DETAILED ACTION
This Office Action is in response to Application filed on 16 June 2020.
Claims 1-20 are pending.  The claims have been considered and examined.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-6, 8-14, and 16-20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Hajimirsadeghi, U.S. Patent App. Pub. 2020/0076841, hereinafter referred to as “Hajimirsadeghi”. 
Referring to claim 1, Hajimirsadeghi discloses techniques for anomaly detection of operational logs (See paragraph 0097). - A computer-implemented method for processing event logs, comprising:
Hajimirsadeghi discloses computer processing each log message for a plurality of logs (See paragraphs 0097 and 0099). - obtaining one or more event logs generated by a process executing on one or more computing devices;
Hajimirsadeghi discloses log messages are stored as records in a database table (See paragraph 0190). - generating, for each of multiple events in an event log of the one or more event logs, a table of logged event instances for the event;
Hajimirsadeghi discloses an anomaly detector being an autoencoder and performing anomaly analysis of the log messages (See paragraphs 0097 and 0275). - for each of the multiple events, processing the table using an autoencoder to identify one or more of the logged event instances as anomalies in the process; and
Hajimirsadeghi discloses raising an alert when determining a sequence is anomalous (See paragraphs 0118-0119). - outputting an indication of at least a portion of the anomalies in the process.

Referring to claim 2, Hajimirsadeghi discloses the autoencoder is trained using machine learning models and using various flows that are anomalous (See paragraphs 0127 and 0186). - The computer-implemented method of claim 1, further comprising, for each of the multiple events, training a model for the autoencoder using the logged event instances for the event from multiple event logs, wherein processing the table using the 

Referring to claim 3, Hajimirsadeghi discloses extracting key value pairs for log messages (See paragraph 0102). - The computer-implemented method of claim 2, wherein training the model includes: determining one or more key value pairs of the logged event instances to be used as features for training the model; and
Hajimirsadeghi discloses the trainable anomaly detector works on vectors based on key value pairs (See paragraphs 0287-0288). - training the model based on values of the features, and
Hajimirsadeghi discloses the trainable anomaly detector indicates the vector is anomalous (See paragraph 0288). - wherein the autoencoder identifies the one or more of the logged event instances as anomalies based on a value of the features of the one or more of the logged event instances.

Referring to claim 4, Hajimirsadeghi discloses data is data transformation numeric range normalization (See paragraph 0176). - The computer-implemented method of claim 3, wherein training the model based on the values of the features includes at least one of generating the values as numeric values and/or normalizing the numeric values.

Referring to claim 5, Hajimirsadeghi discloses anomaly detection involving the difference of sequences and measured as an anomaly score (See paragraph 0139). - 

Referring to claim 6, Hajimirsadeghi discloses determining an anomaly if the score exceeds a threshold and training is considered complete when the errors fall below the threshold (See paragraphs 0140 and 0187). - The computer-implemented method of claim 3, wherein determining the one or more key value pairs to be used as the features for training the model includes determining that a numeric count of distinct values for each key value pair in the logged event instances is within a threshold numeric range.

Referring to claim 8, Hajimirsadeghi discloses the alert contains details of the anomaly, the specific packet, original sequence or suspect network flow (See paragraph 0142). - The computer-implemented method of claim 1, wherein the indication includes a list of the anomalies including one or more parameters for locating the anomalies in the one or more event logs.

Referring to claim 9, Hajimirsadeghi discloses determining similar data flows by other log traces (See paragraph 0243). - The computer-implemented method of claim 1, further comprising generating, based on the identified anomalies for the one or more event logs, a signature for the one or more event logs, wherein the indication includes a clustered list of multiple event logs having similar anomalies.

Referring to claim 10, Hajimirsadeghi discloses a computer and techniques for anomaly detection of operational logs (See paragraphs 0097-0098). -  A computing device for processing event logs, comprising:
Hajimirsadeghi discloses a main memory storing instructions to be executed by a processor (See paragraphs 0344-0347). - a memory storing one or more parameters or instructions for executing an operating system and one or more processes; and
Hajimirsadeghi discloses a processor coupled via a bus to the memory (See paragraphs 0344-0347). - at least one processor coupled to the memory, wherein the at least one processor is configured to:
Hajimirsadeghi discloses computer processing each log message for a plurality of logs (See paragraphs 0097 and 0099). - obtain one or more event logs generated by a process executing on one or more computing devices;
Hajimirsadeghi discloses log messages are stored as records in a database table (See paragraph 0190). - generate, for each of multiple events in an event log of the one or more event logs, a table of logged event instances for the event;
Hajimirsadeghi discloses the autoencoder is trained using machine learning models and using various flows that are anomalous (See paragraphs 0127 and 0186). - for each of the multiple events, train a model for an autoencoder using the logged event instances for the event from multiple event logs;
Hajimirsadeghi discloses an anomaly detector being an autoencoder and performing anomaly analysis of the log messages (See paragraphs 0097 and 0275). - for each of
Hajimirsadeghi discloses raising an alert when determining a sequence is anomalous (See paragraphs 0118-0119). - output an indication of at least a portion of the anomalies in the process.

Referring to claim 11, Hajimirsadeghi discloses extracting key value pairs for log messages (See paragraph 0102). - The computing device of claim 10, wherein the at least one processor is configured to train the model at least in part by: determining one or more key value pairs of the logged event instances to be used as features for training the model; and
Hajimirsadeghi discloses the trainable anomaly detector works on vectors based on key value pairs (See paragraphs 0287-0288). - training the model based on values of the features, and
Hajimirsadeghi discloses the trainable anomaly detector indicates the vector is anomalous (See paragraph 0288). - wherein the autoencoder identifies the one or more of the logged event instances as anomalies based on a value of the features of the one or more of the logged event instances.

Referring to claim 12, Hajimirsadeghi discloses data is data transformation numeric range normalization (See paragraph 0176). - The computing device of claim 11, wherein the at least one processor is configured to train the model based on the 

Referring to claim 13, Hajimirsadeghi discloses anomaly detection involving the difference of sequences and measured as an anomaly score (See paragraph 0139). - The computing device of claim 11, wherein the autoencoder identifies the one or more of the logged event instances as anomalies based on subtracting output of the autoencoder from the table to determine, for each of the one or more of the logged event instances identified as anomalies, an error value of one or more of the features.

Referring to claim 14, Hajimirsadeghi discloses determining an anomaly if the score exceeds a threshold and training is considered complete when the errors fall below the threshold (See paragraphs 0140 and 0187). - The computing device of claim 11, wherein the at least one processor is configured to determine the one or more key value pairs to be used as the features for training the model at least in part by determining that a numeric count of distinct values for each key value pair in the logged event instances is within a threshold numeric range.

Referring to claim 16, Hajimirsadeghi discloses the alert contains details of the anomaly, the specific packet, original sequence or suspect network flow (See paragraph 0142). - The computing device of claim 11, wherein the indication includes a list of the anomalies including one or more parameters for locating the anomalies in the one or more event logs.

Referring to claim 17, Hajimirsadeghi discloses determining similar data flows by other log traces (See paragraph 0243). - The computing device of claim 11, the at least one processor is further configured to generate, based on the identified anomalies for the one or more event logs, a signature for the one or more event logs, wherein the indication includes a clustered list of multiple event logs having similar anomalies.

Referring to claim 18, Hajimirsadeghi discloses a storage medium storing instructions that cause a machine to operate and techniques for anomaly detection of operational logs (See paragraphs 0349 and 0097). - A non-transitory computer-readable medium, comprising code executable by one or more processors for processing event logs, the code comprising code for:
Hajimirsadeghi discloses computer processing each log message for a plurality of logs (See paragraphs 0097 and 0099). - obtaining one or more event logs generated by a process executing on one or more computing devices;
Hajimirsadeghi discloses log messages are stored as records in a database table (See paragraph 0190). - generating, for each of multiple events in an event log of the one or more event logs, a table of logged event instances for the event;
Hajimirsadeghi discloses an anomaly detector being an autoencoder and performing anomaly analysis of the log messages (See paragraphs 0097 and 0275). - for each of the multiple events, processing the table using an autoencoder to identify one or more of the logged event instances as anomalies in the process; and


Referring to claim 19, Hajimirsadeghi discloses the autoencoder is trained using machine learning models and using various flows that are anomalous (See paragraphs 0127 and 0186). - The non-transitory computer-readable medium of claim 18, further comprising code for, for each of the multiple events, training a model for the autoencoder using the logged event instances for the event from multiple event logs, wherein the code for processing the table using the autoencoder processes the table using the trained autoencoder to identify the one or more of the logged event instances as anomalies in the process.

Referring to claim 20, Hajimirsadeghi discloses extracting key value pairs for log messages (See paragraph 0102). - The non-transitory computer-readable medium of claim 19, wherein the code for training the model includes code for: determining one or more key value pairs of the logged event instances to be used as features for training the model; and 
Hajimirsadeghi discloses the trainable anomaly detector works on vectors based on key value pairs (See paragraphs 0287-0288). - training the model based on values of the features, and
Hajimirsadeghi discloses the trainable anomaly detector indicates the vector is anomalous (See paragraph 0288). - wherein the autoencoder identifies the one or more .

Allowable Subject Matter
Claims 7 and 15 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

U.S. Patent App. Pub. 2020/0349470 to Ikeda et al.
- Anomaly detection including autoencoder
U.S. Patent App. Pub. 2021/0011832 to Togawa
- Log analysis system including autoencoder
U.S. Patent App. Pub. 2021/0097385 to Gupta et al.
- Detecting application events based on encoding application log values

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSEPH D MANOSKEY whose telephone number is (571)272-3648. The examiner can normally be reached M-F 7:30am to 4pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Bryce Bonzo can be reached on 571-272-3655. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JOSEPH D MANOSKEY/
Primary Examiner, Art Unit 2113
March 12, 2022