DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The amendment filed 12/3/2021 has been placed of record in the file.
Claims 1 and 8-10 have been amended.
Claim 4 has been canceled.
Claims 1-3 and 5-10 are now pending.
The applicant’s arguments with respect to claims 1-3 and 5-10 have been considered but are moot in view of the following new grounds of rejection.

Response to Amendment
Claims have been amended to further define the similarity determination.  The amendment proves a change in scope to the independent claims as the independent claims now explicitly state wherein the similarity is determined in accordance with a length of a longest common subsequence between a character class sequence of the profile and a character class sequence of the detection target.  However, none of the amended claims show a patentable distinction over the prior art as evidenced by the following new grounds of rejection.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3 and 5-10 are rejected under 35 U.S.C. 103 as being unpatentable over Perdisci et al. (U.S. Patent Application Publication Number 2015/0026808), hereinafter referred to as Perdisci, in view of Xu et al. (U.S. Patent Application Publication Number 2017/0264626), hereinafter referred to as Xu.
Perdisci disclosed techniques for the detection of malware using behavioral clustering.  In an analogous art, Xu disclosed techniques for the detection of malicious cookies using clustering.  Both systems deal directly with detecting malicious network traffic by using clustering.
Regarding claim 1, Perdisci discloses a profile generation device that generates a profile indicating characteristics of a request to a web server, the request being a detection target, the profile generation device comprising: a memory; and a processor coupled to the memory and programmed to execute a process comprising: acquiring profile information including a combination of path parts and parameters included in a request that is learning data (paragraph 7, collects HTTP traffic information from known malware samples); and when a group of the acquired profile information includes a predetermined number or more of profile information in which the path parts are different but similarity between names of the parameters is equal to or more than a predetermined value, generating a profile in which the group of the profile information is aggregated (paragraph 7, clusters HTTP traffic information, and paragraph 74, clustering based on structural features of HTTP requests).

Regarding claim 2, the combination of Perdisci and Xu discloses wherein, when the group of the acquired profile information includes a predetermined number or more of profile information groups in which the path parts are different but the names of the parameters are equal to each other, setting the profile information group, in which the names of the parameters are equal to each other, as an aggregation target (Perdisci, paragraph 77, clustering based on parameter names).
Regarding claim 3, the combination of Perdisci and Xu discloses wherein, when aggregating a profile information group in which the similarity between the names of the parameters is equal to or more than the predetermined value, aggregating a profile information group in which similarity between parameter value information included in the profile 
Regarding claim 5, the combination of Perdisci and Xu discloses wherein, when aggregating a profile information group in which the similarity between the names of the parameter is equal to or more than the predetermined value, setting a wildcard as a path part in a profile information group to be aggregated in the profile (Perdisci, paragraph 133, approximate matching ignores certain characters).
Regarding claim 6, the combination of Perdisci and Xu discloses wherein, when aggregating a profile information group in which the similarity between the names of the parameter is equal to or more than the predetermined value, setting, as a non-aggregation target, parameter value information in which the number of appearances or an appearance ratio of the parameter value information in the profile information group is smaller than the predetermined value (Perdisci, paragraph 78, clustering based on parameter values, and paragraph 81, dendrogram cut splits clusters).
Regarding claim 7, the combination of Perdisci and Xu discloses wherein the profile is information in which the path parts included in the request, the names of the parameters, and parameter value information of the parameters are correlated with one another (Perdisci, paragraph 79, weights defined for path, parameter name, and parameter value factors).
Regarding claim 8, Perdisci discloses an attack detection device that detects an attack by using a profile indicating characteristics of a request to a web server, the request being a detection target, the attack detection device comprising: a memory; and a processor coupled to the memory and programmed to execute a process comprising: acquiring profile information including a combination of path parts and parameters included in a request that is learning data 
Perdisci does not explicitly state wherein the similarity is determined in accordance with a length of a longest common subsequence between a character class sequence of the profile and a character class sequence of the detection target.  However, using a longest common subsequence algorithm in such a fashion was well known in the art as evidenced by Xu.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Perdisci by adding the ability that the similarity is determined in accordance with a length of a longest common subsequence between a character class sequence of the profile and a character class sequence of the detection target as provided by Xu (see paragraph 47, determines if pattern is shared with known malware family using LCS algorithm).  One of ordinary skill in the art would have recognized the benefit that analyzing HTTP strings in such a way would assist in facilitating enhanced malware detection (see Xu, paragraph 39).
Regarding claim 9, Perdisci discloses a profile generation method using a profile generation device that generates a profile indicating characteristics of a request to a web server, the request being a detection target, the profile generation method comprising: acquiring profile information including a combination of path parts and parameters included in a request that is learning data (paragraph 7, collects HTTP traffic information from known malware samples); and generating, when a group of the acquired profile information includes a predetermined number or more of profile information in which the path parts are different but similarity between names of the parameters is equal to or more than a predetermined value, a profile in which the group of the profile information is aggregated (paragraph 7, clusters HTTP traffic information, and paragraph 74, clustering based on structural features of HTTP requests).
Perdisci does not explicitly state wherein the similarity is determined in accordance with a length of a longest common subsequence between a character class sequence of the profile and a character class sequence of the detection target.  However, using a longest common subsequence algorithm in such a fashion was well known in the art as evidenced by Xu.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Perdisci by adding the ability that the similarity is determined in accordance with a length of a longest common subsequence between a character class sequence of the profile and a character class sequence of the detection target as provided by Xu (see paragraph 47, determines if pattern is shared with known malware family using LCS algorithm).  One of ordinary skill in the art would have recognized the benefit that analyzing HTTP strings in such a way would assist in facilitating enhanced malware detection (see Xu, paragraph 39).
Regarding claim 10, Perdisci discloses a non-transitory computer-readable recording medium having stored a profile generation program that generates a profile indicating characteristics of a normal request to a web server, the request being a detection target, and causes a computer to execute a process comprising: acquiring profile information including a
combination of path parts and parameters included in a request that is learning data (paragraph 7, collects HTTP traffic information from known malware samples); and generating, when a group of the acquired profile information includes a predetermined number or more of profile information in which the path parts are different but similarity between names of the parameters is equal to or more than a predetermined value, a profile in which the group of the profile information is aggregated (paragraph 7, clusters HTTP traffic information, and paragraph 74, clustering based on structural features of HTTP requests).
Perdisci does not explicitly state wherein the similarity is determined in accordance with a length of a longest common subsequence between a character class sequence of the profile and a character class sequence of the detection target.  However, using a longest common subsequence algorithm in such a fashion was well known in the art as evidenced by Xu.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Perdisci by adding the ability that the similarity is determined in accordance with a length of a longest common subsequence between a character class sequence of the profile and a character class sequence of the detection target as provided by Xu (see paragraph 47, determines if pattern is shared with known malware family using LCS algorithm).  One of ordinary skill in the art would have recognized the benefit that analyzing HTTP strings in such a way would assist in facilitating enhanced malware detection (see Xu, paragraph 39).

Conclusion
11.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
12.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Victor Lesniewski whose telephone number is (571)272-2812. The examiner can normally be reached Monday thru Friday, 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.





/Victor Lesniewski/Primary Examiner, Art Unit 2493