DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on December 23, 2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “first determination unit configured to retrieve”  in claim 1; “first determination unit is configured to store” in claim 2; “first determination unit is configured to output” in claim 3; “second determination unit configured to retrieve” in claim 4; “second determination unit is configured to store” in claim 5; “second determination unit is configured to output” in claim 6; and “plurality of devices configuring the monitored system” in claims 7 and 8.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
This application includes one or more claim limitations that use the word “means” or “step” but are nonetheless not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph because the claim limitation(s) recite(s) sufficient structure, materials, or acts to entirely perform the recited function.  Such claim limitation(s) is/are: “first anomaly detection unit configured to detect” and “first storage unit configured to have stored” in claim 1;  and “second storage unit configured to have stored” in claim 4; .
Because this/these claim limitation(s) is/are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are not being interpreted to cover only the corresponding structure, material, or acts described in the specification as performing the claimed function, and equivalents thereof.
If applicant intends to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to remove the structure, materials, or acts that performs the claimed function; or (2) present a sufficient showing that the claim limitation(s) does/do not recite sufficient structure, materials, or acts to perform the claimed function.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-17 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Rajasekharan et al, US 2019/0042744.

As per claim 1, it is taught of an anomaly detection device comprising:
a first anomaly detection unit (anomalous backup activity detection module, #402 in Figure 4) configured to detect anomalous first monitored data from among a plurality of first monitored data obtained from a monitored system (paragraph 0022, lines 1-7 and paragraph 0023, lines 1-5);
a second anomaly detection unit (anomalous file detection module, #406 in Figure 4) configured to operate in parallel with the first anomaly detection unit (paragraph 0035, lines 1-8) and detect anomalous second monitored data from among a plurality of second monitored data obtained from the monitored system (paragraph 0022, lines 1-7 and paragraph 0030, lines 1-7);
a first storage unit (paragraph 0018, lines 12-25) configured to have the anomalous first monitored data and the anomalous second monitored data stored therein in association with each other, the anomalous second monitored data having been detected before lapse of a given time from detection time of the anomalous first monitored data (paragraph 0034, lines 1-11); and
a first determination unit configured to, when the anomalous first monitored data is detected, retrieve the anomalous second monitored data associated with the detected anomalous first monitored data from the first storage unit and output a first anomaly detection result including the retrieved anomalous second monitored data and the detected anomalous first monitored data (paragraph 0028, lines 1-6 and paragraph 0041, lines 1-18).
As per claim 2, it is disclosed wherein the first determination unit is configured to, when the anomalous first monitored data is detected, in a case where the anomalous second monitored data associated with the detected anomalous first monitored data is not stored in the first storage unit, store the detected anomalous first monitored data into the first storage unit (paragraph 0034, lines 1-11) and, when the anomalous second monitored data is detected before lapse of a given time from detection time of the anomalous first monitored data, store the detected anomalous second monitored 3Docket No. J-20-0285 data into the first storage unit in associated with the stored anomalous first monitored data (paragraph 0041, lines 1-18).
As per claim 3, it is taught wherein the first determination unit is configured to, when the anomalous first monitored data is detected, in a case where the anomalous second monitored data associated with the detected anomalous first monitored data is not stored in the first storage unit, output a second anomaly detection result including the detected anomalous first monitored data (paragraph 0041, lines 1-18).
As per claim 4, it is disclosed of further comprising:
a second storage unit configured to have the anomalous second monitored data and the anomalous first monitored data stored therein in association with each other, the anomalous first monitored data having been detected before lapse of a given time from detection time of the anomalous second monitored data; and a second determination unit configured to, when the anomalous second monitored data is detected, retrieve the anomalous first monitored data associated with the detected anomalous second monitored data from the second storage unit and output a third anomaly detection result including the retrieved anomalous first monitored data and the detected anomalous second monitored data (paragraph 0034, lines 1-11 and paragraph 0041, lines 1-18).
As per claim 5, it taught wherein the second determination unit is configured to, when the anomalous second monitored data is detected, in a case where the anomalous first monitored data associated with the detected anomalous second monitored data is not stored in the second storage unit, 4Docket No. J-20-0285 store the detected anomalous second monitored data into the second storage unit and, when the anomalous first monitored data is detected before lapse of a given time from detection time of the anomalous second monitored data, store the detected anomalous first monitored data into the second storage unit in associated with the stored anomalous second monitored data (paragraph 0034, lines 1-11 and paragraph 0041, lines 1-18).
As per claim 6, it is disclosed wherein the second determination unit is configured to, when the anomalous second monitored data is detected, in a case where the anomalous first monitored data associated with the detected anomalous second monitored data is not stored in the second storage unit, output a fourth anomaly detection result including the detected anomalous second monitored data (paragraph 0034, lines 1-11 and paragraph 0041, lines 1-18). 
As per claim 7, it is taught wherein the plurality of first monitored data include measured values on a plurality of performance indexes (file attributes, metadata) acquired from a plurality of devices configuring the monitored system, and the plurality of second monitored data include a plurality of text logs acquired from the plurality of devices configuring the monitored system (paragraph 0031, lines 1-19).
As per claim 8, wherein the plurality of first monitored data include a plurality of text logs acquired from a plurality of devices configuring the monitored system, and the plurality of second monitored data include measured values on a plurality of performance indexes (file attributes, metadata) acquired from the plurality of devices configuring the monitored system (paragraph 0031, lines 1-19).
As per claim 9, it is taught of an anomaly detection method comprising:
detecting anomalous first monitored data (anomalous backup activity detection module, #402 in Figure 4) from among a plurality of first monitored data obtained from a monitored system (paragraph 0022, lines 1-7 and paragraph 0023, lines 1-5);
in parallel with detecting the anomalous first monitored data (paragraph 0035, lines 1-8), detecting anomalous second monitored data from among a plurality of second monitored data obtained from the monitored system (paragraph 0022, lines 1-7 and paragraph 0030, lines 1-7); and
when the anomalous first monitored data is detected, retrieving the anomalous second monitored data (anomalous file detection module, #406 in Figure 4) associated with the detected anomalous first monitored data from a first storage unit (paragraph 0018, lines 12-25) in which the anomalous first monitored data and the anomalous second monitored data having been detected before lapse of a given time from detection time of the anomalous first monitored data are stored in association with each other (paragraph 0034, lines 1-11), and outputting a first anomaly detection result including the retrieved anomalous second monitored data and the detected anomalous first monitored data (paragraph 0028, lines 1-6 and paragraph 0041, lines 1-18).
As per claim 10, it is disclosed The anomaly detection method according to Claim 9, comprising, when the anomalous first monitored data is detected, in a case where the anomalous second monitored data associated with the detected anomalous first monitored data is not stored in the first storage unit, storing the detected anomalous first monitored data into the first storage unit (paragraph 0034, lines 1-11) and, when the anomalous second monitored data is detected before lapse of a given time from detection time of the anomalous first monitored data, storing the detected anomalous second monitored data into the first storage unit in associated with the stored anomalous first monitored data (paragraph 0041, lines 1-18).
As per claim 11, it is taught when the anomalous first monitored data is detected, in a case where the anomalous 6Docket No. J-20-0285 second monitored data associated with the detected anomalous first monitored data is not stored in the first storage unit, outputting a second anomaly detection result including the detected anomalous first monitored data (paragraph 0041, lines 1-18).
As per claim 12, it is disclosed when the anomalous second monitored data is detected, retrieving the anomalous first monitored data associated with the detected anomalous second monitored data from a second storage unit in which the anomalous second monitored data and the anomalous first monitored data having been detected before lapse of a given time from detection time of the anomalous second monitored data are stored in association with each other, and outputting a third anomaly detection result including the retrieved anomalous first monitored data and the detected anomalous second monitored data (paragraph 0034, lines 1-11 and paragraph 0041, lines 1-18).
As per claim 13, it is taught when the anomalous second monitored data is detected, in a case where the anomalous first monitored data associated with the detected anomalous second monitored data is not stored in the second storage unit, storing the detected anomalous second monitored data into the second storage unit and, when the anomalous first monitored data is detected before lapse of a given time from detection time of the anomalous second monitored data, storing the detected anomalous first monitored data into the second storage unit in associated with the stored anomalous second monitored data (paragraph 0034, lines 1-11 and paragraph 0041, lines 1-18).
As per claim 14, it is disclosed when the anomalous second monitored data is detected, in a case where 7Docket No. J-20-0285 the anomalous first monitored data associated with the detected anomalous second monitored data is not stored in the second storage unit, outputting a fourth anomaly detection result including the detected anomalous second monitored data (paragraph 0034, lines 1-11 and paragraph 0041, lines 1-18).
As per claim 15, it is taught wherein the plurality of first monitored data include measured values on a plurality of performance indexes (file attributes, metadata) acquired from a plurality of devices configuring the monitored system, and the plurality of second monitored data include a plurality of text logs acquired from the plurality of devices configuring the monitored system (paragraph 0031, lines 1-19).
As per claim 16, it is disclosed wherein the plurality of first monitored data include a plurality of text logs acquired from a plurality of devices configuring the monitored system, and the plurality of second monitored data include measured values on a plurality of performance indexes (file attributes, metadata) acquired from the plurality of devices configuring the monitored system (paragraph 0031, lines 1-19).
As per claim 17, it is taught of a non-transitory computer-readable recording medium having a program stored thereon, the program comprising instructions for causing a computer to function as:
a first anomaly detection unit (anomalous backup activity detection module, #402 in Figure 4) configured to detect anomalous first monitored data from among a plurality of first monitored data obtained from a monitored system (paragraph 0022, lines 1-7 and paragraph 0023, lines 1-5);
a second anomaly detection unit (anomalous file detection module, #406 in Figure 4) configured to operate in parallel with the first anomaly detection unit (paragraph 0035, lines 1-8) and detect anomalous second monitored data from among a plurality of second monitored data obtained from the monitored system (paragraph 0022, lines 1-7 and paragraph 0030, lines 1-7);
a first storage unit (paragraph 0018, lines 12-25) configured to have the anomalous first monitored data and the anomalous second monitored data stored therein in association with each other, the 8Docket No. J-20-0285 anomalous second monitored data having been detected before lapse of a given time from detection time of the anomalous first monitored data (paragraph 0034, lines 1-11); and
a first determination unit configured to, when the anomalous first monitored data is detected, retrieve the anomalous second monitored data associated with the detected anomalous first monitored data from the first storage unit and output a first anomaly detection result including the retrieved anomalous second monitored data and the detected anomalous first monitored data (paragraph 0028, lines 1-6 and paragraph 0041, lines 1-18).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Langton et al, U.S. Patent 9,646,159 is relied upon for disclosing of parallel execution of a security device, see column 17, lines 4-10.
Zhang et al, US 2016/0164721 is relied upon for disclosing of performing anomaly detection in parallel, see paragraph 0029.
Takahashi et al, U.S. Patent 10,140,836 is relied upon for disclosing of detecting abnormalities by detecting a difference in time, see abstract.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER A REVAK whose telephone number is (571)272-3794. The examiner can normally be reached 5:30am - 3:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LYNN FEILD can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.








/CHRISTOPHER A REVAK/Primary Examiner, Art Unit 2431