DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1, 6, 10, 15 and 19 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 1, 10, 15 and 19 recites “classifying a portion of the unstructured text as anomalous …”; and “… includes an indication that the portion of the unstructured text is anomalous ”. The term “anomalous” is vague and not clear.
Claim 1 attempts to define the subject-matter in terms of the result to be achieved "classifying a portion ... by inputting text to a machine learning-based model", which merely amounts to a statement of the underlying problem, without providing the technical features necessary for achieving this result. It is vague and not clear.
Claim 6 recites “classifying a second portion of the unstructured text as anomalous”. The term “anomalous” is vague and not clear.
In Claims 4, 9, 13, and 18, the functional statement "tokenizing one or more numbers ... to represent a magnitude" does not enable the skilled person to determine which technical features are necessary to perform the stated function and what the term "magnitude" refers to. It is vague and not clear.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5-7, 9-12, 14-16, and 19-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Patthak et al. (US #2016/0292592) in view of Mahapatra et al. (Contextual Anomaly Detection in Text Data).

Regarding Claim 1, Patthak discloses a method (abstract, ¶0007) comprising:
obtaining unstructured text generated by a device regarding operation of the device (Patthak ¶0040 discloses implement machine learning-based classification of logs. This approach can be used to group logs automatically using a machine learning infrastructure. ¶0041 discloses the illustration with respect to "log" data, is not limited in its scope only to the analysis of log data, and indeed is applicable to wide range of data types); 
identifying the unstructured text as associated with a particular command or process that generated the unstructured text (Patthak ¶0061 discloses the daemon manager 334 takes the log content and packages it up so that it can be handed back to the LA agent 333. ¶0064 discloses the retrieved log data undergoes a "parse" stage 312, where the log entries are parsed and broken up into specific fields; Fig. 3A);
classifying a portion of the unstructured text as anomalous by inputting the unstructured text to a machine learning-based model trained to predict text generated by the particular command or process (Patthak ¶0189 discloses within a machine learning infrastructure 1504 [Fig. 15], a set of classifiers 1504a and 1504b use the learning models 1505a and 1505b, respectively, to classify the logs 1501a-c. ¶0136 discloses log anomaly detection and scoring. ¶0058 discloses at 132, incident management can be performed upon the processed data; Figs. 1A-1B. One or more alert conditions can be configured within log analytics system such that upon the detection of the alert condition, an incident management mechanism 117 provides a notification to a designated set of users of the incident/alert); and
provide the unstructured text for display that includes an indication that the portion of the unstructured text is anomalous (Patthak ¶0217 discloses Fig. 21-11 illustrates one possible approach to display classification results within a user interface on a display device; Fig. 1A: 103; Fig. 29: 1411).
Patthak may not explicitly disclose classifying a portion of the unstructured text as anomalous by inputting the unstructured text to a machine learning-based model trained to predict text generated by the particular command or process.
However, Mahapatra (title) teaches classifying a portion of the unstructured text as anomalous by inputting the unstructured text to a machine learning-based model trained to predict text generated by the particular command or process (Mahapatra section 3 discloses detect the occurrence of abnormal/deviant topics and themes in large scale textual logs [like emails, blogs etc.] that could help us in inferring anomalous shifts in behavioral patterns. Page 480 last para discloses table 2 shows all the quality metrics obtained by us on these three datasets and report precision, recall, F-score, sensitivity and specificity scores of the classification of the anomalous class. Page 475: Fig. 4).
Patthak and Mahapatra are analogous art as they pertain to anomaly detection. Therefore it would have been obvious to someone of ordinary skill in the art before the effective filing date of the invention was made to modify classification system (as taught by Patthak) to simplify the construction of the algorithm and also ensure that the results from both unfiltered and filtered versions of the algorithm are clearly visible by introducing context as a post-processing filter for regular topic modeling-based anomaly detection techniques (as taught by Mahapatra, Page 473 2nd para) for both reductions of false positives and detection of previously undetected anomalies in existing datasets (Mahapatra, Page 487 1st para).



Regarding Claim 2, Patthak in view of Mahapatra discloses the method as in claim 1,
wherein the indication comprises highlighting of the portion of the unstructured text (Patthak ¶0046 discloses a user interface [UI] mechanism generates the UI to display the classification and analysis results, and to allow the user to interact with the log analytics system. ¶0152 discloses there are numerous ways that can be provided to list fields for user to select/de-select them for display purpose in the search findings table. One example approach is based on static metadata, and another possible way is based on dynamic search results. ¶0217 discloses each of the different log types are presented, along with a percentage probability that the log should be classified as that log type. Alternatively, the list is sorted, and only the top n log types with the highest probability percentages are displayed in the interface. Or, instead of displaying detailed percentage probabilities, one [or more] recommended classifications are provided for only those log types which meet a threshold level of similarity [e.g., by establishing a similarity threshold radius when comparing the log vector to log type centroids]).

Regarding Claim 3, Patthak in view of Mahapatra discloses the method as in claim 1,
wherein the machine learning-based model comprises a neural network (Patthak ¶0042 discloses method and system for implementing high volume of log collection and analytics, which is usable in conjunction with machine learning classification of log files).

Regarding Claim 5, Patthak in view of Mahapatra discloses the method as in claim 1,
wherein the unstructured text comprises log data or command line interface (CLI) text generated by the device (Patthak “Log Data” Figs. 1B, 17, 21-2 to 21-10, 25, and 27).

Regarding Claim 6, Patthak in view of Mahapatra discloses the method as in claim 1, further comprising:
classifying a second portion of the unstructured text as anomalous (Patthak claim 1: second type of vector data for the log; automatically classifying the log as the log type); and
identifying the second portion of the unstructured text as a variable field based on a score distribution calculated by the machine learning-based model (Patthak claim 1: parsing the log to store log items comprising fields and values based at least in part on identification of the log type).

Regarding Claim 7, Patthak in view of Mahapatra discloses the method as in claim 1, further comprising:
training the machine learning-based model to predict text generated by the particular command or process using a training dataset comprising text generated by the particular command or process (Patthak ¶0186 discloses provide an approach to perform machine learning-based classification of logs; Fig. 15. ¶0193 discloses at 1602 [Fig. 16], the process begins with a training phase to generate learning models for the classification process. ¶0197 discloses at 1702 [Fig. 17], a set of logs is identified that correspond to known log types. This set of known logs forms the basis of the training data. The set of known logs can comprise an initial set of training material, or can be provided as follow-up training materials from a feedback process where previous incorrectly-classified logs are identified and placed within the training materials to improve the accuracy of the learning models).

Regarding Claim 9, Patthak in view of Mahapatra discloses the method as in claim 1, further comprising:
tokenizing one or more characters of the portion of the unstructured text, prior to input to the machine learning-based model, based on whether the one or more characters are capitalized (Patthak ¶0190 discloses a second classifier, referred to herein as a "token classifier", can operate based upon vectors generated by identification of certain tokens within the log. ¶0192 discloses classifier 1504a is a distribution classifier and classifier 1504b is a token classifier. ¶0202 discloses the log is converted into a second type of vector [token vector 1906a] where the tokens within the log [or at least the top n tokens within the log] are used to generate the token vector 1906a. ¶0203 discloses each of the other logs undergoes this same process. Fig. 19-3 illustrates processing for Log 2, where the log is converted into a first distribution vector 1904b and a second token vector 1906b. ¶0204 discloses for the coordinate space 1912 that corresponds to the token vectors, a similarity radius 1919 has been established which groups points 1913a, 1913b, and 1913c into the same cluster. ¶0205 discloses centroids can then be identified for each cluster. Also refer to ¶0206-0214).

Claims 10-12, 14-16, and 19-20 are rejected for the same reasons as set forth in Claims 1-3, 5-7, and 9.

Claims 4, 8,13, and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Patthak et al. (US #2016/0292592) in view of Mahapatra et al. (Contextual Anomaly Detection in Text Data) further in view of Huang et al. (US #2018/0285397).

Regarding Claim 4, Patthak in view of Mahapatra discloses the method as in claim 1, further comprising:
tokenizing one or more numbers in the portion of the unstructured text to represent a magnitude, prior to input to the machine learning-based model (Patthak ¶0190 discloses a second classifier, referred to herein as a "token classifier", can operate based upon vectors generated by identification of certain tokens within the log. ¶0192 discloses classifier 1504a is a distribution classifier and classifier 1504b is a token classifier. ¶0202 discloses the log is converted into a second type of vector [token vector 1906a] where the tokens within the log [or at least the top n tokens within the log] are used to generate the token vector 1906a. ¶0203 discloses each of the other logs undergoes this same process. Fig. 19-3 illustrates processing for Log 2, where the log is converted into a first distribution vector 1904b and a second token vector 1906b. ¶0204 discloses for the coordinate space 1912 that corresponds to the token vectors, a similarity radius 1919 has been established which groups points 1913a, 1913b, and 1913c into the same cluster. ¶0205 discloses centroids can then be identified for each cluster. Also refer to ¶0206-0214).
In an analogous art, Huang (abstract; Figs. 3, 5) also teaches tokenizing one or more numbers in the portion of the unstructured text to represent a magnitude, prior to input to the machine learning-based model (Huang ¶0033 discloses in the case of unstructured log data, inverted indexing techniques can be used, whereby each token is treated equally and independently [i.e., each token becomes an independent key in the index]. ¶0036 discloses a device in a network tokenizes a plurality of strings from unstructured log data into entity tokens and non-entity tokens. The entity tokens identify entities in the network.  ¶0041 discloses log analysis process 248 can include a tokenizer 306 that breaks down the strings/lines of log data 304 into individual tokens/words. For example, in the case of a string "creating instance INS001 for service SVC001," tokenizer 306 can tokenize the string into the following tokens: "creating," "instance," "INS001," "for," "service," "SVC001". ¶0048 discloses context constructor 312 may determine the "context" for each of the entity patterns from pattern extractor 310. Such a context can comprise a predefined number of tokens or patterns that appear in a given pattern before or after an entity wildcard. ¶0049 discloses embedder 314 can use machine learning to perform such a mapping. For example, embedder 314 can use a trained neural network having a single projection layer and a single output layer).
Patthak, Mahapatra, and Huang are analogous art as they pertain to anomaly detection. Therefore it would have been obvious to someone of ordinary skill in the art before the effective filing date of the invention was made to modify the teachings of Patthak in view of Mahapatra in light of the teachings of Huang for a particular entity-centric context to comprise a sequence of tokens that precede or follow an entity token in the tokenized strings (as taught by Huang, ¶0036) by tokenizing a plurality of strings from unstructured log data into entity tokens and non-entity tokens (Huang, ¶0009).

Regarding Claim 8, Patthak in view of Mahapatra discloses the method as in claim 1, but may not explicitly disclose wherein the device comprises a network router or network switch.
However, Huang (abstract; Fig. 2) teaches wherein the device comprises a network router or network switch (Huang ¶0027 discloses node/devices 200 that can be used by, e.g., any of the computing devices shown in Figs. 1A-1B, particularly the PE routers 120, CE routers 110, nodes/device 10-20, servers 152-154 [e.g., a network controller located in a data center, etc.], any other computing device that supports the operations of network 100 [e.g., switches, etc.], or any of the other devices).
Patthak, Mahapatra, and Huang are analogous art as they pertain to anomaly detection. Therefore it would have been obvious to someone of ordinary skill in the art before the effective filing date of the invention was made to modify the teachings of Patthak in view of Mahapatra in light of the teachings of Huang to interconnect routers by the public internet, a multiprotocol label switching [MPLS] virtual private network [VPN], or the like (as taught by Huang, ¶0027) to transmit and/or receive data using a variety of different communication protocols (Huang, ¶0028).

Claims 13, 17, and 18 are rejected for the same reasons as set forth in Claims 4 and 8.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YOGESHKUMAR G PATEL whose telephone number is (571)272-3957. The examiner can normally be reached 7:30 AM-4 PM PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Duc Nguyen can be reached on 571-272-7503. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/YOGESHKUMAR PATEL/Primary Examiner, Art Unit 2651