DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is the responsive to the communication filed on 08/28/2019.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-8 are rejected under 35 U.S.C. 103 as being unpatentable over  Wei et al 2011/0179467 in view of Modrall US 7,716340.

 	As per claim 1, Wei discloses a log analysis apparatus comprising: a memory; and a processor coupled to the memory, the processor configured to execute a process comprising: 
 	firstly extracting a parameter from an access log pertaining to a request issued from a user terminal to a server ( par 0041 analytic information extracted from the access request to an analysis server for analysis), learning an appearance frequency of storing a learning result in a storage unit as a profile ( par 0003  This analysis includes keeping track of the access frequency for each received IP address and determining whether the corresponding user terminal is a malicious access terminal based on this information and 0022 s data contents in the analytic information and under what circumstances (including the frequency of the data's occurrence and its parameter values) are the data contents deemed to be normal parameters or abnormal parameters of the analytic information); 
 	secondly extracting a parameter from an access log under analysis, acquiring a similarity by comparing the parameter with the parameter included in the profile stored in the storage unit, and  firstly determining an access in the access log under analysis as an attack when the similarity is lower than a threshold (0040] Step 208: it is determined whether the frequency of access by the user is greater than a predetermined frequency. If it is determined that the frequency is not greater than the predetermined frequency, then control passes to Step 210. If it is determined that the frequency is greater than the predetermined frequency, then control passes to Step 212. ); and 
 	user terminals, for each parameter, among access logs under analysis having a similarity lower than the threshold, and  secondly determining, when there is any parameter for which the number of such different user terminals is equal to or higher than a threshold, to re-learn the parameter (par 0049  [0049] Fourth step: The analysis server determines, in accordance with the cookie contents identified in every access request received (e.g., within a certain duration of time), whether the number of identified cookie contents has reached a threshold value. If the threshold value has 
 	Wei does not disclose taking a tally of number of different requesting user terminals.
  	However, Modrall disclose taking a tally of number of different requesting user terminals (col 1, lines 47-55  The first tally includes identification information of the client and a first number of access requests sent from the client to the first server, and the second tally includes the identification information of the client and a second number of access requests sent from the client to the second server. The first and second tallies are collated to determine a total number of access requests made by the client).



 	 As per claim 2, Wei in view of Modrall discloses the log analysis apparatus according to claim 1, Wei discloses wherein the process further comprises  thirdly extracting a common part of parameters included in accesses determined as attacks, and generating an attack pattern based on the common part (par 0014 the interception information includes a list of malicious access terminals and identifying attribute information on the malicious access terminals. The attribute information may include, but is not limited to, terminal identifiers, IP address, cookie contents, HTTP header field-setting identifiers, and/or one or more combinations of GET data contents and POST data content).  

As per claim 3,  Wei in view of Modrall discloses the log analysis apparatus according to claim 1, Wei discloses wherein the firstly extracting extracts a parameter from the access log, and abstracts the extracted parameter, and the learning learns an appearance frequency of the abstracted parameter ( par 0022 which data contents from the identified access requests are used as data contents in the analytic information and under what circumstances (including the frequency of the data's occurrence and 

 	As per claim 4, Wei in view of Modrall discloses the log analysis apparatus according to claim 1, Wei wherein the learning learns an appearance frequency of each parameter, and deletes a parameter with an appearance frequency equal to or lower than a predetermined threshold from the profile (0040] Step 208: it is determined whether the frequency of access by the user is greater than a predetermined frequency. If it is determined that the frequency is not greater than the predetermined frequency, then control passes to Step 210. If it is determined that the frequency is greater than the predetermined frequency, then control passes to Step 212 ).  

 	As per claim 5, Wei in view of Modrall discloses the log analysis apparatus according to claim 1, Mordrall disclose wherein  the taking takes a tally of number of different requesting user terminals, for each parameter included in an access log including a plurality of requests that are issued consecutively within a time period (col 2, lines 17-29   The first server may record, in a least-frequently-recently used (LFRU) queue, a tally associated with the client and send the tally to the third server. Collating the first and second tallies may include adding the first number of requests to the second number of requests. The first number of requests may be subtracted from the total number of requests if no further tallies associated with the client are received from the first server within an expiration period and the first server may send a tally associated with the client if the client requests access to the first server. The 
  a time interval between which is shorter than a threshold, among the access logs under analysis having a similarity lower than the threshold, and  the secondly determining determines, when there is any parameter for which the number of such different user terminals is equal to or higher than a threshold, to re-learn the parameter ( col 5, lines 37-55  Request queue 32 has a fixed size and is therefore limited in how many IP addresses it can record. Request queue 32 deletes existing entries of clients based on both the frequency of requests made by the clients to server 14a and the amount of time that passes before the clients send requests to server 14a. This type of deletion scheme is referred to as a least-recently-frequently used (LRFU) deletion scheme. For example, the collated log file 36 may delete an entry for client 12 if client 12 fails to make a request within a certain time period (e.g. thirty minutes) and if the tally of requests recorded for client 12 is below a given threshold (e.g., five requests). Request queue 32 applies the LRFU queuing mechanism so that the most active clients (i.e., the clients making the most requests over a given time period) filter to the top of request queue 32. The most active clients are of the most interest as they are the most indicative of suspicious behavior. In aggregating the dynamic tallies from the request queues of all the servers in server farm 14, mid-tier server 16 makes the larger determination of which clients are engaged in wholesale pernicious activity.).  

wherein the process further comprises thirdly determining whether a parameter included in an access that is determined as an attack matches an attack pattern having been already generated (par 0043  if the network server determines that the user terminal is found among the interception information, then it will intercept the access request and all subsequent access requests sent by the same user terminal and 0047] Second step: The network server analyzes the received access request and compares the identified cookie contents (e.g., extracted by the network server) in the access request with cookie contents in the interception information. If the identified cookie contents match cookie contents in the interception information, it means that these cookie contents are from an access request sent by a malicious access terminal. When the user terminal is determined to be a malicious access terminal, the network server intercepts the access request ), and deleting the parameter of the access determined as an attack when the parameter is determined to match  (par 0022 analysis server 12 analyzes the analytic information (e.g., obtain via one of the aforementioned methods) according to preset decision principles for determining when a user terminal is a malicious access terminal. Examples of preset decision principles include, but are not limited to, which data contents from the identified access requests are used as data contents in the analytic information and under what circumstances (including the frequency of the data's occurrence and its parameter values) are the data contents deemed to be normal parameters or abnormal parameters of the analytic information).  


 	a learning process ( par 0041 an analysis server ) for extracting a parameter from an access log pertaining to a request issued from a user terminal to a server (par 0041 analytic information extracted from the access request to an analysis server for analysis ), learning an appearance frequency of the parameter, and storing a learning result in a storage unit as a profile(par 0003  This analysis includes keeping track of the access frequency for each received IP address and determining whether the corresponding user terminal is a malicious access terminal based on this information and 0022 s data contents in the analytic information and under what circumstances (including the frequency of the data's occurrence and its parameter values) are the data contents deemed to be normal parameters or abnormal parameters of the analytic information ); 
an analyzing process (par 0041 an analysis server) for extracting a parameter from an access log under analysis, acquiring a similarity by comparing the parameter with the parameter included in the profile stored in the storage unit (par 0003  This analysis includes keeping track of the access frequency for each received IP address and determining whether the corresponding user terminal is a malicious access terminal based on this information ), and determining an access in the access log under analysis as an attack when the similarity is lower than a threshold ( 0022 s data contents in the analytic information and under what circumstances (including the frequency of the data's occurrence and its parameter values) are the data contents deemed to be normal parameters or abnormal parameters of the analytic information); and 
208: it is determined whether the frequency of access by the user is greater than a predetermined frequency. If it is determined that the frequency is not greater than the predetermined frequency, then control passes to Step 210. If it is determined that the frequency is greater than the predetermined frequency, then control passes to Step 212 ), and determining, when there is any parameter for which the number of such different user terminals is equal to or higher than a threshold, to re-learn the parameter ( par 0049  [0049] Fourth step: The analysis server determines, in accordance with the cookie contents identified in every access request received (e.g., within a certain duration of time), whether the number of identified cookie contents has reached a threshold value. If the threshold value has been reached, then it is probable that the user terminal that sent the access request containing the same cookie contents is a malicious access terminal, and the fifth step is performed. Otherwise, it determines that the user terminal is not a malicious access terminal and returns to the second step( re-learning )).  

 	As per claim 8, Wei discloses  A non-transitory computer-readable recording medium having stored therein a log analysis program that causes a computer to execute a process comprising:  
 	firstly extracting a parameter from an access log pertaining to a request issued from a user terminal to a server ( par 0041 analytic information extracted from the learning an appearance frequency of the parameter, and storing a learning result in a storage unit as a profile ( par 0003  This analysis includes keeping track of the access frequency for each received IP address and determining whether the corresponding user terminal is a malicious access terminal based on this information and 0022 s data contents in the analytic information and under what circumstances (including the frequency of the data's occurrence and its parameter values) are the data contents deemed to be normal parameters or abnormal parameters of the analytic information); 
 	secondly extracting a parameter from an access log under analysis, acquiring a similarity by comparing the parameter with the parameter included in the profile stored in the storage unit, and  firstly determining an access in the access log under analysis as an attack when the similarity is lower than a threshold (0040] Step 208: it is determined whether the frequency of access by the user is greater than a predetermined frequency. If it is determined that the frequency is not greater than the predetermined frequency, then control passes to Step 210. If it is determined that the frequency is greater than the predetermined frequency, then control passes to Step 212. ); and 
 	user terminals, for each parameter, among access logs under analysis having a similarity lower than the threshold, and  secondly determining, when there is any parameter for which the number of such different user terminals is equal to or higher than a threshold, to re-learn the parameter (par 0049  [0049] Fourth step: The analysis server determines, in accordance with the cookie contents identified in every access request received (e.g., within a certain duration of time), whether the number of threshold value. If the threshold value has been reached, then it is probable that the user terminal that sent the access request containing the same cookie contents is a malicious access terminal, and the fifth step is performed. Otherwise, it determines that the user terminal is not a malicious access terminal and returns to the second step( re-learning ) and 0042] Step 212: it is determined whether to intercept the access request from the user based at least in part on the analysis result. In various embodiments, the network server has interception information that identifies malicious access terminals. In various embodiments, the interception information is based/derived from the analysis results. In some embodiments, the network server will compare the access request against its interception information (e.g., check whether an identifier associated with the user is found among the interception information/malicious access terminals). If a match of (e.g., an identifier of) the access request is found among the interception information, then then control passes to Step 214. Otherwise, if a match of the access request is not found among the interception information, then control passes to Step 210).  
 	Wei does not disclose taking a tally of number of different requesting user terminals.
  	However, Modrall disclose taking a tally of number of different requesting user terminals (col 1, lines 47-55  The first tally includes identification information of the client and a first number of access requests sent from the client to the first server, and the second tally includes the identification information of the client and a second number of access requests sent from the client to the second server. The first and second tallies are collated to determine a total number of access requests made by the client).
.



Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Jenkins US 2007/0186282 discloses [0040] In connection with an IP address originating an incoming request, if a frequency or total number of requests received from a particular IP address is determined to be above a threshold volume, an elevated threat rating may be associated with all incoming requests having this IP address. It should be noted that this frequency may also be determined with respect to a particular time period (e.g., a threshold number of requests per second). An embodiment may also have more than one threshold and more than one threat rating. As the actual number of requests varies in accordance with the one or more specified thresholds, the threat rating associated with the IP address also varies.
[0041] Also in connection with an IP address originating an incoming request, an elevated threat rating may be associated with the incoming request if a threshold number of errors are generated in connection with servicing requests from the IP address over a time period. For example, if a threshold number of file not found errors 
[0042] Note that a first threat profile may be maintained for the frequency of requests associated with particular IP addresses sending requests and a second different threat profile may be maintained for the types and/or number of errors associated with particular IP addresses sending requests. In connection with the foregoing two threat profiles, the attribute values both specify IP addresses. However, the threat rating associated with each IP address in each profile is determined in accordance with different criteria (e.g., first threat profile based on frequency or number of requests per IP address, and second threat profile based on type and/or number of errors per IP address).


Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABU S SHOLEMAN whose telephone number is (571)270-7314. The examiner can normally be reached EST: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JORGE ORTIZ CRIADO can be reached on 571-272-7624. The fax phone 
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ABU S SHOLEMAN/Primary Examiner, Art Unit 2496