DETAILED ACTION
This action is in response to the reply received 2/1/2022. After consideration of applicant's amendments and/or remarks:
Examiner maintains rejections under 35 USC § 103.
Claims 1-20 are rejected under 35 USC § 103.


Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Muddu et al., U.S. PG-Publication No. 2017/0063888 A1, in view of Pande et al., U.S. PG-Publication No. 2018/0270261 A1.

Claim 1
	Muddu discloses a method for detecting anomalies in mission-critical environments. [FUNCTIONAL LANGUAGE: INTENDED USE] The preamble recites an intention for using the method with the intended use for detecting anomalies in mission-critical environments.  When the body of a claim sets forth all limitations of the claimed invention and the preamble merely states the purpose or intended use of the invention, "then the preamble is not considered a limitation and is of no significance to claim construction." Statements in the preamble reciting the purpose or intended use of a claimed invention are evaluated by determining "whether the recited purpose or intended use results in a structural difference . . . between the claimed invention and the prior art." MPEP 2111.02(II). The body of the claim does not recite structure specific to detecting anomalies in mission-critical environments, because the recited limitations are applicable to detecting anomalies in any generic environment. Thus, the intended use of detecting anomalies in mission-critical environments recited in the preamble is not considered a limitation and is of no significance to claim construction.
	Muddu discloses a method "for anomalous activity detection in a networked environment." Muddu, ¶ 137.
	Muddu discloses parsing at least one received data set into a text structure. Figure 4 illustrates an exemplary security platform 300 comprising data sources 402 "that provide event data including machine data, to be analyzed for anomalies." Platform 300 further comprises a semantic processor 316 that "may perform parsing of the incoming event data" and "prepare the data for more efficient downstream utilization" (i.e. parses event data set into text structure for more efficient downstream utilization). Id. at ¶¶ 163-165.
	Muddu discloses isolating a protocol language of the at least one received data set, wherein the protocol language is a standardized pattern for communication over at least one protocol. The machine data "contains a record … of an event that takes place in the network environment," and can include "data from APIs" (i.e. data from a standardized pattern for communication). Id. at ¶ 189. Parsers 806 parse the event data (e.g. machine data) "to tokenize the event data into tokens." The initial parsing steps "can include using regular expression[s] to perform extraction or stripping." For example, "if the data is a system log (syslog), then a syslog regular expression can be used to strip away the packet of syslog (i.e., the outer shell of syslog) to reveal the event message inside." Id. at ¶¶ 209-210.
	Muddu discloses generating at least one document from the contents of the received at least one data set, wherein the at least one document includes at least one parsed text structure referencing a unique identifier. Muddu discloses generating a document comprising an event message, by stripping (i.e. isolating) the protocol language within machine/event data. The generated document comprises the revealed event message inside. See Id. Muddu discloses a field mapper 808 that "map[s] extracted tokens to one or more corresponding fields with predetermined meanings." For example, mapper 808 can "identify and extract entities from the tokens, and more specifically, the data format can specify which of the extracted tokens represent entities." The entities are unique references to "a user, a device, an application, a session" or "a uniform resource locator (URL)." Id. at ¶ 211; See Also ¶ 232 (identity resolution module 812 obtains unique identifiers such as "machine identifier," MAC or IP address, "user login identifier," and "electronic mail address").
	Muddu discloses detecting insights in the generated documents. Muddu discloses that the entity extraction process "enables the security platform to gain potential insight on the environment in which the security platform is operating." Id. at ¶ 212.
	Muddu discloses extracting rules from the detected insights. Muddu discloses that "the behavior analytics leverage machine learning data processing procedures … do not require any preexisting knowledge such as known signatures and rules" (i.e. the machine learning learns rules). Id. at ¶ 137. An analysis module 330 receives data processed by the semantic processor 316 and "analyzes the data in real-time to detect anomalies." Id. at ¶ 169. The analysis is performed by a machine learning based "complex event processing (CEP) engine that provides a mechanism to process data from multiple sources … to derive anomaly-related … conclusions in real-time." Id. at ¶¶ 270-273. The ML-based CEP engine "can train a decision tree" that "can make predictions based on historical sequence of events." Id. at ¶ 277. A decision tree is analogous to a set of rules, because the decisions in the tree are made according to rules. See Id. ("the trained decision tree is superior to a user-specified rule").
	Muddu discloses detecting anomalies by applying the extracted rules. Analysis module 330 "analyzes the data in real-time to detect anomalies." Id. at ¶ 168. Further, Muddu discloses that "an anomaly detected by … the ML-based CEP engine can correspond to an event, a sequence of events, an entity, a group of entities, or any combination thereof" and the output of the engine "can be an anomaly" presented on a display. Id. at ¶ 278.
	Muddu does not expressly disclose wherein the at least one parsed text structure is organized within the at least one document according to a natural language scheme.
	Pande discloses wherein the at least one parsed text structure is organized within the at least one document according to a natural language scheme. Pande discloses a method "for applying a model to detect and classify anomalies in event logs." Pande, ¶ 3. The method is "a rapid approach … to detect fault in critical safety systems." The method applies "the concept of word embeddings to enterprise event logs … by applying word embeddings to millions of events in an event log, an enterprise threat detection system may rapidly identify potentially anomalous events." Id. at ¶ 20. Pande discloses an anomaly classification engine comprising a "vocabulary generator 312" that "parses all event logs to generate a vocabulary of size V," comprising "all unique features in all event logs." Id. at ¶ 56. A vocabulary is a "natural language scheme."
	It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the anomaly detection method of Muddu to incorporate using word embeddings to determine anomalies as taught by Pande. One of ordinary skill in the art would be motivated to integrate using word embeddings to determine anomalies into Muddu, with a reasonable expectation of success, to increase the speed and efficiency of anomaly detection in large datasets, so that "an enterprise threat detection system may rapidly identify potentially anomalous events." See Pande, ¶ 21; See Also ¶¶ 2; 98.

Claim 2
	Muddu discloses wherein isolating the protocol language of the at least one received data set further comprises: generating documents from the contents of the at least one received data set. Field mapper 808 maps extracted tokens to fields in order "to identify and extract entities from the tokens" and "the field mapper 808 can map a value extracted to a key to create a key-value pair, based on [a] predetermined data format." Muddu, ¶ 211. The generated key-value pairs are generated documents containing extracted entities.

Claim 3
	Pande discloses wherein detecting insights in the documents generated further comprises: applying a natural language processing (NLP) technique to the at least one generated document. The method applies "the concept of word embeddings to enterprise event logs … by applying word embeddings to millions of events in an event log, an enterprise threat detection system may rapidly identify potentially anomalous events." Pande, ¶ 20.

Claim 4
	Pande discloses wherein the natural language processing (NLP) technique includes at least statistical language modeling (SLM). Pande discloses "training a model to identify regularly co-occurring features in order to identify anomalous features that are not regularly occurring in an event log." Pande, ¶ 23. The trained language model "captures statistical characteristics of features as they occur in a particular event log." Id. at ¶ 28.

Claim 5
	Pande discloses wherein the natural language processing (NLP) technique includes at least word embedding. The method applies "the concept of word embeddings to enterprise event logs … by applying word embeddings to millions of events in an event log, an enterprise threat detection system may rapidly identify potentially anomalous events." Pande, ¶ 20.
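	As an added illustration of the statistical language modeling relied on for claims 3-5 and in the discussion of Pande under claim 1 (a vocabulary of unique features, and a model of which features regularly co-occur in an event): the following Python is the editor's own example, not code from Pande, Muddu or the present application. It replaces word embeddings with a plain add-one-smoothed co-occurrence model so that it runs without any machine-learning library; the training events, the threshold and all names are constructed assumptions.

```python
import math
from collections import Counter
from itertools import permutations

# Constructed training event log (not data from any cited reference): each event is a
# "sentence" whose "words" are key=value features extracted from a parsed log line.
TRAIN_EVENTS = [
    ["proc=sshd", "user=alice", "action=login", "result=success"],
    ["proc=sshd", "user=alice", "action=login", "result=success"],
    ["proc=sshd", "user=bob", "action=login", "result=success"],
    ["proc=sshd", "user=bob", "action=logout", "result=success"],
    ["proc=squid", "user=bob", "action=get", "result=200"],
    ["proc=squid", "user=alice", "action=get", "result=200"],
    ["proc=squid", "user=alice", "action=get", "result=403"],
    ["proc=cron", "user=root", "action=run", "result=success"],
]


class CooccurrenceModel:
    """Vocabulary of unique features plus smoothed P(feature | other feature in the same event)."""

    def __init__(self, events):
        # Vocabulary of size V: all unique features in all event logs.
        self.vocab = sorted({f for e in events for f in e})
        self.V = len(self.vocab)
        self.pair = Counter()       # (context feature, target feature) -> co-occurrence count
        self.ctx_total = Counter()  # context feature -> number of ordered pairs it heads
        for e in events:
            for ctx, tgt in permutations(e, 2):
                self.pair[(ctx, tgt)] += 1
                self.ctx_total[ctx] += 1

    def p_given(self, tgt, ctx):
        # Add-one smoothing (assumption): an unseen pair is treated as rare, not impossible,
        # so a brand-new feature value still receives a finite, low probability.
        return (self.pair[(ctx, tgt)] + 1) / (self.ctx_total[ctx] + self.V)

    def score_features(self, event):
        """Mean log-probability of each feature given the other features of the event."""
        scores = {}
        for tgt in event:
            ctxs = [c for c in event if c != tgt]
            scores[tgt] = sum(math.log(self.p_given(tgt, c)) for c in ctxs) / len(ctxs)
        return scores

    def anomalous_features(self, event, threshold=-2.9):
        """Features that do not regularly co-occur with the rest of the event, most anomalous first."""
        scores = self.score_features(event)
        flagged = [f for f, s in scores.items() if s < threshold]
        return sorted(flagged, key=scores.get)


if __name__ == "__main__":
    model = CooccurrenceModel(TRAIN_EVENTS)
    # user=root has only ever appeared with cron, so it is the odd word in this squid sentence.
    print(model.anomalous_features(["proc=squid", "user=root", "action=get", "result=200"]))
    # A never-seen value is flagged through smoothing rather than raising an error.
    print(model.anomalous_features(["proc=sshd", "user=mallory", "action=login", "result=success"]))
```

	The threshold is on the mean log-probability, so it must be re-tuned whenever the vocabulary or event length changes; the point of the example is that the "anomalous word" is identified relative to its sentence (user=root is normal next to cron and anomalous next to squid), which is what distinguishes this scheme from a per-feature frequency count.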

Claim 6
	Muddu discloses wherein the at least one received data set includes application programming interface (API) communications. The machine data "contains a record … of an event that takes place in the network environment," and can include "data from APIs" (i.e. data from a standardized pattern for communication). Muddu, ¶ 189.

Claim 7
	Muddu discloses wherein parsing the at least one received data set further comprises: parsing the records as any one of: sentences, words, information elements, data units, and parsing procedures or sequences involving data packets or messages as paragraphs, wherein paragraphs contain sentences and sentences contain words. Muddu discloses using a parser to "tokenize the event data into tokens, which may be keys, values, or more commonly, key-value pairs," (i.e. words, information elements and/or data units). Muddu, ¶ 209.

Claim 8
	Muddu discloses wherein isolating the protocol language of the at least one data set further comprises: identifying pre-defined messages, procedures, and sessions for a protocol. The machine data "contains a record … of an event that takes place in the network environment," and can include "data from APIs" (i.e. data from a standardized pattern for communication). Id. at ¶ 189. Parsers 806 parse the event data (e.g. machine data) "to tokenize the event data into tokens." The initial parsing steps "can include using regular expression[s] to perform extraction or stripping." For example, "if the data is a system log (syslog), then a syslog regular expression can be used to strip away the packet of syslog (i.e., the outer shell of syslog) to reveal the event message inside." Id. at ¶¶ 209-210. The "outer shell" is a pre-defined message portion of the system log; the outer shell is pre-defined because it is stripped using a regular expression.

Claim 9
	Muddu discloses wherein generating the at least one document further comprises: identifying unique identifiers in the at least one received data set; and creating separate documents containing records relating to each identified unique identifier. Muddu discloses a user interface that provides a document view providing "separate listings for each type of entity … that is associated with an anomaly." Muddu, ¶ 451; See Also ¶ 459 ("[f]or each entity … a link is included" when clicked "the user is taken to a separate view for that selected entity").

Claim 10
	Claim 10 recites a medium storing instructions for performing the steps of the method recited in claim 1. Accordingly, claim 10 is rejected as indicated in the rejection of claim 1.

Claims 11-19
	Claims 11-19 recite a system configured to perform the steps of the method recited in claims 1-9. Accordingly, claims 11-19 are rejected as indicated in the rejection of claims 1-9.


Claim 20
	Muddu discloses wherein the at least one received set is for a mission critical environment. [FUNCTIONAL LANGUAGE: INTENDED USE] This limitation employs functional language because it recites a feature by what it does rather than by what it is. MPEP 2173.05(g). The broadest reasonable interpretation of this limitation is a "received set" having structure to store data. The recitation of an intention for using the data in a "mission critical environment" has no patentable weight because it merely states an intended use for the "received set." See MPEP 2111.04.
	Nonetheless, Muddu discloses that the method may be applied to "mission critical systems." Muddu, ¶¶ 372; 378; 404; 613; 635.
	Muddu discloses wherein the detection of insights in the generated documents is based on the isolated protocol language. Muddu discloses an embodiment wherein a protocol attribute of data traffic is used to determine "rarity feature of data traffic," which is in turn "used to detect anomalies represented in event data." For example, features in specific network protocols may have values that "occur more commonly … than another value of the feature." For example, hyper-text transfer protocol port value 80 is much more common than other ports. Muddu, ¶¶ 697-700.
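	As an added illustration of the rarity feature relied on for claim 20 (a feature value's rarity measured within a specific protocol, as characterized from Muddu ¶¶ 697-700): the following Python is the editor's own example, not code from Muddu or the present application. The traffic records, the destination-port feature and the threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed traffic summary (not data from any cited reference): (protocol, destination port).
# Port 80 dominates HTTP; port 53 dominates DNS; a few events use unusual ports.
TRAFFIC = (
    [("http", 80)] * 40 + [("http", 8080)] * 8 + [("http", 4444)] * 1
    + [("dns", 53)] * 30 + [("dns", 5353)] * 1
)


class RarityModel:
    """Rarity of a feature value conditioned on the protocol the value was observed under."""

    def __init__(self, records):
        self.by_proto = defaultdict(Counter)
        for proto, value in records:
            self.by_proto[proto][value] += 1

    def rarity(self, proto, value):
        """1.0 - P(value | proto); 1.0 for a value (or protocol) never observed."""
        counts = self.by_proto.get(proto)
        if not counts:
            return 1.0
        return 1.0 - counts[value] / sum(counts.values())

    def detect(self, records, threshold=0.95):
        """Events whose protocol-specific port value is rare enough to be surfaced as an anomaly."""
        return [
            (proto, value, round(self.rarity(proto, value), 3))
            for proto, value in records
            if self.rarity(proto, value) >= threshold
        ]


if __name__ == "__main__":
    model = RarityModel(TRAFFIC)
    # Port 53 is common under DNS but has never been seen under HTTP, so the same value
    # is ordinary in one protocol and anomalous in another; that is why rarity is
    # computed per protocol rather than over all traffic.
    print(model.detect([("http", 80), ("http", 4444), ("http", 53), ("dns", 53)]))
```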


Response to Arguments
Applicant's arguments filed 2/1/2022 have been fully considered but they are not persuasive.

Applicant argues that the cited prior art does not teach or suggest "isolating a protocol language, i.e. a network language constructed from pre-defined messages, sessions, and procedures used in a given communication protocol, which is called for by [claim 1]," because "data from APIs which may be parsed into tokens … does not correspond to isolating a protocol language."  Rem. pg.7.
The Examiner disagrees.
The Specification discloses isolating a protocol language as parsing text to isolate the part that governs communication within a network. Specification ¶ 42 ("language isolated may be a network language … used in a given communication protocol"); ¶ 43 ("isolation of the protocol language may be achieved by analysis of … data parsed at S420").
Applicant argues that the machine data of Muddu is limited only to data from APIs. However, the machine data is disclosed as more than just API data. Muddu discloses a method of analyzing "machine data" containing "a record … of an event that takes place in the network environment." The machine data is "more than mere logs," it can include text such as "configurations, data from APIs, message queues, change events, the output of diagnostic commands, call detail records, sensor data from industrial systems, and so forth." Muddu, ¶ 189, emphasis added; See Also ¶ 188; FIGS. 7A-B (listing example types of machine data).  Accordingly, the machine data of Muddu includes text comprising pre-defined messages (e.g. message queues, output of diagnostic commands, sensor data from industrial systems), sessions (e.g. call detail records), and procedures (e.g. change events) used in a given communication protocol.
Further, Muddu discloses parsing and stripping away (i.e. isolating) this protocol language from the machine data. Parsers 806 parse the event data (e.g. machine data) "to tokenize the event data into tokens." The initial parsing steps "can include using regular expression[s] to perform extraction or stripping." For example, "if the data is a system log (syslog), then a syslog regular expression can be used to strip away the packet of syslog (i.e., the outer shell of syslog) to reveal the event message inside." Muddu, ¶¶ 209-210; See Also ¶ 205 (format detector 804 performs data format pattern matching "by stripping away a format that has been identified (e.g. by stripping away a known event header, like a Syslog header)").
Accordingly, Muddu discloses obtaining machine data and stripping (i.e. isolating) the outer shell of the syslog (i.e. protocol language) to generate a new document comprising only the event message inside.
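As an added illustration of the parsing chain relied on in the rejection of claim 1 and in this response (Muddu ¶¶ 209-211 as characterized above: strip the syslog outer shell with a regular expression to reveal the event message, tokenize the message into key-value pairs, map tokens to entities, and group the resulting messages into separate documents per unique identifier as in claim 9): the following Python is the editor's own example, not code from Muddu, Pande or the present application. The sample syslog lines, the shell and token regular expressions, and the field-to-entity mapping are constructed assumptions standing in for a "predetermined data format."

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from any cited reference). The outer shell is
# "<PRI>TIMESTAMP HOST TAG[PID]: "; the event message is whatever follows it.
SAMPLE_SYSLOG = [
    "<34>Mar  1 12:00:01 fw01 sshd[2201]: user=alice src=10.0.0.5 action=login result=success",
    "<34>Mar  1 12:00:07 fw01 sshd[2201]: user=alice src=10.0.0.5 action=login result=failure",
    "<38>Mar  1 12:01:13 proxy02 squid[88]: user=bob src=10.0.0.9 url=http://intranet.example/report action=get",
    "not a syslog line at all",
]

# Regular expression for the syslog outer shell (assumed BSD-style header layout).
SYSLOG_SHELL = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Tokenizer for the revealed event message: key=value pairs separated by whitespace.
KV_TOKEN = re.compile(r"(\w+)=(\S+)")

# Assumed data format: which token keys carry entities, and what kind of entity each is.
ENTITY_FIELDS = {"user": "user", "src": "device", "url": "url"}


def strip_shell(line):
    """Strip the syslog outer shell; return (shell_fields, event_message), or None if no match."""
    m = SYSLOG_SHELL.match(line)
    if m is None:
        return None
    shell = {k: m.group(k) for k in ("pri", "ts", "host", "tag", "pid")}
    return shell, m.group("msg")


def tokenize(message):
    """Tokenize an event message into a dict of key-value pairs."""
    return dict(KV_TOKEN.findall(message))


def map_entities(shell, tokens):
    """Map tokens to (entity_kind, identifier) using the assumed data format."""
    entities = [(ENTITY_FIELDS[k], v) for k, v in tokens.items() if k in ENTITY_FIELDS]
    # The host that emitted the record is itself a device entity.
    entities.append(("device", shell["host"]))
    return entities


def build_entity_documents(lines):
    """Create a separate document (list of event messages) for each identified unique identifier."""
    docs = defaultdict(list)
    for line in lines:
        parsed = strip_shell(line)
        if parsed is None:
            continue  # unknown format: leave it for a different parser rather than guess
        shell, msg = parsed
        for kind, ident in map_entities(shell, tokenize(msg)):
            docs[(kind, ident)].append(msg)
    return dict(docs)


if __name__ == "__main__":
    for (kind, ident), messages in build_entity_documents(SAMPLE_SYSLOG).items():
        print(f"{kind}:{ident}")
        for m in messages:
            print("   ", m)
```

The non-matching fourth line is skipped rather than parsed loosely; in a real pipeline a format detector would route it to another parser, but silently tokenizing an unrecognized format is how header fields end up mistaken for event fields.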

Applicant argues that the cited prior art does not teach or suggest "the generation of a document including at least one parsed text structure wherein the at least one parsed text structure is organized within the at least one document according to a natural language scheme," because "it seems that the extracted entities" in Muddu "are identified and extracted from a token, which means extracting the token from the event data that represented the event." Rem. pg.8.
The Examiner disagrees.
As discussed supra, Muddu discloses obtaining machine data and stripping (i.e. isolating) the outer shell of the syslog (i.e. protocol language) to generate a new document comprising only the event message inside. See Muddu, ¶¶ 209-210.
The method extracts tokens from the event data representing the event. Id. at ¶ 190. The extracted tokens correspond to "one or more corresponding fields with predetermined meanings," wherein the meanings enable a field mapper 808 "to identify and extract entities from the tokens." Entities can include "a user, a device, an application, a session, a uniform resource locator (URL), or a threat." Id. at ¶ 211. Accordingly, Muddu discloses parsing the event data to identify unique identifiers (e.g. user, device, application, session, URL).
Applicant argues that the generated document "must be amenable to natural language processing" and "must have a parsed text structure such that it is amenable to have a natural language type of structure, e.g., being analogous to having paragraphs made of sentences and sentences made of words." Rem. pg.8. This is beyond what the claim actually recites though— the claim merely requires that the document include "at least one parsed text structure … organized … according to a natural language scheme." There is no explicit recitation of parsing paragraphs, sentences, and/or words.
Nonetheless, Muddu does not expressly disclose that the event message is organized according to a natural language scheme (as indicated in the Office Action). However, Muddu does disclose that if a network administrator "wishes to receive data in a new data format, he can edit the configuration file to create rules … for the particular data format including, for example, identifying how to tokenize the data, identifying which data are the entities in the particular format, and/or identifying the logic on how to establish a relationship [between the entities]." Id. at ¶ 219.
Pande discloses using word embeddings to enterprise event logs to detect anomalous events. Pande, ¶ 21. An anomaly classification server 102 "trains a model to identify one or more anomalous features in one or more event logs … using language models as Word2Vec to represent features within event logs as vectors." Id. at ¶ 40. In one example, Pande describes how the trained model "finds anomalous words in a sentence that corresponds to the event log." Id. at ¶¶ 63-65, emphasis added.
Examiner relies on Muddu to teach isolating (e.g. stripping) the protocol language from machine event data to generate a document comprising of an event message for abnormality analysis. Muddu suggests that the method could be modified to accommodate different data formats. Muddu, ¶ 219. Pande teaches detecting and classifying anomalies in event logs comprising sentences using word embeddings.
Accordingly, the method of Muddu could be modified with the language model of Pande to accommodate an event log comprising event data arranged in textual sentences. One of ordinary skill in the art would be motivated to integrate using word embeddings to determine anomalies into Muddu, with a reasonable expectation of success, to increase the speed and efficiency of anomaly detection in large datasets, so that "an enterprise threat detection system may rapidly identify potentially anomalous events." See Pande, ¶ 21; See Also ¶¶ 2; 98.

Applicant argues that the cited prior art does not teach or suggest detecting insights in the generated document, because Muddu discloses gaining potential insights not in the generated documents, rather the "insight is gained based on the entity extraction." Rem. pg.8.
The Examiner disagrees.
Muddu discloses that the "output of the machine learning layer 110 includes anomalies, threat indicators, and/or threats" (e.g. insights). Muddu, ¶ 158. Data sources 302 provide event data to data receivers 310. The data is channeled to a semantic processor 316 to "perform parsing of the incoming event data … and, optionally filtering of the event data." The data is distributed to analysis module 330 for analyzing data in real-time "to detect anomalies, threat indicators, and threats." Id. at ¶¶ 163-169; FIG. 4. Muddu extracts tokens from the event message (generated document isolated from protocol language) to "gain potential insight on the environment in which the security platform is operating." Id. at ¶¶ 210-212. The entities are extracted from the generated document comprising the event message.

Applicant argues that the cited prior art does not teach extracting rules from the detected insights, because Muddu does not teach or suggest extracting rules from the detected insights, rather a "decision tree is trained [to] make predictions based on historical sequence of events," and "being trained based on historical events simply does not make the decision corresponds to rules extracted from the detected insights." Rem. pg.9.
The threat insights are determined using a machine learning based complex event processing (CEP) engine, wherein the "CEP engine is a processing entity that tracks and reliably analyzes and processes unbounded streams of electronic records to derive a conclusion therefrom." Conventional CEP engines known in the art "rel[y] on user-specified rules to process an incoming event," but are "unable to derive conclusions based on patterns or behaviors that are not previously known to authors of the user-specified rules." The machine learning based CEP "can train a decision tree based on historical events." Muddu, ¶¶ 277-279.
This decision tree comprises rules (to make decisions) extracted from historical event data. Muddu makes it clear that CEP engines use rules; and the machine learning version of the CEP engine performs data analysis on historical event data to extract rules to create a decision tree using machine learning techniques.

Applicant argues that the cited prior art does not teach or suggest "generating at least one document," because Pande relates "to analyzing already existing event logs to detect anomalies based on the analysis" and no cited art teaches the generating step.
The Examiner disagrees.
Muddu discloses obtaining machine data and stripping (i.e. isolating) the outer shell of the syslog (i.e. protocol language) to generate a new document comprising only the event message inside. Muddu, ¶¶ 209-210; See Also ¶ 205 (format detector 804 performs data format pattern matching "by stripping away a format that has been identified (e.g. by stripping away a known event header, like a Syslog header)").
Examiner relies on Muddu to teach isolating (e.g. stripping) the protocol language from machine event data to generate a document comprising of an event message for abnormality analysis. Muddu suggests that the method could be modified to accommodate different data formats. Muddu, ¶ 219. Pande teaches detecting and classifying anomalies in event logs comprising sentences using word embeddings.
Accordingly, the method of Muddu could be modified with the language model of Pande to accommodate an event log comprising event data arranged in textual sentences. One of ordinary skill in the art would be motivated to integrate using word embeddings to determine anomalies into Muddu, with a reasonable expectation of success, to increase the speed and efficiency of anomaly detection in large datasets, so that "an enterprise threat detection system may rapidly identify potentially anomalous events." See Pande, ¶ 21; See Also ¶¶ 2; 98.

	Accordingly, the rejection of claims 1-20 under 35 USC § 103 is maintained.


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FRANK D MILLS whose telephone number is (571)270-3172. The examiner can normally be reached M-F 10-6 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KAVITA PADMANABHAN can be reached on (571)272-8352. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/FRANK D MILLS/
Primary Examiner, Art Unit 2176
May 5, 2022