DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

1.	This communication is in response to amendments filed on 06/14/2022.
	Claims 1 and 13 have been amended, claim 12 has been cancelled, and claim 7 was previously cancelled.
	Claims 1-6, 8-11 and 13 remain pending.


Claim Rejections - 35 USC § 101

2.	Applicant’s cancellation of claim 12 obviates the previously rejection of claim 12 under 35 U.S.C. 101, and therefore the rejection is hereby withdrawn.


Response to Arguments

3.	Applicant's arguments asserting that the Collazo reference does not disclose collecting user information based on pre-defined user input (trigger log) as amended in independent claims 1 and 13 have been fully considered but they are not persuasive. 
	Specifically, it is first noted that the amended limitation specifying that the trigger log is based on a pre-set user input from the user terminal is associated with the detecting log data limitation, not the collecting limitation, as argued by Applicant. Applicant’s basis for asserting that Collazo does not teach the newly added limitation is that Collazo discloses collecting all information associated with a user behavior session, however it is submitted that the claim language similarly recites collecting log data corresponding to behavior performed by the user terminal in the session in real time from the web server as the log data is generated by the web server, without any limitation on which log data of the session is being collected. The amended claims now specify that the detecting of log data corresponding to a trigger log is based on a pre-set user input from the user terminal. It is submitted that the teachings of Collazo corresponding to the detecting of log data corresponding to a trigger log is also based on pre-set user input from the user terminal. This is supported throughout the specification. For example, paragraph [0009] discloses real-time analysis of behavior patterns in relation to threat signatures and expressly recites that functional user behavior may include a timestamped user click on a button, text input in a form field, and sequence of pages visited by the user. Paragraphs [0016] and [0017] teach tracking mouse movements and clicks on a web during a user behavior session. Paragraphs [0050]-[0053], [0067], and [0071] provide additional support for tracking functional user behavior during a session including a web page or screen sequence navigated by the user, user clicks, and text inputs, and tagging the functional behavior by context, with paragraph [0053] expressly disclosing that the behavior analysis engine tracks and stores a predefined set of various kinds of functional behavior. It is evident that detected triggers in Collazo are based on input from the user terminal corresponding to a predefined, or pre-set, set of various behavior. Similarly to the claimed invention, Collazo subsequently extracts these continually updated behavior patterns including triggers which are based on predefined user input behavior in order to perform pattern analysis in real-time during the session. It is submitted that the pre-set user input from the user terminal in the claims corresponds with the click or text user input analyzed in Collazo correlating with the predefined set of various kinds of functional user behavior and threat signatures disclosed in Collazo.
	It is therefore submitted that the teachings of Collazo, in view of Martin, are within the scope of the broadest reasonable interpretation of each and every limitation of amended independent claims 1 and 13, and the rejection is therefore maintained.


Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

4.	Claims 1-6, 11, and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Collazo (US 2010/0299292) in view of Martha et al. (US 2016/0212231).

Regarding claim 1, Collazo teaches a method for analyzing an online behavior of a user accessing a web server through a user terminal, the method comprising: 
collecting, when the user terminal accesses the web server and forms a session (Client 208 and client 212 may be configured to establish a user behavior session, user behavior session 210 and user behavior session 214 respectively, [0049]), log data corresponding to a behavior performed by the user terminal in the session in real time from the web server as the log data is generated by the web server (Web server 204 and/or web server 206 may use network 202 to communicate data about functional user behavior to the behavior analysis engine 216. In some embodiments, the data about functional user behavior is captured on the server-side, [0047]; The information captured by server object 224 (or a client-side script) may be communicated to behavior analysis engine 216 over network 202, [0052]; As user 402 is using the application, qualitative and/or quantitative information about the functional user behavior is collected in step 404, as described in relation to server object 224, and behavior analysis engine 216, [0071]); 
detecting log data corresponding to a trigger log among the log data (The information that security system 200 keeps track of during a user behavior session may include a web page or screen sequence navigated by the user, along with the time intervals associated with each page. Other information about functional user behavior may include input in web pages, screens, or forms of the application. Other examples may include timestamped user clicks or touch strokes within a web page or screen of the application. The functional user behavior may be processed and tagged by the context of the behavior, [0050]; User clicks, navigation to a different web page, activating a script or program to send a communication, or any other suitable user activity, may be functional user behavior tracked and monitored by behavior analysis engine 216. Clicks on a button that activates script, program, or sends a request, may be a potential vulnerability which attackers may use repetitively to slow down the server and perform a denial of service attack, [0067]), wherein the trigger log is based on a pre-set user input from the user terminal (real-time analysis and correlation of behavior patterns (e.g., in a browser session) in relation to other behavior patterns of the application, threat signatures, and overall usage of the web application, [0009]; track user clicks and or text input or any functional user behavior. The behavior tracker script and behavior analysis engine 216 may be configured to track and store a predefined set of various kinds of functional user behaviors, [0053]); 
extracting, when the trigger log is detected, log data cumulated up to a detection of the trigger log from a start of the session and generating cumulative log data (a Markov chain may model a page sequence in a user behavior session, and at each page request, behavior analysis engine 216 may update the current state of the Markov chain, [0055]; Based on the attributes of the set of known frames and application-specific evaluation patterns, the raw data collected about the functional user behavior may be transformed by behavior analysis engine 212 into a behavior pattern in a way such that the behavior pattern can be processed and correlated easily, [0080]); and 
performing pattern analysis on the cumulative log data (If the result of the dot product is greater than a certain threshold (e.g., threshold=3), correlation engine 218 considers the behavior pattern Q as a match with evaluation pattern E, [0059]; The process 400 then proceeds to step 408 where the behavior pattern is correlated with evaluation patterns in correlation engine 218, [0071]) in real time during the session (correlation engine 218 is implemented to correlate behavior patterns associated with functional user behavior during a particular behavior session (e.g., aggregated by behavior analysis engine 216 over a browser session) with a set of evaluation patterns (e.g., a set of known behavior profiles), [0056]; collect information about functional user behavior during the user behavior session, continue to update behavior pattern, and continue to correlate the updated behavior pattern with evaluation patterns, [0073]) and generating behavior information corresponding to the behavior of the user terminal (A match with an evaluation pattern associated with malicious activity may invoke a remediative action, such as session termination, [0059]; For instance, the remediative action comprises contacting a system administrator about the security threat by email, [0028]).  
However, Collazo does not explicitly disclose a detection time point or a start time point of the session.
Martha teaches log data cumulated up to a detection time point of a trigger log (e.g., Timestamp 2005-10-30T 10:50 of FIG. 11) from a start time point of a session (e.g., Timestamp 2005-10-30T 10:45 of FIG. 11; a webpage record may include a web browser identifier, a timestamp ID, a webpage ID, a referral ID, page type, page data, outgoing links, and/or incoming links, [0042]; The timestamp ID includes a time identifier that is associated with a time at which the corresponding web page is being accessed by the user via the web browser, [0042]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize timestamp data in the system/method of Collazo as suggested by Martha in order to efficiently track sequence, order and timing of user behavior. One would be motivated to combine these teachings because including time information associated with each user activity would provide a detailed record of a time when the user first accesses a web page and the timing between each subsequent action, allowing for thorough activity and pattern analysis.

Regarding claim 2, Collazo teaches the method of claim 1, wherein the log data includes at least one of 
a uniform resource locator (URL) address and a page identifier (ID) of a web page which the user terminal accesses in the web server, 
an input type and an input coordinate of an input which the user terminal applies in the web page, and 
log-in information of the user terminal (A user may provide text input for login fields 306, or text input for search field 308. The input provided along with an identification of the text field may be tracked by server object 224 in web server 204 and may be transmitted to behavior analysis engine 216, [0068]; The text input and the timestamped sequence of login attempts may be tracked by behavior analysis engine 216, [0068]).  

Regarding claim 3, Collazo teaches the method of claim 1, wherein the trigger log includes at least any one of an upload log corresponding to a behavior of uploading contents to the web server by the user terminal, a preference log corresponding to a behavior of inputting a 2preference for contents provided by the web server by the user terminal, a shopping access log corresponding to a behavior of accessing a shopping web page provided by the web server by the user terminal (For an e-commerce web site that offers a $10 (ten dollar) gift certificate to every one who registered for the web site, multiple account registrations may be problematic and costly, [0069]), and a settlement log corresponding to a cost settlement performed by the user terminal.  
	
Regarding claim 4, Collazo does not explicitly disclose the method of claim 1, wherein in the generating of the cumulative log data, when a plurality of trigger logs are detected in one session, cumulative log data corresponding to respective trigger logs are individually generated.  
	Martha teaches wherein in generating of cumulative log data, when a plurality of trigger logs are detected in one session, cumulative log data corresponding to respective trigger logs are individually generated (If multiple pages are led by a single page, then multiple activity paths are created with the single page as a starting page, [0035]).  
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to recognize a plurality of distinct webpage records in the system/method of Collazo as suggested by Martha to periodically and thoroughly track each activity of a user. One would be motivated to combine these teachings in order to maintain a complete and comprehensive record of each user activity and trigger event.

Regarding claim 5, Collazo teaches the method of claim 4, wherein the log data cumulated from the start of the session up to the detection of a most recent trigger log among the plurality of trigger logs becomes the cumulative log data (a Markov chain may model a page sequence in a user behavior session, and at each page request, behavior analysis engine 216 may update the current state of the Markov chain, [0055]; Based on the attributes of the set of known frames and application-specific evaluation patterns, the raw data collected about the functional user behavior may be transformed by behavior analysis engine 212 into a behavior pattern in a way such that the behavior pattern can be processed and correlated easily, [0080]).  
	However, Collazo does not explicitly disclose the start time point or a detection time point.
	Martha teaches the log data cumulated from the start time point of the session (e.g., Timestamp 2005-10-30T 10:45 of FIG. 11) up to the detection time point of a most recent trigger log (e.g., Timestamp 2005-10-30T 11:23 of FIG. 11).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize timestamp data in the system/method of Collazo as suggested by Martha in order to efficiently track sequence, order and timing of the most recent user behavior. One would be motivated to combine these teachings because including time information associated with each user activity would provide a detailed record of a time when the user first accesses a web page and the timing between each subsequent action, allowing for thorough activity and pattern analysis.

Regarding claim 6, Collazo teaches the method of claim 1, further comprising: 
determining whether the user terminal performs an abnormal behavior in the session by comparing the cumulative log data (An example of a behavior pattern is: Q=[0, 1, 1, 0, 1, 1, 0, 0, 0], [0057]-[0058]) with an abnormal operation pattern (An example of an evaluation pattern representing a malicious profile is: E=[0, 1, 1, 0, 1, 1, 0, 0, 1], [0058]-[0059]; Correlation engine 218 may use the vector to find the dot product of the two vectors (Q.E) to determine the similarity between the two vectors, [0059]; Correlation engine 218 correlates current behavior patterns with known evaluation patterns, [0060]), 
wherein abnormal behavior information corresponding to the abnormal behavior performed by the user terminal is included in the behavior information when the abnormal operation pattern corresponds to the cumulative log data. (If the result of the dot product is greater than a certain threshold (e.g., threshold=3), correlation engine 218 considers the behavior pattern Q as a match with evaluation pattern E. A match with an evaluation pattern associated with malicious activity may invoke a remediative action, [0059]; results of correlations are tracked and reported to system administrators for further inspection and analysis, [0061]).  

Regarding claim 11, Collazo-Martha teach a non-transitory computer readable recording medium storing a computer program for executing, by a processor, the method for analyzing the online behavior of the user of claim 1 (see rejection of claim 1).  

Regarding claim 13, Collazo teaches an apparatus for analyzing an online behavior of a user accessing a web server through a user terminal, the apparatus comprising: 
a processor; and 
a memory coupled to the processor, 
wherein the memory includes one or more modules configured to instruct the processor to execute steps including: 
collecting, when the user terminal accesses the web server and forms a session (Client 208 and client 212 may be configured to establish a user behavior session, user behavior session 210 and user behavior session 214 respectively, [0049]), log data corresponding to a behavior performed by the user terminal in the session in real time from the web server as the log data is generated by the web server (Web server 204 and/or web server 206 may use network 202 to communicate data about functional user behavior to the behavior analysis engine 216. In some embodiments, the data about functional user behavior is captured on the server-side, [0047]; The information captured by server object 224 (or a client-side script) may be communicated to behavior analysis engine 216 over network 202, [0052]; As user 402 is using the application, qualitative and/or quantitative information about the functional user behavior is collected in step 404, as described in relation to server object 224, and behavior analysis engine 216, [0071]), 
detecting log data corresponding to a trigger log among the log data (The information that security system 200 keeps track of during a user behavior session may include a web page or screen sequence navigated by the user, along with the time intervals associated with each page. Other information about functional user behavior may include input in web pages, screens, or forms of the application. Other examples may include timestamped user clicks or touch strokes within a web page or screen of the application. The functional user behavior may be processed and tagged by the context of the behavior, [0050]; User clicks, navigation to a different web page, activating a script or program to send a communication, or any other suitable user activity, may be functional user behavior tracked and monitored by behavior analysis engine 216. Clicks on a button that activates script, program, or sends a request, may be a potential vulnerability which attackers may use repetitively to slow down the server and perform a denial of service attack, [0067]), wherein the trigger log is based on a pre-set user input from the user terminal (real-time analysis and correlation of behavior patterns (e.g., in a browser session) in relation to other behavior patterns of the application, threat signatures, and overall usage of the web application, [0009]; track user clicks and or text input or any functional user behavior. The behavior tracker script and behavior analysis engine 216 may be configured to track and store a predefined set of various kinds of functional user behaviors, [0053]), 
extracting, when the trigger log is detected, log data cumulated up to a detection of the trigger log from a start of the session and generating cumulative log data (a Markov chain may model a page sequence in a user behavior session, and at each page request, behavior analysis engine 216 may update the current state of the Markov chain, [0055]; Based on the attributes of the set of known frames and application-specific evaluation patterns, the raw data collected about the functional user behavior may be transformed by behavior analysis engine 212 into a behavior pattern in a way such that the behavior pattern can be processed and correlated easily, [0080]); and 
performing pattern analysis on the cumulative log data (If the result of the dot product is greater than a certain threshold (e.g., threshold=3), correlation engine 218 considers the behavior pattern Q as a match with evaluation pattern E, [0059]; The process 400 then proceeds to step 408 where the behavior pattern is correlated with evaluation patterns in correlation engine 218, [0071]) in real time during the session (correlation engine 218 is implemented to correlate behavior patterns associated with functional user behavior during a particular behavior session (e.g., aggregated by behavior analysis engine 216 over a browser session) with a set of evaluation patterns (e.g., a set of known behavior profiles), [0056]; collect information about functional user behavior during the user behavior session, continue to update behavior pattern, and continue to correlate the updated behavior pattern with evaluation patterns, [0073]) and generating behavior information corresponding to the behavior of the user terminal (A match with an evaluation pattern associated with malicious activity may invoke a remediative action, such as session termination, [0059]; For instance, the remediative action comprises contacting a system administrator about the security threat by email, [0028]).  
However, Collazo does not explicitly disclose a detection time point or a start time point of the session.
Martha teaches log data cumulated up to a detection time point of a trigger log (e.g., Timestamp 2005-10-30T 10:50 of FIG. 11) from a start time point of a session (e.g., Timestamp 2005-10-30T 10:45 of FIG. 11; a webpage record may include a web browser identifier, a timestamp ID, a webpage ID, a referral ID, page type, page data, outgoing links, and/or incoming links, [0042]; The timestamp ID includes a time identifier that is associated with a time at which the corresponding web page is being accessed by the user via the web browser, [0042]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize timestamp data in the system/method of Collazo as suggested by Martha in order to efficiently track sequence, order and timing of user behavior. One would be motivated to combine these teachings because including time information associated with each user activity would provide a detailed record of a time when the user first accesses a web page and the timing between each subsequent action, allowing for thorough activity and pattern analysis.


5.	Claims 8 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Collazo-Martha in view of Wiener et al. (US 2016/0092914).

Regarding claim 8, Collazo-Martha do not explicitly disclose the method of claim 1, wherein when a shopping access log of accessing a shopping web page by the user terminal is included in the cumulative log data, the behavior information further includes product recommendation information corresponding to the shopping access log.  
	Wiener teaches wherein when a shopping access log of accessing a shopping web page by a user terminal is included in the cumulative log data (Data management server 111 will then analyze the data and events (see operation 204) to determine user attributes (e.g., gender, income range, interests, location, purchases, etc.) by mapping the data and event information to available taxonomies established by data providers, [0038]; questions pertaining to user behaviors that an advertiser might want to observe (and derive aggregate statistics) include, “What segment of users scroll fast?”, “What segment of users scroll slowly?”, “What segment of users hover over the shopping cart icon?”, [0042]), behavior information further includes product recommendation information corresponding to the shopping access log (an advertiser establishes business logic to serve specific content (e.g., a luxury vacation package advertisement), [0038];  When there is a match, data management server 111 can send the user profile 217 to the ad server to determine the content (e.g., a selection of targeted advertisements) to send to the user, [0038]).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to provide ads based on user inputs and/or events associated with a user in the system/method of Collazo-Martha as suggested by Wiener in order to utilize specified criteria to offer the user relevant and targeted advertising. One would be motivated to combine these teachings because one would recognize that there is a higher probability that a user will be more interested in particular content based on previous purchasing activity and personal information.

Regarding claim 9, Collazo-Martha do not explicitly disclose the method of claim 8, wherein when a search log, performed by the user terminal before the shopping access log, is included in the cumulative log data, product recommendation information corresponding to the search log is included in the behavior information.  
Wiener teaches wherein when a search log, performed by a user terminal before a shopping access log, is included in a cumulative log data (capture subsequent user input and events at the client device 106 (e.g., login credentials, search criteria, etc.). Certain inputs and/or events (e.g., search button click) will send user data and events 203 (e.g., search criteria, cookie information, login credentials, etc.) to the data management server 111, [0038]; following certain activity (e.g., entering search form data) and triggering events (e.g., clicking search button) as may be initiated by a user, [0054]), product recommendation information corresponding to the search log is included in behavior information (data management server 111 can send the user profile 207 to the ad server 112 to determine the content (e.g., a selection of targeted advertisements) to send to the user (see operation 208), [0038]; Ad tag request 4021 is further structured to include certain information from the web page or “phints” (e.g., “type=flight”, “dest=SFO”, “departure=JFK”) in the request to potentially be sued in determining the response, [0054]).  
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to provide ads based on search inputs in the system/method of Collazo-Martha as suggested by Wiener in order to utilize user specified criteria to provide relevant and targeted advertising. One would be motivated to combine these teachings because one would recognize that there is a high probability that a user is currently interested in content related to a search criterion input by the user.


6.	Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Collazo-Martha-Wiener in view of Harper et al. (US 2012/0296745).

Regarding claim 10, Collazo-Martha-Wiener do not explicitly disclose the method of claim 9, wherein when there is no search log performed before the shopping access log in the cumulative log data, a search log performed in a previous session by the user terminal is extracted to generate product recommendation information corresponding to the search log performed in the previous session.  
Harper teaches wherein when there is no search log performed before shopping access log in cumulative log data, a search log performed in a previous session by a user terminal is extracted to generate product recommendation information corresponding to the search log performed in the previous session (a content server could be linked to a database that connects the user of the media content receiver 200 to their previous purchases or Internet browsing. Such a feature would enable the system to recommend or suggest products, services, or content based on historical purchases or browsing habits, [0035]).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize previous browsing history in the system/method of Collazo-Martha-Wiener as suggested by Harper to look up and determine user interests. One would be motivated to combine these teachings because maintaining this information would be a useful way to access user interest data when determining relevant recommendations to present to a user.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Kozine et al.		US 8,832,265 – reports of monitored web activity are generated to identify outliers.

Vines et al.		US 10,326,789 – web bot detection based on analysis of web activity.

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHU WOOLCOCK whose telephone number is (571)270-3629. The examiner can normally be reached Tuesday, Thursday 9-6 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chris Parry can be reached on 571-272-8328. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHU WOOLCOCK
Examiner
Art Unit 2451



/MADHU WOOLCOCK/Primary Examiner, Art Unit 2451