DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-4 and 6-9 are pending for examination.  Claim 5 was cancelled in claim amendments filed 03/22/2021.
This Office action is FINAL.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


	Claims 1-4 and 6-9 are rejected under 35 U.S.C. 101 because the claimed invention is directed to (an) abstract idea(s) without significantly more.

	Step 1: Is/are the claim(s) to a process, machine, manufacture, or composition of matter?
	Yes.

	Step 2A, Prong I: Is/are the claim(s) directed to a law of nature, a natural phenomenon, or an abstract idea?
	Yes.


receiving, from a network, an output of logs comprising a plurality of data formats and comprising one or more character strings;
dividing the output of logs based on the data formats and extracting the one or more character strings;
performing a first analysis to detect an anomaly based on the output of logs;
performing a second analysis to analyze the anomaly based on contents of the logs output within a time range including an occurrence time of the anomaly detected by the first analysis; and
outputting, based on a combination of the first analysis and the second analysis, a notification regarding a detection of the anomaly,
wherein performing the first analysis comprises detecting the anomaly based on determining whether a time-series change in an accumulated output number of the logs or an output frequency of the logs is greater than a predetermined threshold, and
wherein performing the second analysis comprises detecting one or more variable values from the extracted one or more character strings and determining whether the one or more variable values is repeated in the one or more character strings a greater number of times than a pre-stored average repetition of the one or more variable values from other logs from the network.

	The ‘dividing…and extracting’ limitation in # 2 above, as claimed, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components.  That is, other than reciting “a non-transitory storage medium” (per Claim 8), “a memory” (per Claim 9), and “at least one hardware processor” (per Claims 1 and 9), nothing in the claim element precludes the step from practically being performed in the mind.  For example, ‘dividing…and extracting’ merely describes a person of ordinary skill in the art manipulating simple data strings on paper.
	The ‘performing’ limitations in # 3 and # 4 above, as claimed, are processes that, under their broadest reasonable interpretation, cover performance of the limitations in the mind but for the recitation of generic computer components.  That is, other than reciting “a non-transitory storage medium” (per Claim 8), “a memory” (per Claim 9), and “at least one hardware processor” (per Claims 1 and 9), nothing in the claim elements preclude the steps from practically being performed in the mind.  For example, ‘performing’ merely describes the person studying data on paper and thinking about the results.

	The ‘detecting…determining’ limitations in # 6 and # 7 above, as claimed, are processes that, under their broadest reasonable interpretation, cover performance of the limitations in the mind but for the recitation of generic computer components.  That is, other than reciting “a non-transitory storage medium” (per Claim 8), “a memory” (per Claim 9), and “at least one hardware processor” (per Claims 1 and 9), nothing in the claim elements preclude the steps from practically being performed in the mind.  For example, ‘detecting…determining’ merely describes the person noticing a change in data behavior by thinking about the results.
	
	Claim 2 recites:
determining which of a plurality of predetermined forms the logs match, each of the forms including a variable part that varies and a constant part that does not vary, wherein performing the second analysis comprises analyzing the anomaly based on a value of the variable part included in the logs.
	The ‘determining’ limitation in # 8 above, as claimed, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but 
	
	Claim 3 recites:
wherein performing the second analysis comprises analyzing the anomaly by generating a distribution of the logs for each value of the variable part included in the logs.
	The ‘generating’ limitation in # 9 above, as claimed, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components.  That is, other than reciting “at least one hardware processor” (per Claim 1), nothing in the claim element precludes the step from practically being performed in the mind.  For example, ‘generating’ merely describes the person drawing a simple distribution on paper.
	
	Claim 4 recites:
wherein performing the second analysis comprises analyzing the anomaly by generating a distribution of the logs for respective combinations of the forms of the logs and values of the variable part included in the logs.
	The ‘generating’ limitation in # 10 above, as claimed, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components.  That is, other than reciting “at least 
	
	Claim 6 recites:
wherein performing the first analysis further comprises detecting the anomaly when the logs that do not match any of the forms and values of the variable part that are pre-stored are output.
	The ‘detecting’ limitation in # 11 above, as claimed, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components.  That is, other than reciting “at least one hardware processor” (per Claim 1), nothing in the claim element precludes the step from practically being performed in the mind.  For example, ‘detecting’ merely describes the person noticing a change in data behavior by thinking about the results.  Additionally, the claimed ‘are output’ describes mere data outputting of the data such as printed on paper or displayed generically.  Mere data outputting has been determined by the courts to be insignificant extra-solution activity.  See MPEP 2106.05(g)(3).
	
	Claim 7 recites:
wherein performing the second analysis comprises: generating a time-series graph of a number of the logs or a frequency of the logs that do not match any of the forms and the values of the variable part that are pre-stored; and
analyzing the anomaly based on a change point in the graph.
	The ‘generating’ limitation in # 12 above, as claimed, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components.  That is, other than reciting “at least one hardware processor” (per Claim 1), nothing in the claim element precludes the step from practically being performed in the mind.  For example, ‘generating’ merely describes the person drawing a simple graph on paper.
	The ‘analyzing’ limitation in # 13 above, as claimed, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components.  That is, other than reciting “at least one hardware processor” (per Claim 1), nothing in the claim element precludes the step from practically being performed in the mind.  For example, ‘analyzing’ merely describes the person studying the simple graph and thinking about the results.

	As detailed above and evaluated in light of the Specification of the instant application, the Examiner asserts that Claims 1-4 and 6-9, overall, recite mental processes which may be performed in the mind and/or by pen and paper.  This type of activity includes longstanding conduct that existed well before the advent of computers and the Internet and that had long been carried out by a human with pen and paper. See CyberSource Corp., 654 F.3d at 1375 (“That purely mental processes can be unpatentable, even when performed by a computer, was precisely the holding of the Supreme Court in Gottschalk v. Benson.”).  See also Elec. Power Grp., LLC v. Alstom S.A., 830 F.3d 1350, 1351 (Fed. Cir. 2016) (“Though lengthy and numerous, the claims 

	Step 2A, Prong II: Do/does the claim(s) recite additional elements that integrate the judicial exception into a practical application?
	No.

	This judicial exception is not integrated into a practical application.  In particular, the claims only recite additional generic elements:
“a non-transitory storage medium” (per Claim 8),
“a memory” (per Claim 9), and
“at least one hardware processor” (per Claims 1 and 9)
	These elements are recited at a high-level of generality (i.e., as generic computer components performing generic computer functions) such that they amount to no more than mere hardware to apply the exception.  Accordingly, these additional elements do not integrate the abstract idea(s) into a practical application because they do not impose any meaningful limits on practicing the abstract idea(s).

	Step 2B: Do/does the claim(s) recite additional elements that amount to significantly more than the judicial exception?
	No.

	The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception.  As discussed above with respect to integration of the abstract idea into a practical application, the additional aforementioned bulleted elements used to perform the steps of the claimed invention amount to no more than mere generic hardware to apply the exception.  Mere hardware / instructions to apply an exception using (a) generic computer component(s) cannot provide an inventive concept.

	As further evidence of the conventional nature of the aforementioned bulleted elements, the Specification of the instant application discloses these elements in conventional terms.  See Spec: ¶ 0031-0033 and ¶ 0061-0063.  Thus, because the Specification describes the additional elements in general terms, without describing the particulars, the claim limitations are broadly but reasonably construed as reciting conventional computer components and techniques, particularly in light of Applicant’s Specification, as cited above.

	Accordingly, Claims 1-4 and 6-9 are not patent eligible under 35 U.S.C. 101.


Allowable Subject Matter
Claims 1, 8, and 9 would be allowable if rewritten or amended to overcome the rejections under 35 U.S.C. 101, set forth in this Office action.

Claims 2-4, 6, and 7 would be allowable if rewritten to overcome the rejections under 35 U.S.C. 101, set forth in this Office action and to include all of the limitations of the base claim and any intervening claims.

The following is a statement of reasons for the indication of allowable subject matter under only 35 U.S.C. 102 and/or 35 U.S.C. 103:
The elements of independent Claims 1, 8, and 9 were neither found through a search of the prior art nor considered obvious by the Examiner.  In particular, the prior art of record does not teach or suggest, in combination with the remaining limitations and in the context of their claims as a whole:
Claims 1, 8, and 9: “…wherein performing the second analysis comprises detecting one or more variable values from the extracted one or more character strings and determining whether the one or more variable values is repeated in the one or more character strings a greater number of times than a pre-stored average repetition of the one or more variable values from other logs from the network.”


Response to Arguments
Applicant’s arguments, see page 7 of the Remarks paperwork, filed 10/27/2021, with respect to the 35 U.S.C. 112 rejections of Claims 1-4 and 6-9 have been fully 

Applicant's remaining arguments with regards to 35 U.S.C. 101 have been fully considered, but they are not persuasive.

With regards to the 35 U.S.C. 101 rejections of Claims 1-4 and 6-9, the Remarks argue that:
In response to previously presented comments that the claims are not directed to the rejection's alleged abstract idea, see page 21 of the Office Action (mailed 07/27/2021) where the rejection alleges that "[t]he Examiner is trying to prevent a scenario such as this example from accidentally becoming patent eligible because it is not patent eligible."  At pages 20-21 of the Office Action, the rejection explains "this example" with respect to various drawing and thinking done by the Examiner.  However, the rejection's "this example" is not representative of the pending claims.  As to "this example" not being representative of the pending claims, consider Claim 1.  Without acquiescing to the rejection's characterization of the claimed features, even viewing that consideration, the rejection fails to address, on this point, the specific tie to computer technology such as:
"A log analysis method, performed by at least one hardware processor, comprising: receiving, from a network…", and
"…from other logs from the network." 

The rejection acknowledged comments, see pages 23 and 24 of the Office Action (mailed 07/27/2021), but rather than addressing the merits of those comments, the rejection instead alleges that "separate analysis and rejections of the claims under 35 U.S.C. 101 and 102/103 are performed and are kept separate for at least this reason."  Respectfully, the rejection is inconsistent with current USPTO guidance.  Namely, not only is such analysis guided by the USPTO as not separate but instead that the analysis under 35 USC 101 is more factually demanding than 35 USC 103.  The USPTO's Berkheimer memo supports the Applicant's current contention that the rejection's failure to show obviousness of the specifically claimed features, not the rejection's characterization thereof, necessarily indicates that the USPTO has failed to show any of "well- understood, routine, and conventional" nature of the specifically claimed features.  And as such, it is again respectfully submitted that the pending claims are not any of "well-understood, routine, and conventional".  At the paragraph bridging pages 25 and 26 of the Office Action, the rejection alleges that "[r]epeatedly populating data points in a chart or graph is recognized by the courts to be well-understood, routine, and conventional."  Although Applicant does not acquiesce to such assertion, 
See also page 12-14 of Cosmokey.  At page 14, the court, in view of the relevant specification, noted: “Here, the claim limitations are more specific and recite an improved method for overcoming hacking by ensuring that the authentication function is normally inactive, activating only for a transaction, communicating the activation within a certain time window, and thereafter ensuring that the authentication function is automatically deactivated.”  However, taking the pending rejection's analysis as to such improvements needing to be recited "in the claim language," the claim in Cosmokey
At page 24 of the Office Action (mailed 07/27/2021), the rejection responds to the Applicant's previous comments that the claims should be found patent eligible for similar reasons to those of the USPTO example claim 40, but the pending rejection merely responds by noting that "the claimed invention of the instant application doesn't limit collection of additional Netflow protocol data to when the initially collected data reflects an abnormal condition, which avoids excess traffic volume on the network and hindrance of network performance."  Similarly, see page 25 of the Office Action which also includes analysis as to whether the pending claims mirror aspects of the Example claim 42 such as "providing remote access and transmitting data in real time."  Similarly, see page 22 of the Office Action which also includes such mirroring analysis with respect to Example claim 39.  Such analysis by the Office Acton is in direct contradiction to USPTO guidance.  That is, see the first paragraph of the USPTO's Subject Matter Eligibility Examples: Abstract Ideas 37-42 which notes (emphasis added): "[t]hat is, it is not necessary for a claim under examination to mirror an example claim to be subject matter eligible under the 2019 PEG."  However, the above-quoted portion of the current rejection reflects an implied, albeit improperly implied, requirement to mirror the example claim, and as such, at least that portion of the rejection should be withdrawn.

	However, the Examiner respectfully disagrees.

	With regards to # 1 above, the quoted “this example” is reprinted for purposes of discussion in this Office action below:
	
    PNG
    media_image1.png
    319
    795
    media_image1.png
    Greyscale

	Applicant alleges that receiving data (logs / other logs) from a network prevents “this example” from being printed on paper and/or from being abstract.  However, the Examiner disagrees and points to MPEP 2106.04(a)(2)(III)(C)(2):
	A Claim That Requires a Computer May Still Recite a Mental Process.
	2. Performing a mental process in a computer environment.  An example of a case identifying a mental process performed in a computer environment as an abstract idea is Symantec Corp., 838 F.3d at 1316-18, 120 USPQ2d at 1360.  In this case, the Federal Circuit relied upon the specification when explaining that the claimed electronic post office, which recited limitations describing how the system would receive, screen and distribute email on a computer network, was analogous to how a person decides whether to read or dispose of a particular piece of mail and that "with the exception of generic computer-implemented steps, there is nothing in the claims themselves that emphasis added)
	The Examiner asserts that just because data is received from a generic computer environment such as a network, this does not mean that the data is excluded from being analyzed in the mind, mentally or with pen and paper, as described above.

	With regards to # 2 above, the Examiner disagrees and points to MPEP 2106.05(I):
	Although the courts often evaluate considerations such as the conventionality of an additional element in the eligibility analysis, the search for an inventive concept should not be confused with a novelty or non-obviousness determination.  See Mayo, 566 U.S. at 91, 101 USPQ2d at 1973 (rejecting "the Government’s invitation to substitute §§ 102, 103, and 112  inquiries for the better established inquiry under § 101 ").  As made clear by the courts, the "‘novelty’ of any element or steps in a process, or even of the process itself, is of no relevance in determining whether the subject matter of a claim falls within the § 101  categories of possibly patentable subject matter." Intellectual Ventures I v. Symantec Corp., 838 F.3d 1307, 1315, 120 USPQ2d 1353, 1358 (Fed. Cir. 2016) (quoting Diamond v. Diehr, 450 U.S. at 188–89, 209 USPQ at 9). See also Synopsys, Inc. v. Mentor Graphics Corp., 839 F.3d 1138, 1151, 120 USPQ2d 1473, 1483 (Fed. Cir. 2016) ("a claim for a new abstract idea is still an abstract idea. The search for a § 101  inventive concept is thus distinct from demonstrating § 102  novelty.").  In addition, the search for an inventive concept is different from an obviousness analysis under 35 U.S.C. 103.  See, e.g., BASCOM Global Internet v. AT&T Mobility LLC, 827 F.3d 1341, 1350, 119 USPQ2d 1236, 1242 (Fed. Cir. 2016) ("The inventive concept inquiry requires more than recognizing that each claim element, by itself, was known in the art. . . . [A]n inventive concept can be found in the non-conventional and non-generic arrangement of known, conventional pieces."). Specifically, lack of novelty under 35 U.S.C. 102  or obviousness under 35 U.S.C. 103  of a claimed invention does not necessarily indicate that additional elements are well-understood, routine, conventional elements.  Because they are separate and distinct requirements from eligibility, patentability of the claimed invention under 35 U.S.C. 102  and 103 with respect to the prior art is neither required for, nor a guarantee of, patent eligibility under 35 U.S.C. 101.  The distinction between eligibility (under 35 U.S.C. 101 ) and patentability over the art (under 35 U.S.C. 102  and/or 103 ) is further discussed in MPEP § 2106.05(d).

	With regards to # 3 above, the claim in Cosmokey is:
	1. A method of authenticating a user to a transaction at a terminal, comprising the steps of:
	transmitting a user identification from the terminal to a transaction partner via a first communication channel,
	providing an authentication step in which an authentication device uses a second communication channel for checking an authentication function that is implemented in a mobile device of the user,
	as a criterion for deciding whether the authentication to the transaction shall be granted or denied, having the authentication device check whether a predetermined time relation exists between the transmission of the user identification and a response from the second communication channel,
	ensuring that the authentication function is normally inactive and is activated by the user only preliminarily for the transaction,
	ensuring that said response from the second communication channel includes information that the authentication function is active, and
	thereafter ensuring that the authentication function is automatically deactivated.
	The decision is careful to state that:
	While prior cases can be helpful in analyzing eligibility, whether particular claim limitations are abstract or, as an ordered combination, involve an inventive concept that 
transforms the claim into patent eligible subject matter, must be decided on a case-by-case basis in light of the particular claim limitations, patent specification, and invention at issue.  Here, the claim limitations are more specific and recite an improved method for overcoming hacking by ensuring that the authentication function is normally inactive, activating only for a transaction, communicating the activation within a certain time window, and thereafter ensuring that the authentication function is automatically
deactivated.  The specification explains that these features in combination with the other elements of the claim constitute an improvement that increases computer and network security, prevents a third party from fraudulently identifying itself as the user, and is easy to implement and can be carried out even with mobile devices of low complexity…Here, as the specification itself makes clear, the claims recite an inventive concept by requiring a specific set of ordered steps that go beyond the abstract idea emphasis added)
	In other words, the specification alone is not enough to render a set of claims patent eligible under at least step 2.  As stated above, whether particular claim limitations are abstract or, as an ordered combination, involve an inventive concept that 
transforms the claim into patent eligible subject matter, must be decided on a case-by-case basis in light of the particular claim limitations, patent specification, and invention at issue.  Not or.  As such, the Examiner’s assertion as to such improvements needing to be recited "in the claim language" is correct.

	With regards to # 4 above, Applicant’s assumption that the Examiner implied a requirement to mirror the example claim (e.g. the USPTO example claim 40) is incorrect.  Nowhere within the Office action, mailed 07/27/2021, did the Examiner state that the claims of the instant application needed to be mirrored to example claims.  The Examiner was, and is again, clearly stating that the claimed invention of the instant application merely recites a two-step analysis which could be performed abstractly by using a scenario such as the example found in # 1 above.  This is contrasted with the USPTO example claim 40 which clearly recites a particular technological improvement in the art.
	
	For at least the reasoning provided above, Claims 1-4 and 6-9 remain rejected.


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 


Communication
Any inquiry concerning this communication or earlier communications from the Examiner should be directed to JOSEPH KUDIRKA whose telephone number is (571)270-7126.  The Examiner can normally be reached M-F 9am - 6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool.  To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center.  Unpublished application information in Patent Center is available to registered users.  To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov.  Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format.  For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JOSEPH R KUDIRKA/Primary Examiner, Art Unit 2114