Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Notice of Allowability is in response to the RCE filed by Applicant on 5/4/2022 and Amendments authorized by Applicant’s representative on 6/10/2022. Claim 2 has been canceled.  No claims were added as New. Claims 1 and 3-22 are pending. 

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 5/4/2022 has been entered.
 






EXAMINER'S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Applicant’s representative Benjamin Koopferstock Reg. No. 71,488 on 6/10/2022.
The application has been amended as follows: 

1.	(Currently Amended) A method of detecting potential anomalies at a cloud service infrastructure, comprising:
accessing a strings table, each respective entry of the strings table defining a respective character string and a respective anomaly probability for the character string;
generating, in a database of the cloud service infrastructure, a log entry related to an event occurring in the cloud service infrastructure, the log entry including a character string designating one of a name of a file and an IP address, the log entry including a domain name hosted by the service infrastructure;
searching for the character string in the strings table; and
marking the domain name as suspect when the character string is found in the strings table and when an anomaly probability corresponding to the character string exceeds a predetermined threshold, 
wherein, the predetermined threshold is calculated according to: 

            
                T
                h
                r
                e
                s
                h
                o
                l
                d
                =
                
                    
                        a
                        r
                        g
                        m
                        i
                        n
                    
                    
                        x
                    
                
                
                    
                        
                            
                                
                                    
                                        ∑
                                        
                                            s
                                            t
                                            r
                                            i
                                            n
                                            g
                                            ϵ
                                            S
                                            t
                                            r
                                            i
                                            n
                                            g
                                            s
                                        
                                    
                                    
                                        I
                                        
                                            
                                                p
                                                
                                                    
                                                        A
                                                        |
                                                        
                                                            
                                                                S
                                                                t
                                                                r
                                                            
                                                            
                                                                i
                                                            
                                                        
                                                    
                                                
                                                 
                                                <
                                                x
                                            
                                        
                                    
                                
                            
                            
                                m
                            
                        
                        >
                        0,95
                    
                
            
        		
____________________________________________________
wherein:
            
                I
            
         is an indicator function; and
            
                m
            
         is a number of entries in the strings table.
2.	(Cancelled) 

16.	(Currently Amended) A cloud service infrastructure, comprising:
a server configured to receive data packets and/or commands from a client;
a database configured to store a plurality of log entries, each respective log entry of the database including a respective character string associated with a respective domain name;
a processor; and
a memory device comprising a non-transitory computer-readable medium storing executable code thereon, 
wherein, the executable code comprises instructions for executing: 
accessing a strings table, each respective entry of the strings table defining a respective character string and a respective anomaly probability for the character string;
generating, in a database of the cloud service infrastructure, a log entry related to an event occurring in the cloud service infrastructure, the log entry including a character string designating one of a name of a file and an IP address, the log entry including a domain name hosted by the service infrastructure;
searching for the character string in the strings table; and
marking the domain name as suspect when the character string is found in the strings table and when an anomaly probability corresponding to the character string exceeds a predetermined threshold, 
wherein, the predetermined threshold is calculated according to: 
            
                T
                h
                r
                e
                s
                h
                o
                l
                d
                =
                
                    
                        a
                        r
                        g
                        m
                        i
                        n
                    
                    
                        x
                    
                
                
                    
                        
                            
                                
                                    
                                        ∑
                                        
                                            s
                                            t
                                            r
                                            i
                                            n
                                            g
                                            ϵ
                                            S
                                            t
                                            r
                                            i
                                            n
                                            g
                                            s
                                        
                                    
                                    
                                        I
                                        
                                            
                                                p
                                                
                                                    
                                                        A
                                                        |
                                                        
                                                            
                                                                S
                                                                t
                                                                r
                                                            
                                                            
                                                                i
                                                            
                                                        
                                                    
                                                
                                                 
                                                <
                                                x
                                            
                                        
                                    
                                
                            
                            
                                m
                            
                        
                        >
                        0,95
                    
                
            
        		
____________________________________________________
wherein:
            
                I
            
         is an indicator function; and
            
                m
            
         is a number of entries in the strings table.


Allowable Subject Matter
Claims 1 and 3-22 are allowed.
The following is a statement of reasons for the indication of allowable subject matter:  
Claims 1 and 16 are directed towards a method of predicting potential anomalies.  Examiner conducted a final search on 6/13/2022 the closest prior art Baughmann et al (US 20180077120) in view of Meshi et al. (US 2018/0069883) and of Lim (US 2017/0228658), which a generally directed towards determining malicious strings, fails to teach the claimed limitations of claims 1 and 16. Specifically they fail to teach   generating, in a database of the cloud service infrastructure, a log entry related to an event occurring in the cloud service infrastructure, the log entry including a character string designating one of a name of a file and an IP address, the log entry including a domain name hosted by the service infrastructure; searching for the character string in the strings table; and
marking the domain name as suspect when the character string is found in the strings table and when an anomaly probability corresponding to the character string exceeds a predetermined threshold, 
wherein, the predetermined threshold is calculated according to: 

                
                    T
                    h
                    r
                    e
                    s
                    h
                    o
                    l
                    d
                    =
                    
                        
                            a
                            r
                            g
                            m
                            i
                            n
                        
                        
                            x
                        
                    
                    
                        
                            
                                
                                    
                                        
                                            ∑
                                            
                                                s
                                                t
                                                r
                                                i
                                                n
                                                g
                                                ϵ
                                                S
                                                t
                                                r
                                                i
                                                n
                                                g
                                                s
                                            
                                        
                                        
                                            I
                                            
                                                
                                                    p
                                                    
                                                        
                                                            A
                                                            |
                                                            
                                                                
                                                                    S
                                                                    t
                                                                    r
                                                                
                                                                
                                                                    i
                                                                
                                                            
                                                        
                                                    
                                                     
                                                    <
                                                    x
                                                
                                            
                                        
                                    
                                
                                
                                    m
                                
                            
                            >
                            0,95
                        
                    
                
            		
____________________________________________________
wherein:
                
                    I
                
             is an indicator function; and
                
                    m
                
             is a number of entries in the strings table.”

Applicant’s specific methods of determining string anomalies is not taught by conventional means.  Applicant’s calculated threshold uses a precise method which helps to narrow down anomalies and is not an obvious method.  As a result theses claims are in condition for Allowance.
Claim 21 is directed towards a method of predicting potential anomalies.  A thorough search was conducted on 6/8/2021 and the closest prior art Baughmann et al (US 20180077120) in view of Meshi et al. (US 2018/0069883) and of Lim (US 2017/0228658), which a generally directed towards determining malicious strings, fails to teach the claimed limitations of claim 21.  Specifically, they fail to teach “: determining, at the service infrastructure, that an anomaly has occurred at a detection time in relation to an impacted domain; accessing an anomalies table, each entry of the anomalies table including a name of a domain in which an anomaly has been detected in the timeframe of interest and a corresponding anomaly time; when an anomalies table entry exists for the impacted domain, updating the corresponding anomaly time in the anomalies table entry with the detection time; and when no anomalies table entry exists for the impacted domain: creating a new anomalies table entry for the impacted domain, the new anomalies table entry including the name of the impacted domain and the detection time, extracting from the domains table a list of character strings associated with the impacted domain, incrementing, in the strings table, for each character string of the list of character strings associated with the impacted domain, a number of domains that are associated with that character string and in which there has been an anomaly in the timeframe of interest, and decrementing, in the strings table, for each character string of the list of character strings associated with the impacted domain, a number of domains that are associated with that character string and in which there has been no anomaly in the timeframe of interest.”  The steps used in claim 21, is a novel way of determining malicious anomalies when compared to the conventional methods.  Conventional methods, use a combination of string comparisons with whitelists and blacklists to determine maliciousness.  However, the limitations stated above provide a new novel way to determine malicious anomalies.  Claim 22 is directed to a similar system, associated with the method of claim 21 respectively.  As a result claims 21 and 22, are in condition for Allowance.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached Mon- Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

RODERICK . TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439