DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of Claims
The amendment filed 08/11/2021 has been entered. Claims 1, 5-9, 11-12, 14-17 are currently amended claims. Claims 2-4 are currently cancelled. Claims 18-20 are originally cancelled claims. Claims 21-23 are newly added claims. Claims 1, 5-17, 21-23 are pending and being considered.
The objection of claims 1, 14-17 due to informalities has been withdrawn in light of applicant’s amendment to the claims. 
Response to Arguments
Applicant’s arguments, see pg. 10-12 of the Remarks filed 8/11/2021, regarding the claim rejection over prior art have been fully considered and are not persuasive for the following reason.
Examiner acknowledges that applicant has amended independent claims 1, 16-17 by including features from previous claim 2 (or claim 3) and claim 4 (now respectively cancelled). 
Applicant argued “The 10 and 20 moving average line disclosed in Cai does not have a constant value. Therefore, the 10 and 20 moving average line in Cai differs from the claimed ‘criterion data.’ In this way, Cai fails to disclose or suggest the foregoing feature of claim 1”. See page 11 of the Remarks. 
Examiner acknowledges applicant’s perspective but respectfully disagrees. Examiner notes reference Cai is used to reject claims 2-4 in the non-final Office Action mailed 
Applicant further argued Cai is non-analogous art. See pages 11-12 of the Remarks. Examiner respectfully disagrees. According to MPEP 2141.01(a), The examiner must determine what is "analogous prior art" for the purpose of analyzing the obviousness of the subject matter at issue… This does not require that the reference be from the same field of endeavor as the claimed invention, in light of the Supreme Court's instruction that "[w]hen a work is available in one field of endeavor, design incentives and other market forces can prompt variations of it, either in the same field or a different one." Id. at 417, 82 USPQ2d 1396. Rather, a reference is analogous art to the claimed invention if: (1) … or (2) the reference is reasonably pertinent to the problem faced by the inventor (even if it is not in the same field of endeavor as the claimed invention). See Bigio, 381 F.3d at 1325, 72 USPQ2d at 1212. In this case, reference Cai is applied to the teachings of determining data trend based on moving averages to determine whether the appearance tendency of the phrase information has changed. The determination of data trend is a mathematical problem reasonably pertinent to the problem faced by the inventor, as 
It is suggested that applicant further incorporate innovative features into the independent claims to advance the case.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.

4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 5, 7-8, 12-17, 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Howes et al (US20140283048A1-IDS provided by applicant, hereinafter, “Howes”), in view of Chernin et al (US20160366174A1, hereinafter, "Chernin"), further in view of Apreleva et al (US9892168B1, hereinafter, "Apreleva") and Cai (US20150066725A1, hereinafter, "Cai").
Regarding claim 1, Howes teaches:
A cyber threat analysis system (Howes, Fig. 1, [0003] an architecture of a data trend analysis system. And [0020] According to a further example, a method for forecasting cyber security threat risks is disclosed) comprising: 
a database configured to store reference information acquired from an information source (Howes, [Abstract] a method for data trend analysis may include retrieving data from data sources (i.e. information source), associating the data with a time, and identifying co-occurrences of terms (i.e. reference information) and concepts within the data. And database 107 shown in Fig. 1); 
a memory configured to store instructions; and a processor configured to execute the instructions (Howes, [0018] The data trend analysis system may further include a processor to implement the machine readable instructions) to: 
analyze an appearance tendency of first phrase information that is included in the reference information acquired at chronologically different timings (Howes, [Abstract] The method may include logging occurrences of terms in the ontology within the data with respect to associated data times, identifying a plurality of time periods, and for one of the plurality of time periods and for the logged terms, determining a first score indicative of a weighted term frequency metric for a logged term within the data during the one time period,…) [and the appearance tendency represents a phrase related to a malicious program that provides malicious instructions to an information processing device] (see Chernin for limitation(s) in bracket below); 
by analyzing a time series of a number of appearances of the first phrase information included in the reference information [using a technical analysis method], calculate data representing the appearance tendency of the first phrase information at least at two different timings (Howes, [0018] For one of the plurality of time periods and for the logged terms, the machine readable instructions may determine a first score indicative of a weighted term frequency metric for a logged term within the data during the one time period, and determine a second score indicative of a commonality of a presence of the logged term within the data among the plurality of time periods (i.e. at least at two different timings)); (see Cai below for teaching of a technical analysis method)
extract the reference information including the first phrase information, [the appearance tendency of which has changed], from the database (Howes, Fig. 1, Database 107, and [0046] data may be retrieved from one or more data sources. And [0056] additional cyber security threat information may be extracted from the retrieved cyber security threat related information. For example, referring to FIG. 1, the information extraction module 103 may identify and extract additional cyber security threat information from the unstructured and semi-structured data sources 104, 105. The additional cyber security threat information may be identified and extracted based on the predetermined list of terms 106); (See Apreleva for limitation in bracket below)
and generate a user interface screen including at least some of the reference information or at least some of the first phrase information (Howes, See Fig. 7, and [0009] FIG. 7 illustrates a user interface display for an application of the data trend analysis system to threat trend analysis).
While Howes teaches analyzing appearance tendency based on logged terms for forecasting cyber security threat risks, Howes does not expressly teach that the security phrase is related to a malicious program that provides malicious instructions to an information processing device; however, in the same field of endeavor, Chernin teaches:
the appearance tendency represents a phrase related to a malicious program that provides malicious instructions to an information processing device (Chernin, [0075] Information contained within a TTP (Tactics, Techniques and Procedures) construct includes (but is not limited to) the specific adversary behavior exhibited (e.g., attack patterns, malware, exploits), … the intended effects of the behavior, relevant "kill chain" phases,… and [0076] an example of a TTP includes using malware to steal credit card credentials by sending targeted emails to potential victims with attached documents (i.e. malicious program) containing malicious code (i.e. instructions) which executes upon opening, capturing credit card information from keystrokes using that code… Examiner notes victim’s computing device is an information processing device). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Chernin in the 
While the combination of Howes-Chernin teaches extracting the reference information including the first phrase information from the database, it does not expressly teach the appearance tendency of which has changed; however, in the same field of endeavor, Apreleva teaches:
extract the reference information including the first phrase information, the appearance tendency of which has changed (Apreleva, [Title] Tracking and prediction of societal event trends using amplified signals extracted from social media. And Col. 13 lines 26-30, The keyword-based detection algorithm was used to identify tweets that announced future civil unrest or protest events. Tweets relevant to civil unrest were obtained by applying multiple textual and geographic filters to a real-time high-volume Twitter.TM. data feed. Also referring to Fig. 8, and Col. 15 lines 18-20, FIGS. 8A and 8B depict prediction of the activity level in Argentina with (FIG. 8A) and without (FIG. 8B) GDELT switching between periods of high and low activity (i.e. appearance tendency has changed)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Apreleva in the data trend analysis of Howes-Chernin by extracting event from social media source for tracking and prediction of social event by identifying trend change. This would have been obvious 
While the combination of Howes-Chernin-Apreleva does not expressly teach the following limitation(s), in the similar field of endeavor Cai teaches:
[by analyzing a time series of a number of appearances of the first phrase information included in the reference information] (Limitation in bracket taught by Howes as shown above) using a technical analysis method (Cai, discloses using moving average techniques to analyze stock price movement and detects moving direction using a technical tool, see [Abstract]. And [0060] the trend stick chart of the present invention is more adapted to today's fast-moving market by providing a technical analysis that updates dynamically in real-time).
based on a result of comparison between at least some data out of the calculated data and criterion data, determine whether the appearance tendency of the first phrase information has changed (Cai, referring to Fig. 9, and [0071] In particular, when the volume difference ratio is positive and is higher than a predetermined threshold (i.e. criterion data, also see Howes for predetermined criterion data), … When the volume difference ratio is negative and is higher than a predetermined threshold, … And [0074] When the power volume line starts to move upward at the turning point and the current trade price is above 10 and 20 moving average line will indicate that the "market-makers" likely desire to enter into the market, as shown in FIG. 9 at point 1.  In other words, the market is trending up or starts to trend up);


Regarding claim 16, Howes-Chernin-Apreleva-Cai combination teaches:
A cyber threat analysis method comprising: the method steps substantially similar to the method steps of claim 1, and therefore is rejected for the same reason set forth in the rejection of claim 1 above.

Regarding claim 17, Howes-Chernin-Apreleva-Cai combination teaches:
A non-transitory computer-readable medium storing a cyber threat analysis program that, when executed by a processor (Apreleva, Fig. 1 Processor 104. And Col. 3 lines 24-26, the system comprises one or more processors and a memory having instructions such that when the instructions are executed), cause the processor to: 
store reference information acquired from an information source (Apreleva, [Abstract] The system filters a time series of data obtained from a social media source. Fig. 1 Storage Device, Col. 9 lines 43-44, The storage device 116 is configured to store information); and 

Regarding claim 5, Howes-Chernin-Apreleva-Cai combination further teaches:
The cyber threat analysis system according to claim 1, 
wherein processor is further configured to: using any of moving average convergence divergences (MACDs), MACD signals, and MACD histograms of a time series of the number of appearances of the first phrase information, calculate data representing the appearance tendency of the first phrase information at least at the two different timings (Cai, [0082] The MACD or Moving Average Convergence/Divergence, which was created by Gerald Appel, is a technical analysis indicator that is used to spot changes in strength, direction, momentum, and duration of the price trend. See Fig. 9-11, point 1, 2 etc. i.e. at least two different timings).  

Regarding claim 7, Howes-Chernin-Apreleva-Cai combination further teaches:
The cyber threat analysis system according to claim 1, wherein the processor is further configured to: with respect to the first phrase information, calculate two or more different types of data representing the appearance tendency of the first phrase information (Apreleva, Col. 16 lines 30-41, The prediction was made based on regression for a long section of EFS (e.g., 5 months, or 150 days) on statistics of CU from GSR or GDELT. It is possible to further refine prediction in the case of ILI, where changes in morbidity trends are slow and one can employ regression with a long (e.g., from 25 to 52 weeks) sliding time window (STW) and a short one (e.g., from 4 weeks to 16 weeks) (i.e. two different types of data). The difference between the two is that the short sliding time window works better if one has to make a prediction for a relatively short period of time (e.g., one to two weeks) or, for example, when a substantial change of ILI counts is not expected); 
Cai further teaches: and based on the result of comparison between the at least some data out of the calculated data and the criterion data, determine whether the appearance tendency of the first phrase information has changed (Cai, discloses using moving average techniques to analyze stock price movement and detects moving direction, e.g. referring to Fig. 9, and [0074] When the power volume line starts to move upward at the turning point and the current trade price is above 10 and 20 moving average line will indicate that the "market-makers" likely desire to enter into the market, as shown in FIG. 9 at point 1.  In other words, the market is trending up or starts to trend up).  

Regarding claim 8, Howes-Chernin-Apreleva-Cai combination further teaches:
The cyber threat analysis system according to claim 7, wherein the processor is further configured to: by obtaining a standard deviation of a rate of change in the number of appearances of the first phrase information over a predetermined period of time, calculate the data representing the appearance tendency of the first phrase information (Apreleva, Col. 15 lines 24-29, The threshold of N.sub.a+2.sigma., where .sigma. is a standard deviation for the number of events for the low activity period and N.sub.a represents the average number of events per week, showed good performance for switching parameters between two states of high and low activity).  

Regarding claim 12, Howes-Chernin-Apreleva-Cai combination further teaches:
The cyber threat analysis system according to claim 1, wherein the processor is further configured to: generate the user interface screen including at least either a first display area in which the first phrase information, the appearance tendency of which is determined to have changed, can be displayed or a second display area in which at least some of the reference information including at least some of the first phrase information displayed in the first display area can be displayed (Howes, e.g. Fig. 7, and [0032] the user interface 114 may display the trends 112 in descending order based on the corresponding adjusted TF-IPF values).7 Docket No. J-18-0033  

Regarding claim 13, Howes-Chernin-Apreleva-Cai combination further teaches:
The cyber threat analysis system according to claim 12, wherein the processor is further configured to: generate the user interface screen including at least one of a third display area in which an analysis result on a time-series appearance tendency of the first phrase information that is analyzed using the technical analysis method can be displayed, the first display area, and the second display area (Cai, see e.g. Fig. 13 and 14 as at least any one of the first, second, third display area).  

Regarding claim 14, Howes-Chernin-Apreleva-Cai combination further teaches:
The cyber threat analysis system according to claim 1, 
wherein the processor is further configured to: using data that are extracted from the reference information including the first phrase information the appearance tendency of which (Apreleva, Col. 13 lines 26-30, The keyword-based detection algorithm was used to identify tweets that announced future civil unrest or protest events.  Tweets relevant to civil unrest were obtained by applying multiple textual and geographic filters to a real-time high-volume Twitter.TM. data feed. Also referring to Fig. 8, and Col. 15 lines 18-20, FIGS. 8A and 8B depict prediction of the activity level in Argentina with (FIG. 8A) and without (FIG. 8B) GDELT switching between periods of high and low activity (i.e. appearance tendency has changed)), 
Chernin further teaches: and the data conform to a predetermined format, generate threat description data that describe a threat in security related to the first phrase information and a countermeasure against the threat using a predetermined structured form (Chernin, [0068] the common language used by the plurality of repositories for storing and distributing threat information is the Structured Threat Information eXpression (STIX) language.  And [0073] Another construct in the STIX language is the "Indicator." An Indicator conveys information about specific patterns of Observables, combined with contextual information, which is intended to represent behaviors of interest within the cybersecurity context …suggested courses of action, related Indicators, and the Indicator's source).  

Regarding claim 15, Howes-Chernin-Apreleva-Cai further teaches:
The cyber threat analysis system according to claim 14, 
wherein the processor is further configured to: extract data capable of specifying a resource in a communication network as data conforming to the predetermined format from the reference information; and generate the threat description data describing the (Chernin, [0052] FIG. 2 illustrates a second exemplary embodiment 200 of the "hub & spoke system" that incorporates an "access control" or "trust" group 212, and local repositories 204a, 204b, and 204c. And [0057] the threat information-sharing systems of the present invention may include one or more "communities" of entities and/or repositories, wherein each community may contain one or more access control groups 212).

Regarding claim 21, similarly claim 22, claim 23, Howes-Chernin-Apreleva-Cai further teaches:
The cyber threat analysis system according to claim 1, the cyber threat analysis method according to claim 16, the non-transitory computer-readable medium 17, wherein the criterion data is a predetermined criterion value (Cai, [0071] In particular, when the volume difference ratio is positive and is higher than a predetermined threshold (i.e. criterion data), it indicates that the "market-makers-like" are likely desire to enter into the market).  

Claims 6, 9-10 are rejected under 35 U.S.C. 103 as being unpatentable over Howes-Chernin-Apreleva-Cai combination as applied above, further in view of Farnham et al (US20140324966A1, hereinafter, “Farnham”).
Regarding claim 6, Howes-Chernin-Apreleva-Cai combination teaches:
The cyber threat analysis system according to claim 5, 

wherein the processor is further configured to: individually calculate MACD histograms of the first phrase information at least at the two different timings; and when a sign of a product of the calculated MACD histograms is negative, determine that the appearance tendency of the first phrase information has changed (Farnham, [0034] to spot changes in the momentum of F, one may compute the MACD statistics which is defined as the difference between the n.sub.1- and n.sub.2-hour EMA for S(F), where n.sub.1 and n.sub.2 are time lags.  Finally, to identify whether and when F is trending, one may quantify the rate of change of its momentum. Therefore, one may calculate the MACD histogram, defined as the difference between F's MACD and its signal line (the n-day EMA of MACD). As this measures the rate of change, the result at a given time period can be either positive (indicating F is trending up) or vice versa).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Farnham in the data trend analysis of Howes-Chernin-Apreleva-Cai by using MACD histogram as calculated indicator for measuring the momentum of data movement from social media analysis. This would have been obvious because the person having ordinary skill in the art would have been motivated to further use calculated MACD histogram at different timings to predict the rate of change and determine data trend change direction (Farnham, [0034]).
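The MACD-histogram test recited in claim 6 and described in the Farnham passage quoted above can be illustrated as follows. This is an added example, not code from the application, the Office action, or any cited reference; the EMA spans (3/6/3), the function names, and the daily phrase counts are constructed assumptions.

```python
"""MACD-histogram trend-change check on a phrase-count time series.

Illustrative only: spans and sample counts are constructed, not taken
from the application or from Farnham.
"""
from typing import List, Sequence


def ema(values: Sequence[float], span: int) -> List[float]:
    """Exponential moving average, alpha = 2/(span+1), seeded with values[0]."""
    if not values:
        return []
    alpha = 2.0 / (span + 1)
    out = [float(values[0])]
    for v in values[1:]:
        # Incremental form keeps a flat series exactly flat (no float drift).
        out.append(out[-1] + alpha * (v - out[-1]))
    return out


def macd_histogram(counts: Sequence[float], fast: int = 12,
                   slow: int = 26, signal: int = 9) -> List[float]:
    """MACD = fast EMA - slow EMA; histogram = MACD - EMA(MACD, signal)."""
    if fast >= slow:
        raise ValueError("fast span must be shorter than slow span")
    macd = [f - s for f, s in zip(ema(counts, fast), ema(counts, slow))]
    signal_line = ema(macd, signal)
    return [m - s for m, s in zip(macd, signal_line)]


def tendency_changed(hist: Sequence[float], t1: int, t2: int) -> bool:
    """Claim-6 style test: the product of the histogram values at two
    timings is negative, i.e. the histogram crossed zero between them."""
    return hist[t1] * hist[t2] < 0


def change_points(hist: Sequence[float]) -> List[int]:
    """Indices where the histogram changes sign relative to the prior step.
    A zero value yields a zero product and is not counted as a change."""
    return [i for i in range(1, len(hist)) if hist[i - 1] * hist[i] < 0]


# Constructed sample: daily number of appearances of one phrase
# (for instance a malware family name) across collected reports.
SAMPLE_COUNTS = [2, 2, 2, 2, 4, 8, 16, 24, 24, 20, 12, 6, 3, 2, 2, 2]

if __name__ == "__main__":
    hist = macd_histogram(SAMPLE_COUNTS, fast=3, slow=6, signal=3)
    for day, (count, h) in enumerate(zip(SAMPLE_COUNTS, hist)):
        print(f"day {day:2d}  count={count:3d}  histogram={h:+.3f}")
    print("sign changes at days:", change_points(hist))
```

The histogram stays at zero while the count is flat, turns positive as mentions accelerate, and crosses below zero once growth stalls, which is the point the sign-of-product test flags.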

Regarding claim 9, Howes-Chernin-Apreleva-Cai combination teaches:
The cyber threat analysis system according to claim 1, 
While the Howes-Chernin-Apreleva-Cai combination does not explicitly teach the following limitation(s), in the similar field of endeavor Farnham teaches:
wherein the processor is further configured to: extract second phrase information representing another phrase that is included in the reference information including the first phrase information and that has a relationship with the first phrase information (Farnham, [0040] each trending feature is a node of the graph and each node is linked to another by an edge if it belongs to the k neighbor list of the second object.  Here, one may define feature F1 is the neighbor of feature F2 only if F1 and F2 are topically-related (e.g., "Gas" can be a neighbor to "leak" but may not be a neighbor to "party")), 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Farnham in the data trend analysis of Howes-Chernin-Apreleva-Cai by obtaining hyperlocal content from social media analysis. This would have been obvious because the person having ordinary skill in the art would have been motivated to group the trending features into topically related event-clusters by using shared nearest neighborhood clustering algorithm (Farnham, [Abstract], [0039-0040]).
Apreleva further teaches: and analyze the appearance tendency of the first phrase information using the second phrase information as a new first phrase information (Apreleva, Col. 13, lines 26-30, The keyword-based detection algorithm was used to identify tweets that announced future civil unrest or protest events. Also referring to Fig. 8, and Col. 15 lines 18-20, FIGS. 8A and 8B depict prediction of the activity level in Argentina with (FIG. 8A) and without (FIG. 8B) GDELT switching between periods of high and low activity. Examiner notes that using the second phrase information as a new first phrase information suggests repeating the analyzing step).

Regarding claim 10, Howes-Chernin-Apreleva-Cai-Farnham combination further teaches:
The cyber threat analysis system according to claim 9, wherein the processor is further configured to: extract one or more information representing another phrase that is included in the reference information including the first phrase information; and based on a statistic relating to the information representing the another phrase, select at least some information representing the another phrase as the second phrase information (Farnham, [0041] The assignment of posts to clusters may be used as part of the presentation of locality-based information. For example, once a gas leak has been detected as an event in a locality (based on the trending occurrence of words associated with a gas leak), posts from that locality relating to the gas leak may be assigned to clusters). 

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Howes-Chernin-Apreleva-Cai-Farnham combination as applied above to claim 10, further in view of Cohen et al (US20150356101A1, hereinafter, “Cohen”).
Regarding claim 11, Howes-Chernin-Apreleva-Cai-Farnham combination teaches:

While the Howes-Chernin-Apreleva-Cai-Farnham combination does not explicitly teach the following limitation(s), in the similar field of endeavor Cohen teaches:
decompose text data included in the reference information including the first phrase information into one or more words according to parts of speech (Cohen, [0090] Terms may be extracted from the text of the content of the web document (e.g., words found in an article, words appearing in an image by an image analysis program that identifies text and/or segments text in the image,… from the name of the web document, from sounds in the web document (e.g., converted from speech to text by a software module operating on a sound file and/or video file); and count a number of appearances of the one or more words; and extract a predetermined number of information representing the one or more words in descending order of the number of appearances as the second phrase information, or extract information representing the one or more words, the number of appearances of which is equal to or more than a criterion value as the second phrase information (Cohen, [0099] The sub-set of the ranked terms may be stored in the trend dataset in association with the trend according to a relevancy requirement, for example, the highest 5 terms may be stored, or the terms meeting the relevancy requirement may be stored).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Cohen in the data trend analysis of Howes-Chernin-Apreleva-Cai-Farnham by grouping of social media content with respective trend. This would have been obvious because the person having .
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but have not been relied upon for this office action:
Mason et al (US20130159505A1). Discloses methods to identify trending or temporally popular phrases based on aggregating user’s interactions with an aggregate of content. 
Benyamin et al (US 9,002,892B2). Discloses methods for trend detection using frequency analysis of the discrete time sequence of word counts to determine contributions of frequency components within different frequency ranges to the discrete time sequence of word counts.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.







/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436