DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This communication is in response to the application filed on 06/15/2021.
Claims 1-7 are pending and are rejected.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 06/15/2021 was filed.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). The certified copy has been filed in parent Application No. JP2018-237795, filed on 12/19/2018.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.



Regarding claim 2, it does not clearly define whether the term “monitor communication” in line 6 is referred to the “communication” as recited in line 8 of claim 1.  For the purpose of examination, the communication in claim 2 is interpreted and referred to the communication in line 8 of claim 1.

Claims 3 and 5 are rejected for the same reason.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7 are rejected under 35 U.S.C. 103 as being unpatentable over Higashi (JP2017-139558 A) in view of Oba (US 20190190938 A1).
As to claim 1, Higashi teaches a detection apparatus comprising:
processing circuitry configured to:
([0038], figs. 3-4, upon receiving the solution request from the GW10, the PF20 acquires; [0041] if the communication model information corresponding to the service ID and the transmission period are stored in the aggregation information storage unit 25, the communication model information and the transmission period are also included in the response in addition to the result of the service resolution; [0053] a threshold value derived from the target communication model information and the communication characteristic value may be compared to determine whether or not there is an abnormality (whether or not communication of the communication device having the function is normal)) ; and
detect an abnormality in the communication ([0029] the communication control unit 16 detects an abnormal terminal by comparing the communication model information stored in the comparison information storage unit 18 with the communication characteristic value acquired after receiving the communication model information, and performs communication interruption or the like on the terminal).
Higashi does not explicitly teach
monitor communication of the monitoring target communication device using the acquired normal communication model.
Oba teaches
monitor communication of the monitoring target communication device using the acquired normal communication model ([0113] inspection data 212 is included in the obtained data 210, and is data subjected to anomaly diagnosis for determining whether or not data 210 obtained from monitoring target 300 is anomalous by using the generated anomaly detection models. Note that a plurality of obtained packets including not only normal data but also anomalous data can be used as learning data 211).
It would have been obvious to a person of ordinary skill in the art before the effective filling date of the claimed invention made to include in the Higashi disclosure, the using the acquired data to determine the anomaly, as taught by Oba.  One would be motivated to do so to detect anomalies in a 
 As to claim 2, Higashi and Oba teach the detection apparatus according to claim 1, wherein Oba further teaches the processing circuitry is further configured to:
additionally learn the acquired normal communication model using communication data on normal communication of the monitoring target communication device ([0177] detection model learning unit 120 identifies the model which corresponds to at least one of the destination IP, the destination port, the protocol, and the source IP obtained by reading the header of the target learning packet),
the monitor communication of the monitoring target communication device using the additionally learned normal communication model, and detect the abnormality in the communication ([0177] detection model learning unit determines the classification of the model according to at least one of the IP range and the port range of the monitoring target and the range of extraction of N-grams).
It would have been obvious to a person of ordinary skill in the art before the effective filling date of the claimed invention made to include in the Higashi disclosure, the using the acquired data to determine the anomaly, as taught by Oba.  One would be motivated to do so to detect anomalies in a plurality of packets by using learning models, and a learning method and a learning device which learn the learning models.

As to claim 3, Higashi and Oba teach the detection apparatus according to claim 1, wherein Higashi further teaches the processing circuitry is further configured to:
couple, if a plurality of normal communication models are acquired, the plurality of acquired normal communication models ([0030], fig. 1, the aggregation learning unit 22 generates communication model information for each service across the plurality of GWs 10 based on the communication characteristic value for each service, in which the communication characteristic values included in the distributed information received by the distributed information reception unit 21 are aggregated or integrated (couple) in units of service across the GW 10), 
the  monitor communication of the monitoring target communication device using the coupled normal communication models, and detect the abnormality in the communication ([0035] the abnormality detection phase is a phase in which abnormality detection is performed based on the learned communication model information).

As to claim 4, Higashi and Oba teach the detection apparatus according to claim 3, wherein Oba further teaches
the normal communication models each include a probability density function of calculating a probability density that communication of the communication device having the function is normal communication ([0195] detection model learning unit 120 calculates probability of occurrence of N-grams Pr.sub.1 to Pr.sub.6 from the number of occurrences of N-grams n.sub.1 to n.sub.6 of each model of the anomaly detection models), and
the processing circuitry is further configured to the couple the normal communication models by adding up the probability density functions respectively included in the acquired normal communication models ([0205] a score is calculated based on the probability of occurrence of the combination of N data units in the payload in view of the sequential order of N data units in the payload, and thus, an accurate score can be calculated in view of the sequential information; [0214] focusing on the point that the method of ANAGRAM (frequency-based) uses a simple calculation mean in the calculation of anomaly scores, probabilistic models are assumed and a method of calculating anomaly scores with more theoretical validity is used).


As to claim 5, Higashi and Oba teach the detection apparatus according to claim 3, wherein Higashi further teaches the processing circuitry is further configured to:
additionally learn the coupled normal communication models using communication data on normal communication of the monitoring target communication device ([0035] a processing procedure executed in the abnormality detection system. This processing procedure is classified into 2 phases: a learning phase and an abnormality detection phase. The learning phase is a phase in which the communication model information is learned based on the notification specific value), 
monitor communication of the monitoring target communication device using the additionally learned coupled normal communication models, and detect the abnormality in the communication ([0035] The abnormality detection phase is a phase in which abnormality detection is performed based on the learned communication model information).

As to claim 6, Higashi teaches a detection method comprising:
acquiring, from a storage having stored therein normal communication models for determining, for each function of a communication device, whether or not communication of the communication device having the function is normal, at least one normal communication model that corresponds to a function of a monitoring target communication device ([0038], figs. 3-4, upon receiving the solution request from the GW10, the PF20 acquires; [0041] if the communication model information corresponding to the service ID and the transmission period are stored in the aggregation information storage unit 25, the communication model information and the transmission period are also included in the response in addition to the result of the service resolution; [0053] a threshold value derived from the target communication model information and the communication characteristic value may be compared to determine whether or not there is an abnormality (whether or not communication of the communication device having the function is normal)); and
detecting an abnormality in the communication, by processing circuitry ([0029] the communication control unit 16 detects an abnormal terminal by comparing the communication model information stored in the comparison information storage unit 18 with the communication characteristic value acquired after receiving the communication model information, and performs communication interruption or the like on the terminal).
Higashi does not explicitly teach
monitoring communication of the monitoring target communication device using the acquired normal communication model, 
Oba teaches
monitoring communication of the monitoring target communication device using the acquired normal communication model ([0113] inspection data 212 is included in the obtained data 210, and is data subjected to anomaly diagnosis for determining whether or not data 210 obtained from monitoring target 300 is anomalous by using the generated anomaly detection models. Note that a plurality of obtained packets including not only normal data but also anomalous data can be used as learning data 211),
It would have been obvious to a person of ordinary skill in the art before the effective filling date of the claimed invention made to include in the Higashi disclosure, the using the acquired data to determine the anomaly, as taught by Oba.  One would be motivated to do so to detect anomalies in a plurality of packets by using learning models, and a learning method and a learning device which learn the learning models. 

As to claim 7, Higashi teaches a non-transitory computer- readable recording medium storing therein a detection program that causes a computer to execute a process comprising:
acquiring, from a storage having stored therein normal communication models for determining, for each function of a communication device, whether or not communication of the communication device having the function is normal, at least one normal communication model that corresponds to a function of a monitoring ([0038], figs. 3-4, upon receiving the solution request from the GW10, the PF20 acquires; [0041] if the communication model information corresponding to the service ID and the transmission period are stored in the aggregation information storage unit 25, the communication model information and the transmission period are also included in the response in addition to the result of the service resolution; [0053] a threshold value derived from the target communication model information and the communication characteristic value may be compared to determine whether or not there is an abnormality (whether or not communication of the communication device having the function is normal)); and
detecting an abnormality in the communication ([0029] the communication control unit 16 detects an abnormal terminal by comparing the communication model information stored in the comparison information storage unit 18 with the communication characteristic value acquired after receiving the communication model information, and performs communication interruption or the like on the terminal).
Higashi does not explicitly teach
monitoring communication of the monitoring target communication device using the acquired normal communication model, 
Oba teaches
monitoring communication of the monitoring target communication device using the acquired normal communication model ([0113] inspection data 212 is included in the obtained data 210, and is data subjected to anomaly diagnosis for determining whether or not data 210 obtained from monitoring target 300 is anomalous by using the generated anomaly detection models. Note that a plurality of obtained packets including not only normal data but also anomalous data can be used as learning data 211),
It would have been obvious to a person of ordinary skill in the art before the effective filling date of the claimed invention made to include in the Higashi disclosure, the using the acquired data to determine the anomaly, as taught by Oba.  One would be motivated to do so to detect anomalies in a plurality of packets by using learning models, and a learning method and a learning device which learn the learning models. 
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Yano (US 20160353972 A1).
Suzuki (US 20160119181 A1).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANH NGUYEN whose telephone number is (571)270-0657. The examiner can normally be reached M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached on 5712703037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.