DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is the responsive to the communication filed on 05/23/2022.

Response to Arguments
Applicant’s arguments with respect to claim(s) 1-8 under 35 USC 103(a) for rejected claims have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

 	Applicant argued on the page 7 of the remark that Wei does not disclose the claim recitation regarding "taking a tally of number of different requesting user terminals.
 	Examiner respectfully disagrees, However, Wei discloses, par 0018 IP address, cookie contents, HTTP header field-setting identifier, requested data contents (e.g., data contents that a user terminal requests via the GET function), par 0029, the hummock module counts, i.e. tally, the number of times that IP address, i.e. terminal, within a certain duration. Thus, it can be seen as Wei terminal requests .i.e. different requests, have been counted. 
  	Applicant also conceded that Modrall appears to describe taking tallies of numbers of access requests sent from a single client, not a plurality of different requesting user terminals, to two servers.
  	Examiner respectfully disagrees. Wei discloses the counting the multiple requests and Modrall discloses taking tallies of numbers of access requests sent from a single client. Wei’s multiple requests can be equal to the access requests of the single client. So Modrall can tally the different requests. 
 	
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of counting the multiple requests of Wei  and modifying with Modrall taking tallies of numbers of access requests, because doing so would provide total number of tally to improve the communication tally.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.




Claims 1-8 are rejected under 35 U.S.C. 103 as being unpatentable over  Wei et al 2011/0179467 in view of Modrall US 7,716340 in view of Chipalkatti et al US 2008/0318616.

 	As per claim 1, Wei discloses a log analysis apparatus comprising: a memory; and a processor coupled to the memory, the processor configured to execute a process comprising: 
 	firstly extracting a parameter from an access log pertaining to a request issued from a user terminal to a server ( par 0041 analytic information extracted from the access request to an analysis server for analysis), learning an appearance frequency of the parameter, and storing a learning result in a storage unit as a profile ( par 0003  This analysis includes keeping track of the access frequency for each received IP address and determining whether the corresponding user terminal is a malicious access terminal based on this information and 0022 s data contents in the analytic information and under what circumstances (including the frequency of the data's occurrence and its parameter values) are the data contents deemed to be normal parameters or abnormal parameters of the analytic information); 
 	secondly extracting a parameter from an access log under analysis, acquiring a similarity by comparing the parameter with the parameter included in the profile stored in the storage unit, and  firstly determining an access in the access log under analysis as an attack when the similarity is lower than a threshold (0040] Step 208: it is determined whether the frequency of access by the user is greater than a predetermined frequency. If it is determined that the frequency is not greater than the predetermined frequency, then control passes to Step 210. If it is determined that the frequency is greater than the predetermined frequency, then control passes to Step 212. ); and 
 	user terminals, for each parameter, among access logs under analysis having a similarity lower than the threshold, and  secondly determining, when there is any parameter for which the number of such different user terminals is equal to or higher than a threshold, to re-learn the parameter (par 0049  [0049] Fourth step: The analysis server determines, in accordance with the cookie contents identified in every access request received (e.g., within a certain duration of time), whether the number of identified cookie contents has reached a threshold value. If the threshold value has been reached, then it is probable that the user terminal that sent the access request containing the same cookie contents is a malicious access terminal, and the fifth step is performed. Otherwise, it determines that the user terminal is not a malicious access terminal and returns to the second step( re-learning ) and 0042] Step 212: it is determined whether to intercept the access request from the user based at least in part on the analysis result. In various embodiments, the network server has interception information that identifies malicious access terminals. In various embodiments, the interception information is based/derived from the analysis results. In some embodiments, the network server will compare the access request against its interception information (e.g., check whether an identifier associated with the user is found among the interception information/malicious access terminals). If a match of (e.g., an identifier of) the access request is found among the interception information, then then control passes to Step 214. Otherwise, if a match of the access request is not found among the interception information, then control passes to Step 210).  
 	Wei does not disclose taking a tally of number of different requesting user terminals.
  	However, Modrall disclose taking a tally of number of different requesting user terminals (col 1, lines 47-55  The first tally includes identification information of the client and a first number of access requests sent from the client to the first server, and the second tally includes the identification information of the client and a second number of access requests sent from the client to the second server. The first and second tallies are collated to determine a total number of access requests made by the client).

 	 Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of determining the frequency access request from the terminal device of Wei, based on the teaching of tally the IP address of access request of the terminal of Modrall, because doing so would identify the malicious terminal.
 	The combination does not disclose taking a tally of number of a plurality of different requesting user terminals.
 	However, Chipalkatti discloses taking a tally of number of a plurality of different requesting user terminals (par 0027 server 212 may provide tracking, accounting, managing, operating, itemizing, tallying, and/or billing services for devices 202, 204, and 206, wherein the server 212 taking tally the different devices).
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of determining the frequency access request from the terminal device of Wei, based on the teaching of tally the IP address of access request of the terminal of Modrall, based on the teaching of talling the multiple devices of Chipalkatti, because doing so would provide total number of device in the engaged in the communication and also identify the device for authentication in the communication.


 	 As per claim 2, Wei in view of Modrall in view of Chipalkatti discloses the log analysis apparatus according to claim 1, Wei discloses wherein the process further comprises  thirdly extracting a common part of parameters included in accesses determined as attacks, and generating an attack pattern based on the common part (par 0014 the interception information includes a list of malicious access terminals and identifying attribute information on the malicious access terminals. The attribute information may include, but is not limited to, terminal identifiers, IP address, cookie contents, HTTP header field-setting identifiers, and/or one or more combinations of GET data contents and POST data content).  

 	As per claim 3,  Wei in view of Modrall in view of Chipalkatti discloses the log analysis apparatus according to claim 1, Wei discloses wherein the firstly extracting extracts a parameter from the access log, and abstracts the extracted parameter, and the learning learns an appearance frequency of the abstracted parameter ( par 0022 which data contents from the identified access requests are used as data contents in the analytic information and under what circumstances (including the frequency of the data's occurrence and its parameter values) are the data contents deemed to be normal parameters or abnormal parameters of the analytic information).  

 	As per claim 4, Wei in view of Modrall in view of Chipalkatti discloses the log analysis apparatus according to claim 1, Wei wherein the learning learns an appearance frequency of each parameter, and deletes a parameter with an appearance frequency equal to or lower than a predetermined threshold from the profile (0040] Step 208: it is determined whether the frequency of access by the user is greater than a predetermined frequency. If it is determined that the frequency is not greater than the predetermined frequency, then control passes to Step 210. If it is determined that the frequency is greater than the predetermined frequency, then control passes to Step 212 ).  

 	As per claim 5, Wei in view of Modrall in view of Chipalkatti discloses the log analysis apparatus according to claim 1, Mordrall disclose wherein  the taking takes a tally of number of different requesting user terminals, for each parameter included in an access log including a plurality of requests that are issued consecutively within a time period (col 2, lines 17-29   The first server may record, in a least-frequently-recently used (LFRU) queue, a tally associated with the client and send the tally to the third server. Collating the first and second tallies may include adding the first number of requests to the second number of requests. The first number of requests may be subtracted from the total number of requests if no further tallies associated with the client are received from the first server within an expiration period and the first server may send a tally associated with the client if the client requests access to the first server. The dynamic blocking instruction may be deleted from the configuration file if the total number of access requests minus the first number of requests is below the predefined threshold), and
  a time interval between which is shorter than a threshold, among the access logs under analysis having a similarity lower than the threshold, and  the secondly determining determines, when there is any parameter for which the number of such different user terminals is equal to or higher than a threshold, to re-learn the parameter ( col 5, lines 37-55  Request queue 32 has a fixed size and is therefore limited in how many IP addresses it can record. Request queue 32 deletes existing entries of clients based on both the frequency of requests made by the clients to server 14a and the amount of time that passes before the clients send requests to server 14a. This type of deletion scheme is referred to as a least-recently-frequently used (LRFU) deletion scheme. For example, the collated log file 36 may delete an entry for client 12 if client 12 fails to make a request within a certain time period (e.g. thirty minutes) and if the tally of requests recorded for client 12 is below a given threshold (e.g., five requests). Request queue 32 applies the LRFU queuing mechanism so that the most active clients (i.e., the clients making the most requests over a given time period) filter to the top of request queue 32. The most active clients are of the most interest as they are the most indicative of suspicious behavior. In aggregating the dynamic tallies from the request queues of all the servers in server farm 14, mid-tier server 16 makes the larger determination of which clients are engaged in wholesale pernicious activity.).  

 	As per claim 6, Wei in view of Modrall in view of Chipalkatti discloses the log analysis apparatus according to claim 2, Wei discloses wherein the process further comprises thirdly determining whether a parameter included in an access that is determined as an attack matches an attack pattern having been already generated (par 0043  if the network server determines that the user terminal is found among the interception information, then it will intercept the access request and all subsequent access requests sent by the same user terminal and 0047] Second step: The network server analyzes the received access request and compares the identified cookie contents (e.g., extracted by the network server) in the access request with cookie contents in the interception information. If the identified cookie contents match cookie contents in the interception information, it means that these cookie contents are from an access request sent by a malicious access terminal. When the user terminal is determined to be a malicious access terminal, the network server intercepts the access request ), and deleting the parameter of the access determined as an attack when the parameter is determined to match  (par 0022 analysis server 12 analyzes the analytic information (e.g., obtain via one of the aforementioned methods) according to preset decision principles for determining when a user terminal is a malicious access terminal. Examples of preset decision principles include, but are not limited to, which data contents from the identified access requests are used as data contents in the analytic information and under what circumstances (including the frequency of the data's occurrence and its parameter values) are the data contents deemed to be normal parameters or abnormal parameters of the analytic information).  

 	As per claim 7, Wei discloses  a log analysis method executed by a log analysis apparatus, the log analysis method comprising: 
 	a learning process ( par 0041 an analysis server ) for extracting a parameter from an access log pertaining to a request issued from a user terminal to a server (par 0041 analytic information extracted from the access request to an analysis server for analysis ), learning an appearance frequency of the parameter, and storing a learning result in a storage unit as a profile(par 0003  This analysis includes keeping track of the access frequency for each received IP address and determining whether the corresponding user terminal is a malicious access terminal based on this information and 0022 s data contents in the analytic information and under what circumstances (including the frequency of the data's occurrence and its parameter values) are the data contents deemed to be normal parameters or abnormal parameters of the analytic information ); 
an analyzing process (par 0041 an analysis server) for extracting a parameter from an access log under analysis, acquiring a similarity by comparing the parameter with the parameter included in the profile stored in the storage unit (par 0003  This analysis includes keeping track of the access frequency for each received IP address and determining whether the corresponding user terminal is a malicious access terminal based on this information ), and determining an access in the access log under analysis as an attack when the similarity is lower than a threshold ( 0022 s data contents in the analytic information and under what circumstances (including the frequency of the data's occurrence and its parameter values) are the data contents deemed to be normal parameters or abnormal parameters of the analytic information); and 
a re-learning requirement determining process ( par 0049 the second step( re-learning ) ) for taking requesting user terminals, for each parameter, among access logs under analysis having a similarity lower than the threshold (0040] Step 208: it is determined whether the frequency of access by the user is greater than a predetermined frequency. If it is determined that the frequency is not greater than the predetermined frequency, then control passes to Step 210. If it is determined that the frequency is greater than the predetermined frequency, then control passes to Step 212 ), and determining, when there is any parameter for which the number of such different user terminals is equal to or higher than a threshold, to re-learn the parameter ( par 0049  [0049] Fourth step: The analysis server determines, in accordance with the cookie contents identified in every access request received (e.g., within a certain duration of time), whether the number of identified cookie contents has reached a threshold value. If the threshold value has been reached, then it is probable that the user terminal that sent the access request containing the same cookie contents is a malicious access terminal, and the fifth step is performed. Otherwise, it determines that the user terminal is not a malicious access terminal and returns to the second step( re-learning )).  

 	Wei does not disclose taking a tally of number of different requesting user terminals.
  	However, Modrall disclose taking a tally of number of different requesting user terminals (col 1, lines 47-55  The first tally includes identification information of the client and a first number of access requests sent from the client to the first server, and the second tally includes the identification information of the client and a second number of access requests sent from the client to the second server. The first and second tallies are collated to determine a total number of access requests made by the client).

 	 Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of determining the frequency access request from the terminal device of Wei, based on the teaching of tally the IP address of access request of the terminal of Modrall, because doing so would identify the malicious terminal.
 	The combination does not disclose taking a tally of number of a plurality of different requesting user terminals.
 	However, Chipalkatti discloses taking a tally of number of a plurality of different requesting user terminals (par 0027 server 212 may provide tracking, accounting, managing, operating, itemizing, tallying, and/or billing services for devices 202, 204, and 206, wherein the server 212 taking tally the different devices).
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of determining the frequency access request from the terminal device of Wei, based on the teaching of tally the IP address of access request of the terminal of Modrall, based on the teaching of talling the multiple devices of Chipalkatti, because doing so would provide total number of device in the engaged in the communication and also identify the device for authentication in the communication.



 	As per claim 8, Wei discloses  A non-transitory computer-readable recording medium having stored therein a log analysis program that causes a computer to execute a process comprising:  
 	firstly extracting a parameter from an access log pertaining to a request issued from a user terminal to a server ( par 0041 analytic information extracted from the access request to an analysis server for analysis), learning an appearance frequency of the parameter, and storing a learning result in a storage unit as a profile ( par 0003  This analysis includes keeping track of the access frequency for each received IP address and determining whether the corresponding user terminal is a malicious access terminal based on this information and 0022 s data contents in the analytic information and under what circumstances (including the frequency of the data's occurrence and its parameter values) are the data contents deemed to be normal parameters or abnormal parameters of the analytic information); 
 	secondly extracting a parameter from an access log under analysis, acquiring a similarity by comparing the parameter with the parameter included in the profile stored in the storage unit, and  firstly determining an access in the access log under analysis as an attack when the similarity is lower than a threshold (0040] Step 208: it is determined whether the frequency of access by the user is greater than a predetermined frequency. If it is determined that the frequency is not greater than the predetermined frequency, then control passes to Step 210. If it is determined that the frequency is greater than the predetermined frequency, then control passes to Step 212. ); and 
 	user terminals, for each parameter, among access logs under analysis having a similarity lower than the threshold, and  secondly determining, when there is any parameter for which the number of such different user terminals is equal to or higher than a threshold, to re-learn the parameter (par 0049  [0049] Fourth step: The analysis server determines, in accordance with the cookie contents identified in every access request received (e.g., within a certain duration of time), whether the number of identified cookie contents has reached a threshold value. If the threshold value has been reached, then it is probable that the user terminal that sent the access request containing the same cookie contents is a malicious access terminal, and the fifth step is performed. Otherwise, it determines that the user terminal is not a malicious access terminal and returns to the second step( re-learning ) and 0042] Step 212: it is determined whether to intercept the access request from the user based at least in part on the analysis result. In various embodiments, the network server has interception information that identifies malicious access terminals. In various embodiments, the interception information is based/derived from the analysis results. In some embodiments, the network server will compare the access request against its interception information (e.g., check whether an identifier associated with the user is found among the interception information/malicious access terminals). If a match of (e.g., an identifier of) the access request is found among the interception information, then then control passes to Step 214. Otherwise, if a match of the access request is not found among the interception information, then control passes to Step 210).  
 	Wei does not disclose taking a tally of number of different requesting user terminals.
  	However, Modrall disclose taking a tally of number of different requesting user terminals (col 1, lines 47-55  The first tally includes identification information of the client and a first number of access requests sent from the client to the first server, and the second tally includes the identification information of the client and a second number of access requests sent from the client to the second server. The first and second tallies are collated to determine a total number of access requests made by the client).
 Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of determining the frequency access request from the terminal device of Wei, based on the teaching of tally the IP address of access request of the terminal of Modrall, because doing so would identify the malicious terminal.
 	
 	The combination does not disclose taking a tally of number of a plurality of different requesting user terminals.
 	However, Chipalkatti discloses taking a tally of number of a plurality of different requesting user terminals (par 0027 server 212 may provide tracking, accounting, managing, operating, itemizing, tallying, and/or billing services for devices 202, 204, and 206, wherein the server 212 taking tally the different devices).
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying a method of determining the frequency access request from the terminal device of Wei, based on the teaching of tally the IP address of access request of the terminal of Modrall, based on the teaching of talling the multiple devices of Chipalkatti, because doing so would provide total number of device in the engaged in the communication and also identify the device for authentication in the communication.



Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABU S SHOLEMAN whose telephone number is (571)270-7314. The examiner can normally be reached EST: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JORGE ORTIZ CRIADO can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ABU S SHOLEMAN/Primary Examiner, Art Unit 2496