to determine the correlation between the user activity. 
Cohen teaches wherein the set of instructions executable to generate a first graph comprise instructions executable by the processor to: normalize the seasonal effect of the expected baseline based on the user activity volume; and wherein the set of instructions to compare the first graph to the second graph includes using data 
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which said subject matter pertains to have identified seasonal effects (or seasonality) of temporal data, where a seasonal effect is a time-dependent pattern in temporal data collected over time that tends to repeat every season (or cycle) of a certain length, and to update the baseline based on the seasonal effects, since user volume often shows daily and weekly cycles corresponding to typical access patterns to the system (see Cohen paragraph 0011-0014). Therefore one would have been motivated to update the baseline based on the seasonal effects. 

With respect to claim 10 Ayyagari teaches the medium of claim 9, but does not disclose wherein the identifier indicates the degree of abnormality based on a context of the log and a severity of the abnormality, the context of the log to include the correlation of the log based on a degree of user activity volume on the log.  Cohen teaches wherein the identifier indicates the degree of abnormality based on a context of the log and a severity of the abnormality, the context of the log to include the correlation of the log based on a degree of user activity volume on the log (See Cohen figure 7 and paragraph 0011-0014 and 0037-0039). 
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which said subject matter pertains to have identified seasonal effects (or seasonality) of temporal data, where a seasonal effect is a time-dependent 

With respect to claim 12 Ayyagari teaches the method of claim 11 but does not disclose, comprising: clustering a set of entries of the log based on a text template to identify the log template; identifying a seasonal effect of the log activity; and identifying a number of the set of entries associated with the log template. Cohen teaches clustering a set of entries of the log based on a text template to identify the log template; identifying a seasonal effect of the log activity; and identifying a number of the set of entries associated with the log template (See Cohen figure 7 and paragraph 0011-0014 and 0037-0039). 
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which said subject matter pertains to have identified seasonal effects (or seasonality) of temporal data, where a seasonal effect is a time-dependent pattern in temporal data collected over time that tends to repeat every season (or cycle) of a certain length, and to update the baseline based on the seasonal effects, since user volume often shows daily and weekly cycles corresponding to typical access patterns to the system (see Cohen paragraph 0011-

With respect to claim 14 Ayyagari teaches the method of claim 11 but does not disclose, comprising at least one of: identifying the log is impacted by the volume of user activity; and identifying the user activity to impact the log. Cohen teaches comprising at least one of: identifying the log is impacted by the volume of user activity; and identifying the user activity to impact the log (See Cohen figure 7 and paragraph 0011-0014 and 0037-0039). 
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which said subject matter pertains to have identified seasonal effects (or seasonality) of temporal data, where a seasonal effect is a time-dependent pattern in temporal data collected over time that tends to repeat every season (or cycle) of a certain length, and to update the baseline based on the seasonal effects, since user volume often shows daily and weekly cycles corresponding to typical access patterns to the system (see Cohen paragraph 0011-0014). Therefore one would have been motivated to update the baseline based on the seasonal effects. 
With respect to claim 15 Ayyagari teaches the method of claim 11, but does not disclose comprising: estimating the volume of log activity based on a degree of granularity; and providing a degree of abnormality of the log based on the volume of user activity. Cohen teaches estimating the volume of log activity based on a degree of 
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which said subject matter pertains to have identified seasonal effects (or seasonality) of temporal data, where a seasonal effect is a time-dependent pattern in temporal data collected over time that tends to repeat every season (or cycle) of a certain length, and to update the baseline based on the seasonal effects, since user volume often shows daily and weekly cycles corresponding to typical access patterns to the system (see Cohen paragraph 0011-0014). Therefore one would have been motivated to update the baseline based on the seasonal effects. 

With respect to claim 16 Ayyagari teaches the log analysis system of claim 1, but does not disclose wherein the instructions, when executed by the processor, cause the processor to classify the log as having a relatively smaller degree of abnormality based on the user activity volume having a relatively larger correlation to the log activity and classify the log as having a relatively larger degree of abnormality in response to the user activity volume having a relatively smaller correlation to the log activity. Cohen teaches wherein the instructions, when executed by the processor, cause the processor to classify the log as having a relatively smaller degree of abnormality based on the user activity volume having a relatively larger correlation to the log activity and classify the log as having a relatively larger degree of abnormality in response to the user 
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which said subject matter pertains to have identified seasonal effects (or seasonality) of temporal data, where a seasonal effect is a time-dependent pattern in temporal data collected over time that tends to repeat every season (or cycle) of a certain length, and to update the baseline based on the seasonal effects, since user volume often shows daily and weekly cycles corresponding to typical

With respect to claim 17 Ayyagari teaches the medium of claim 6, but does not disclose wherein the instructions are executable by the processor resource to cause the processor resource to score the log activity to represent the log activity having a relatively smaller degree of abnormality based on the user activity volume having a relatively larger correlation to the log activity and represent the log activity having a relatively larger degree of abnormality in response to the user activity volume having a relatively smaller correlation to the log activity. Cohen teaches wherein the instructions are executable by the processor resource to cause the processor resource to score the log activity to represent the log activity having a relatively smaller degree of abnormality based on the user activity volume having a relatively larger correlation to the log activity and represent the log activity having a relatively larger degree of abnormality in response to the user activity volume having a relatively smaller correlation to the log activity (See Cohen paragraph 0014 i.e. error score). 
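The following is an added worked example written for this corpus; it is not code from the application or from the Ayyagari, Hohndel, Cohen or Dai references. It implements the limitations recited above for claims 1, 6, 11 and 12 (identify a log template, build a seasonal baseline graph, build a user activity graph, identify a correlation between them), claims 2 and 19 (adjust the baseline by user volume and take a first and a second difference), and claims 16 and 17 (a smaller degree of abnormality when user activity volume accounts for the deviation). The templating regexes, the six-slot cycle, the scoring rule and every count below are constructed assumptions chosen for illustration.

```python
"""Log-template baseline with seasonal effect and user-volume discounting.
Editor-written illustration; not code from the application or cited art.
All counts, regexes and the scoring rule are constructed assumptions."""
import math
import re
from collections import Counter, defaultdict

# --- claims 3 / 12: identify a log template from a log entry ----------------
# Assumed masking: hex identifiers first, then decimal numbers (incl. dotted IPs).
_HEX = re.compile(r"\b0x[0-9a-fA-F]+\b")
_NUM = re.compile(r"\b\d+(?:\.\d+)*\b")


def log_template(message: str) -> str:
    """Collapse entries of one type to one template:
    'user 42 login from 10.0.0.7' -> 'user <*> login from <*>'."""
    return _NUM.sub("<*>", _HEX.sub("<*>", message))


def count_by_template(entries):
    """entries: iterable of (bucket_index, message).
    Returns {template: Counter(bucket_index -> number of entries)}."""
    counts = defaultdict(Counter)
    for bucket, message in entries:
        counts[log_template(message)][bucket] += 1
    return counts


# --- claims 3 / 6: seasonal baseline per slot of the cycle ------------------
def seasonal_baseline(history, period):
    """history: counts for whole past cycles, oldest first. The expected value
    for slot i is the mean of slot i over all past cycles (daily/weekly pattern)."""
    cycles = len(history) // period
    assert cycles >= 1 and len(history) == cycles * period, "need whole cycles"
    return [sum(history[c * period + i] for c in range(cycles)) / cycles
            for i in range(period)]


def pearson(xs, ys):
    """Correlation between the log-count graph and the user-volume graph (claims 6, 11)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return 0.0 if sx == 0 or sy == 0 else cov / (sx * sy)


# --- claims 2, 16/17, 19: score the deviation net of user volume ------------
def score_log(actual, baseline, user_volume, user_baseline, threshold=0.5):
    """Per slot: first_diff = actual vs. seasonal baseline (claim 19); the
    baseline is then scaled by the user-volume ratio (claim 2) and second_diff
    = actual vs. adjusted baseline. Score is second_diff relative to baseline,
    so a spike that user volume accounts for scores low (claims 16/17).
    The rule and the threshold are assumptions, not the application's own."""
    results = []
    for a, b, u, ub in zip(actual, baseline, user_volume, user_baseline):
        first_diff = abs(a - b)
        adjusted = b * (u / ub)
        second_diff = abs(a - adjusted)
        score = second_diff / b
        if score > threshold:
            status = "abnormal"
        elif first_diff / b > threshold:
            status = "explained_by_user_volume"
        else:
            status = "normal"
        results.append({"first_diff": first_diff, "second_diff": second_diff,
                        "score": round(score, 3), "status": status})
    return results


# --- constructed data: six 4-hour slots per daily cycle, three past cycles --
PERIOD = 6
LOG_HISTORY = [20, 60, 100, 90, 50, 20, 22, 58, 104, 88, 52, 18, 18, 62, 96, 92, 48, 22]
USER_HISTORY = [x * 10 for x in LOG_HISTORY]
# Current cycle: slot 2 doubles together with user volume (flash crowd);
# slot 4 triples while user volume stays normal (the real anomaly).
LOG_NOW = [20, 60, 200, 90, 150, 20]
USER_NOW = [200, 600, 2000, 900, 500, 200]
SAMPLE_ENTRIES = [  # constructed raw entries, only to show templating
    (0, "user 42 login from 10.0.0.7"),
    (0, "user 7 login from 10.0.0.9"),
    (1, "session 0x1f expired after 3600 s"),
]


def demo():
    templates = count_by_template(SAMPLE_ENTRIES)
    baseline = seasonal_baseline(LOG_HISTORY, PERIOD)
    user_baseline = seasonal_baseline(USER_HISTORY, PERIOD)
    r = pearson(LOG_NOW, USER_NOW)
    scored = score_log(LOG_NOW, baseline, USER_NOW, user_baseline)
    return templates, baseline, r, scored


if __name__ == "__main__":
    templates, baseline, r, scored = demo()
    for template, counts in templates.items():
        print(f"{template!r}: {dict(counts)}")
    print("baseline", baseline, "log/user correlation %.2f" % r)
    for slot, result in enumerate(scored):
        print(slot, result)
```

Run as-is, slot 2 reports a large first difference but a zero second difference and is classed as explained by user volume, while slot 4 keeps a large second difference and is classed as abnormal; the overall log/user correlation for the cycle is positive but well below 1 because of slot 4. The example uses a flat mean per slot as the seasonal baseline; a production detector would normally use a robust statistic and a per-template threshold rather than a single global one.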


Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Ayyagari et al (US 2013/0305357) in view of Hohndel et al (US 2014/0298461) and Cohen et al (US 2012/0016886), and further in view of Dai et al (US 2011/0023120).
With respect to claim 13, Ayyagari teaches mapping a log template count of the log to a log graph based on a number of the set of entries associated with the log template, and comparing the log graph to the baseline to identify the potential abnormality (see Ayyagari figure 17 and paragraph 0196).
Ayyagari does not teach causing the log to be presented as a node in a map, the map to contain nodes having a color based on the abnormality associated with the log template and the correlation. Dai teaches causing the log to be presented as a node in a map, the map to contain nodes having a color based on the abnormality associated with the log template and the correlation between the log template and the volume of user activity (see Dai paragraph 0042). It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which said subject matter pertains to have marked malicious log nodes with a color on the graph to indicate that they are . 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEVIN E ALMEIDA whose telephone number is (571)270-1018.  The examiner can normally be reached on Monday-Thursday from 7:30 A.M. to 5:00 P.M.  The examiner can also be reached on alternate Fridays from 7:30 A.M. to 4:00 P.M. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Saleh Najjar, can be reached on 571-272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/DEVIN E ALMEIDA/Examiner, Art Unit 2492

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492