DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
1.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 12/17/2021 has been entered.
	Claims 1, 10, 12 and 13 have been amended, and claim 7 was previously cancelled.
	Claims 1-6 and 8-13 remain pending.
 

Claim Objections
2.	Applicant’s amendment to claim 13 in response to the previously raised claim objection has been considered and obviates previous objection, as such the objection is hereby withdrawn.



Claim Rejections - 35 USC § 112
3.	Applicant’s amendments to claims 10 and 12 in response to the previously raised rejections under 35 USC 112(b) have been considered and obviate previous objection, as such the rejections are hereby withdrawn.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


4.	Claim 12 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim does not fall within at least one of the four categories of patent eligible subject matter because the claim has been amended to be directed to an apparatus including only software components. The claim is therefore understood to be directed to software, which does not fall within one of the four statutory categories of subject matter (process, machine, manufactures, and composition of matter).
	In order to overcome the rejection, Applicant is urged to specify that the apparatus comprises a hardware element, such as a processor or memory.

Response to Arguments
5.	Applicant's arguments alleging that the applied references do not disclose collecting the log data during a session and then analyzing the cumulative log data in 
	Applicant first submits that Koepell does not disclose performing an analysis, such as pattern analysis, of collected data in real time during the session of the users because the analysis in Koepell is performed on stored data after the user sessions are finished. Although the Koepell reference is no longer relied upon, it is noted that this assertion is incorrect. Koepell expressly recites in the abstract that analysis results are used to update content presented in a Web page on a “real-time” and automatic basis.
	However, it is the Collazo reference which is now relied upon for teaching these limitations. Applicant acknowledges that the Collazo reference receives user requests during a session with a web site and grants or denies access to a user by comparing a functional user behavior pattern with known evaluation patterns. Similarly, to the claimed invention, this occurs by collecting the user behavior information from a web server and processing and analyzing the user behavior information in real time during the session. This is evident in paragraph [0009] which explicitly discloses that the security system of Collazo discerns between normal and malicious behavior through real-time analysis and correlation of behavior patterns in relation to other behavior patterns of the application, threat signatures, and overall usage of the web application. This is contrary to Applicant’s assertion that Collazo does not disclose the collecting, detecting and pattern analysis steps of amended claim 1 and therefore does not remedy the deficiencies of Koeppel and Martha. As cited below, Collazo does teach that functional behavior of a user is collected from a server component during a session and 
	The rejection is therefore maintained.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

s 1-6 and 11-13 are rejected under 35 U.S.C. 103 as being unpatentable over Collazo (US 2010/0299292) in view of Martha et al. (US 2016/0212231).

Regarding claim 1, Collazo teaches a method for analyzing an online behavior of a user accessing a web server through a user terminal, the method comprising: 
collecting, when the user terminal accesses the web server and forms a session (Client 208 and client 212 may be configured to establish a user behavior session, user behavior session 210 and user behavior session 214 respectively, [0049]), log data corresponding to a behavior performed by the user terminal in the session in real time from the web server as the log data is generated by the web server (Web server 204 and/or web server 206 may use network 202 to communicate data about functional user behavior to the behavior analysis engine 216. In some embodiments, the data about functional user behavior is captured on the server-side, [0047]; The information captured by server object 224 (or a client-side script) may be communicated to behavior analysis engine 216 over network 202, [0052]; As user 402 is using the application, qualitative and/or quantitative information about the functional user behavior is collected in step 404, as described in relation to server object 224, and behavior analysis engine 216, [0071]); 
detecting log data corresponding to a trigger log among the log data (The information that security system 200 keeps track of during a user behavior session may include a web page or screen sequence navigated by the user, along with the time intervals associated with each page. Other information about functional user behavior may include input in web pages, screens, or forms of the application. Other examples 
extracting, when the trigger log is detected, log data cumulated up to a detection of the trigger log from a start of the session and generating cumulative log data (a Markov chain may model a page sequence in a user behavior session, and at each page request, behavior analysis engine 216 may update the current state of the Markov chain, [0055]; Based on the attributes of the set of known frames and application-specific evaluation patterns, the raw data collected about the functional user behavior may be transformed by behavior analysis engine 212 into a behavior pattern in a way such that the behavior pattern can be processed and correlated easily, [0080]); and 
performing pattern analysis on the cumulative log data (If the result of the dot product is greater than a certain threshold (e.g., threshold=3), correlation engine 218 considers the behavior pattern Q as a match with evaluation pattern E, [0059]; The process 400 then proceeds to step 408 where the behavior pattern is correlated with evaluation patterns in correlation engine 218, [0071]) in real time during the session (correlation engine 218 is implemented to correlate behavior patterns associated with functional user behavior during a particular behavior session (e.g., aggregated by 
However, Collazo does not explicitly disclose a detection time point or a start time point of the session.
Martha teaches log data cumulated up to a detection time point of a trigger log (e.g., Timestamp 2005-10-30T 10:50 of FIG. 11) from a start time point of a session (e.g., Timestamp 2005-10-30T 10:45 of FIG. 11; a webpage record may include a web browser identifier, a timestamp ID, a webpage ID, a referral ID, page type, page data, outgoing links, and/or incoming links, [0042]; The timestamp ID includes a time identifier that is associated with a time at which the corresponding web page is being accessed by the user via the web browser, [0042]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize timestamp data in the system/method of Collazo as suggested by Martha in order to efficiently track sequence, order and timing of user behavior. One would be motivated to combine these teachings because including time information associated with each user activity would provide a detailed 

Regarding claim 2, Collazo teaches the method of claim 1, wherein the log data includes at least one of 
a uniform resource locator (URL) address and a page identifier (ID) of a web page which the user terminal accesses in the web server, 
an input type and an input coordinate of an input which the user terminal applies in the web page, and 
log-in information of the user terminal (A user may provide text input for login fields 306, or text input for search field 308. The input provided along with an identification of the text field may be tracked by server object 224 in web server 204 and may be transmitted to behavior analysis engine 216, [0068]; The text input and the timestamped sequence of login attempts may be tracked by behavior analysis engine 216, [0068]).  

Regarding claim 3, Collazo teaches the method of claim 1, wherein the trigger log includes at least any one of an upload log corresponding to a behavior of uploading contents to the web server by the user terminal, a preference log corresponding to a behavior of inputting a 2preference for contents provided by the web server by the user terminal, a shopping access log corresponding to a behavior of accessing a shopping web page provided by the web server by the user terminal (For an e-commerce web site that offers a $10 (ten dollar) gift certificate to every one who registered for the web site, 
	
Regarding claim 4, Collazo does not explicitly disclose the method of claim 1, wherein in the generating of the cumulative log data, when a plurality of trigger logs are detected in one session, cumulative log data corresponding to respective trigger logs are individually generated.  
	Martha teaches wherein in generating of cumulative log data, when a plurality of trigger logs are detected in one session, cumulative log data corresponding to respective trigger logs are individually generated (If multiple pages are led by a single page, then multiple activity paths are created with the single page as a starting page, [0035]).  
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to recognize a plurality of distinct webpage records in the system/method of Collazo as suggested by Martha to periodically and thoroughly track each activity of a user. One would be motivated to combine these teachings in order to maintain a complete and comprehensive record of each user activity and trigger event.

Regarding claim 5, Collazo teaches the method of claim 4, wherein the log data cumulated from the start of the session up to the detection of a most recent trigger log among the plurality of trigger logs becomes the cumulative log data (a Markov chain may model a page sequence in a user behavior session, and at each page request, 
	However, Collazo does not explicitly disclose the start time point or a detection time point.
	Martha teaches the log data cumulated from the start time point of the session (e.g., Timestamp 2005-10-30T 10:45 of FIG. 11) up to the detection time point of a most recent trigger log (e.g., Timestamp 2005-10-30T 11:23 of FIG. 11).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize timestamp data in the system/method of Collazo as suggested by Martha in order to efficiently track sequence, order and timing of the most recent user behavior. One would be motivated to combine these teachings because including time information associated with each user activity would provide a detailed record of a time when the user first accesses a web page and the timing between each subsequent action, allowing for thorough activity and pattern analysis.

Regarding claim 6, Collazo teaches the method of claim 1, further comprising: 
determining whether the user terminal performs an abnormal behavior in the session by comparing the cumulative log data (An example of a behavior pattern is: Q=[0, 1, 1, 0, 1, 1, 0, 0, 0], [0057]-[0058]) with an abnormal operation pattern (An example of an evaluation pattern representing a malicious profile is: E=[0, 1, 1, 0, 1, 1, 
wherein abnormal behavior information corresponding to the abnormal behavior performed by the user terminal is included in the behavior information when the abnormal operation pattern corresponds to the cumulative log data. (If the result of the dot product is greater than a certain threshold (e.g., threshold=3), correlation engine 218 considers the behavior pattern Q as a match with evaluation pattern E. A match with an evaluation pattern associated with malicious activity may invoke a remediative action, [0059]; results of correlations are tracked and reported to system administrators for further inspection and analysis, [0061]).  

Regarding claim 11, Collazo-Martha teach a non-transitory computer readable recording medium storing a computer program for executing, by a processor, the method for analyzing the online behavior of the user of claim 1 (see rejection of claim 1).  

Regarding claim 12, Collazo teaches an apparatus for analyzing an online behavior of a user accessing a web server through a user terminal, the apparatus including software components comprising: 
a log collection unit collecting, when the user terminal accesses the web server and forms a session (Client 208 and client 212 may be configured to establish a user behavior session, user behavior session 210 and user behavior session 214 
4a trigger log detection unit detecting log data corresponding to a trigger log among the log data (The information that security system 200 keeps track of during a user behavior session may include a web page or screen sequence navigated by the user, along with the time intervals associated with each page. Other information about functional user behavior may include input in web pages, screens, or forms of the application. Other examples may include timestamped user clicks or touch strokes within a web page or screen of the application. The functional user behavior may be processed and tagged by the context of the behavior, [0050]; User clicks, navigation to a different web page, activating a script or program to send a communication, or any other suitable user activity, may be functional user behavior tracked and monitored by behavior analysis engine 216. Clicks on a button that activates script, program, or sends a request, may be a potential vulnerability which attackers may use repetitively to slow down the server and perform a denial of service attack, [0067]); 

an analysis unit performing pattern analysis on the cumulative log data (If the result of the dot product is greater than a certain threshold (e.g., threshold=3), correlation engine 218 considers the behavior pattern Q as a match with evaluation pattern E, [0059]; The process 400 then proceeds to step 408 where the behavior pattern is correlated with evaluation patterns in correlation engine 218, [0071]) in real time during the session (correlation engine 218 is implemented to correlate behavior patterns associated with functional user behavior during a particular behavior session (e.g., aggregated by behavior analysis engine 216 over a browser session) with a set of evaluation patterns (e.g., a set of known behavior profiles), [0056]; collect information about functional user behavior during the user behavior session, continue to update behavior pattern, and continue to correlate the updated behavior pattern with evaluation patterns, [0073]) and generating behavior information corresponding to the behavior of the user terminal (A match with an evaluation pattern associated with malicious activity may invoke a remediative action, such as session termination, [0059]; For instance, the 
However, Collazo does not explicitly disclose a detection time point or a start time point of the session.
Martha teaches log data cumulated up to a detection time point of a trigger log (e.g., Timestamp 2005-10-30T 10:50 of FIG. 11) from a start time point of a session (e.g., Timestamp 2005-10-30T 10:45 of FIG. 11; a webpage record may include a web browser identifier, a timestamp ID, a webpage ID, a referral ID, page type, page data, outgoing links, and/or incoming links, [0042]; The timestamp ID includes a time identifier that is associated with a time at which the corresponding web page is being accessed by the user via the web browser, [0042]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize timestamp data in the system/method of Collazo as suggested by Martha in order to efficiently track sequence, order and timing of user behavior. One would be motivated to combine these teachings because including time information associated with each user activity would provide a detailed record of a time when the user first accesses a web page and the timing between each subsequent action, allowing for thorough activity and pattern analysis.

Regarding claim 13, Collazo teaches an apparatus for analyzing an online behavior of a user accessing a web server through a user terminal, the apparatus comprising: 
a processor; and 
a memory coupled to the processor, 

collecting, when the user terminal accesses the web server and forms a session (Client 208 and client 212 may be configured to establish a user behavior session, user behavior session 210 and user behavior session 214 respectively, [0049]), log data corresponding to a behavior performed by the user terminal in the session in real time from the web server as the log data is generated by the web server (Web server 204 and/or web server 206 may use network 202 to communicate data about functional user behavior to the behavior analysis engine 216. In some embodiments, the data about functional user behavior is captured on the server-side, [0047]; The information captured by server object 224 (or a client-side script) may be communicated to behavior analysis engine 216 over network 202, [0052]; As user 402 is using the application, qualitative and/or quantitative information about the functional user behavior is collected in step 404, as described in relation to server object 224, and behavior analysis engine 216, [0071]), 
detecting log data corresponding to a trigger log among the log data (The information that security system 200 keeps track of during a user behavior session may include a web page or screen sequence navigated by the user, along with the time intervals associated with each page. Other information about functional user behavior may include input in web pages, screens, or forms of the application. Other examples may include timestamped user clicks or touch strokes within a web page or screen of the application. The functional user behavior may be processed and tagged by the context of the behavior, [0050]; User clicks, navigation to a different web page, , 
extracting, when the trigger log is detected, log data cumulated up to a detection of the trigger log from a start of the session and generating cumulative log data (a Markov chain may model a page sequence in a user behavior session, and at each page request, behavior analysis engine 216 may update the current state of the Markov chain, [0055]; Based on the attributes of the set of known frames and application-specific evaluation patterns, the raw data collected about the functional user behavior may be transformed by behavior analysis engine 212 into a behavior pattern in a way such that the behavior pattern can be processed and correlated easily, [0080]); and 
performing pattern analysis on the cumulative log data (If the result of the dot product is greater than a certain threshold (e.g., threshold=3), correlation engine 218 considers the behavior pattern Q as a match with evaluation pattern E, [0059]; The process 400 then proceeds to step 408 where the behavior pattern is correlated with evaluation patterns in correlation engine 218, [0071]) in real time during the session (correlation engine 218 is implemented to correlate behavior patterns associated with functional user behavior during a particular behavior session (e.g., aggregated by behavior analysis engine 216 over a browser session) with a set of evaluation patterns (e.g., a set of known behavior profiles), [0056]; collect information about functional user behavior during the user behavior session, continue to update behavior pattern, and 
However, Collazo does not explicitly disclose a detection time point or a start time point of the session.
Martha teaches log data cumulated up to a detection time point of a trigger log (e.g., Timestamp 2005-10-30T 10:50 of FIG. 11) from a start time point of a session (e.g., Timestamp 2005-10-30T 10:45 of FIG. 11; a webpage record may include a web browser identifier, a timestamp ID, a webpage ID, a referral ID, page type, page data, outgoing links, and/or incoming links, [0042]; The timestamp ID includes a time identifier that is associated with a time at which the corresponding web page is being accessed by the user via the web browser, [0042]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize timestamp data in the system/method of Collazo as suggested by Martha in order to efficiently track sequence, order and timing of user behavior. One would be motivated to combine these teachings because including time information associated with each user activity would provide a detailed record of a time when the user first accesses a web page and the timing between each subsequent action, allowing for thorough activity and pattern analysis.


7.	Claims 8 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Collazo-Martha in view of Wiener et al. (US 2016/0092914).

Regarding claim 8, Collazo-Martha do not explicitly disclose the method of claim 1, wherein when a shopping access log of accessing a shopping web page by the user terminal is included in the cumulative log data, the behavior information further includes product recommendation information corresponding to the shopping access log.  
	Wiener teaches wherein when a shopping access log of accessing a shopping web page by a user terminal is included in the cumulative log data (Data management server 111 will then analyze the data and events (see operation 204) to determine user attributes (e.g., gender, income range, interests, location, purchases, etc.) by mapping the data and event information to available taxonomies established by data providers, [0038]; questions pertaining to user behaviors that an advertiser might want to observe (and derive aggregate statistics) include, “What segment of users scroll fast?”, “What segment of users scroll slowly?”, “What segment of users hover over the shopping cart icon?”, [0042]), behavior information further includes product recommendation information corresponding to the shopping access log (an advertiser establishes business logic to serve specific content (e.g., a luxury vacation package advertisement), [0038];  When there is a match, data management server 111 can send the user profile 217 to the ad server to determine the content (e.g., a selection of targeted advertisements) to send to the user, [0038]).  


Regarding claim 9, Collazo-Martha do not explicitly disclose the method of claim 8, wherein when a search log, performed by the user terminal before the shopping access log, is included in the cumulative log data, product recommendation information corresponding to the search log is included in the behavior information.  
Wiener teaches wherein when a search log, performed by a user terminal before a shopping access log, is included in a cumulative log data (capture subsequent user input and events at the client device 106 (e.g., login credentials, search criteria, etc.). Certain inputs and/or events (e.g., search button click) will send user data and events 203 (e.g., search criteria, cookie information, login credentials, etc.) to the data management server 111, [0038]; following certain activity (e.g., entering search form data) and triggering events (e.g., clicking search button) as may be initiated by a user, [0054]), product recommendation information corresponding to the search log is included in behavior information (data management server 111 can send the user profile 207 to the ad server 112 to determine the content (e.g., a selection of targeted advertisements) to send to the user (see operation 208), [0038]; Ad tag request 4021 is 
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to provide ads based on search inputs in the system/method of Collazo-Martha as suggested by Wiener in order to utilize user specified criteria to provide relevant and targeted advertising. One would be motivated to combine these teachings because one would recognize that there is a high probability that a user is currently interested in content related to a search criterion input by the user.


8.	Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Collazo-Martha-Wiener in view of Harper et al. (US 2012/0296745).

Regarding claim 10, Collazo-Martha-Wiener do not explicitly disclose the method of claim 9, wherein when there is no search log performed before the shopping access log in the cumulative log data, a search log performed in a previous session by the user terminal is extracted to generate product recommendation information corresponding to the search log performed in the previous session.  
Harper teaches wherein when there is no search log performed before shopping access log in cumulative log data, a search log performed in a previous session by a user terminal is extracted to generate product recommendation information 
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize previous browsing history in the system/method of Collazo-Martha-Wiener as suggested by Harper to look up and determine user interests. One would be motivated to combine these teachings because maintaining this information would be a useful way to access user interest data when determining relevant recommendations to present to a user.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Qu et al.			US 10/587,707 – monitoring website session data in real-time.

Perevodchikov et al.	US 11,138,631 – evaluating active users in real-time and comparing with predictive user behavior.



Shaw et al.			US 2002/0083179 – dynamically personalizing sessions based on monitoring and detecting specific behavior during a communication session in real-time.

Bahadori et al.		US 2008/0086558 – collecting a pattern of clicks during a web session for analyzing.

Fefelov et al.			US 2012/0317281 – analyzing user behavior on a website based on real-time detection of event chains.

Orloff et al.			US 2014/0229363 – collecting observed user browser behavior for real-time analysis.

Adjaoute			US 2015/0039513 – detecting and preventing fraud by sending activity reports in real-time as a user visits and clicks through webpages.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHU WOOLCOCK whose telephone number is (571)270-3629. The examiner can normally be reached Tuesday, Thursday 9-6 ET.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chris Parry can be reached on 571-272-8328. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHU WOOLCOCK
Examiner
Art Unit 2451



/MADHU WOOLCOCK/Primary Examiner, Art Unit 2451