Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 7, 9 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over JP 2017/107330A hereinafter Etsuko, and in further view of WO 2015/140843 A1 hereinafter Nomura.
Regarding claim 1
	Etsuko discloses: 
	An information selection device comprising: a memory storing instructions; and a processor connected to the memory and configured to execute the instructions to specify target log information among log information (Abstract: “An assistance device (information selection device) includes a sorting unit configured to sort events picked as abnormal events from a plurality of events among elements by elements relevant to the abnormal events.”; Page 2: “The abnormal event indicated by the received abnormal event information (target log information) is an event having a high possibility of abnormality detected from a log that is a result of monitoring the monitored system”) the log information representing that a process is executed for a processing object in a target system, the target log information representing a processing object that may affect an abnormal process executed in the target system (Page 2: “The classification unit 11 receives abnormal event information indicating an abnormal event. The abnormal event indicated by the received abnormal event information is an event having a high possibility of abnormality detected from a log that is a result of monitoring the monitored system. The log includes information indicating an event between elements for each host included in the monitoring target system.”);

	Nomura discloses:
	and calculate an abnormality degree of the target log information based on the calculated frequency (Page 14: “For example, the path abnormality degree evaluation unit 160 may evaluate the degree of abnormality of each side by determining whether the number of occurrences (frequency) of the relationship between elements represented by each side is smaller than a predetermined threshold. The threshold may be a number obtained by dividing the total number of times by the total number of sides.”)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Etsuko in order to include a feature that calculates an abnormality degree based on the calculated frequency as taught by Nomura. One of ordinary skill in the art would have been motivated to do so because Nomura recognizes that the abnormality rate of target log information can be calculated based on the frequency and relationship between elements (Page 14: “For example, the path abnormality degree evaluation unit 160 may evaluate the degree of abnormality of each side by determining whether the number of occurrences (frequency) of the relationship between elements represented by each side is smaller than a predetermined threshold. The threshold may be a number obtained by dividing the total number of times by the total number of sides.”).
Etsuko further discloses:
and select relevant log information with having the abnormality degree satisfying a condition for determining abnormal log information among the target log information (Page 2: “The classification unit 11 receives abnormal event information indicating an abnormal event. The abnormal event indicated by the received abnormal event information is an event having a high possibility of abnormality detected from a log that is a result of monitoring the monitored system. The log includes information indicating an event between elements for each host included in the monitoring target system.”).
Regarding claim 2
Etsuko discloses: 
The information selection device according to claim 1, wherein the processing object is, at least, one of a process different from the process, a socket accessed in the process, and a file accessed in the process. (Abstract: An assistance device (information selection device) includes a sorting unit configured to sort events picked as abnormal events from a plurality of events among elements by elements relevant to the abnormal events.; Page 3: “In the case of an event for a certain host, the element may be any of process, file, and external host. An event between elements is, for example, that the process has accessed the file when one of the elements is a process and the other is a file.”).
Regarding claim 7
Etsuko discloses: 
The information selection device according to claim 1, wherein the processor is configured to execute the instructions to determine whether or not the log information received from the target system is abnormal log information including an abnormal process satisfying a predetermined abnormality determination specify the target log information in reply to determining that the log information is the abnormal log information by the abnormality determination means (Page 3: “The detection unit 140 detects an event having a high possibility of abnormality from the log stored in the storage unit 130. An example of this abnormal event is shown in FIG. FIG. 3 is a diagram illustrating an example of a list of abnormal events (abnormal event list) detected by the detection unit 140. Note that the abnormal event list shown in FIG. 3 includes abnormal events for a certain host detected from the log.”; Page 9: “As shown in FIG. 13, the detection unit 140 detects an abnormal event (step S131). Thereafter, the receiving unit 150 receives an input from the administrator (step S132). Then, the classifying unit 111 classifies abnormal events after the time specified based on the input received by the receiving unit 150 for each element related to the abnormal event (step S133).”).
	Regarding claim 9
Etsuko discloses: 
	An information selection method, by an information processing device, comprising: specifying target log information among log information (Abstract: “An assistance device (information selection device) includes a sorting unit configured to sort events picked as abnormal events from a plurality of events among elements by elements relevant to the abnormal events.”; Page 2: “The abnormal event indicated by the received abnormal event information (target log information) is an event having a high possibility of abnormality detected from a log that is a result of monitoring the monitored system”), the log information representing that a process is executed for a processing object in a target system, the target log information representing a processing “The classification unit 11 receives abnormal event information indicating an abnormal event. The abnormal event indicated by the received abnormal event information is an event having a high possibility of abnormality detected from a log that is a result of monitoring the monitored system. The log includes information indicating an event between elements for each host included in the monitoring target system.”);
Etsuko does not disclose the following limitation “calculating a frequency of the target log information for each combination of the process with the processing object; calculating an abnormality degree of the target log information based on the calculated frequency”
	Nomura discloses:
calculating a frequency of the target log information for each combination of the process with the processing object; calculating an abnormality degree of the target log information based on the calculated frequency (Page 14: “For example, the path abnormality degree evaluation unit 160 may evaluate the degree of abnormality of each side by determining whether the number of occurrences (frequency) of the relationship between elements represented by each side is smaller than a predetermined threshold. The threshold may be a number obtained by dividing the total number of times by the total number of sides.”);
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Etsuko in order to include a feature that calculates an abnormality degree based on the calculated frequency as taught by Nomura. One of ordinary skill in the art would have been motivated to do so because Nomura recognizes that the abnormality rate of target log information can be calculated based on the frequency and relationship between elements (Page 14: “For example, the path abnormality degree evaluation unit 160 may evaluate the degree of abnormality of each side by determining whether the number of occurrences (frequency) of the relationship between elements represented by each side is smaller than a predetermined threshold. The threshold may be a number obtained by dividing the total number of times by the total number of sides.”).
Etsuko further discloses:
and selecting relevant log information with having the abnormality degree satisfying a condition for determining abnormal log information among the target log information (Page 2: “The classification unit 11 receives abnormal event information indicating an abnormal event. The abnormal event indicated by the received abnormal event information is an event having a high possibility of abnormality detected from a log that is a result of monitoring the monitored system. The log includes information indicating an event between elements for each host included in the monitoring target system.”).
	Regarding claim 10
Etsuko discloses:
	A non-transitory recording medium storing an information selection program causing a computer to achieve: a target information specification function configured to specify target log information among log information (Abstract: “An assistance device (information selection device) includes a sorting unit configured to sort events picked as abnormal events from a plurality of events among elements by elements relevant to the abnormal events.”; Page 2: “The abnormal event indicated by the received abnormal event information (target log information) is an event having a high possibility of abnormality detected from a log that is a result of monitoring the monitored system”), the log information representing that a process is executed for a processing object in a target system, the target log information representing a processing object that may affect an abnormal process executed in the target system (Page 2: “The classification unit 11 receives abnormal event information indicating an abnormal event. The abnormal event indicated by the received abnormal event information is an event having a high possibility of abnormality detected from a log that is a result of monitoring the monitored system. The log includes information indicating an event between elements for each host included in the monitoring target system.”);
Etsuko does not disclose the following limitation “a calculation function configured to calculate a frequency of the target log information for each combination of the process with the processing object, and calculate an abnormality degree of the target log information based on the calculated frequency”
	Nomura discloses: 
a calculation function configured to calculate a frequency of the target log information for each combination of the process with the processing object, and calculate an abnormality degree of the target log information based on the calculated frequency (Page 14: “For example, the path abnormality degree evaluation unit 160 may evaluate the degree of abnormality of each side by determining whether the number of occurrences (frequency) of the relationship between elements represented by each side is smaller than a predetermined threshold. The threshold may be a number obtained by dividing the total number of times by the total number of sides.”);
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Etsuko in order to include a feature that calculates an abnormality degree based on the calculated frequency as taught by Nomura. One of ordinary skill in the art would have been motivated to do so because Nomura recognizes that the abnormality rate of target log information can be calculated based on the frequency and relationship between elements (Page 14: “For example, the path abnormality degree evaluation unit 160 may evaluate the degree of abnormality of each side by determining whether the number of occurrences (frequency) of the relationship between elements represented by each side is smaller than a predetermined threshold. The threshold may be a number obtained by dividing the total number of times by the total number of sides.”).
Etsuko discloses: 
and a selection function configured to select relevant log information with having the abnormality degree satisfying a condition for determining abnormal log information among the target log information (Page 2: “The classification unit 11 receives abnormal event information indicating an abnormal event. The abnormal event indicated by the received abnormal event information is an event having a high possibility of abnormality detected from a log that is a result of monitoring the monitored system. The log includes information indicating an event between elements for each host included in the monitoring target system.”).
Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over JP 2017/107330A hereinafter Etsuko, in view of WO 2015/140843 A1 hereinafter Nomura, and in further view of WO 2014/174738 A1 hereinafter Masahiro.
Regarding Claim 3
Etsuko discloses:
The information selection device according to claim 1, wherein the processor is configured to execute the instructions to calculate the abnormality degree (Abstract: “An assistance device (information selection device) includes a sorting unit configured to sort events picked as abnormal events from a plurality of events among elements by elements relevant to the abnormal events.”; Page 11:“As shown in FIG. 17, the abnormal event list in the present embodiment includes the degree of abnormality of each abnormal event in addition to the abnormal event list shown in FIG. In the present embodiment, the degree of abnormality is represented by a numerical value from 0 to 1, as shown in FIG. 17, and it is assumed that the higher the numerical value, the higher the possibility of abnormality.”), 
	Etsuko does not disclose the following limitation “the abnormality degree being higher toward lower frequency, the abnormality degree being lower toward higher frequency”  
	Masahiro discloses:
	the abnormality degree being higher toward lower frequency, the abnormality degree being lower toward higher frequency (Page 4: “Therefore, the degree of abnormality calculation unit 24 may calculate the degree of abnormality using a function that calculates the degree of abnormality higher for events with a lower occurrence frequency of changes in the crowd behavior pattern.”)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Etsuko and Nomura in order to include a feature in which the calculation of an abnormality degree would be higher toward lower frequency as taught by Masahiro. One of ordinary skill in the art would have been motivated to do so because Masahiro recognizes that the abnormality calculation will increase if the frequency of an event is lower when compared to its normal state (Page 4: “For example, when an event that does not occur so much occurs in the monitored environment, it can be said that the situation in which such an event occurs is a situation that deviates from the normal state.”).
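The frequency-based scoring quoted from Nomura (threshold equal to the total number of occurrences divided by the number of sides) and from Masahiro (a higher abnormality degree for a lower occurrence frequency) can be sketched as follows. This is an added example, not code from the application or from any cited reference; the log record format, the 1/count scoring function and all names are assumptions made for illustration.

```python
from collections import Counter
from typing import NamedTuple

# Constructed sample records: "<time> <process> <action> <object>".
SAMPLE_LOG = """\
09:00:01 sshd read file:/etc/ssh/sshd_config
09:00:02 sshd connect socket:10.0.0.5:22
09:00:03 nginx read file:/var/www/index.html
09:00:04 nginx read file:/var/www/index.html
09:00:05 nginx read file:/var/www/index.html
09:00:06 nginx read file:/var/www/index.html
09:00:07 nginx connect socket:10.0.0.9:443
09:00:08 nginx connect socket:10.0.0.9:443
09:00:09 nginx spawn process:sh
09:00:10 sshd connect socket:10.0.0.5:22
malformed line
"""


class Edge(NamedTuple):
    """One side of the relationship graph: a process and the object it touched."""
    process: str
    obj: str


def parse(log_text):
    """Return one Edge per well-formed record; malformed lines are skipped."""
    edges = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, process, _, obj = parts
        edges.append(Edge(process, obj))
    return edges


def edge_frequencies(edges):
    """Frequency of each (process, processing object) combination."""
    return Counter(edges)


def abnormality_degree(count):
    """Assumed scoring function: 1/count, so rarer edges score closer to 1."""
    if count < 1:
        raise ValueError("count must be at least 1")
    return 1.0 / count


def select_relevant(freq):
    """Select edges whose frequency is below total occurrences / number of edges."""
    if not freq:
        return []  # no edges: nothing to score, and no division by zero
    threshold = sum(freq.values()) / len(freq)
    selected = [
        (edge, n, abnormality_degree(n))
        for edge, n in freq.items()
        if n < threshold
    ]
    # Highest degree first; ties broken by edge name for stable output.
    return sorted(selected, key=lambda row: (-row[2], row[0]))


if __name__ == "__main__":
    for edge, n, degree in select_relevant(edge_frequencies(parse(SAMPLE_LOG))):
        print(f"{edge.process} -> {edge.obj}  count={n}  degree={degree:.2f}")
```

On the sample, ten well-formed records over five distinct edges give a threshold of 2.0, so only the two edges seen once are selected.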
	Claims 4, 5, and 6 are rejected under 35 U.S.C. 103 as being unpatentable over JP 2017/107330 A hereinafter Etsuko, in view of WO 2015/140843 A1 hereinafter Nomura, and in further view of US 2019/0108112 A1 hereinafter Kannan.
Regarding Claim 4
	Etsuko does not disclose the following information “wherein the processor is configured to execute the instructions to generate display information used in displaying the relevant log information in accordance with a mode depending on the processing object”
Kannan discloses:
	The information selection device according to claim 1, wherein the processor is configured to execute the instructions to generate display information used in displaying the relevant log information in accordance with a mode depending on the processing object (Claim 9: “The log analysis tool as claimed in claim 8, wherein the output module further displays metadata associated to a log selected from the subset, wherein the metadata indicates timestamp, message, source file of the log, logged date, log type, device name, and file name.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Etsuko and Nomura in order to include a feature that can display the relevant log information in accordance with a mode as taught by Kannan. One of ordinary skill in the art would have been motivated to do so because Kannan recognizes that display metadata associated with the log information can be further processed and filtered by a user in order to examine the data in other means (¶36: “In one example, a grid view page 402 illustrating the metadata associated to a log is shown in FIG. 4. As shown in the figure, the grid view comprises two panels i.e. a Services Panel 404 and a Display Selection 404. The Services Panel 404 displays the subset of the plurality of parsed logs, as filtered by the user.”).
Regarding Claim 5
Etsuko discloses:
The information selection device according to claim 4, wherein the processor is configured to execute the instructions to generate display information representing a graph which includes vertices and edges representing the relevance information and display a screen based on the generated display information on a display device, each of the vertices being defined for a processing object in the relevant log information and a process in the relevant log information, each of the edges representing an association between a vertex representing a process and a vertex representing a processing object (Abstract: “An assistance device includes a sorting unit configured to sort events picked as abnormal events from a plurality of events among elements by elements relevant to the abnormal events; and a generation unit configured to generate a relationship graph to be displayed on a display screen on the basis of a sorting result, the relationship graph being designed such that abnormal events are presented with vertexes representing the elements and sides representing relationship among the elements, and that the elements are arranged by type on the display screen”).
Regarding Claim 6 
Etsuko discloses:
The information selection device according to claim 4, wherein the processor is configured to execute the instructions to generate graph information representing a graph that includes vertices and edges, each of the vertices being defined for a processing object in the target log information and a process in the relevant log information, each An assistance device includes a sorting unit configured to sort events picked as abnormal events (target log information) from a plurality of events (relevant log information) among elements by elements relevant to the abnormal events”; Abstract: “a generation unit configured to generate a relationship graph to be displayed on a display screen on the basis of a sorting result, the relationship graph being designed such that abnormal events are presented with vertexes representing the elements and sides representing relationship among the elements, and that the elements are arranged by type on the display screen”) 
Etsuko does not disclose the following limitation “and set, to the display information, a part representing the relevant log information among the graph information generated by the target information specification means”
Kannan discloses:
and set, to the display information, a part representing the relevant log information among the graph information generated by the target information specification means (“The log analysis tool as claimed in claim 8, wherein the output module further displays metadata (relevant log information) associated to a log selected from the subset, wherein the metadata indicates timestamp, message, source file of the log, logged date, log type, device name, and file name.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Etsuko and Nomura in order to include a feature that can display the relevant log information in accordance with a mode as taught by Kannan. One of ordinary skill in the art would have been motivated to do so because Kannan recognizes that display metadata associated with the log information can be further processed and filtered by a user in order to examine the data in other means (¶36: “In one example, a grid view page 402 illustrating the metadata associated to a log is shown in FIG. 4. As shown in the figure, the grid view comprises two panels i.e. a Services Panel 404 and a Display Selection 404. The Services Panel 404 displays the subset of the plurality of parsed logs, as filtered by the user.”).
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over JP 2017/107330 A hereinafter Etsuko, in view of WO 2015/140843 A1 hereinafter Nomura, in view of US 2019/0108112 A1 hereinafter Kannan, and in further view of WO 2016/073765 A1 hereinafter Li.
Regarding claim 8

Li discloses:
The information selection device according to claim 6, wherein the processor is configured to execute the instructions to store template information representing a graph that includes edges associated with a predetermined abnormality degree and calculate the predetermined abnormality degree for a part matching the template information among the graph information (¶9: “In yet another aspect of the present disclosure, a computer program product is provided that includes a computer readable storage medium having computer readable program code embodied therein for performing a method for behavior query construction in temporal graphs using discriminative sub-trace mining. In an embodiment, the method may include generating system data logs to provide temporal graphs.”; ¶26: “To overcome this problem, the present principles teaches identifying the most discriminative patterns for target behaviors in temporal graphs and employ the most discriminative patterns as behavior queries. Accordingly, these behavior queries, which may consist of only a few edges, are easier to interpret and modify as well as being robust to noise.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Etsuko, Nomura, and Kannan in order to include a feature that can store template information representing a graph and calculate the predetermined abnormality degree using the template information as taught by Li. One of ordinary skill in the art would have been motivated to do so because Li recognizes that the temporal graph patterns can be used in order to calculate the maximum discriminative score (¶26: “In accordance with one embodiment, a positive set and a negative set of temporal graphs may be determined, and temporal graph patterns with maximum discriminative score may be identified”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAAD ABDULLAH whose telephone number is 571-272-1531. The examiner can normally be reached on Monday-Friday 9am-5pm EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, LYNN FIELD can be reached on 571-272-2092.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SAAD AHMAD ABDULLAH/ Examiner, Art Unit 2431

/LYNN D FEILD/ Supervisory Patent Examiner, Art Unit 2431