DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This Office Action is in response to the patent application filed on June 29, 2020, for application number 16/914,899. Claims 1-20 have been considered. Claims 1, 11 and 18 are independent claims.
This action is made Non-Final.

Prior Art
Listed herein below are the prior art references relied upon in this Office Action:
Coskun et al. (US Patent No. US 11,374,952 B1), referred to as Coskun herein.
Martyanov (US Patent Application Publication US 20210200612 A1), referred to as Martyanov herein.
Jakobsson et al. (US Patent Application Publication US 20190199745 A1), referred to as Jakobsson herein.
Muddu et al. (US Patent Application Publication US 20190327251 A1), referred to as Muddu herein.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-5, 8, 11-15, and 18-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Coskun in view of Martyanov.
Regarding independent claim 1, Coskun teaches “A method comprising: associating anomalous first text, from a first data set, with a first classification (Coskun, at column 2, lines 23-28, from a large number of user activity records, determine whether a request is non-anomalous or potentially anomalous.); 
processing the first data set using at least one of machine learning or artificial intelligence to identify a second text that is in close context to the first text in the first data set (id. at column 2, lines 46-54, to determine whether requests to perform actions within a distributed computing environment are potentially anomalous or non-anomalous, and computing normalcy scores, which indicate a relative closeness of the attributes of the incoming request with attributes of the closest matching requests in a training data set. As described at column 6, line 37 to column 7, line 17, both encoder and decoder include a plurality of neural networks to output a normalcy score.), and adding the second text to a text list associated with the first classification (id. at column 2, lines 54-57, based on the generated normalcy score for a request, a determination of whether the request is potentially anomalous or non-anomalous may be performed); 
enriching the text list by processing the second text to generate a third text, and adding the third text to the text list to produce an enriched text list and such that the third text is also associated with the first classification (id. at column 2, lines 59-65, incoming requests that result in the generation of normalcy scores indicative of a similarity to other events known to have been non-anomalous events (e.g., a probability approaching 1 that a similar request has been previously performed within the distributed computing environment) may be considered to be non-anomalous requests.); …” However, Coskun does not explicitly teach “matching the second text and the third text in the enriched text list to text in a second data set; and 
classifying the text in the second data set as having the first classification when the text in the second data set matches the second text or the third text in the enriched text list.”
Martyanov, which is in the same field of systems and methods for detecting anomalies in text content of data objects (Martyanov, at Abstract), teaches matching the second text and the third text in the enriched text list to text in a second data set (id. at ¶ [0016], The trained supervised neural network may compare the features generated from the unsupervised neural network to determine anomalies in character sequences.); and classifying the text in the second data set as having the first classification when the text in the second data set matches the second text or the third text in the enriched text list (id. at ¶ [0016], when a data object is received by the anomaly detection system, an anomaly detection engine may access the trained anomaly classifier and use the trained anomaly classifier to output identifying information indicating one or more anomalous text character sequences in the text content of the data object.).
Accordingly, it would have been obvious to one of ordinary skill in the art at the filing date of this application to combine Coskun’s method with matching features of the trained supervised neural network with features generated from the unsupervised neural network in a new data object and classifying the one or more anomalous text character sequences of the data object as taught by Martyanov because a person analyzing a text log for evidence of an error related to a particular service may not have familiarity with that particular service, which may compound the difficulty in trying to isolate the cause of an error condition (Martyanov, at ¶ [0002]).
Independent claim 11 is directed towards an apparatus equivalent to a method found in claim 1, and is therefore similarly rejected.
Independent claim 18 is directed towards a non-transitory computer readable storage media equivalent to a method found in claim 1, and is therefore similarly rejected.

Regarding claim 2, Coskun in view of Martyanov teaches all the limitations of independent claim 1. Coskun further teaches “wherein at least one of the first data set and the second data set is unstructured (Coskun, at column 8, line 66 to column 9, line 3, teaches activity log data store may be a flat file store including one or more files in which user activity information is stored.).”

Regarding claim 3, Coskun in view of Martyanov teaches all the limitations of independent claim 1. Coskun further teaches “wherein at least one of the first data set and the second data set is structured (Coskun, at column 8, line 66 to column 9, line 3, teaches Activity log data store may be structured, for example, as a relational database.).”

Regarding claim 4, Coskun in view of Martyanov teaches all the limitations of independent claim 1. However, Coskun does not explicitly teach “wherein the first classification comprises a severity level.”
Martyanov, which is in the same field of systems and methods for detecting anomalies in text content of data objects (Martyanov, at Abstract), teaches that the output from the trained anomaly classifier indicates whether the modification changed the degree of the classification (e.g., the first condition is still satisfied but not as severe) for which the trained anomaly classifier is trained (id. at ¶ [0037]).
Accordingly, it would have been obvious to one of ordinary skill in the art at the filing date of this application to combine Coskun in view of Martyanov’s method with the classification comprising a severity level as taught by Martyanov because when a person analyzing a text log for evidence of an error related to a particular service may not have familiarity with that particular service, it compounds the difficulty in trying to isolate the cause of an error condition (Martyanov, at ¶ [0002]).

Regarding claim 5, Coskun in view of Martyanov teaches all the limitations of independent claim 1. However, Coskun does not explicitly teach “wherein processing the second text comprises processing the second text using natural language processing.”
Martyanov, which is in the same field of systems and methods for detecting anomalies in text content of data objects (Martyanov, at Abstract), teaches using a natural language processing algorithm that identifies characters, words and/or phrases that can be embedded into vector space as inputs for the artificial neural network to learn possible values and structure of the data object (id. at ¶ [0016]).
Accordingly, it would have been obvious to one of ordinary skill in the art at the filing date of this application to combine Coskun in view of Martyanov’s method with processing the data object using a natural language processing algorithm as taught by Martyanov because it would not be possible to identify the characters, the words, and/or the phrases of the data object without the natural language processing (Martyanov, at ¶ [0036]).

Regarding claim 8, Coskun in view of Martyanov teaches all the limitations of independent claim 1. However, Coskun does not explicitly teach “further comprising generating multiple enriched lists, each associated with a respective classification.”
Martyanov, which is in the same field of systems and methods for detecting anomalies in text content of data objects (Martyanov, at Abstract), teaches generating an output that includes identifying information indicating the one or more first common anomalous text character sequences in the first set of the second plurality of data objects and identifying information indicating the one or more second common anomalous text character sequences in the second set of the second plurality of data objects (id. at ¶ [0041]).
Accordingly, it would have been obvious to one of ordinary skill in the art at the filing date of this application to combine Coskun in view of Martyanov’s method with generating multiple common anomalous text character sequences as taught by Martyanov because the user may want to omit a known anomaly that may not be the cause of the issue to determine other anomalies in the data objects (Martyanov, at ¶ [0041]).
Claims 12-15 are directed towards an apparatus equivalent to a method found in claims 2-5 respectively, and are therefore similarly rejected.
Claim 19 is directed towards non-transitory computer readable storage media equivalent to a method found in claim 2, and is therefore similarly rejected.
Claim 20 is directed towards non-transitory computer readable storage media equivalent to a method found in claim 5, and is therefore similarly rejected.

Claim(s) 6, 9, and 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Coskun in view of Martyanov as applied to claim 1 above, and further in view of Jakobsson.
Regarding claim 6, Coskun in view of Martyanov teaches all the limitations of independent claim 1. However, Coskun in view of Martyanov does not explicitly teach “wherein in close context comprises within five words of the first text.”
Jakobsson, which is in the same field of determining a security risk associated with the received electronic message (Jakobsson, at Abstract), teaches that if any string distance measure determined for a list of trusted contacts is greater than a threshold value, the message is identified as potentially an impersonation attack message (id. at ¶ [0206]).
Accordingly, it would have been obvious to one of ordinary skill in the art at the filing date of this application to combine Coskun in view of Martyanov’s method with close context comprising being within a threshold value of words of the first text as taught by Jakobsson because an attacker may use substitution characters to visually mimic a character in an identifier of a trusted contact (Jakobsson, at ¶ [0205]).

Regarding claim 9, Coskun in view of Martyanov teaches all the limitations of independent claim 1. However, Coskun in view of Martyanov does not explicitly teach “wherein the first data set and the second data set are log files from a same domain.”
Jakobsson, which is in the same field of determining a security risk associated with the received electronic message (Jakobsson, at Abstract), teaches that a higher measure of trust indicates a higher likelihood that an authentic message sent by the contact will not include malicious and/or undesired content, and that the measure of trust may be for a domain of the message contact that covers all messages of the same domain (id. at ¶ [0191]).
Accordingly, it would have been obvious to one of ordinary skill in the art at the filing date of this application to combine Coskun in view of Martyanov’s method with all logs of messages being from the same domain as taught by Jakobsson because the measure of trust indicates a measure that the message contact is likely to send a message that is of value to a recipient/user (Jakobsson, at ¶ [0191]).

Claim 16 is directed towards an apparatus equivalent to a method found in claim 6, and is therefore similarly rejected.

Claim(s) 7, 10, and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Coskun in view of Martyanov as applied to claim 1 above, and further in view of Muddu.
Regarding claim 7, Coskun in view of Martyanov teaches all the limitations of independent claim 1. However, Coskun in view of Martyanov does not explicitly teach “wherein processing the second text to generate the third text comprises applying a cosine similarity measure to select the third text.”
Muddu, which is in the same field of detecting security related anomalies and threats in a computer network environment (Muddu, at Abstract), teaches applying cosine similarity between two vectors representing the two sequences to compare the similarity between the sequences of characters (id. at ¶¶ [0531]-[0532]).
Accordingly, it would have been obvious to one of ordinary skill in the art at the filing date of this application to combine Coskun in view of Martyanov’s method with applying a cosine similarity measure to select the sequence of characters as taught by Muddu because it is useful to capture the similarity between the frequent subsequences of the two sequences (Muddu, at ¶ [0532]).

Regarding claim 10, Coskun in view of Martyanov teaches all the limitations of independent claim 1. However, Coskun in view of Martyanov does not explicitly teach “further comprising receiving the log files from a network device operating in a network.”
Muddu, which is in the same field of detecting security related anomalies and threats in a computer network environment (Muddu, at Abstract), teaches that data sources represent various data sources that provide event data, including machine data, to be analyzed for anomalies and threats, and that the data source is a source of data pertaining to logs which are generated from network routers (id. at ¶ [0163]).
Accordingly, it would have been obvious to one of ordinary skill in the art at the filing date of this application to combine Coskun in view of Martyanov’s method with receiving the log files from a network device as taught by Muddu because there is a need for analyzing machine data, which contains a log of an event that takes place in the network environment, to diagnose equipment performance problems, monitor user actions and interactions, and to derive other insights like user behavior baseline, anomalies and threats (Muddu, at ¶¶ [0188]-[0189]).
Claim 17 is directed towards an apparatus equivalent to a method found in claim 10, and is therefore similarly rejected.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SEUNG W JUNG whose telephone number is (571)270-5249. The examiner can normally be reached Monday-Friday, 9:00am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Scott Baderman can be reached on (571)272-3644. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

SEUNG W. JUNG
Examiner
Art Unit 2144



/SCOTT T BADERMAN/
Supervisory Patent Examiner, Art Unit 2144