DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to amendments filed on April 26, 2022.
Claims 1, 3, 5, 7-8 have been amended.
Claim 9 has been added. Claims 1-9 are pending.

Response to Arguments
The objections regarding the specification have been withdrawn as the specification has been amended.
The rejections regarding 35 U.S.C. 101 for Claims 1-8 have been withdrawn as the claims have been amended.
The rejections regarding 35 U.S.C. 112(b) for Claims 3-5 have been withdrawn as the claims have been amended.
Applicant’s arguments with respect to claims 1-8 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). The certified copy has been filed in parent Application No. JP 2016-036383, filed on February 26, 2016.



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 7-9 are rejected under 35 U.S.C. 103 as being unpatentable over Aoki et al. (JP 2008192091 A), hereinafter referred to as “Aoki”, and further in view of Tang (U.S. Pub. No. 2013/0104230 A1), hereinafter referred to as “Tang”.
Regarding Claim 1: 
	Aoki discloses the following limitations:
	An analysis device comprising: a memory; and a processor coupled to the memory and programmed to execute a process (Page 7, Par. 6, log analysis server 10 is a computer system (analysis device … programmed to execute a process comprising) including at least a CPU (processor coupled to the memory), a main memory (memory), and an HDD)
	comprising: receiving an input of data, as learning purpose data and determination target data, in which requests made to a server by a user are represented in a time series (Page 5, Par. 7, in FIG. 1, a log (input of data in which requests made to a server by a user are represented in a time series) analysis apparatus according to the present invention includes a log analysis server (learning purpose data) and a log management server (determination target data))
	classifying, for each user who made the requests, the data received by the receiving (Page 8, Par. 2, the acquired logs (the data received by the receiving) are classified by user and operation content (classifying, for each user who made the requests))
	firstly extracting, from the learning purpose data classified by the classifying, the first number of consecutive requests (Page 6, Par. 3, the log analysis server (from the learning purpose data classified by the classifying) collects logs from the logs collected by the log management server in the target time zone, for example, logs related to sending e-mails and output to printers. A model showing the transition of the operation content (the first number of consecutive requests as feature values of the learning purpose data) in the time period is created (that performs learning by inputting the feature values of the learning purpose data to a machine learning algorithm)). Aoki teaches a system in which a computer analyzes logs in order to create a model of expected user behavior, i.e. machine learning. Therefore, under the broadest reasonable interpretation, the model creation of Aoki is a machine learning algorithm.  
	and creating a profile for each user based on the machine learning algorithm performing learning of feature values for each user (Page 3, Par. 1, a model (profile) composed of numerical values indicating the transition of the operation status for each user is calculated for each user (creating a profile for each user based on the machine learning algorithm performing learning of feature values for each user)). As argued previously, the model creation of Aoki is considered a machine learning algorithm, and the learning of feature values in this case refers to the calculation of values performed by Aoki. 
and secondly extracting, from the determination target data classified by the classifying, the first number of consecutive requests (Page 3, Par. 1, for the log acquired in the acquisition step (from the determination target data classified by the classifying), a model composed of numerical values indicating the transition of the operation status (extracting the first number of consecutive requests as feature values of the determination target data) for each user is calculated for each user)
	and determining as a determination result, based on the feature values of the determination target data and based on the profiles created by the creating, whether the determination target data is abnormal (Page 4, Par. 5, it has a total divergence score calculation step of calculating the total deviation score (based on the feature values of the determination target data and based on the profiles created by the creating) calculated from may also be characterized (determining as a determination result whether the determination target data is abnormal))
and outputting the determination result when the determination target data is determined to be abnormal (Page 6, Par. 4, and when a suspicious user is detected (when the determination target data is determined to be abnormal), the log analysis server may promptly notify the administrator X terminal (and outputting the determination result)). Aoki discloses notification of anomalies, i.e. an output of the determination result of abnormality. 

Tang discloses the following limitations not taught by Aoki:
and time intervals (Table 3; Par. [0047], the predetermined time period of traffic features may be useful in identifying a DDOS attack). Aoki does not disclose using time intervals as feature values for a machine learning algorithm. Tang however discloses using various types of time periods/intervals as feature values for a machine learning algorithm for detecting anomalies user requests to a server. Tang further teaches that analyzing such time intervals has the advantage of detecting a DDOS attack since computers may generate requests much faster than humans (Par. [0047], In contrast to legitimate network traffic, illegitimate traffic that may be part of a DDOS attack may artificially reduce the amount of time between requests. That is, a computer may be able to generate multiple data requests much faster than a human operator. In some configurations, analysis of the session features may be useful in detecting a DDOS attack).

References Aoki and Tang are considered to be analogous art because they both relate to anomaly detection of server requests using machine learning. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the anomaly detection system of Aoki with the time interval analysis of Tang in order to gain the benefit of detecting potential DDOS attacks.

Regarding Claim 7:
	Claim 7 is drawn to the method corresponding to the analysis device of Claim 1. Therefore, method Claim 7 corresponds to apparatus Claim 1, and is rejected for the same reasons of motivation/combination of references as used above.

Regarding Claim 8:
	Claim 8 is drawn to the non-transitory computer readable recording medium corresponding to the analysis device of Claim 1. Therefore, non-transitory computer readable recording medium Claim 8 corresponds to apparatus Claim 1, and is rejected for the same reasons of motivation/combination of references as used above. Claim 8 further recites a non-transitory computer readable recording medium, which Aoki also discloses (Aoki, Page 7, Par. 6, the log analysis server 10 is a computer system including at least a CPU, a main memory, and an HDD (non-transitory computer readable recording medium)).

Regarding Claim 9:
	Aoki/Tang discloses Claim 1.
	Tang further discloses the following limitations:
	wherein the first number of consecutive requests are consecutive requests to web pages (Abstract, These may include receiving a plurality of web log traces (wherein the first number of consecutive requests are consecutive requests to web pages) from one of a plurality of web servers). Tang teaches web log traces, i.e. requests to web pages, as shown in a later example (Par. [0034], For example, requesting device 108, a laptop, may request access to the McAfee home web page). 
	and the feature values further include a number of types of pages appearing in the consecutive requests (Par. [0033], DDOS analysis engine 204 may create a feature vector including the following features (and the feature values further include): (A) number of requests from a Source Internet Protocol address ("SIP"); (B) number of distinct Uniform Resource Identifiers ("URIs") requested by SIP (a number of types of pages appearing in the consecutive requests)). Tang thus teaches an exemplary feature vector using the number of distinct URIs as a feature value. As the phrase "types of pages" is not defined within the specification, under the broadest reasonable interpretation a web page having a certain URI is considered here to be a type of web page, i.e. the type of web pages which are assigned to that URI (Par. [0054], child web sites from the home web site of McAfee… may be assigned the same or different URI from the parent web site). Therefore, Tang teaches the claimed limitation. Tang further teaches that tracking the number of Uniform Resource Identifiers (URIs) is useful for anomaly detection (Par. [0044], Automated, illegitimate web traffic, however, may be able to repeatedly request the same URI over a short period of time).

	References Aoki and Tang are considered to be analogous art because they both relate to anomaly detection of server requests using machine learning. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to further combine the anomaly detection system of Aoki with the URI feature values of Tang in order to gain the benefit of an increased ability to detect potential DDOS attacks.

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Aoki/Tang as applied to Claim 1 above, and further in view of Denning (An Intrusion-Detection Model), hereinafter referred to as “Denning”.
Regarding Claim 2:
	Aoki/Tang discloses Claim 1.
	Aoki further discloses the following limitation:
	wherein the creating calculates an average value (Page 3, Par. 1, an average value indicating the operation status of the operation contents in the time zone is calculated (creating calculates an average value) from numerical values constituting the models of all models stored in the model)

	Denning discloses the following limitations not taught by Aoki/Tang:
	of all users of probability of occurrence of each feature value included in the profile for each user (Page 123, Par. 3, an activity profile (included in the profile of each user) contains information that identifies the statistical model (all users of probability of occurrence) and metric of a random variable (of each feature value))
	and further creates an average profile in which the calculated average value is used as the probability of occurrence of each feature value (Page 124, Col. 2, Par. 10-11, the random variable represented by a profile for a class can aggregate activity for the class in two ways: … An example is a profile for the class of all users representing the average number of logins into the system per day, where all users are treated as a single entity (further creates an average profile in which the calculated average value is used as the probability of occurrence of each feature value)). Aoki/Tang discloses a model creation step which uses the operation history (consecutive requests) as feature values, but does not disclose the model to be a probability model. Denning, however, teaches that an activity profile may be a probability model and further teaches creating an average profile over all users. Denning teaches that the statistical model related to averaging allows for certain advantages: "it learns what constitutes normal activity from its observations" (Page 122, Col. 2, Par. 2) and "class-as-a-whole activity reveals whether some general pattern of behavior is normal with respect to a class" (Page 125, Col. 1, Par. 3).

	References Aoki/Tang and Denning are considered to be analogous art because they both relate to anomaly detection with respect to event logs. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the anomaly detection system of Aoki/Tang with the probability models of Denning in order to gain the benefit of having an adaptive definition of normality and being able to determine the general behavior of a system by aggregating the models into an average one.
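The following is an added illustration, not code from the applicant's specification or from Aoki, Tang or Denning, of how the limitations of Claims 1, 2 and 9 as read above fit together as one pipeline: the received log is classified by user, each run of three consecutive requests yields one feature value made of the page sequence, a time-interval bucket and the number of distinct pages, a per-user profile records the probability of occurrence of each feature value, an average profile is formed over all users, and each user's determination target data is scored against that user's profile. The users, page names, timestamps, run length of three, 2-second interval bucket, surprise floor and 3.0 threshold are assumptions made for the example only.

```python
"""Per-user request profiles and anomaly determination (added illustration)."""
import math
from collections import Counter, defaultdict


def session(user, start, pages, gap):
    """Constructed sample data: one user session, requests `gap` seconds apart."""
    return [(start + i * gap, user, page) for i, page in enumerate(pages)]


# Constructed learning purpose data: three normal sessions for alice, two for bob.
ALICE = ["/login", "/inbox", "/mail/1", "/inbox", "/mail/2", "/logout"]
BOB = ["/login", "/reports", "/report/q1", "/logout"]
LEARNING_LOG = (session("alice", 0, ALICE, 5) + session("alice", 100, ALICE, 5)
                + session("alice", 200, ALICE, 5)
                + session("bob", 0, BOB, 5) + session("bob", 100, BOB, 5))
# Constructed determination target data: alice behaves as before, while the
# "bob" account requests one report page ten times a second, the machine-speed
# pattern that the time-interval feature is meant to expose.
TARGET_LOG = (session("alice", 1000, ALICE, 5)
              + session("bob", 1000, ["/login"] + ["/report/q1"] * 5, 0.1))


def classify_by_user(records):
    """'classifying': a time-ordered list of (timestamp, page) per user."""
    by_user = defaultdict(list)
    for ts, user, page in sorted(records, key=lambda r: r[0]):
        by_user[user].append((ts, page))
    return dict(by_user)


def extract_features(seq, n=3, fast_limit=2.0):
    """'extracting': one feature value per run of n consecutive requests, made of
    the page n-gram, a time-interval bucket and the number of distinct pages."""
    feats = []
    for i in range(len(seq) - n + 1):
        run = seq[i:i + n]
        pages = tuple(page for _, page in run)
        elapsed = run[-1][0] - run[0][0]          # seconds spanned by the run
        bucket = "fast" if elapsed < fast_limit else "slow"
        feats.append((pages, bucket, len(set(pages))))
    return feats


def create_profiles(learning_by_user, n=3):
    """'creating': per-user profile = probability of occurrence of each feature value."""
    profiles = {}
    for user, seq in learning_by_user.items():
        counts = Counter(extract_features(seq, n))
        total = sum(counts.values())
        profiles[user] = {f: c / total for f, c in counts.items()}
    return profiles


def average_profile(profiles):
    """Claim 2: average, over all users, of each feature value's probability."""
    keys = set().union(*profiles.values())
    return {k: sum(p.get(k, 0.0) for p in profiles.values()) / len(profiles)
            for k in keys}


def surprise(features, profile, floor=1e-3):
    """Mean -log p of the target features under a profile; unseen values get `floor`."""
    if not features:
        return 0.0
    return sum(-math.log(profile.get(f, floor)) for f in features) / len(features)


def determine(target_by_user, profiles, threshold, n=3):
    """'determining': score each user's target data against that user's own profile."""
    results = {}
    for user, seq in target_by_user.items():
        if user in profiles:
            s = surprise(extract_features(seq, n), profiles[user])
            results[user] = (s, s > threshold)
    return results


def abnormal_users(results):
    """'outputting': report only the users whose target data was determined abnormal."""
    return sorted(user for user, (_, flagged) in results.items() if flagged)


def run_example(threshold=3.0):
    profiles = create_profiles(classify_by_user(LEARNING_LOG))
    return determine(classify_by_user(TARGET_LOG), profiles, threshold)


if __name__ == "__main__":
    res = run_example()
    for user, (s, flagged) in res.items():
        print(f"{user}: score={s:.2f} abnormal={flagged}")
    print("report:", abnormal_users(res))
```

In this example the scoring function is one plausible reading of "based on the feature values ... and based on the profiles": every feature value seen in the learning data keeps its observed probability, and a feature value never seen for that user is charged the floor probability, so a burst of unfamiliar, machine-speed requests on an account scores far above the same user's normal sessions.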

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Aoki/Tang as applied to Claim 1 above, and further in view of Trinita et al. (A Sliding Window Technique for Covariance Matrix to Detect Anomalies on Stream Traffic), hereinafter referred to as “Trinita”.
Regarding Claim 3:
	Aoki/Tang discloses Claim 1.
	Aoki further discloses the following limitations:
	The analysis device according to claim 1, wherein the secondly extracting extracts, (Page 6, Par. 3, a model showing the transition of the operation content in the time period is created (extracts for each of the second number of consecutive requests)). Aoki/Tang discloses that the determination target data is sampled within time periods, and a given time period constitutes a series of requests (second number of consecutive requests), and as used in Claim 1, Aoki/Tang meets the limitation of extracting the first number of consecutive requests as the feature values of the determination target data. Aoki/Tang however does not explicitly disclose the time periods to be constructed such that each request in the target data is used as a starting point, and this is taught by Trinita below. 
	and the determining calculates scores for each of the second number of consecutive requests based on the feature values of the determination target data and based on the profiles created by the creating (Page 3, Par. 1, a deviation score calculation step for calculating a deviation score of each user from a deviation calculation between the numerical value and the average value (and the determining calculates scores for each of the second number of consecutive requests based on the feature values of the determination target data and based on the profiles created by the creating))
	and determines whether the determination target data is abnormal based on an amount of change in the scores in a time series and a threshold (Page 10, Par. 8, notification of the calculation result (determination target data is abnormal) may be performed every time the total deviation score or the like is calculated (based on an amount of change in the scores in a time series), or may be notified only when a user whose total deviation score or the like exceeds a predetermined threshold (and a threshold) as a result of the calculation)

	
	Trinita discloses the following limitation not taught by Aoki/Tang:
	by using each request in the determination target data classified by the classifying as a starting point (Page 178, Col. 1, Par. 2, in this sliding window technique, the amount of data experienced window shift which is done in sequence until the last data can be seen in Figure 3.2). In Figure 3.2, Trinita shows that the sliding window gradually moves forward by a single request. Aoki/Tang teaches dividing the data into time periods, but does not teach the time periods to start with each request. Trinita however teaches this limitation through the sliding window approach for anomaly detection. Trinita further teaches that “the sliding window technique is used to overcome the large number problems of detected data which affecting classification errors. This technique is excellent in dividing all the data equally without ignored it [sic]” (Page 176, Par. 2). In other words, the sliding window approach allows for partitioning of the data into smaller portions, thereby improving the accuracy of anomaly detection (such as in certain situations where there are multiple anomalous instances) without ignoring data. 

	References Aoki/Tang and Trinita are considered to be analogous art because they both relate to detecting anomalies in user traffic. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the anomaly detection system of Aoki/Tang with the sliding window approach of Trinita in order to gain the benefit of increased accuracy without ignoring parts of the data. 

	Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over the combination of Aoki/Tang/Trinita as applied to Claim 3 above, and further in view of Bigus et al. (U.S. Pub. No. 2009/0293121 A1), hereinafter referred to as “Bigus”. 
Regarding Claim 4:
	The combination of Aoki/Tang/Trinita discloses Claim 3.
	Bigus discloses the following limitations not taught by the combination of Aoki/Tang/Trinita:
	wherein, when a moving average of the amount of change in the scores in a time series in a predetermined time period exceeds the threshold (Par. [0040], Once aggregated, this sum may be used as is or divided by the appropriate value to compute an average value over the specified time period (wherein, when a moving average of the amount of change in the scores in a time series in a predetermined time period), Par. [0052], The DTFS approach determines the time frame windows dynamically (moving average), Fig. 6A, 630 (exceeds the threshold)). Bigus teaches computing a moving average over a sliding window in order to detect deviation, and this detection occurs when the average exceeds a certain threshold as shown at reference number 630 in Fig. 6A. When combined with the change in scores previously taught by Aoki/Tang/Trinita, this teaches the claimed limitation. 
	the determining determines that the determination target data is abnormal and further determines that a time point at which the score exceeds the threshold as a time point at which impersonation of a user has occurred (Fig. 6A, 630; Par. [0054], A point 630 indicates that user action pattern profile has changed). Aoki/Tang/Trinita does not teach determining a time point of exceeding the threshold. Bigus however teaches identification of a point at which the score exceeds the threshold at reference number 630 in Fig. 6A, and this point is a time point as Fig. 6A is graphed as a function of time. Bigus further teaches that this determination can be used to detect deviation of user behavior (Par. [0054], As shown in FIG. 6A, line 610 illustrates how behavior of a tester cluster evolves over time … A point 630 indicates that user action pattern profile has changed). 

	References Aoki/Tang/Trinita and Bigus are considered to be analogous art because they both relate to detecting anomalies in time series data. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the anomaly detection system of Aoki/Tang/Trinita with the moving average/time point determination of Bigus in order to gain the benefit of identifying when user behavior deviation occurs. 

	Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over the combination of Aoki/Tang/Trinita as applied to Claim 3 above, and further in view of Shetty et al. (An integrated Machine Learning and Control Theoretic model for mining concept-drifting data streams), hereinafter referred to as “Shetty”.
Regarding Claim 5:
	The combination of Aoki/Tang/Trinita discloses Claim 3.
	The combination of Aoki/Tang/Trinita further discloses the following limitations:
	Claim 5 recites limitations parallel to those of Claim 3, except that "threshold calculation purpose data" is recited in lieu of "determination target purpose data" and one further limitation is added; both of these differences are taught by Shetty below. The parallel limitations of Claim 5 therefore correspond to those of Claim 3, and are rejected for the same reasons set forth above.
	
	Shetty discloses the following limitations not taught by the combination of Aoki/Tang/Trinita:
	threshold calculation purpose data (Page 75, Col. 2, Par. 3, we present a [sic] integrated supervised machine learning and control theoretic model to adaptively tune the detection threshold (threshold calculation) of a real-time IDS in accordance with varying host and network behavior (determination target purpose data) for detecting concept drift in normal traffic patterns). The system disclosed by Shetty uses what was previously treated as the determination target purpose data as the data from which the threshold is calculated. Therefore, the limitations analogous to those of Claim 3 are rejected for the same reasons as argued previously.
	and calculating the threshold based on an amount of change in the scores in a time series (Page 76, Col. 1, Par. 2, our model can adapt the classification threshold (calculating the threshold) as a function of relative entropy measurements (based on an amount of change in the scores in a time series)). The combination of Aoki/Tang/Trinita discloses an anomaly detection system but does not disclose a calculation of the threshold. Shetty, however, discloses tuning of the threshold using the target data. Shetty further teaches that such a dynamic threshold gives greater accuracy for detecting anomalies than a fixed threshold (Page 77, Col. 1, Par. 2, such an adaptive thresholding mechanism will enable an IDS to achieve greater average detection and false alarms accuracy. As a by-product, adaptive thresholding will also reduce the need for human threshold tuning, thereby making an IDS more automated).

	References Aoki/Tang/Trinita and Shetty are considered to be analogous art because they both relate to anomaly detection systems for time series data in the form of user traffic. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the anomaly detection system of Aoki/Tang/Trinita with the threshold tuning of Shetty in order to gain the benefit of greater accuracy in detecting anomalies.
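The following is an added illustration, not code from the applicant's specification or from Aoki, Tang, Trinita, Bigus or Shetty, of the Claim 3, 4 and 5 limitations as read above: windows of four consecutive requests (the "second number") are taken with each request as a starting point, each window is scored against a bigram profile, the amount of change between successive window scores is averaged over a period of two, the determination target data is flagged as abnormal at the request whose arrival pushes that moving average over the threshold, and the threshold itself is calculated from separate threshold calculation purpose data rather than fixed by hand. The page names, bigram profile, window length, period, surprise floor and 0.5 margin are assumptions made for the example only.

```python
"""Sliding-window scoring, score-change detection and threshold calibration
(added illustration; all data constructed)."""
import math
from collections import Counter

SESSION = ["/login", "/inbox", "/mail", "/inbox", "/mail", "/logout"]
LEARNING = SESSION * 3        # constructed learning purpose data
CALIBRATION = SESSION * 2     # constructed threshold calculation purpose data
# Constructed determination target data: two normal sessions, then from index 12
# the session is driven by someone else who pulls an admin page and bulk exports.
TARGET = SESSION * 2 + ["/admin"] + ["/export"] * 5


def ngrams(pages, n):
    return [tuple(pages[i:i + n]) for i in range(len(pages) - n + 1)]


def build_profile(pages, n=2):
    """Profile = probability of occurrence of each n-gram in the learning data."""
    counts = Counter(ngrams(pages, n))
    total = sum(counts.values())
    return {g: c / total for g, c in counts.items()}


def window_scores(pages, profile, window=4, n=2, floor=1e-3):
    """Claim 3: every request is a starting point, and each run of `window`
    consecutive requests gets one score, the mean surprise -log p of its
    n-grams under the profile. An n-gram never seen in learning gets `floor`."""
    scores = []
    for start in range(len(pages) - window + 1):
        grams = ngrams(pages[start:start + window], n)
        scores.append(sum(-math.log(profile.get(g, floor)) for g in grams) / len(grams))
    return scores


def score_changes(scores):
    """Amount of change in the scores, in time-series order."""
    return [later - earlier for earlier, later in zip(scores, scores[1:])]


def moving_average(values, period):
    """Claim 4: moving average over a fixed period; index k covers values k..k+period-1."""
    return [sum(values[k:k + period]) / period for k in range(len(values) - period + 1)]


def calibrate_threshold(pages, profile, window=4, n=2, period=2, margin=0.5):
    """Claim 5: calculate the threshold from known-normal data by observing the
    moving average of score changes it produces and adding a margin above it."""
    ma = moving_average(score_changes(window_scores(pages, profile, window, n)), period)
    if not ma:
        raise ValueError("threshold calculation purpose data is too short")
    return max(ma) + margin


def detect(pages, profile, threshold, window=4, n=2, period=2):
    """Return (abnormal, index of the request at which the deviation was observed).
    The index is the last request of the newest window inside the averaged span,
    i.e. the request whose arrival pushed the average over the threshold; that
    is the time point at which the impersonation is taken to have begun."""
    ma = moving_average(score_changes(window_scores(pages, profile, window, n)), period)
    for k, value in enumerate(ma):
        if value > threshold:
            return True, k + period + window - 1
    return False, None


if __name__ == "__main__":
    profile = build_profile(LEARNING)
    thr = calibrate_threshold(CALIBRATION, profile)
    flagged, at = detect(TARGET, profile, thr)
    print(f"threshold={thr:.3f} abnormal={flagged} at request {at} ({TARGET[at]})")
```

Because every request starts a window, the score series has nearly as many points as the log has requests, so the change series reacts at the first window that includes an unfamiliar transition; averaging the changes over a short period suppresses the single-step jitter that a normal session produces between familiar transitions, and the calibration step sets the threshold just above the largest such jitter observed on normal data.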

	Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Aoki/Tang as applied to Claim 1 above, and further in view of Brownlee (How to Prepare Data For Machine Learning), hereinafter referred to as “Brownlee”.
Regarding Claim 6:
	Aoki/Tang discloses Claim 1.
	Brownlee discloses the following limitations not taught by Aoki/Tang:
	further comprising excluding data that satisfies a predetermined condition from among the pieces of data received by the receiving and editing data, which was not excluded, by using a predetermined process (Page 2, Par. 9, cleaning data is the removal or fixing of missing data (excluding data that satisfies a predetermined condition from among the pieces of data received by the receiving and editing data, which was not excluded, by using a predetermined process)). Aoki/Tang does not disclose removal/editing of the data. Brownlee, however, teaches that it is a common practice in the field of machine learning to preprocess data beforehand by removing/editing the data. Brownlee further teaches that such preprocessing is essential in order to remove unnecessary/sensitive data.
	wherein the classifying classifies, for each user who made the requests, the data edited by the editing (Page 1, Par. 3, the process for getting data ready for a machine learning algorithm can be summarized in three steps … Step 2: Preprocess Data). Brownlee teaches that the preprocessing (removal/editing) of the data is a necessary prerequisite for performing machine learning, which in this case precedes the classification of Claim 1. Therefore, the data edited by the preprocessing is later classified, and the claim limitation is met. 

	References Aoki/Tang and Brownlee are considered to be analogous art because both relate to machine learning. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the anomaly detection system of Aoki/Tang with the preprocessing of Brownlee in order to gain the benefit of removing unnecessary/sensitive data.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ETHAN V VO whose telephone number is (571)272-2505. The examiner can normally be reached M-F 8am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571)272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ETHAN V VO/Examiner, Art Unit 4122
/TRANG T DOAN/Primary Examiner, Art Unit 2431