DETAILED ACTION
	Claims 1-19 are rejected under 35 USC § 103.


Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-19 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al., U.S. PG-Publication No. 2017/0063888 A1, in view of Pande et al., U.S. PG-Publication No. 2018/0270261 A1.

Claim 1
	Muddu discloses a method for detecting anomalies in mission-critical environments. [FUNCTIONAL LANGUAGE: INTENDED USE] The preamble recites an intended use of the method, namely detecting anomalies in mission-critical environments. When the body of a claim sets forth all limitations of the claimed invention, the phrase "in mission-critical environments" recited in the preamble is not considered a limitation and is of no significance to claim construction.
	Muddu discloses a method "for anomalous activity detection in a networked environment." Muddu, ¶ 137.
	Muddu discloses parsing at least one received data set into a text structure. Figure 4 illustrates an exemplary security platform 300 comprising data sources 402 "that provide event data including machine data, to be analyzed for anomalies." Platform 300 further comprises a semantic processor 316 that "may perform parsing of the incoming event data" and "prepare the data for more efficient downstream utilization" (i.e. parses event data set into text structure for more efficient downstream utilization). Id. at ¶¶ 163-165.
	Muddu discloses isolating a protocol language of the at least one received data set, wherein the protocol language is a standardized pattern for communication over at least one protocol. The machine data "contains a record … of an event that takes place in the network environment," and can include "data from APIs" (i.e. data from a standardized pattern for communication). Id. at ¶ 189. Parsers 806 parse the event data (e.g. machine data) "to tokenize the event data into tokens." The initial parsing steps "can include using regular expression[s] to perform extraction or stripping." Id. at ¶¶ 209-210.
	Muddu discloses generating at least one document from the contents of the received at least one data set, wherein the at least one document includes at least one parsed text structure referencing a unique identifier. Muddu discloses a field mapper 808 that "map[s] extracted tokens to one or more corresponding fields with predetermined meanings." For example, mapper 808 can "identify and extract entities from the tokens, and more specifically, the data format can specify which of the extracted tokens represent entities." The entities are unique references to "a user, a device, an application, a session" or "a uniform resource locator (URL)." Id. at ¶ 211; See Also ¶ 232 (identity resolution module 812 obtains unique identifiers such as "machine identifier," MAC or IP address, "user login identifier," and "electronic mail address").
	Muddu discloses detecting insights in the generated documents. Muddu discloses that the entity extraction process "enables the security platform to gain potential insight on the environment in which the security platform is operating." Id. at ¶ 212.
	Muddu discloses extracting rules from the detected insights. Muddu discloses that "the behavior analytics leverage machine learning data processing procedures … do not require any preexisting knowledge such as known signatures and rules" (i.e. the machine learning learns rules). Id. at ¶ 137. An analysis module 330 receives data processed by the semantic processor 316 and "analyzes the data in real-time to detect anomalies." Id. at ¶ 169. The analysis is performed by a machine learning based "complex event processing (CEP) engine that provides a mechanism to process data from multiple sources … to derive anomaly-related … conclusions in real-time." Id. at ¶¶ 270-273. The ML-based CEP engine "can train a decision tree" that "can Id. at ¶ 277. A decision tree is analogous to a set of rules, because the decisions in the tree are made according to rules. See Id. ("the trained decision tree is superior to a user-specified rule").
	Muddu discloses detecting anomalies by applying the extracted rules. Analysis module 330 "analyzes the data in real-time to detect anomalies." Id. at ¶ 168. Further, Muddu discloses that "an anomaly detected by … the ML-based CEP engine can correspond to an event, a sequence of events, an entity, a group of entities, or any combination thereof" and the output of the engine "can be an anomaly" presented on a display. Id. at ¶ 278.
	Muddu does not expressly disclose wherein the at least one parsed text structure is organized within the at least one document according to a natural language scheme.
	Pande discloses wherein the at least one parsed text structure is organized within the at least one document according to a natural language scheme. Pande discloses a method "for applying a model to detect and classify anomalies in event logs." Pande, ¶ 3. The method is "a rapid approach … to detect fault in critical safety systems." The method applies "the concept of word embeddings to enterprise event logs … by applying word embeddings to millions of events in an event log, an enterprise threat detection system may rapidly identify potentially anomalous events." Id. at ¶ 20. Pande discloses an anomaly classification engine comprising a "vocabulary generator 312" that "parses all event logs to generate a vocabulary of size V," comprising "all unique features in all event logs." Id. at ¶ 56. A vocabulary is a "natural language scheme."
	It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the anomaly detection method of Muddu to incorporate using word embeddings to determine anomalies as taught by Pande. One of 

Claim 2
	Muddu discloses wherein isolating the protocol language of the at least one received data set further comprises: generating documents from the contents of the at least one received data set. Field mapper 808 maps extracted tokens to fields in order "to identify and extract entities from the tokens" and "the field mapper 808 can map a value extracted to a key to create a key-value pair, based on [a] predetermined data format." Muddu, ¶ 211. The generated key-value pair information are generated documents containing extracted entities.

Claim 3
	Pande discloses wherein detecting insights in the documents generated further comprises: applying a natural language processing (NLP) technique to the at least one generated document. The method applies "the concept of word embeddings to enterprise event logs … by applying word embeddings to millions of events in an event log, an enterprise threat detection system may rapidly identify potentially anomalous events." Pande, ¶ 20.

Claim 4
	Pande discloses wherein the natural language processing (NLP) technique includes at least statistical language modeling (SLM). Pande discloses "training a model to identify regularly Id. at ¶ 28.

Claim 5
	Pande discloses wherein the natural language processing (NLP) technique includes at least word embedding. The method applies "the concept of word embeddings to enterprise event logs … by applying word embeddings to millions of events in an event log, an enterprise threat detection system may rapidly identify potentially anomalous events." Pande, ¶ 20.

Claim 6
	Muddu discloses wherein the at least one received data set includes application programming interface (API) communications. The machine data "contains a record … of an event that takes place in the network environment," and can include "data from APIs" (i.e. data from a standardized pattern for communication). Muddu, ¶ 189.

Claim 7
	Muddu discloses wherein parsing the at least one received data set further comprises: parsing the records as any one of: sentences, words information elements, data units, and parsing procedures or sequences involving data packets or messages as paragraphs, wherein paragraphs contain sentences and sentences contain words. Muddu discloses using a parser to "tokenize the event data into tokens, which may be keys, values, or more commonly, key-value pairs," (i.e. words information elements and/or data units). Muddu, ¶ 209.

Claim 8
	Muddu discloses wherein isolating the protocol language of the at least one data set further comprises: identifying pre-defined messages, procedures, and sessions for a protocol. The machine data "contains a record … of an event that takes place in the network environment," and can include "data from APIs" (i.e. data from a standardized pattern for communication). Id. at ¶ 189. Parsers 806 parse the event data (e.g. machine data) "to tokenize the event data into tokens." The initial parsing steps "can include using regular expression[s] to perform extraction or stripping." For example, "if the data is a system log (syslog), then a syslog regular expression can be used to strip away the packet of syslog (i.e., the outer shell of syslog) to reveal the event message inside." Id. at ¶¶ 209-210. The "outer shell" is a pre-defined message portion of the system log; the outer shell is pre-defined because it is stripped using a regular expression.
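
An added illustration, not code from Muddu, Pande, or the application under examination, of the processing chain cited in the Claim 1 and Claim 8 rejections: a regular expression strips the syslog outer shell, the inner message is tokenized into key-value pairs, tokens are mapped to entity fields, and a vocabulary of unique features is built. The RFC 3164-style header layout, the key=value message body, the `FIELD_MAP` data format and the sample lines are assumptions constructed for this example.

```python
import re

# RFC 3164-style "outer shell": <PRI>timestamp host tag[pid]: message
SYSLOG_SHELL = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# key=value tokens; a value may be double-quoted to carry spaces
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Hypothetical predetermined data format: source key -> entity field
FIELD_MAP = {"user": "user", "src": "device", "url": "url", "app": "application"}

def strip_shell(line):
    """Return the shell fields plus the inner message, or None if not syslog."""
    m = SYSLOG_SHELL.match(line)
    return m.groupdict() if m else None

def tokenize(msg):
    """Tokenize the event message into key-value pairs."""
    return {k: v.strip('"') for k, v in KV.findall(msg)}

def map_entities(tokens):
    """Keep only the tokens the data format marks as entities."""
    return {FIELD_MAP[k]: v for k, v in tokens.items() if k in FIELD_MAP}

def build_vocabulary(token_dicts):
    """Index every unique key=value feature seen across all events (size V)."""
    features = sorted({f"{k}={v}" for t in token_dicts for k, v in t.items()})
    return {feat: i for i, feat in enumerate(features)}

def process(lines):
    events, rejected = [], []
    for line in lines:
        shell = strip_shell(line)
        if shell is None:          # malformed input is set aside, not guessed at
            rejected.append(line)
            continue
        tokens = tokenize(shell["msg"])
        events.append({"host": shell["host"], "tokens": tokens,
                       "entities": map_entities(tokens)})
    return events, rejected, build_vocabulary(e["tokens"] for e in events)

# Constructed sample input (not taken from any cited reference)
SAMPLE = [
    '<38>Sep 29 10:15:02 gw01 sshd[4211]: action=login user=alice src=10.0.0.7 result=ok',
    '<38>Sep 29 10:15:09 gw01 proxy[812]: action=fetch user=alice src=10.0.0.7 url="http://example.test/a b"',
    'not a syslog line',
]

if __name__ == "__main__":
    print(process(SAMPLE))
```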

Claim 9
	Muddu discloses wherein generating the at least one document further comprises: identifying unique identifiers in the at least one received data set; and creating separate documents containing records relating to each identified unique identifier. Muddu discloses a user interface that provides a document view providing "separate listings for each type of entity … that is associated with an anomaly." Muddu, ¶ 451; See Also ¶ 459 ("[f]or each entity … a link is included" when clicked "the user is taken to a separate view for that selected entity").

Claim 10


Claims 11-19
	Claims 11-19 recite a system configured to perform the steps of the method recited in claims 1-9. Accordingly, claims 11-19 are rejected as indicated in the rejection of claims 1-9.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FRANK D MILLS whose telephone number is (571)270-3172. The examiner can normally be reached on M-F 10-6 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KAVITA PADMANABHAN can be reached on (571)272-8352. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR 






/FRANK D MILLS/ Primary Examiner, Art Unit 2176
September 29, 2021