DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1, 10-11, and 20 have been amended. Claims 1-20 have been examined.

Response to Arguments/Amendments
The prior rejection under 35 USC § 112 is withdrawn in view of the amendment to claim 10.
Applicant's arguments filed 12/16/2021 have been fully considered but they are not persuasive. 
On p. 9 of the remarks, Applicant suggests that cited art of record Puri discloses analysis of logs to extract “master walks” for a directed graph representation, but that the master walks correspond to the same log entries. Applicant argues that this is different from the claimed limitations regarding “segmenting respective log lines from the log file into respective sequences of log lines …” along with other elements of amended claim 1. However, Applicant’s basis that Puri corresponds to the same log entries and how this relates to the claim language is not fully understood. Puri’s master walks correspond to log file contents including identified log traces corresponding to “unique identifiers, time-stamps, events, and actions” (see Puri, ¶ 0018). The log files are segmented according to these identified log traces as depicted in Puri, Figs. 2 and 3A-3E. New log file entries are compared to the master walk as described in ¶ 0021, 
At the top of p. 10 of the remarks, Applicant argues that there is no motivation to combine Puri with Xu. In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  In this case, Xu teaches that LSTM can be utilized to provide a predictive system that achieves high accuracy with a small feature set as indicated in the rejection (see Xu, ¶ 0022). While Puri utilizes log files to generate the “master walk,” Xu’s LTSM could be utilized in order to generate this initial master walk for the reasons provided by Xu. Applicant’s argument is not persuasive.
Additional arguments on pp. 10-12 are essentially based upon previous arguments, and are not persuasive for the reasons indicated above.
It is noted that independent claims 11 and 19 do not include each of the limitations of amended independent claim 1. Therefore, the full argument with respect to claim 1 cannot be applied to claims 11 and 19 as implied in Applicant’s remarks.

Specification
The specification is objected to as failing to provide proper antecedent basis for the claimed subject matter.  See 37 CFR 1.75(d)(1) and MPEP § 608.01(o).  Correction of the following is required: Claim 1 has been amended to include: “at least one respective sequence of log lines comprising at least two log lines that are non-consecutive in the log file.” The specification does not include a description of a sequence of log lines that are “non-consecutive” as provided in claim 1. If the specification is amended to provide support, care should be taken to avoid the introduction of improper new matter.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date 

Claims 1, 6-11, 16-17, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent Application Publication 2016/0253232 by Puri et al. (“Puri”) in view of U.S. Patent Application Publication 2013/0227350 by O’Riordan et al. (“O’Riordan”) and U.S. Patent Application Publication 2019/0138542 by Van Beest et al. (“Van Beest”).

In regard to claim 1, Puri discloses:
1. A method comprising: See Puri, at least Fig. 10, broadly depicting a method.
extracting features from each log [datum] of a log file; determining, based on the extracted features, a sequence of log [data], the sequence of log [data] including multiple log [data] that occur in chronological order; See Puri, ¶ 0018, e.g. “Data present in the contents of log files may be characterized by log traces with unique identifiers, time-stamps, events, and actions.” Also see ¶ 0026, e.g. “The system and method disclosed herein may provide for processing of logs and extraction of trace sequences at large volumes of data.” Also see ¶ 0032, e.g. “… the log file data 106 such as log content may be characterized by events with unique identifiers, timestamps, and actions. … The master directed graph 108 that is mined from the log files 104 may represent behavioral patterns that describe temporal ordering and potential causality relationships between trace events that occur with a certain measure of probability. … the graph matching module 126 may extract several features, such as, for example, probability ranking of 
Puri does not expressly disclose line/lines. However, this is taught by O’Riordan. See O’Riordan, Fig. 2A and ¶ 0036, e.g. “In this example, the trace log view 102 displays multiple steps or events of previous execution of the subject program, each step on a different text line.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Puri’s log traces with O’Riordan’s text lines in order to utilize a standard format of data as suggested by O’Riordan.
determining, for each respective log line from the sequence of log lines, probabilities of a set of log lines occurring within a predetermined window of time from the respective log line from the sequence of log lines; See Puri, Fig. 2, depicting a graph representation of a log file. Also see ¶ 0032, e.g. “… the log file data 106 such as log content may be characterized by events with unique identifiers, timestamps, and actions. … The master directed graph 108 that is mined from the log files 104 may represent behavioral patterns that describe temporal ordering and potential causality relationships between trace events that occur with a certain measure of probability. … the graph matching module 126 may extract several features, such as, for example, probability ranking of occurrence, overlap, distance, and the correlation of the transition weights or probabilities to describe a time correlated series of log traces.” Also see ¶ 0033, e.g. “Over time, information that is present in the log file 104 may be mined to link events together, discover time correlated groupings of events or behaviors, and tracked according to frequency of occurrence and frequency of occurrence of transitions ab (i.e., the edge probability value).” Also see ¶ 0037, e.g. “Based on the foregoing aspects, assuming independence of the underlying data, the probability ranking for any walk i occurring may be specified as follows: Pwi=Πλn,k Equation (1)”.
Puri discloses time correlations which apply to different periods of time, i.e., time between different logged events. See Puri, ¶ 0033 as cited above. However, Puri does not expressly disclose:  determining, for each respective log line from the sequence of log lines, probabilities of different periods of time within the predetermined window of time that a next log line will occur after the respective log line from the sequence of log lines; However, Van Beest teaches probability distributions for estimating when a next event will occur. See Van Beest, Fig. 4 and ¶ 0115, e.g. “Given a large number of the duration values, processor 102 can fit a precise distribution function. From such a distribution, processor 102 can establish anomaly intervals, i.e., intervals on the time axis for which the likelihood of that value occurring is estimated to be less than a threshold, given the distribution.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Puri’s time correlated log trace events with Van Beest’s probability distribution in order to estimate when a next trace event will occur as opposed to an anomalous event as suggested by Van Beest.
segmenting respective log lines from the log file into respective sequences of log lines based at least in part on … the probabilities of different periods of time that the next log line occurs after the respective log line,  See Puri, Fig. 2, depicting a graph of a segmented log file including probabilities. Also see ¶ 0054, where Puri describes anomaly detection using graph similarity metrics and probability density distributions. Also see ¶ 0032, e.g. “The master directed graph 108 that is mined from the log files 104 may represent behavioral patterns that describe temporal ordering and potential causality relationships between trace events that occur with a certain measure of probability.” … at least one respective sequence of log lines comprising at least two log lines that are non-consecutive in the log file; See Puri, ¶ 0035, e.g. “As each trace event is extracted from a log trace, the trace event may be correlated against previously mined and known trace events using its feature set, and ordered temporally to create a unique sequence of trace events.” The act of ordering implies that the sequence is distinct from the log trace and provides a non-consecutive arrangement.
Puri does not expressly disclose the probabilities of the set of log lines occurring within the predetermined window of time and. However, this is taught by Van Beest as cited above. Also see Van Beest, Fig. 4, depicting a probability distribution of a series of events based upon different periods of time.
determining a predicted subsequent log line based at least in part on an actual log line from a selected one of the respective sequences of log lines and … See Puri, at least ¶ 0020 along with Fig. 2, depicting a master directed graph of log events and associated probabilities for predictions of a selected sequence. Also see Figs. 3A-3E, depicting “decomposed incoming walk” graphs used for comparison with the master graph for predicting anomalous states. 
a second predetermined window of time; and However, this is taught by Van Beest. See Van Beest, ¶ 0155, e.g. “prediction of the observed behavior.” Also see Van Beest Fig. 4, depicting a probability distribution of a series of events based upon different periods of time. Note that Van Beest broadly teaches multiple time windows respective of a given event. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Puri’s multiple graph based predictions with Van Beest’s probability distribution in order to estimate when a next trace event will occur as opposed to an anomalous event as suggested by Van Beest.
detecting an anomaly when an actual subsequent log line differs from the predicted subsequent log line. See Puri, ¶ 0020, e.g. “The system and method disclosed herein may characterize how an incoming directed graph representing a set of events differs from a master directed graph that represents known or pre-established events. A graph matching module of the contextual graph matching based anomaly detection system may calculate a bounded metric to characterize the degree of contextual fitness or anomalousness of a decomposed incoming walk compared to a decomposed master graph walk of the master directed graph.” Also see ¶ 0025, e.g. “report anomalous states by analyzing the execution times of events.” Also See Van Beest, ¶ 0128, e.g. “Event structures can capture behavioral relations between events, summarize possible behaviors as represented in the underlying event log and provide a suitable mechanism for runtime comparison of the learned behaviors with a current execution of the process.”

In regard to claim 6, Puri discloses:
6. The method of claim 1, wherein the different periods of time correspond to a number of respective consecutive periods of time occurring after each log line, and the probabilities of different periods of time correspond to a probability distribution over the different periods of time. See Van Beest, Fig. 4, as cited above, depicting a range of time periods corresponding to a probability distribution.

In regard to claim 7, Puri discloses:
7. The method of claim 1, wherein detecting the anomaly when the actual subsequent log line differs from the predicted subsequent log line further comprises: detecting the anomaly when the actual subsequent log line differs from the predicted subsequent log line and … See Puri, ¶ 0020, 0025, and 0128 as well as Van Beest, ¶ 0128 as cited above. 
Puri does not expressly disclose a probability associated with the predicted subsequent log line exceeds a threshold. However, this is taught by Van Beest. See Van Beest, Fig. 4 and ¶ 0115, e.g. “threshold.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Puri’s anomaly prediction with Van Beest’s threshold in order to establish an anomaly trigger, as essentially suggested by Van Beest.

In regard to claim 8, Puri does not expressly disclose: 
8. The method of claim 1, further comprising: sending a notification in response to the detected anomaly. However, this is taught by Van Beest. See Van Beest, ¶ 0078, e.g. “If an execution deviates from the model, alarms or warnings will be triggered for each exception.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Puri’s anomaly with Van Beest’s notification in order to provide a warning as suggested by Van Beest.

In regard to claim 9, Puri discloses:
9. The method of claim 1, wherein segmenting respective log lines from the log file into respective sequences of log lines further comprises: matching a particular log line to a particular sequence of log lines based on a score. See Puri, ¶ 0021, e.g. “A graph matching module may determine an overlap score for each walk pair of a plurality of walk pairs including each of the plurality of decomposed master graph walks and the decomposed incoming walk, and further determine a distance difference score and a correlation score for each walk pair of the plurality of walk pairs.”

In regard to claim 10, Puri discloses:
10. The method of claim 1, wherein a probability that the respective log line occurs within the respective sequences of log lines indicates a lower probability in comparison to a predicted log line. See Puri, Fig. 2, indicating respectively higher and lower probability edge weights.


11. A system comprising; a processor; a memory device containing instructions, which when executed by the processor cause the processor to: See Puri, Fig. 11, depicting processor 1102, and memory 1106 containing instructions 1120. 
All further limitations of claim 11 have been addressed in the above rejection of claim 1.

In regard to claims 16-17, parent claim 11 is addressed above. All further limitations have been addressed in the above rejections of claims 6-7, respectively.

In regard to claim 20, Puri discloses:
20. A non-transitory computer-readable medium comprising instructions, which when executed by a computing device, cause the computing device to perform operations comprising: See Puri, Fig. 11, elements 1106 and 1120, depicting memory comprising instructions.
… determining a predicted subsequent log line based at least in part on an actual log line from one of the respective sequences of log lines from the log file and … See Puri, at least ¶ 0020 along with Fig. 2, depicting a master directed graph of log events and associated probabilities for predictions of a selected sequence. Also see Figs. 3A-3E, depicting “decomposed incoming walk” graphs used for comparison with the master graph for predicting anomalous states.
.

Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Puri in view of  O’Riordan and Van Beest as applied above, and further in view of U.S. Patent Application Publication 2005/0183068 by Cwalina et al. (“Cwalina”).

In regard to claim 2, Puri discloses:
2. The method of claim 1, wherein each log line includes a timestamp, See Puri, ¶ 0032, e.g. “the log file data 106 such as log content may be characterized by events with unique identifiers, timestamps, and actions.” 
Puri does not expressly disclose: a thread identifier, and a log message string, each log line corresponding to a thread of an application. However, this is taught by Cwalina. 
See Cwalina, ¶ 0017, e.g. “When multiple threads execute the executing software, separate correlation identifier stacks may be maintained for each thread and used to distinguish the threads from each other. Trace event payloads may comprise a variety of data, including an event identifier, a message, a timestamp, etc.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Puri’s log data with Cwalina’s thread identifier and message in order to distinguish log data as suggested by Cwalina.

.

Claims 4-5, 14-15, and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Puri in view of O’Riordan and Van Beest as applied above, and further in view of U.S. Patent Application Publication 2017/0293542 by Xu (“Xu”).

In regard to claim 4, Puri does not expressly disclose: 
4. The method of claim 1, wherein determining the probabilities of the set of log lines occurring within the predetermined window of time is based on a long short-term memory network. However, Xu teaches this. See Xu, Fig. 4, element 402 “LSTM neural network.” Also see ¶ 0022, “LSTM.” It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to use Puri’s probabilities with Xu’s LSTM network in order to utilize a predictive system that achieve high accuracy with a small features set as suggested by Xu.

In regard to claim 5, Puri does not expressly disclose: 
5. The method of claim 1, wherein determining the probabilities of the set of log lines occurring within the predetermined window of time is based on a feed-forward neural network. However, this is taught by Xu. See Xu, ¶ 0044, e.g. “feed-forward.” It would have been obvious to one of ordinary skill in the art before the effective filing 

In regard to claims 14-15, parent claim 11 is addressed above. All further limitations have been addressed in the above rejections of claims 4-5, respectively.

In regard to claims 17-18, parent claim 15 is addressed above. All further limitations have been addressed in the above rejections of claims 8-9, respectively.

Allowable Subject Matter
Claims 3 and 13 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter:  
U.S. Patent Application Publication 2018/0046529 by Togawa generally teaches generation of feature vectors using Mahalanobis’ distance (see at least ¶ 0141). 
However, the cited prior art taken alone or in combination fail to teach, in combination with the other claimed limitations, the limitations of claims 3 and 13. 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
WO-2019060327-A1 by Li et al. See Abstract, e.g. “Log entries in a log are parsed into respective structured data sequences that include a log key and a parameter set for each entry.”
U.S. Patent Application Publication 2017/0169360 by Veeramachaneni et al. (“Veeramachaneni”) See Veeramachaneni, Fig. 1, element 112 “Computing one or more features from the log lines.”
“Anomaly Detection for Discrete Sequences: A Survey” by Chandola et al. Chandola teaches window technique for segmenting sequence. Teaches variable markovian techniques and sparse markovian technique: “RIPPER” (Lee et al) which predicts a kth symbol given first k-1 symbols. Teaches variable length conditional probabilities of a symbol (see top right of p. 830). 
U.S. Patent Application Publication 2005/0223282 by Frey et al., see ¶ 0137, e.g. “GUI 1400 may sort the merged log messages (e.g., in descending order of time, according to their respective timestamps).”
U.S. Patent Application Publication 2008/0162687 by Scott, see ¶ 0058, e.g. “Data acquisition process 10 may parse 166 log file 68 to aid in the processing of log file 68. For example and referring also to FIG. 5, log file 68 may be parsed 166 to sort log file 68 according to sessions identifiers, thus generating modified log file 68'.”

THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to James D Rutten whose telephone number is (571)272-3703.  The examiner can normally be reached on M-F 9:00-5:30 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Li B Zhen can be reached on (571)272-3768.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.







/James D. Rutten/Primary Examiner, Art Unit 2121