DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant’s submission filed on 12/27/2021 has been entered.

Response to Amendment
This office action is in response to the amendment filed on 12/27/2021.
Claims 1-3 and 5-9 are pending for examination. Applicant amends claims 1 and 7-8. The amendments have been fully considered and entered.

Response to Arguments
Applicant’s arguments, see Remarks, filed 12/27/2021, with respect to the rejection of claims 1 and 7-8 under 35 U.S.C. § 103 have been fully considered. While the arguments are not persuasive, the rejection has been withdrawn in light of the interview held on 02/01/2022 and the examiner’s amendments presented below. 

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Sameer Gokhale (Reg. No. 62,618) on 02/01/2022.
Claims 1 and 7-8 are amended as follows:

Claim 1. (Currently Amended) A non-transitory log analysis device comprising: 
a memory; and 
a processor coupled to the memory and programmed to execute a process comprising: 
acquiring a first communication log obtained from communications in a predetermined network and a second communication log obtained from communications performed by malware; 
extracting a field satisfying a predetermined condition from a plurality of the fields included in the second communication log; 
generating a signature serving as a condition for detecting a terminal infected with the malware based on a field and a value included in the second communication log and in which a threshold value is set for the signature corresponding to occurrences 
acquiring information on the malware from a malware-sharing server, wherein the information is acquired as a report file including at least one of information on a file accessed by the malware, a command executed by the malware, behavior of the malware, and a detection result of anti-virus software on the malware; 
adding the information on the malware to the signature; 
analyzing the first communication log using the signature; 
detecting the terminal infected with the malware based on the pair of the extracted field and the value being recorded in the first communication log at least the threshold number of times; and 
displaying, in response to the detecting, a detection result obtained from the first communication log 

Claim 7. (Currently Amended) A log analysis method performed by a log analysis device, the log analysis method comprising: 
acquiring a first communication log obtained from communications in a predetermined network and a second communication log obtained from communications performed by malware; 
extracting a field satisfying a predetermined condition from a plurality of the fields included in the second communication log; 

acquiring information on the malware from a malware-sharing server, wherein the information is acquired as a report file including at least one of information on a file accessed by the malware, a command executed by the malware, behavior of the malware, and a detection result of anti-virus software on the malware; 
adding the information on the malware to the signature; 
analyzing the first communication log using the signature; 
detecting the terminal infected with the malware based on the pair of the extracted field and the value being recorded in the first communication log at least the threshold number of times; and 
displaying, in response to the detecting, a detection result obtained from the first communication log 

Claim 8. (Currently Amended) A non-transitory computer-readable recording medium having stored a program for analysis that causes a computer to execute a process comprising: 

extracting a field satisfying a predetermined condition from a plurality of the fields included in the second communication log; 
generating a signature serving as a condition for detecting a terminal infected with the malware based on a field and a value included in the second communication log and in which a threshold value is set for the signature corresponding to occurrences of recording of a pair of the extracted field and the value in a communication to be analyzed; 
acquiring information on the malware from a malware-sharing server, wherein the information is acquired as a report file including at least one of information on a file accessed by the malware, a command executed by the malware, behavior of the malware, and a detection result of anti-virus software on the malware; 
adding the information on the malware to the signature; 
analyzing the first communication log using the signature; 
detecting the terminal infected with the malware based on the pair of the extracted field and the value being recorded in the first communication log at least the threshold number of times; and 
displaying, in response to the detecting, a detection result obtained from the first communication log 
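The process recited in claims 1, 7 and 8 (extract a stable field/value pair from the malware's communication log, turn it into a signature carrying a threshold, enrich the signature with a malware-sharing-server report, count the pair per terminal in the monitored network's log, and report terminals at or above the threshold) can be illustrated in working code. The following Python is an added example written for this page; it is not the applicant's implementation or code from the patent. The "predetermined condition" is assumed here to be "a field that takes a single value across every malware record and is not a per-capture field such as a timestamp or the sandbox source address"; both logs and the report file are constructed sample data with placeholder values.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample data (hypothetical values, not taken from the patent).
# Second communication log: traffic recorded while the malware ran in a sandbox.
MALWARE_LOG = [
    {"ts": "2021-12-01T10:00:01", "src": "10.99.0.5", "dst_host": "cdn-update.example.invalid",
     "method": "POST", "uri": "/gate.php", "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0)"},
    {"ts": "2021-12-01T10:05:02", "src": "10.99.0.5", "dst_host": "cdn-update.example.invalid",
     "method": "POST", "uri": "/gate.php", "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0)"},
    {"ts": "2021-12-01T10:10:03", "src": "10.99.0.5", "dst_host": "cdn-update.example.invalid",
     "method": "GET", "uri": "/cfg.bin", "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0)"},
]

BAD_UA = "Mozilla/4.0 (compatible; MSIE 6.0)"
GOOD_UA = "Mozilla/5.0 (Windows NT 10.0) Firefox/95.0"


def _rec(src: str, host: str, method: str, uri: str, ua: str) -> dict:
    return {"src": src, "dst_host": host, "method": method, "uri": uri, "user_agent": ua}


# First communication log: proxy records from the monitored ("predetermined") network.
NETWORK_LOG = [
    _rec("10.0.1.20", "cdn-update.example.invalid", "POST", "/gate.php", BAD_UA),
    _rec("10.0.1.20", "intranet.example.invalid", "GET", "/", GOOD_UA),
    _rec("10.0.1.20", "cdn-update.example.invalid", "POST", "/gate.php", BAD_UA),
    _rec("10.0.1.20", "cdn-update.example.invalid", "POST", "/gate.php", BAD_UA),
    _rec("10.0.1.21", "cdn-update.example.invalid", "GET", "/", GOOD_UA),  # single contact
    _rec("10.0.1.22", "www.example.invalid", "GET", "/", BAD_UA),           # legacy UA, twice
    _rec("10.0.1.22", "www.example.invalid", "GET", "/news", BAD_UA),
]

# Report file as obtained from a malware-sharing server (placeholder content).
REPORT_FILE = {
    "files_accessed": ["C:\\Users\\Public\\PLACEHOLDER.dll"],
    "commands": ["PLACEHOLDER-COMMAND"],
    "behavior": "periodic HTTP POST beacon to a fixed host",
    "av_detection": "Trojan.Generic (placeholder label)",
}


@dataclass
class Signature:
    field: str                 # extracted field name
    value: str                 # value the field had in the malware log
    threshold: int             # minimum occurrences per terminal to detect
    malware_info: dict = field(default_factory=dict)  # report-file data added later


def extract_fields(malware_log: List[dict], excluded=("ts", "src")) -> List[Tuple[str, str]]:
    """Assumed predetermined condition: keep fields with one constant value across
    all malware records, skipping per-capture fields (timestamp, sandbox address)."""
    seen: Dict[str, set] = {}
    for rec in malware_log:
        for key, val in rec.items():
            seen.setdefault(key, set()).add(val)
    return [(k, next(iter(v))) for k, v in seen.items() if k not in excluded and len(v) == 1]


def generate_signatures(malware_log: List[dict], threshold: int) -> List[Signature]:
    """One signature per extracted field/value pair, each carrying the threshold."""
    return [Signature(f, v, threshold) for f, v in extract_fields(malware_log)]


def add_malware_info(signatures: List[Signature], report: dict) -> List[Signature]:
    """Attach the malware-sharing-server report to every signature."""
    for sig in signatures:
        sig.malware_info = dict(report)
    return signatures


def analyze(network_log: List[dict], signatures: List[Signature], terminal_field="src") -> Counter:
    """Count, per terminal, how many records carry each signature's field/value pair."""
    counts: Counter = Counter()
    for rec in network_log:
        for sig in signatures:
            if rec.get(sig.field) == sig.value:
                counts[(rec[terminal_field], sig.field, sig.value)] += 1
    return counts


def detect(network_log: List[dict], signatures: List[Signature], terminal_field="src") -> Dict[str, list]:
    """A terminal is reported when a pair is recorded at least threshold times."""
    by_pair = {(s.field, s.value): s for s in signatures}
    detected: Dict[str, list] = {}
    for (terminal, f, v), n in analyze(network_log, signatures, terminal_field).items():
        if n >= by_pair[(f, v)].threshold:
            detected.setdefault(terminal, []).append((f, v, n))
    return detected


def format_result(detected: Dict[str, list], signatures: List[Signature]) -> str:
    """Render the detection result together with the attached malware information."""
    by_pair = {(s.field, s.value): s for s in signatures}
    lines = []
    for terminal, hits in sorted(detected.items()):
        lines.append(f"infected terminal {terminal}:")
        for f, v, n in hits:
            info = by_pair[(f, v)].malware_info
            lines.append(f"  {f}={v!r} seen {n} times; av: {info.get('av_detection', 'n/a')}")
    return "\n".join(lines)


if __name__ == "__main__":
    sigs = add_malware_info(generate_signatures(MALWARE_LOG, threshold=3), REPORT_FILE)
    print(format_result(detect(NETWORK_LOG, sigs), sigs))
```

With a threshold of 3, only 10.0.1.20 is reported: 10.0.1.21 contacted the host once and 10.0.1.22 merely shares the legacy User-Agent on two records, which is the false-positive class the threshold is meant to suppress. Lowering the threshold to 1 reports all three terminals, which shows why the threshold is part of the signature rather than a global constant.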


Allowable Subject Matter
Claims 1-3 and 5-9 are allowed. 
The following is an examiner’s statement of reasons for allowance:
The closest art of record Giokas et al. (US 20150128274 A1) teaches acquiring a management log and an antivirus/threat log, wherein the management log is analyzed using intrusion prevention system (IPS) signatures and a detection of malware occurs when IPS signatures are present in the log which would then be presented to a network operator.
Another art of record, Rostami-Hesarsorkh et al. (US 20170251003 A1) teaches extracting artifacts in a log file, generating a new signature for detecting malware based on the artifacts, adding corresponding URL information concerning the artifacts and displaying the newly generated signature including the corresponding URL information. 
The prior art references mentioned above, taken alone or in combination, fail to reasonably teach or suggest the combination set forth in independent claim 1 and specifically do not show “acquiring information on the malware from a malware-sharing server, wherein the information is acquired as a report file including at least one of information on a file accessed by the malware, a command executed by the malware, behavior of the malware, and a detection result of anti-virus software on the malware; adding the information on the malware to the signature; analyzing the first communication log using the signature; detecting the terminal infected with the malware based on the pair of the extracted field and the value being recorded in the first communication log at least the
Similar reasoning is applied to independent claims 7 and 8. Claims 2-3, 5-6, and 9 depend from claim 1 and are allowable by virtue of their dependencies. 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Refer to PTO-892, Notice of References Cited for a listing of analogous art.
Sick et al. (US 20130167236 A1) teaches a malware information description page that displays three categories of information to a user including “Field,” “Example Content,” and “Description” columns, wherein the “Description” column contains brief comments describing the corresponding field and content ([0109]).
Xu et al. (US 9917852 B1) teaches tuning a threshold for Domain Generation Algorithm behavior detection where it is determined whether a signature has been triggered the threshold number of times (col. 20 lines 7-32).

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

ALEXANDER R. LAPIAN
Examiner
Art Unit 2437



/ALEXANDER R LAPIAN/Examiner, Art Unit 2437


/MATTHEW SMITHERS/Primary Examiner, Art Unit 2437