DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-9 and 11-20 are pending in this office action.

Response to Amendment
This office action is in response to applicant’s communication filed on January 26th, 2022. The Applicant’s remark and amendments to the claims were considered with the results that follow.
In response to the last Office Action, claims 1, 4, 11-12, and 14-15 are amended. Claim 10 has been canceled. As a result, claims 1-9, and 11-20 are pending in this application.
Applicant’s arguments regarding the rejections under 35 U.S.C 101, as being directed to non-statutory subject matter because the claim(s) as a whole are not significantly more than an abstract idea, have overcome the rejection. The applicant amended the claims to include “...determining anomalous activity based on the match template and automatically performing a corrective action responsive to the anomalous activity”. The applicant provides support for the amended claims at [0027]-[0030] of the applicant’s specification and specifies that the amended claims are not a mental process and that the claims integrate a judicial exception into a practical application. The rejection has been withdrawn due to the arguments filed on January 26th, 2022.
Applicant’s arguments regarding the objection to claims 4, and 14-15 for containing informalities have overcome the objection. Applicant amended claims 4, and 14-15 to overcome the objection. The objection has been withdrawn due to the arguments filed on January 26th, 2022.

Response to Arguments
Applicant’s arguments, see pgs. 9 filed on January 26th, 2022, with respect to the rejections of independent claims 1, 11, and 12 under 35 U.S.C 103, where the applicant asserts that Chen does not disclose, teach or suggest, “replacing a token in the imperfectly matched template with a wildcard, to reduce the first similarity distance score” as cited.

Examiner respectfully disagrees. Chen teaches on Lines 1145-1149, “Wherein, the similarity of the constant parts of the two log templates can be determined by calculating the distance between the constant parts of the two log templates”.

Chen specifies “replacing a token in the imperfectly matched template with a wildcard” on Lines 367-370. Chen indicates on Lines 367-370, “the log template of the log is the log template of the log record in the log. Generally, when log template extraction is performed on a log record, if a variable part of the log record is identified, the variable part is marked by using a preset variable identifier, and the marking is essentially to replace the variable part by using the variable identifier. The variable identifier is typically a wildcard character”.

	Chen indicates “to reduce the first similarity distance score” on Lines 1145-1149. Chen indicates on Lines 1145-1149, “Wherein, the similarity of the constant parts of the two log templates can be determined by calculating the distance between the constant parts of the two log templates. It should be noted that when the similarity of the constant parts of the two log templates is not 1, the two log templates are not processed”.

	Chen specifies reducing the score by replacing the wildcard, based on the claim, on Lines 1151-1154. Chen on Lines 1151-1154, “For example, the two templates are: "User**has logged in" and "User***has logged in", the constant part of both contains four entries: {User,has,logged,in}. The similarity between the two is 1. Therefore, you can replace the variable part "**" of "User**has logged in" with "*", delete "User***has logged in", and get the combined log template: "User*has logged in" in". Thus, Chen indicates on Lines 1145-1149, “Wherein, the similarity of the constant parts of the two log templates can be determined by calculating the distance between the constant parts of the two log templates. It should be noted that when the similarity of the constant parts of the two log templates is not 1”; however, the opposite may be applied if the log template were to be replaced with a wildcard, as such would modify the distance score.
	
	As such, Chen teaches the above limitation as cited above. 

Applicant’s arguments, see pgs. 9-10 filed on January 26th, 2022, with respect to the rejections of dependent claims 5 and 16 under 35 U.S.C 103, where the applicant asserts that Chen does not disclose, teach or suggest, “determining that the first incoming message imperfectly matches the matched template includes determining that the first similarity distance score is greater than zero and less than a similarity threshold” as cited.

Examiner respectfully disagrees. The claimed limitation indicates “includes”, thus the examiner interprets options of matching the matched template to include “determining that the first similarity score is greater than zero” and “less than a similarity threshold”.

Kimura teaches incoming message imperfectly matches the matched template includes determining that the first similarity distance score is greater than zero (Kimura: (b) Online message clustering; (c) Parameter optimization To obtain the most efficient result from our method, we need to optimize the weight parameter w and E. From the definition of log similarity, we can consider the problem of assigning a log message to a cluster as a linear classification problem such that

    [Formula image: media_image1.png]

{Examiner correlates the formula above as receiving incoming message and determining whether to assign the message to a current cluster after determining the message is greater than the threshold}) and less than a similarity threshold ((b) Online message clustering; (c) Parameter optimization To obtain the most efficient result from our method, we need to optimize the weight parameter w and E. From the definition of log similarity, we can consider the problem of assigning a log message to a cluster as a linear classification problem such that

    [Formula image: media_image1.png]

{See (b) Online message clustering; (If the highest log similarity is less than a predefined threshold E, then we create a new template cluster from X)).

		As such, Kimura teaches the cited limitations as discussed above. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-8, 11-19 are rejected under 35 U.S.C. 103 as being unpatentable over Non-Patent Literature: Proactive Failure Detection Learning Generation Patterns of Large-scale Network Logs issued to Kimura et al. (hereinafter as "Kimura") in view of C.N. Application Publication 111160021 issued to WANG CHEN (Hereinafter as "CHEN").

Regarding claim 1, Kimura teaches a computer-implemented method for log message aggregation, comprising: determining a first similarity distance score for a first incoming message by comparing the first incoming message to one or more stored templates (Kimura: B. Online Log Template Extraction; The main ideas of the method are: (i) classification of each word based on the tendency to belong to a log template; and (ii) online clustering of arriving messages by regarding a log template as a cluster of messages and by using log similarity between template clusters and messages based on the classes of words. IV. EXPERIMENTS: A. Online template extraction evaluation
To quantitatively evaluate accuracy of log templates, we chose the Rand index [15], which is a well-known measure for evaluating two different clustering results. More precisely, for two arbitrary selected messages X and Y from the data, we first set the following:
• True Positive (TP): X and Y have the same MSG_ID and
our system classifies them into the same template.
• True Negative (TN): X and Y have different MSG_IDs and
our system classifies them as different templates.
• False Positive (FP): X and Y have different MSG_IDs and
our system classifies them into the same template.
• False Negative (TN): X and Y have the same MSG_ID and
our system classifies them as different templates

From the definition, the Rand index has a value between 0 and 1, with 0 indicating that the two datasets do not agree on any pair of points and 1 indicating that the datasets are exactly the same); 

determining that the first incoming message imperfectly matches a matched template of the one or more stored templates, based on the first similarity distance score (Kimura: A. Online template extraction evaluation;
To quantitatively evaluate accuracy of log templates, we chose the Rand index [15], which is a well-known measure for evaluating two different clustering results. More precisely, for two arbitrary selected messages X and Y from the data, we first set the following:
• True Positive (TP): X and Y have the same MSG_ID and
our system classifies them into the same template.
• True Negative (TN): X and Y have different MSG_IDs and
our system classifies them as different templates.
• False Positive (FP): X and Y have different MSG_IDs and
our system classifies them into the same template.
• False Negative (TN): X and Y have the same MSG_ID and
our system classifies them as different templates.
From the definition, the Rand index has a value between 0 and 1, with 0 indicating that the two datasets do not agree on any pair of points and 1 indicating that the datasets are exactly the same); 

determining anomalous activity based on the matched template (Kimura: A. Online template extraction evaluation: Thus, we used this field as the true 'label' for the log template of each message. To quantitatively evaluate accuracy of log templates. From the definition, the Rand index has a value between 0 and 1, with 0 indicating that the two datasets do not agree on any pair of points and 1 indicating that the datasets are exactly the same. Log generation feature space vs. keyword feature space: The graph shows that the features of the proposed method achieve a higher value than all cases. This result indicates that the abnormality of logs is determined by their generation patterns, rather than the keywords in messages. C. Example of proactive failure detection: our system detected them because operations that causes them are all done manually; and thus they have less burstiness. In addition, we can see frequent log templates and periodic ones below the burst ones); 

automatically performing a corrective action responsive to the anomalous activity (Kimura: B. Online Log Template Extraction; We give an example of log template in Fig. 2. These log templates can be obtained from vendors' support pages or manuals; however, the formats may change due to OS upgrades or maintenance. C. Feature Extraction; (3) Burstiness: Some log messages become failures when they occur in sudden burst, although the message itself is not critical when it appears alone. For example, a single bit error at a certain module will be fixed by its error correction circuit and will not affect the network. However, if the bit error occurs more frequently than before, the module has the potential to crash and should be replaced (see e.g. Cisco's support page [7]). V. CONCLUSION; Although our system currently learns and detects abnormal logs in offline, automatic update of the features and the model is important in production networks.... improving the accuracy of future failure detection {Examiner correlates that replacing the module would be rebooting the system according to determining that the log message has become a failure after analyzing certain anomaly}).  

	Kimura does not explicitly teach replacing a token in the imperfectly matched template with a wildcard, to reduce the first similarity distance score.

	However, CHEN teaches replacing a token in the imperfectly matched template with a wildcard, to reduce the first similarity distance score (CHEN: detailed description; lines 349-350; The log records in the log typically have an implicit log template (also called a log pattern), which refers to a standard pattern, or fixed format, used to generate the log records in the log. Lines 367-370; the log template of the log is the log template of the log record in the log. Generally, when log template extraction is performed on a log record, if a variable part of the log record is identified, the variable part is marked by using a preset variable identifier, and the marking is essentially to replace the variable part by using the variable identifier. The variable identifier is typically a wildcard character. Lines 373-375; It should be noted that, in the matching process in the following text, the variable identifier may be determined to be identical to any character or entry. For example, it may be determined that "" is the same as "046523" when "" is matched with "046523". Lines 1145-1149; Wherein, the similarity of the constant parts of the two log templates can be determined by calculating the distance between the constant parts of the two log templates. It should be noted that when the similarity of the constant parts of the two log templates is not 1, the two log templates are not processed. Lines 1151-1154; For example, the two templates are: "User**has logged in" and "User***has logged in", the constant part of both contains four entries: {User,has,logged,in}. The similarity between the two is 1. Therefore, you can replace the variable part "**" of "User**has logged in" with "*", delete "User***has logged in", and get the combined log template: "User*has logged in" in");
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the invention, to modify Kimura (teaches determining a first similarity distance score for a first incoming message by comparing the first incoming message to one or more stored templates and determining that the first incoming message imperfectly matches a matched template of the one or more stored templates, based on the first similarity distance score) with the teachings of CHEN (teaches replacing a token in the imperfectly matched template with a wildcard, to reduce the first similarity distance score). One of ordinary skill in the art would have been motivated to make such a combination to improve the distance score to help match the templates, by updating the log sequence by adding values into the weight, to help mitigate the efficiency issue in order to find a match (See CHEN: Lines 865-868). In addition, the references (Kimura and CHEN) teach features that are directed to analogous art and they are directed to the same field of endeavor as Kimura and CHEN are directed to receiving log data and performing a comparison on whether there is a match.
	Regarding claim 2, the modification of Kimura and CHEN teaches claimed invention substantially as claimed, and Kimura further teaches the similarity distance score is determined as a token-based edit distance between the first incoming message and a template (Kimura: A. Online template extraction evaluation; To quantitatively evaluate accuracy of log templates, we chose the Rand index [15], which is a well-known measure for evaluating two different clustering results. More precisely, for two arbitrary selected messages X and Y from the data, we first set the following:
• True Positive (TP): X and Y have the same MSG_ID and
our system classifies them into the same template.
• True Negative (TN): X and Y have different MSG_IDs and
our system classifies them as different templates.
• False Positive (FP): X and Y have different MSG_IDs and
our system classifies them into the same template.
• False Negative (TN): X and Y have the same MSG_ID and
our system classifies them as different templates.
From the definition, the Rand index has a value between 0 and 1, with 0 indicating that the two datasets do not agree on any pair of points and 1 indicating that the datasets are exactly the same).  

	Regarding claim 4, the modification of Kimura and CHEN teaches claimed invention substantially as claimed, and Chen further teaches further comprising pre-processing the first incoming message to replace one or more tokens in the first incoming message with a pre-processing wildcard (CHEN: detailed description; lines 349-350; The log records in the log typically have an implicit log template (also called a log pattern), which refers to a standard pattern, or fixed format, used to generate the log records in the log. Lines 367-370; the log template of the log is the log template of the log record in the log. Generally, when log template extraction is performed on a log record, if a variable part of the log record is identified, the variable part is marked by using a preset variable identifier, and the marking is essentially to replace the variable part by using the variable identifier. The variable identifier is typically a wildcard character. Lines 373-375; It should be noted that, in the matching process in the following text, the variable identifier may be determined to be identical to any character or entry. For example, it may be determined that "" is the same as "046523" when "" is matched with "046523". Lines 1145-1149; Wherein, the similarity of the constant parts of the two log templates can be determined by calculating the distance between the constant parts of the two log templates. It should be noted that when the similarity of the constant parts of the two log templates is not 1, the two log templates are not processed. Lines 1151-1154; For example, the two templates are: "User**has logged in" and "User***has logged in", the constant part of both contains four entries: {User,has,logged,in}. The similarity between the two is 1. Therefore, you can replace the variable part "**" of "User**has logged in" with "*", delete "User***has logged in", and get the combined log template: "User*has logged in" in" {See also Lines 101-103; For any log record, because a plurality of characters are replaced by one fixed character, the number of characters contained in the log record is reduced, and the calculation complexity of the subsequent locality sensitive hash code is effectively reduced. Lines 1029-1032; the distance between the log record and each log template in the plurality of log templates is calculated (for example, the distance is calculated by using a Jaccard distance function), and the log record is compared with the log template closest to the log record, so that the operation cost can be reduced}).  

	Regarding claim 5, the modification of Kimura and CHEN teaches claimed invention substantially as claimed, and Kimura further teaches determining that the first incoming message imperfectly matches the matched template includes determining that the first similarity distance score is greater than zero and less than a similarity threshold (Kimura: (b) Online message clustering; (c) Parameter optimization To obtain the most efficient result from our method, we need to optimize the weight parameter w and E. From the definition of log similarity, we can consider the problem of assigning a log message to a cluster as a linear classification problem such that

    [Formula image: media_image1.png]

{Examiner correlates the “includes” as an option in determining the first similarity distance score is greater than zero and less than a similarity threshold. Kimura indicates on (b) Online message clustering; (If the highest log similarity is less than a predefined threshold E, then we create a new template cluster from X) as one option and the option log similarity being greater than zero}).  

	Regarding claim 6, the modification of Kimura and CHEN teaches claimed invention substantially as claimed, and Kimura further teaches determining a second similarity distance score for a second incoming message by comparing the second incoming message to the one or more stored templates (Kimura: A. Online template extraction evaluation; To quantitatively evaluate accuracy of log templates, we chose the Rand index [15], which is a well-known measure for evaluating two different clustering results. More precisely, for two arbitrary selected messages X and Y from the data, we first set the following:
• True Positive (TP): X and Y have the same MSG_ID and
our system classifies them into the same template.
• True Negative (TN): X and Y have different MSG_IDs and
our system classifies them as different templates.
• False Positive (FP): X and Y have different MSG_IDs and
our system classifies them into the same template.
• False Negative (TN): X and Y have the same MSG_ID and
our system classifies them as different templates.
From the definition, the Rand index has a value between 0 and 1, with 0 indicating that the two datasets do not agree on any pair of points and 1 indicating that the datasets are exactly the same); 

determining that the second similarity distance score does not match any of the one or more stored templates (Kimura: A. Online template extraction evaluation; To quantitatively evaluate accuracy of log templates, we chose the Rand index [15], which is a well-known measure for evaluating two different clustering results. More precisely, for two arbitrary selected messages X and Y from the data, we first set the following:
• True Positive (TP): X and Y have the same MSG_ID and
our system classifies them into the same template.
• True Negative (TN): X and Y have different MSG_IDs and
our system classifies them as different templates.
• False Positive (FP): X and Y have different MSG_IDs and
our system classifies them into the same template.
• False Negative (TN): X and Y have the same MSG_ID and
our system classifies them as different templates.
From the definition, the Rand index has a value between 0 and 1, with 0 indicating that the two datasets do not agree on any pair of points and 1 indicating that the datasets are exactly the same.
(b) Online message clustering Next, for each arriving log message, we perform online clustering so that the message is assigned to the cluster with the highest similarity); and

 storing a new template that is based on the second incoming message (Kimura: (b) Online message clustering Next, for each arriving log message, we perform online clustering so that the message is assigned to the cluster with the highest similarity.
If the highest log similarity is less than a predefined threshold E, then we create a new template cluster from X).  

	Regarding claim 7, the modification of Kimura and CHEN teaches claimed invention substantially as claimed, and Kimura further teaches determining that the second incoming message does not match any of the one or more stored templates includes determining that the second incoming message has a second similarity distance score for each of the one or more stored templates that is greater than a similarity threshold (Kimura: (b) Online message clustering; (c) Parameter optimization To obtain the most efficient result from our method, we need to optimize the weight parameter w and E. From the definition of log similarity, we can consider the problem of assigning a log message to a cluster as a linear classification problem such that

    [Formula image: media_image1.png]

{Examiner correlates the “includes” as an option in determining the first similarity distance score is greater than zero and less than a similarity threshold. Kimura indicates on (b) Online message clustering; (If the highest log similarity is less than a predefined threshold E, then we create a new template cluster from X) as one option and the option log similarity being greater than zero}).  

	Regarding claim 8, the modification of Kimura and CHEN teaches claimed invention substantially as claimed, and Kimura further teaches determining the first similarity distance score and the second similarity distance score are processed in parallel (Kimura: A. Online template extraction evaluation;
Using the above notations, the Rand index is defined as
$\mathrm{RAND\_INDEX} = \frac{TP + TN}{TP + TN + FN + FP}$.
From the definition, the Rand index has a value between 0 and 1, with 0 indicating that the two datasets do not agree on any pair of points and 1 indicating that the datasets are exactly the same. In other words, the Rand index can be considered as an accuracy of clustering. In Table. III, we show the Rand index for different E {Examiner correlates the parallel options as taking both template distance scores TP(True Positive) and TN(True Negative) and performing them simultaneously}).  

	Regarding claim 11, Kimura teaches determining a first similarity distance score for a first incoming message by comparing the first incoming message to one or more stored templates (Kimura: B. Online Log Template Extraction; The main ideas of the method are: (i) classification of each word based on the tendency to belong to a log template; and (ii) online clustering of arriving messages by regarding a log template as a cluster of messages and by using log similarity between template clusters and messages based on the classes of words. IV. EXPERIMENTS: A. Online template extraction evaluation
To quantitatively evaluate accuracy of log templates, we chose the Rand index [15], which is a well-known measure for evaluating two different clustering results. More precisely, for two arbitrary selected messages X and Y from the data, we first set the following:
• True Positive (TP): X and Y have the same MSG_ID and
our system classifies them into the same template.
• True Negative (TN): X and Y have different MSG_IDs and
our system classifies them as different templates.
• False Positive (FP): X and Y have different MSG_IDs and
our system classifies them into the same template.
• False Negative (TN): X and Y have the same MSG_ID and
our system classifies them as different templates); 

determining that the first incoming message imperfectly matches a matched template of the one or more stored templates, based on the first similarity distance score (Kimura: A. Online template extraction evaluation;
To quantitatively evaluate accuracy of log templates, we chose the Rand index [15], which is a well-known measure for evaluating two different clustering results. More precisely, for two arbitrary selected messages X and Y from the data, we first set the following:
• True Positive (TP): X and Y have the same MSG_ID and
our system classifies them into the same template.
• True Negative (TN): X and Y have different MSG_IDs and
our system classifies them as different templates.
• False Positive (FP): X and Y have different MSG_IDs and
our system classifies them into the same template.
• False Negative (TN): X and Y have the same MSG_ID and
our system classifies them as different templates.
From the definition, the Rand index has a value between 0 and 1, with 0 indicating that the two datasets do not agree on any pair of points and 1 indicating that the datasets are exactly the same); 

determining anomalous activity based on the matched template (Kimura: A. Online template extraction evaluation: Thus, we used this field as the true 'label' for the log template of each message. To quantitatively evaluate accuracy of log templates. From the definition, the Rand index has a value between 0 and 1, with 0 indicating that the two datasets do not agree on any pair of points and 1 indicating that the datasets are exactly the same. Log generation feature space vs. keyword feature space: The graph shows that the features of the proposed method achieve a higher value than all cases. This result indicates that the abnormality of logs is determined by their generation patterns, rather than the keywords in messages. C. Example of proactive failure detection: our system detected them because operations that causes them are all done manually; and thus they have less burstiness. In addition, we can see frequent log templates and periodic ones below the burst ones); and

automatically performing a corrective action responsive to the anomalous activity (Kimura: B. Online Log Template Extraction; We give an example of log template in Fig. 2. These log templates can be obtained from vendors' support pages or manuals; however, the formats may change due to OS upgrades or maintenance. C. Feature Extraction; (3) Burstiness: Some log messages become failures when they occur in sudden burst, although the message itself is not critical when it appears alone. For example, a single bit error at a certain module will be fixed by its error correction circuit and will not affect the network. However, if the bit error occurs more frequently than before, the module has the potential to crash and should be replaced (see e.g. Cisco's support page [7]). V. CONCLUSION; Although our system currently learns and detects abnormal logs in offline, automatic update of the features and the model is important in production networks.... improving the accuracy of future failure detection).  

Kimura does not explicitly teach a non-transitory computer readable storage medium comprising a computer readable program for log message aggregation, wherein the computer readable program when executed on a computer causes the computer to perform the steps:

However, CHEN teaches a non-transitory computer readable storage medium comprising a computer readable program for log message aggregation (CHEN: Lines 1618-1620; In an exemplary embodiment, there is also provided a non-transitory computer-readable storage medium including instructions, such as a memory including instructions, which can be executed by a processor of a server to complete the log template shown in each embodiment of the present application), wherein the computer readable program when executed on a computer causes the computer to perform the steps: 

replacing a token in the imperfectly matched template with a wildcard, to reduce the first similarity distance score (CHEN: detailed description; lines 349-350; The log records in the log typically have an implicit log template (also called a log pattern), which refers to a standard pattern, or fixed format, used to generate the log records in the log. Lines 367-370; the log template of the log is the log template of the log record in the log. Generally, when log template extraction is performed on a log record, if a variable part of the log record is identified, the variable part is marked by using a preset variable identifier, and the marking is essentially to replace the variable part by using the variable identifier. The variable identifier is typically a wildcard character. Lines 373-375; It should be noted that, in the matching process in the following text, the variable identifier may be determined to be identical to any character or entry. For example, it may be determined that "" is the same as "046523" when "" is matched with "046523". Lines 1145-1149; Wherein, the similarity of the constant parts of the two log templates can be determined by calculating the distance between the constant parts of the two log templates. It should be noted that when the similarity of the constant parts of the two log templates is not 1, the two log templates are not processed. Lines 1151-1154; For example, the two templates are: "User**has logged in" and "User***has logged in", the constant part of both contains four entries: {User,has,logged,in}. The similarity between the two is 1. Therefore, you can replace the variable part "**" of "User**has logged in" with "*", delete "User***has logged in", and get the combined log template: "User*has logged in" in").  
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the invention, to modify Kimura (teaches determining a first similarity distance score for a first incoming message by comparing the first incoming message to one or more stored templates and determining that the first incoming message imperfectly matches a matched template of the one or more stored templates, based on the first similarity distance score) with the teachings of CHEN (teaches replacing a token in the imperfectly matched template with a wildcard, to reduce the first similarity distance score). One of ordinary skill in the art would have been motivated to make such a combination of improving distance score to help match the templates by updating the log sequence by adding values into the weight to help mitigate the efficiency issue in order to find match  (See CHEN: Lines 865-868). In addition, the references (Kimura and CHEN) teach features that are directed to analogous art and they are directed to the same field of endeavor as Kimura and CHEN are directed to receiving log data and performing a comparison on whether there is a match.
	Regarding claim 12, Kimura teaches  (Kimura: B. Online Log Template Extraction; The main ideas of the method are: (i) classification of each word based on the tendency to belong to a log template; and (ii) online clustering of arriving messages by regarding a log template as a cluster of messages and by using log similarity between template clusters and messages based on the classes of words. IV. EXPERIMENTS: A. Online template extraction evaluation
To quantitatively evaluate accuracy of log templates, we chose the Rand index [15], which is a well-known measure for evaluating two different clustering results. More precisely, for two arbitrary selected messages X and Y from the data, we first set the following:
• True Positive (TP): X and Y have the same MSG_ID and
our system classifies them into the same template.
• True Negative (TN): X and Y have different MSG_IDs and
our system classifies them as different templates.
• False Positive (FP): X and Y have different MSG_IDs and
our system classifies them into the same template.
• False Negative (TN): X and Y have the same MSG_ID and
our system classifies them as different templates); 

determine that the first incoming message imperfectly matches a matched template of the one or more stored templates, based on the first similarity distance score (Kimura: A. Online template extraction evaluation;
To quantitatively evaluate accuracy of log templates, we chose the Rand index [15], which is a well-known measure for evaluating two different clustering results. More precisely, for two arbitrary selected messages X and Y from the data, we first set the following:
• True Positive (TP): X and Y have the same MSG_ID and
our system classifies them into the same template.
• True Negative (TN): X and Y have different MSG_IDs and
our system classifies them as different templates.
• False Positive (FP): X and Y have different MSG_IDs and
our system classifies them into the same template.
• False Negative (TN): X and Y have the same MSG_ID and
our system classifies them as different templates.
From the definition, the Rand index has a value between 0 and 1, with 0 indicating that the two datasets do not agree on any pair of points and 1 indicating that the datasets are exactly the same); 

determine anomalous activity based on the matched template (Kimura: A. Online template extraction evaluation: Thus, we used this field as the true 'label' for the log template of each message. To quantitatively evaluate accuracy of log templates. From the definition, the Rand index has a value between 0 and 1, with 0 indicating that the two datasets do not agree on any pair of points and 1 indicating that the datasets are exactly the same. Log generation feature space vs. keyword feature space: The graph shows that the features of the proposed method achieve a higher value than all cases. This result indicates that the abnormality of logs is determined by their generation patterns, rather than the keywords in messages. C. Example of proactive failure detection: our system detected them because operations that cause them are all done manually; and thus they have less burstiness. In addition, we can see frequent log templates and periodic ones below the burst ones); 

	automatically perform a corrective action responsive to the anomalous activity (Kimura: B. Online Log Template Extraction; We give an example of log template in Fig. 2. These log templates can be obtained from vendors' support pages or manuals; however, the formats may change due to OS upgrades or maintenance. C. Feature Extraction; (3) Burstiness: Some log messages become failures when they occur in sudden burst, although the message itself is not critical when it appears alone. For example, a single bit error at a certain module will be fixed by its error correction circuit and will not affect the network. However, if the bit error occurs more frequently than before, the module has the potential to crash and should be replaced (see e.g. Cisco's support page [7]). V. CONCLUSION; Although our system currently learns and detects abnormal logs in offline, automatic update of the features and the model is important in production networks.... improving the accuracy of future failure detection).

	Kimura does not explicitly teach a log aggregation system, comprising: a hardware processor; a memory, configured to store one or more templates and program code that, when executed by the hardware processor, is configured to determine anomalous activity based on the matched template; 

However,  Chen teaches a log aggregation system, comprising: a hardware processor (CHEN: Lines 1618-1620; In an exemplary embodiment, there is also provided a non-transitory computer-readable storage medium including instructions, such as a memory including instructions, which can be executed by a processor of a server to complete the log template shown in each embodiment of the present application); 

a memory (CHEN: Lines 1618-1620; In an exemplary embodiment, there is also provided a non-transitory computer-readable storage medium including instructions, such as a memory including instructions, which can be executed by a processor of a server to complete the log template shown in each embodiment of the present application), 

configured to store one or more templates and program code that, when executed by the hardware processor, is configured to The log records in the log typically have an implicit log template (also called a log pattern), which refers to a standard pattern, or fixed format, used to generate the log records in the log. Lines 367-370; the log template of the log is the log template of the log record in the log. Generally, when log template extraction is performed on a log record, if a variable part of the log record is identified, the variable part is marked by using a preset variable identifier, and the marking is essentially to replace the variable part by using the variable identifier. The variable identifier is typically a wildcard character. Lines 373-375; It should be noted that, in the matching process in the following text, the variable identifier may be determined to be identical to any character or entry. For example, it may be determined that "" is the same as "046523" when "" is matched with "046523". Lines 1145-1149; Wherein, the similarity of the constant parts of the two log templates can be determined by calculating the distance between the constant parts of the two log templates. It should be noted that when the similarity of the constant parts of the two log templates is not 1, the two log templates are not processed. Lines 1151-1154; For example, the two templates are: "User**has logged in" and "User***has logged in", the constant part of both contains four entries: {User,has,logged,in}. The similarity between the two is 1. 
Therefore, you can replace the variable part "**" of "User**has logged in" with "*", delete "User***has logged in", and get the combined log template: "User*has logged in" {See also Lines 101-103; For any log record, because a plurality of characters are replaced by one fixed character, the number of characters contained in the log record is reduced, and the calculation complexity of the subsequent locality sensitive hash code is effectively reduced. Lines 1029-1032; the distance between the log record and each log template in the plurality of log templates is calculated (for example, the distance is calculated by using a Jaccard distance function), and the log record is compared with the log template closest to the log record, so that the operation cost can be reduced});
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the invention, to modify Kimura (teaches determining a first similarity distance score for a first incoming message by comparing the first incoming message to one or more stored templates and determining that the first incoming message imperfectly matches a matched template of the one or more stored templates, based on the first similarity distance score) with the teachings of CHEN (teaches replacing a token in the imperfectly matched template with a wildcard, to reduce the first similarity distance score). One of ordinary skill in the art would have been motivated to make such a combination of improving distance score to help match the templates by updating the log sequence by adding values into the weight to help mitigate the efficiency issue in order to find match  (See CHEN: Lines 865-868). In addition, the references (Kimura and CHEN) teach features that are directed to analogous art and they are directed to the same field of endeavor as Kimura and CHEN are directed to receiving log data and performing a comparison on whether there is a match.
Regarding claim 13, the modification of Kimura and CHEN teaches claimed invention substantially as claimed, and Kimura further teaches the similarity distance score is determined as a token-based edit distance between the first incoming message and a template (Kimura: A. Online template extraction evaluation; To quantitatively evaluate accuracy of log templates, we chose the Rand index [15], which is a well-known measure for evaluating two different clustering results. More precisely, for two arbitrary selected messages X and Y from the data, we first set the following:
• True Positive (TP): X and Y have the same MSG_ID and
our system classifies them into the same template.
• True Negative (TN): X and Y have different MSG_IDs and
our system classifies them as different templates.
• False Positive (FP): X and Y have different MSG_IDs and
our system classifies them into the same template.
• False Negative (TN): X and Y have the same MSG_ID and
our system classifies them as different templates.
From the definition, the Rand index has a value between 0 and 1, with 0 indicating that the two datasets do not agree on any pair of points and 1 indicating that the datasets are exactly the same).  

	Regarding claim 14, the modification of Kimura and CHEN teaches claimed invention substantially as claimed, and Chen further teaches the template updater is further configured to replace a token in the matched template with a new wildcard (CHEN: detailed description; lines 349-350; The log records in the log typically have an implicit log template (also called a log pattern), which refers to a standard pattern, or fixed format, used to generate the log records in the log. Lines 367-370; the log template of the log is the log template of the log record in the log. Generally, when log template extraction is performed on a log record, if a variable part of the log record is identified, the variable part is marked by using a preset variable identifier, and the marking is essentially to replace the variable part by using the variable identifier. The variable identifier is typically a wildcard character. Lines 373-375; It should be noted that, in the matching process in the following text, the variable identifier may be determined to be identical to any character or entry. For example, it may be determined that "" is the same as "046523" when "" is matched with "046523". Lines 1145-1149; Wherein, the similarity of the constant parts of the two log templates can be determined by calculating the distance between the constant parts of the two log templates. It should be noted that when the similarity of the constant parts of the two log templates is not 1, the two log templates are not processed. Lines 1151-1154; For example, the two templates are: "User**has logged in" and "User***has logged in", the constant part of both contains four entries: {User,has,logged,in}. The similarity between the two is 1. Therefore, you can replace the variable part "**" of "User**has logged in" with "*", delete "User***has logged in", and get the combined log template: "User*has logged in" in").  

	Regarding claim 15, the modification of Kimura and Chen teaches claimed invention substantially as claimed, and Chen further teaches further comprising a message pre-processor, configured to replace one or more tokens in the first incoming message with a pre-processing wildcard (CHEN: detailed description; lines 349-350; The log records in the log typically have an implicit log template (also called a log pattern), which refers to a standard pattern, or fixed format, used to generate the log records in the log. Lines 367-370; the log template of the log is the log template of the log record in the log. Generally, when log template extraction is performed on a log record, if a variable part of the log record is identified, the variable part is marked by using a preset variable identifier, and the marking is essentially to replace the variable part by using the variable identifier. The variable identifier is typically a wildcard character. Lines 373-375; It should be noted that, in the matching process in the following text, the variable identifier may be determined to be identical to any character or entry. For example, it may be determined that "" is the same as "046523" when "" is matched with "046523". Lines 1145-1149; Wherein, the similarity of the constant parts of the two log templates can be determined by calculating the distance between the constant parts of the two log templates. It should be noted that when the similarity of the constant parts of the two log templates is not 1, the two log templates are not processed. Lines 1151-1154; For example, the two templates are: "User**has logged in" and "User***has logged in", the constant part of both contains four entries: {User,has,logged,in}. The similarity between the two is 1. Therefore, you can replace the variable part "**" of "User**has logged in" with "*", delete "User***has logged in", and get the combined log template: "User*has logged in" in").  

	Regarding claim 16, the modification of Kimura and Chen teaches claimed invention substantially as claimed, and Kimura further teaches the template matcher is further configured to determine that the first similarity distance score is greater than zero and less than a similarity threshold (Kimura: (b) Online message clustering; (c) Parameter optimization To obtain the most efficient result from our method, we need to optimize the weight parameter w and E. From the definition of log similarity, we can consider the problem of assigning a log message to a cluster as a linear classification problem such that

    [Equation image (media_image1.png) not reproduced]

{{Examiner correlates the “includes” as option in determining the first similarity distance score is greater than zero and less than a similarity threshold. Kimura indicates on (b) Online message clustering; (If the highest log similarity is less than a predefined threshold E, then we create a new template cluster from X) as one option and the option log similarity being greater than zero}}).  

	Regarding claim 17, the modification of Kimura and Chen teaches claimed invention substantially as claimed, and Kimura further teaches the template matcher is further configured to determine a second similarity distance score for a second incoming message by comparing the second incoming message to the one or more stored templates (Kimura: A. Online template extraction evaluation; To quantitatively evaluate accuracy of log templates, we chose the Rand index [15], which is a well-known measure for evaluating two different clustering results. More precisely, for two arbitrary selected messages X and Y from the data, we first set the following:
• True Positive (TP): X and Y have the same MSG_ID and
our system classifies them into the same template.
• True Negative (TN): X and Y have different MSG_IDs and
our system classifies them as different templates.
• False Positive (FP): X and Y have different MSG_IDs and
our system classifies them into the same template.
• False Negative (TN): X and Y have the same MSG_ID and
our system classifies them as different templates.
From the definition, the Rand index has a value between 0 and 1, with 0 indicating that the two datasets do not agree on any pair of points and 1 indicating that the datasets are exactly the same), and 

to determine that the second similarity distance score does not match any of the one or more stored templates (Kimura: A. Online template extraction evaluation; To quantitatively evaluate accuracy of log templates, we chose the Rand index [15], which is a well-known measure for evaluating two different clustering results. More precisely, for two arbitrary selected messages X and Y from the data, we first set the following:
• True Positive (TP): X and Y have the same MSG_ID and
our system classifies them into the same template.
• True Negative (TN): X and Y have different MSG_IDs and
our system classifies them as different templates.
• False Positive (FP): X and Y have different MSG_IDs and
our system classifies them into the same template.
• False Negative (TN): X and Y have the same MSG_ID and
our system classifies them as different templates.
From the definition, the Rand index has a value between 0 and 1, with 0 indicating that the two datasets do not agree on any pair of points and 1 indicating that the datasets are exactly the same.
(b) Online message clustering Next, for each arriving log message, we perform online clustering so that the message is assigned to the cluster with the highest similarity), and 

further comprising a template creator, configured to store a new template that is based on the second incoming message (Kimura: (b) Online message clustering Next, for each arriving log message, we perform online clustering so that the message is assigned to the cluster with the highest similarity. If the highest log similarity is less than a predefined threshold E, then we create a new template cluster from X).  

	Regarding claim 18, the modification of Kimura and Chen teaches claimed invention substantially as claimed, and Kimura further teaches the template matcher is further configured to determine that the second incoming message has a second similarity distance score for each of the one or more stored templates that is greater than a similarity threshold (Kimura: (b) Online message clustering; (c) Parameter optimization To obtain the most efficient result from our method, we need to optimize the weight parameter w and E. From the definition of log similarity, we can consider the problem of assigning a log message to a cluster as a linear classification problem such that

    [Equation image (media_image1.png) not reproduced]

{{Examiner correlates the “includes” as option in determining the first similarity distance score is greater than zero and less than a similarity threshold. Kimura indicates on (b) Online message clustering; (If the highest log similarity is less than a predefined threshold E, then we create a new template cluster from X) as one option and the option log similarity being greater than zero}}).  

	Regarding claim 19, the modification of Kimura and Chen teaches claimed invention substantially as claimed, and Kimura further teaches further comprising parallel instances, each having a separate template matcher configured to determine the first similarity distance score and the second similarity distance score in parallel (Kimura: A. Online template extraction evaluation;
Using the above notations, the Rand index is defined as
RAND_INDEX = (TP + TN) / (TP + TN + FN + FP).
From the definition, the Rand index has a value between 0 and 1, with 0 indicating that the two datasets do not agree on any pair of points and 1 indicating that the datasets are exactly the same. In other words, the Rand index can be considered as an accuracy of clustering. In Table III, we show the Rand index for different E {Examiner correlates the parallel options as taking both template distance scores TP(True Positive) and TN(True Negative) and performing them simultaneously}).  

Claims 3, 9, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Non-Patent Literature: Proactive Failure Detection Learning Generation Patterns of Large-scale Network Logs issued to Kimura et al. (hereinafter as "Kimura") in view of C.N. Application Publication 111160021 issued to WANG CHEN (Hereinafter as "CHEN") in further view of U.S Patent 10,353,756 issued to Yoon et al. (hereinafter as “Yoon”).

	Regarding claim 3, the modification of Kimura and Chen teaches claimed invention substantially as claimed, however the modification of Kimura and Chen does not explicitly teach the wildcard matches any token in a same position of the first incoming message.

Yoon teaches the wildcard matches any token in a same position of the first incoming message (Yoon: Col 22, lines 47-54; In the context of tokenized log data, the similarity value may pertain to the degree of overlap between two log messages in terms of "token count", "token content" and/or "token position". Token count pertains to a number of tokens in the log message. Token content pertains to the content of individual tokens and/or combinations of multiple tokens. Token position pertains to the relative location, presence, and/or absence of particular tokens within the log data. Col 23, lines 6-16; For example, a similarity value may be higher when there is a match between a number of tokens in the messages, when values of corresponding tokens are of a same size or word type (e.g., numeric characters only, a string of alphanumeric characters, or natural language), and/or when values of corresponding tokens match (e.g., as may be more likely for non-variable components). As one particular example, a similarity value may include a percentage of a first representative message's tokens having a value that is an exact match to a value of a corresponding token in a second representative message).  
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the invention, to modify Kimura (teaches determining a first similarity distance score for a first incoming message by comparing the first incoming message to one or more stored templates and determining that the first incoming message imperfectly matches a matched template of the one or more stored templates, based on the first similarity distance score) with the teachings of CHEN (teaches replacing a token in the imperfectly matched template with a wildcard, to reduce the first similarity distance score) to further include the teachings of Yoon (teaches the wildcard matches any token in a same position of the first incoming message). One of ordinary skill in the art would have been motivated to make such a combination of determining the match by clustering data into groups to determine the match without the need of extra resource (See Yoon: Col 16, lines 8-13). In addition, the references (Kimura, CHEN, and Yoon) teach features that are directed to analogous art and they are directed to the same field of endeavor as Kimura, CHEN, and Yoon are directed to receiving log data and performing a comparison on whether there is a match.
Regarding claim 9, the modification of Kimura and Yoon teaches claimed invention substantially as claimed, and however the modification of Kimura and Yoon does not explicitly teach comprising adding the second message to a shared queue after determining that the second similarity distance score does not match any of the one or more stored templates and before storing the new template.

Yoon teaches comprising adding the second message to a shared queue after determining that the second similarity distance score does not match any of the one or more stored templates and before storing the new template (Yoon: Col 16, lines 14-24; Thus, in some instances, a queue is managed and maintained, where queue elements corresponding to one or more log messages for which cluster assignments are to be refined, enhanced and/or used. An element may be added to the queue (for example) subsequent to an initial storing of the queue element and/or in response to receiving a query for data corresponding to or potentially corresponding to one or more associated log messages. In some instances, an element is added to the queue (or processing of a queue is initiated) in response to a detection that a clustering condition is satisfied. Col 29, lines 14-21; The data ingest logic may pull out the particular combination before or after the cluster identifiers are initially determined, or in parallel, asynchronously with determining the cluster identifiers. Once the particular combination has been detected and pulled out, the data ingest logic assigns a unique cluster identifier that is shared by messages matching the particular combination).  
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the invention, to modify Kimura (teaches determining a first similarity distance score for a first incoming message by comparing the first incoming message to one or more stored templates and determining that the first incoming message imperfectly matches a matched template of the one or more stored templates, based on the first similarity distance score) with the teachings of CHEN (teaches replacing a token in the imperfectly matched template with a wildcard, to reduce the first similarity distance score) to further include the teachings of Yoon (teaches the wildcard matches any token in a same position of the first incoming message). One of ordinary skill in the art would have been motivated to make such a combination of determining the match by clustering data into groups to determine the match without the need of extra resource (See Yoon: Col 16, lines 8-13). In addition, the references (Kimura, CHEN, and Yoon) teach features that are directed to analogous art and they are directed to the same field of endeavor as Kimura, CHEN, and Yoon are directed to receiving log data and performing a comparison on whether there is a match.
Regarding claim 20, the modification of Kimura and Yoon teaches claimed invention substantially as claimed, and Kimura further teaches the template matcher that determines the second similarity distance score is further configured to add the second message to a shared queue after determining that the second similarity distance score does not match any of the one or more stored templates (Yoon: Col 16, lines 14-24; Thus, in some instances, a queue is managed and maintained, where queue elements corresponding to one or more log messages for which cluster assignments are to be refined, enhanced and/or used. An element may be added to the queue (for example) subsequent to an initial storing of the queue element and/or in response to receiving a query for data corresponding to or potentially corresponding to one or more associated log messages. In some instances, an element is added to the queue (or processing of a queue is initiated) in response to a detection that a clustering condition is satisfied. Col 29, lines 14-21; The data ingest logic may pull out the particular combination before or after the cluster identifiers are initially determined, or in parallel, asynchronously with determining the cluster identifiers. Once the particular combination has been detected and pulled out, the data ingest logic assigns a unique cluster identifier that is shared by messages matching the particular combination).
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the invention, to modify Kimura (teaches determining a first similarity distance score for a first incoming message by comparing the first incoming message to one or more stored templates and determining that the first incoming message imperfectly matches a matched template of the one or more stored templates, based on the first similarity distance score) with the teachings of CHEN (teaches replacing a token in the imperfectly matched template with a wildcard, to reduce the first similarity distance score) to further include the teachings of Yoon (teaches the wildcard matches any token in a same position of the first incoming message). One of ordinary skill in the art would have been motivated to make such a combination of determining the match by clustering data into groups to determine the match without the need of extra resource (See Yoon: Col 16, lines 8-13). In addition, the references (Kimura, CHEN, and Yoon) teach features that are directed to analogous art and they are directed to the same field of endeavor as Kimura, CHEN, and Yoon are directed to receiving log data and performing a comparison on whether there is a match.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
J.P Patent Application 2011-186516 issued to ABE HIDEYA (hereinafter as “HIDEYA”) teaches providing log management method and to determine whether the generated log information satisfy the present condition that already exist and present failure activity when occurring.
C.N Patent 111240942 issued to CHEN WANG (hereinafter as “WANG”) teaches determining log abnormity and acquiring the log to determine the distances between the two log and solving an issue to applied fixing the problem with low efficiency. 

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

					Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDREW N HO whose telephone number is (571)270-0590. The examiner can normally be reached M-F 10:30 -7.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Pierre Vital can be reached on (571)272-4215. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
5/18/2022
/ANDREW N HO/Examiner
Art Unit 2162 
                                                                                                                                                                                                       
/PIERRE M VITAL/Supervisory Patent Examiner, Art Unit 2162