Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This office action is in response to the communication filed on 12/19/2019.
Claims 1-18, 22, and 23 have been examined.


Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/19/2019 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Specification
Applicant is reminded of the proper language and format for an abstract of the disclosure.

The abstract should be in narrative form and generally limited to a single paragraph on a separate sheet within the range of 50 to 150 words.  The form and legal phraseology often used in patent claims, such as "means" and "said," should be avoided.  The abstract should describe the disclosure sufficiently to assist readers in deciding whether there is a need for consulting the full patent text for details.

The language should be clear and concise and should not repeat information given in the title.  It should avoid using phrases which can be implied, such as, "The disclosure concerns," "The disclosure defined by this invention," "The disclosure describes," etc.

The abstract of the disclosure is objected to because it contains phrases which can be implied (e.g. “the purpose of the present invention is to provide”).  Correction is required.  See MPEP § 608.01(b).

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-17, 22, and 23 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Apostolescu et al. (US Patent Application Publication Number 2016/0277423).
Regarding claim 1, Apostolescu disclosed an analysis device comprising: a memory storing instructions (Apostolescu Fig. 7 and Paragraphs 0103-0109); and one or more processors configured to execute the instructions (Apostolescu Fig. 7 and Paragraphs 0103-0109) to: 
be able to, 
by use of a first feature value extracted from a first log entry being a log entry in which information indicating an action of a software program is recorded and a second feature value being different from the first feature value and being extracted from one or more second log entries being log entries, generate feature information related to the first log entry (Apostolescu Paragraphs 0042-0097 for example extracting the behaviors from the execution traces into a list); and 
by use of learning data including one or more sets of the feature information related to the first log entry and importance level information indicating an importance level assigned to the first log entry, generate an analysis model capable of determining an importance level related to another log entry (Apostolescu Paragraphs 0042-0097 for example determines the importance level of the behaviors and uses the behaviors and their importance level to generate and modify the model).  
(Note that any general purpose device with a CPU and memory can “be able to” perform the claimed steps and would also read on the claim language).
Regarding claim 22, Apostolescu disclosed a log analysis method comprising: 
by use of a first feature value extracted from a first log entry being a log entry in which information indicating an action of a software program is recorded and a second feature value being different from the first feature value and being extracted from one or more second log entries being log entries, generating feature information related to the first log entry (Apostolescu Paragraphs 0042-0097 for example extracting the behaviors from the execution traces into a list); and 
by use of learning data including one or more sets of the feature information related to the first log entry and importance level information indicating an importance level assigned to the first log entry, generating an analysis model capable of determining an importance level related to another log entry (Apostolescu Paragraphs 0042-0097 for example determines the importance level of the behaviors and uses the behaviors and their importance level to generate and modify the model).
Regarding claim 23, Apostolescu disclosed a non-transitory recording medium having an analysis program recorded thereon, the analysis program causing a computer to execute: 
processing of, by use of a first feature value extracted from a first log entry being a log entry in which information indicating an action of a software program is recorded and a second feature value being different from the first feature value and being extracted from one or more second log entries being log entries, generating feature information related to the first log entry (Apostolescu Paragraphs 0042-0097 for example extracting the behaviors from the execution traces into a list); and 
processing of, by use of learning data including one or more sets of the feature information related to the first log entry and importance level information indicating an importance level assigned to the first log entry, generating an analysis model capable of determining an importance level related to another log entry (Apostolescu Paragraphs 0042-0097 for example determines the importance level of the behaviors and uses the behaviors and their importance level to generate and modify the model).

Regarding claim 2, Apostolescu disclosed that the one or more processors are further configured to execute the instructions to extract, as the second feature value, context information being information generated by counting pieces of information respectively recorded in the second log entries (Apostolescu Paragraph 0032 for example).
Regarding claim 3, Apostolescu disclosed that a log type allowing identification of a type of processing concerning which the log entry is recorded is recorded in the log entry (Apostolescu Paragraphs 0042-0097 for example), and, the one or more processors are further configured to execute the instructions to, by use of information recorded in all the second log entries recorded with respect to the software program, generate the context information by calculating one or more of: information related to a number of the second log entries for each process executed in an execution of the software program; information indicating a histogram in which a number of the second log entries is totalized for each of the log types; and information related to a number of resources accessed in an execution of the software program, the number being totalized for each of the log types (Apostolescu Paragraph 0032 for example).
Regarding claim 4, Apostolescu disclosed that a log type allowing identification of a type of processing concerning which the log entry is recorded is recorded in the log entry (Apostolescu Paragraphs 0042-0097 for example), and, the one or more processors are further configured to execute the instructions to, by use of information recorded in a plurality of the second log entries recorded with respect to the same process as a process in which the first log entry is recorded, generate the context information by calculating one or more of: information indicating a histogram in which a number of the second log entries is totalized for each of the log types; information related to a number of resources accessed in an execution of the software program, the number being totalized for each of the log types; and information related to a ratio between a total number of the log entries recorded in an execution of the software program and a total number of the second log entries recorded with respect to the same process as a process in which the first log entry is recorded (Apostolescu Paragraph 0032 for example).
Regarding claim 5, Apostolescu disclosed a log type allowing identification of a type of processing concerning which the log entry is recorded is recorded in the log entry (Apostolescu Paragraphs 0042-0097 for example), and, the one or more processors are further configured to execute the instructions to, by use of information recorded in a plurality of the second log entries recorded within a specific range in a time series from a timing at which the first log entry is recorded, generate the context information by calculating one or more of: information indicating a histogram in which a number of the second log entries is totalized for each of the log types; and information related to a ratio between a total number of the plurality of the second log entries recorded within the specific range in the time series from the timing at which the first log entry is recorded and a total number of the second log entries recorded with respect to the same process as the first log entry out of the plurality of the second log entries recorded within the specific range in the time series from the timing at which the first log entry is recorded (Apostolescu Paragraph 0032 for example).
Regarding claim 6, Apostolescu disclosed that the one or more processors are further configured to execute the instructions to extract, as the second feature value, context information being information generated by use of a feature value extracted from information recorded in each of the second log entries (Apostolescu Paragraph 0032 for example).
Regarding claim 7, Apostolescu disclosed that the one or more processors are further configured to execute the instructions to: extract a feature value similar to the first feature value for the first log entry from each of the second log entries and generate the second feature value by use of the feature value extracted from each of the second log entries (Apostolescu Paragraph 0032 for example).
Regarding claim 8, Apostolescu disclosed that the one or more processors are further configured to execute the instructions to: extract the first feature value from data expressing, by use of at least either of a character string and a numerical value, information recorded in the first log entry, and generate integrated data by integrating data expressing, by use of at least either of a character string and a numerical value, information recorded in the second log entry for all the second log entries and generate the second feature value by extracting, from the integrated data, a feature value similar to the first feature value for the first log entry (Apostolescu Paragraphs 0032 and 0052 for example).
Regarding claim 9, Apostolescu disclosed that the one or more processors are further configured to execute the instructions to extract the second feature value from summary information indicating a result of analyzing the action of the software program by an analysis device capable of analyzing the action of the software program (Apostolescu Paragraph 0032 for example).
Regarding claim 10, Apostolescu disclosed that the one or more processors are further configured to execute the instructions to extract, as the second feature value, information being included in the summary information and indicating whether or not the software program executes one or more specific activities (Apostolescu Paragraph 0032 for example).
Regarding claim 11, Apostolescu disclosed that the one or more processors are further configured to execute the instructions to: acquire, from an information source, information related to information recorded in the first log entry, as external context information, extract a third feature value, based on external context information, and generate the feature information related to the first log entry by use of at least either of the second feature value and the third feature value, and the first feature value (Apostolescu Paragraph 0039 for example).
Regarding claim 12, Apostolescu disclosed that the one or more processors are further configured to execute the instructions to collect, from the information source, information indicating a security-related reputation of a resource accessed in an execution process of the software program, as the external context information (Apostolescu Paragraphs 0039 and 0051-0055 for example).
Regarding claim 13, Apostolescu disclosed that the one or more processors are further configured to execute the instructions to, when access to a file is recorded in the first log entry, acquire, from the information source, one or more of: information indicating whether or not the file is a file detected as malware; information indicating an acquisition count of the file; and information indicating a confidence level of the file, as the external context information (Apostolescu Paragraph 0039 for example).
Regarding claim 14, Apostolescu disclosed that the one or more processors are further configured to execute the instructions to, when access to a registry is recorded in the first log entry, acquire, from the information source, information indicating whether or not the registry is accessed by malware, as the external context information (Apostolescu Paragraphs 0018-0026, 0034, and 0039 for example).
Regarding claim 15, Apostolescu disclosed that the one or more processors are further configured to execute the instructions to, when a communication to a communication destination is recorded in the first log entry, acquire, from the information source, information indicating a security-related reputation of the communication destination, as the external context information (Apostolescu Paragraphs 0039 and 0051-0055 for example).
Regarding claim 16, Apostolescu disclosed that a log type allowing identification of a type of processing concerning which the log entry is recorded is recorded in the log entry (Apostolescu Paragraphs 0042-0097 for example), and the one or more processors are further configured to execute the instructions to individually generate the analysis model for each of the log types by use of the feature information generated for the log entry corresponding to each of the log types (Apostolescu Paragraphs 0042-0097 for example).
Regarding claim 17, Apostolescu disclosed that the one or more processors are further configured to execute the instructions to: calculate an importance level related to the log entry by use of the analysis model (Apostolescu Paragraphs 0042-0097 for example); and generate a user interface allowing control of a display method of the log entry, based on an importance level calculated for the log entry (Apostolescu Paragraph 0098 for example).
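The feature generation and model training that the rejected claims recite (the first and second feature values of claim 1, the context information of claims 3-5, and the importance level of claim 17), worked through as an added example. This code is not part of the office action, the application, or Apostolescu; the log entries, importance labels and feature choices are constructed for illustration, and the logistic-regression "analysis model" is one plausible stand-in for whatever model the application describes.

```python
from collections import Counter, defaultdict
from math import exp

# Constructed sample run: one log entry per recorded action of the analysed
# program (pid 100) and a helper process (pid 200). Values are invented for
# this illustration, not taken from the office action or Apostolescu.
LOG = [
    {"ts": 0, "pid": 100, "type": "process",  "resource": "sample.exe"},
    {"ts": 1, "pid": 100, "type": "file",     "resource": "C:/Users/x/doc.txt"},
    {"ts": 2, "pid": 100, "type": "file",     "resource": "C:/Users/x/doc.txt"},
    {"ts": 3, "pid": 100, "type": "registry", "resource": "HKCU/Run"},
    {"ts": 4, "pid": 100, "type": "network",  "resource": "203.0.113.5:443"},
    {"ts": 5, "pid": 100, "type": "network",  "resource": "203.0.113.5:443"},
    {"ts": 6, "pid": 200, "type": "process",  "resource": "helper.exe"},
    {"ts": 7, "pid": 200, "type": "file",     "resource": "C:/Temp/a.tmp"},
    {"ts": 8, "pid": 200, "type": "file",     "resource": "C:/Temp/b.tmp"},
    {"ts": 9, "pid": 200, "type": "network",  "resource": "198.51.100.7:80"},
]

def histogram_by_type(entries):
    """Number of entries totalled for each log type (claims 3-5)."""
    return dict(Counter(e["type"] for e in entries))

def resources_by_type(entries):
    """Distinct resources accessed, totalled for each log type (claims 3-4)."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["type"]].add(e["resource"])
    return {t: len(r) for t, r in seen.items()}

def context_all(entries):
    """Claim 3: context information from every second log entry of the run."""
    return {
        "entries_per_process": dict(Counter(e["pid"] for e in entries)),
        "hist": histogram_by_type(entries),
        "resources": resources_by_type(entries),
    }

def context_same_process(first, entries):
    """Claim 4: context from the second log entries of the same process as `first`."""
    same = [e for e in entries if e["pid"] == first["pid"] and e is not first]
    return {
        "hist": histogram_by_type(same),
        "resources": resources_by_type(same),
        # total entries of the run relative to the same-process second entries
        "ratio": len(entries) / len(same) if same else 0.0,
    }

def context_window(first, entries, span):
    """Claim 5: context from second log entries within `span` time units of `first`."""
    window = [e for e in entries
              if e is not first and first["ts"] <= e["ts"] <= first["ts"] + span]
    same = [e for e in window if e["pid"] == first["pid"]]
    return {"hist": histogram_by_type(window),
            "ratio": len(window) / len(same) if same else 0.0}

FEATURE_ORDER = ("is_network", "registry_in_process", "ratio_same_process")

def feature_info(first, entries):
    """Claim 1: the first feature value (from the entry itself) combined with
    second feature values (context computed from the other entries)."""
    ctx = context_same_process(first, entries)
    return {
        "is_network": 1.0 if first["type"] == "network" else 0.0,
        "registry_in_process": 1.0 if ctx["hist"].get("registry", 0) else 0.0,
        "ratio_same_process": ctx["ratio"],
    }

def _sigmoid(w, b, x):
    return 1.0 / (1.0 + exp(-(sum(wi * xi for wi, xi in zip(w, x)) + b)))

def train_model(learning_data, steps=5000, lr=0.3):
    """Fit a logistic-regression analysis model by batch gradient descent on
    (feature_info, importance) pairs; importance is 1.0 (important) or 0.0."""
    rows = [([f[k] for k in FEATURE_ORDER], y) for f, y in learning_data]
    w, b = [0.0] * len(FEATURE_ORDER), 0.0
    for _ in range(steps):
        gw, gb = [0.0] * len(w), 0.0
        for x, y in rows:
            err = _sigmoid(w, b, x) - y
            gw = [g + err * xi for g, xi in zip(gw, x)]
            gb += err
        w = [wi - lr * g / len(rows) for wi, g in zip(w, gw)]
        b -= lr * gb / len(rows)
    return w, b

def importance(model, first, entries):
    """Importance level (0..1) of `first` under the trained model (claim 17)."""
    w, b = model
    f = feature_info(first, entries)
    return _sigmoid(w, b, [f[k] for k in FEATURE_ORDER])

# Constructed importance labels: an analyst marked the two network entries that
# follow the Run-key write in pid 100 as important and everything else as not.
LEARNING_DATA = [(feature_info(e, LOG), 1.0 if i in (4, 5) else 0.0)
                 for i, e in enumerate(LOG)]
MODEL = train_model(LEARNING_DATA)
```

The point of the context features is that the same kind of entry (a network connection) scores differently depending on what else its process did: `importance(MODEL, LOG[4], LOG)` is above 0.5 because pid 100 also wrote a Run key, while the helper process's connection `LOG[9]` stays below it. Comparing that score against a configurable threshold is the display control the claim 18 discussion below describes.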

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Apostolescu.
While Apostolescu taught determining whether a file is a threat or not (i.e. important or not important), Apostolescu did not explicitly teach generating the user interface including a control element allowing setting of a threshold indicating an importance level of the displayed log entry, and the user interface displays the log entry whose importance level is calculated to be equal to or greater than the threshold and the log entry whose importance level is calculated to be less than the threshold, by use of display methods different from each other (although text saying malicious is a different display method than text saying benign).
However, it was well known in the art of malware detection before the effective filing date of the invention that determinations of malware were made based on a threshold level of certainty configurable by a user, and it was further well known when displaying indications of malware or not to display indications of malware differently than indications of a file being benign, such as using different colors.  As such, it would have been obvious to the person having ordinary skill in the art before the effective filing date of the invention to have employed these well known features of malware determination and alerting in the malware detection system of Apostolescu. This would have been obvious because the person having ordinary skill in the art would have been motivated to provide a known means for adjusting the level of false positive vs false negative indications, as well as to provide a known means for presenting malware indications to the user.


Conclusion
Claims 1-18, 22 and 23 have been rejected.
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 2014/0337862 taught a log analysis system for analyzing logs to train a malware detection model including extracting various features from behavior logs and using the features to train the model.
US 2018/0324193 taught a system for detecting malicious behavior including extraction of features and their importance values and using the extracted features and importance values to train a model for detecting malware.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHEW T HENNING whose telephone number is (571)272-3790. The examiner can normally be reached Monday-Thursday 9AM-5PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MATTHEW T HENNING/            Primary Examiner, Art Unit 2491