DETAILED ACTION
	This is in response to the amendment filed on February 14th 2022.

Response to Arguments
Applicant’s arguments, see pg. 6, filed 2/14/22, with respect to the specification have been fully considered and are persuasive.  The objection of the specification has been withdrawn. 

Applicant’s arguments, see pg. 6-7, filed 2/14/22, with respect to the rejection(s) of claim(s) 1-6 under 102 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made under 103.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 1/6/22 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6 are rejected under 35 U.S.C. 103 as being unpatentable over Yadav et al. US 2016/0359886 A1.

	Regarding claim 1, Yadav discloses a detecting device (paragraph 57, Fig. 2) comprising:
	a memory, and a processor coupled to the memory (paragraph 57, Fig. 2) and programmed to execute a process comprising:
obtaining a network log and a host log of a device (receive network data and node data – paragraphs 62-64 and Fig. 3); 
firstly converting the network log into a first feature value in a form which is inputtable to a multimodal generative model, the multimodal generative model being a generative model which generates output data on the basis of multiple latent variables represented by random variables (machine learning algorithms process the network data into a model which is used to output data – paragraphs 22, 52-54; firstly data is converted to be suitable for modeling – paragraphs 74-75, Fig. 5); 
secondly converting the host log into a second feature value in a form which is inputtable to the generative model (repeat data conversion for additional data – paragraphs 74-75, Fig. 5); 
inputting at least one of the first and second feature values to the generative model (Fig. 5; also see paragraph 52 which teaches dynamically updating models with new data);
calculating the output data (Fig. 5); and
detecting an abnormality about the device using an anomaly score calculated on the basis of the output data (see abstract, paragraphs 3, 20, and 79-82, Fig. 5).

Yadav also discloses the [logs] have different output intervals (sensors have different output intervals depending on whether they are software or circuit based – see paragraphs 43 and 64; e.g. circuit sensor output is on the order of milliseconds while a software sensor is on the order of seconds), and the network log is one of a plurality of network logs (multiple sensors / logs – see Fig. 3) that have different output intervals depending on an interface for output (output interval depends on interface, i.e. software interface has different output interval than hardware/circuit interface – see paragraph 43).
Yadav does not explicitly disclose the network log and host log must have different output intervals as it could be that all sensors are software or all sensors are hardware (paragraph 43) which may result in the output interval being the same (this is unlikely as Yadav teaches that even circuit based sensors have different intervals between 10-1000 ms, and software sensors are “approximately” one second – see paragraph 43).  Nevertheless, it is not inherent that the network log and host log are different so hence the 103 rejection.  Based solely on the teachings of Yadav, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yadav so that the host log and network log have different intervals as required by the claim.  Yadav suggests using software sensors for VM and circuit sensors for nodes/physical components (paragraphs 63-64), this would result in the claimed feature of the network log and host log having different output intervals depending on the interface for output.

	Regarding claim 2, Yadav discloses having the generative model learn so that the difference between the output data and each of the feature values input to the generative model is reduced (this is machine learning algorithms in operation – paragraph 22; the system runs and thereby “learns” to improve the model’s output – Fig. 5).

	Regarding claim 3, Yadav discloses firstly converting converts quantitative data included in the network log into a prescribed statistic of quantitative data and qualitative data included in the network log into a k-hot vector included in the network log where k is an integer of at least 1 (convert network data into vector – paragraph 76).

	Regarding claim 4, Yadav discloses secondly converting converts time-series accumulated data included in the host log into data per unit time (data is collected over time – paragraph 22, and organized into time periods – paragraph 45) and normalizes data related to the use amount of a resource by dividing the data by the total amount of the resource (data involves resource usage including individual process/user information and overall processing capabilities – paragraph 46).

	Regarding claim 5, Yadav discloses when a plurality of host logs correspond to one network log (receive data from a plurality of sources – paragraph 33), the secondly converting converts the plurality of host logs into the second feature value as one feature value by calculating at least one of a maximum, minimum, mean and a variance of the elements of the plurality of host logs (convert data – Fig. 5, using min and max values – paragraph 92, Fig. 10).

	Regarding claim 6,  it is a method claim that corresponds to the device of claim 1 but is broader in scope; thus it is rejected for the same reasons.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Harutyunyan et al. US 2016/0234238 A1 discloses a log management system (abstract) that teaches collecting logs at different output intervals (paragraphs 12-13).
Zhan et al. US 2019/0205511 A1 discloses network monitoring including using a model to determine abnormal behavior (paragraph 37).

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON D RECEK whose telephone number is (571)270-1975. The examiner can normally be reached Flex M-F 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kevin Bates can be reached on 5712723980. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JASON D RECEK/Primary Examiner, Art Unit 2458                                                                                                                                                                                                        
(571) 270-1975