DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the remarks entered on 3/28/2022. 
Status of Claims
The following claim(s) is/are pending in this Office action: 1-9, 11-21. Claim 10 is cancelled. Claim 21 is newly added. Claims 1, 4, 11, 14, 20 are amended.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-9 and 11-21 stand rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception without significantly more.
Step 1 analysis:
In the instant case, the claims are directed to a system (1-9), a method (11-19) and a computer program product (20-21). Thus, each of the claims falls within one of the four statutory categories (i.e., process, machine, manufacture, or composition of matter).
Step 2A analysis:
Based on the claims being determined to be within one of the four categories (Step 1), it must be determined if the claims are directed to a judicial exception (i.e., law of nature, natural phenomenon, and abstract idea); in this case, the claims fall within the judicial exception of an abstract idea. Specifically, the abstract ideas of Mental Processes (“Concepts performed in the human mind (including an observation, evaluation, judgment, opinion)”) and Mathematical Concepts (mathematical calculations, relationships or formulas/equations).
Step 2A: Prong 1 analysis:
The claim(s) recite(s):
Claim 1:
“receiving an attack description comprising user instructions to fabricate synthetic log entries according to a format defined in the event log template, the attack description comprising variables and rules for determining values for the variables”- this limitation amounts to observing and evaluating (mental process) instructions to log data (observation and evaluation) which comprises variables and rules (mathematical relationships) for determining values (mathematical calculation);
“automatically generate the attack event log representing an attack scenario and comprising a synthetic log entry that is fabricated by determining a value that satisfies the rules and writing the value into selected fields of the event log template”- this limitation amounts to log data (observation and evaluation) that represents an attack scenario (judgment, opinion) and calculating a value (mathematical calculation) that satisfies the rules (judgment-mental process).
Step 2A: Prong 2 analysis:
This judicial exception is not integrated into a practical application because it only recites these additional elements: 
“a storage device for storing an event log template” – this limitation recites a generic computer component. Merely adding a generic computer, generic computer components, or a programmed computer to perform generic computer functions does not automatically overcome an eligibility rejection (see MPEP 2106.05(b)); 
“a processor”- this limitation recites a generic computer component. Merely adding a generic computer, generic computer components, or a programmed computer to perform generic computer functions does not automatically overcome an eligibility rejection (see MPEP 2106.05(b));
“receive a selection of the event log template”- this limitation recites mere data gathering, being an insignificant extra solution activity (see 2106.05(g));
“automatically generate...”- this part of the limitation amounts to mere instructions to implement an abstract idea or other exception on a computer (see MPEP 2106.05(f)); 
“stream the automatically generated attack event log to a Security Information and Event Management (SIEM) system”- this limitation recites data outputting, being insignificant extra solution activity (see 2106.05(g)).
Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claims are directed to an abstract idea.
Step 2B analysis:
The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements explained above amount to generic computer components (see MPEP 2106.05(b)), mere instructions to implement an abstract idea or other exception on a computer (see MPEP 2106.05(f)) and insignificant extra solution activity. In addition, the following limitations are also well understood, routine and conventional (see MPEP 2106.05(d)):
“a storage device for storing an event log template” – this limitation recites storing information in memory (see MPEP 2106.05(d) II iv.)
“receive a selection of the event log template”- this limitation recites receiving data (see MPEP 2106.05(d) II i.);
“stream the automatically generated attack event log to a Security Information and Event Management (SIEM) system”- this limitation recites transmitting data (see MPEP 2106.05(d) II i.).
The claims are not patent eligible. 
Independent claims 11 and 20 are analogous claims, therefore the same rejection and rationale applies to them.
Dependent claim(s) 2-9, 12-19, 21 when analyzed as a whole are held to be patent ineligible under 35 U.S.C. 101 because the additional recited limitation(s) fail(s) to establish that the claim(s) is/are not directed to an abstract idea. The claims are reciting further embellishment of the judicial exception.  
Claim 2: this claim recites further embellishment of mathematical calculations/relationships. Claim 12 is analogous to claim 2.
Claim 3: this claim recites further embellishment of mental processes (judgment, evaluation) and mathematical variables. 
Claim 4: this claim recites further embellishment of mental processes (judgment, evaluation). Claim 14 is analogous to claim 4.
Claim 5: this claim recites further embellishment of mathematical relationships/calculations. Claim 15 is analogous to claim 5.
Claim 6: this claim recites further storing, being well understood routine and conventional (see MPEP 2106.05(d) II iv.). Claim 16 is analogous to claim 6.
Claim 7: this claim recites further mathematical variables, data manipulation (see MPEP 2106.05(g)) and further storing, being well understood routine and conventional (see MPEP 2106.05(d) II iv.). Claim 17 is analogous to claim 7.
Claim 8: this claim recites further receiving information being insignificant extra solution activity (see MPEP 2106.05(g)) and well understood routine and conventional (see MPEP 2106.05(d) II i.). Claim 18 is analogous to claim 8.
Claim 9: this claim recites further data manipulation (see MPEP 2106.05(g)). Claim 19 is analogous to claim 9.
Claim 13: this claim recites knowledge, which is a mental process of observing and evaluating.
Claim 21: this claim recites further data manipulation (see MPEP 2106.05(g)). 
Viewed as a whole, these additional claim element(s) do not provide meaningful limitation(s) to transform the abstract idea into a patent eligible application of the abstract idea such that the claim(s) amounts to significantly more than the abstract idea itself.  Therefore, the claim(s) are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim(s) 1-4, 6-9, 11-14, 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over He et al., Experience Report: System Log Analysis for Anomaly Detection (2016) (hereinafter He) in view of Zhai et al., USPGPub 2016/0352759 effectively filed on July 12, 2019 (hereinafter Zhai).
With respect to claim 1, He teaches:
A system for generating an attack event log (see p. 216 section VI: Anomaly Detection- “detect security anomalies to prevent attacks before they compromise a system”) comprising: 
receive a selection of the event log template; (¶ 2, A. Log Parsing, § III Methodology, p. 209: “Finally, event template is generated from each cluster. For heuristic-based approaches, the occurrences of each word on each log position are counted. Next, frequent words are selected and composed as the event candidates.  Finally, some candidates are chosen to be the log events.”  ¶ 3, § II Framework Overview, p. 208: “Logs are unstructured, which contain freeform text. The purpose of log parsing is to extract a group of event templates, whereby raw logs can be structured. More specifically, each log message can be parsed into a[n] event template (constant part) with some specific parameters (variable part).” 
The examiner notes that He’s selecting any of the aforementioned generated event templates for subsequent, supervised and/or unsupervised learning of training data teaches this limitation.)
receive an attack description comprising user instructions to fabricate synthetic log entries according to a format defined in the event log template, the attack description comprising variables and rules for determining values for the variables (¶ 1, § II. Framework Overview, p. 208: “The anomaly detection framework mainly involves four steps: log collection, log parsing, feature extraction, and anomaly detection.” ¶ 3, § II: “Log parsing: Logs are unstructured, which contain free-form text. The purpose of log parsing is to extract a group of event templates”; and “each log message can be parsed into a[n] event template (constant part) with some speciﬁc parameters (variable part). As illustrated in Figure 1, the 4th log message (Log 4) is parsed as ‘Event 2’ with an event template ‘Received block * of size * from *’.” ¶ 1, § III-C: “Supervised learning (e.g., decision tree) is deﬁned as a machine learning task of deriving a model from labeled training data. Labeled training data, which indicate normal or anomalous state by labels, are the prerequisite of supervised anomaly detection.”
The examiner notes that He’s template (e.g., “Received block * of size * from *” shown above) teaches a portion (e.g., “Received block … of size … from” above) of a template that varies from one template to another. For example, the aforementioned portion varies from the above template to another template “Connection from * closed” (see ¶ 1, A. Log Parsing, § III Methodology, p. 209) and thus teaches a global variable. He’s template further teaches at least a local variable (e.g., “*” in the expression above), a rule that correlates the constant part to the variable, and a format that arranges the constant part and the variable in a specific manner. Therefore, the aforementioned attack description (e.g., including information such as the block ID, size, and source ID) also includes the variables in the corresponding template for He’s parsing engine to recognize, as well as one or more rules that correlate each of the aforementioned pieces of information to the corresponding variable part in a template for He’s approach to synthesize supervised training log entries. Moreover, at p. 209: “Finally, event template is generated from each cluster”; this corresponds to the fabrication); 
automatically generate the attack event log representing an attack scenario and comprising a synthetic log entry that is fabricated by determining a value that satisfies the rules and writing the value into selected fields of the event log template (see p. 211 section 3) Invariants Mining- “In this execution flow, the system generates a log message at each stage from A to G. Assuming that there are plenty of instances running in the system and they follow the program execution flow in Figure 4, the following equations” and “[i]ntuitively, Invariants mining could uncover the linear relationships (e.g., n (A) = n (B)) between multiple log events that represent system normal execution behaviors. Linear relationships prevail in real-world system events. For example, normally, a file must be closed after it was opened. Thus, log with phrase “open file” and log with phrase “close file” would appear in pair. If the number of log events “open file” and that of “close file” in an instance are not equal, it will be marked abnormal because it violates the linear relationship”. Therefore, examiner notes the system generating log messages at each stage corresponds to the claimed “generate the attack event log” and the behaviors and linear relationships in the events not being equal correspond to the claimed “attack scenario”. Furthermore, the linear relationship corresponds to the claimed “value into selected fields”. In addition, at page 214 section C. Accuracy of Unsupervised methods- “[i]nvariants mining automatically constructs linear correlation patterns to detection anomalies, which fit well with the nature BGL data, where failures are marked through some critical events”).
Even though He implicitly teaches the concept of ‘attack’ as He cites to Venkatakrishnan et al. (Reference [46] at page 217) which detects security anomalies to prevent attacks before they compromise a system, Zhai explicitly teaches the concept of attack (see Zhai at [0004]- “Most of security sensors work by comparing observed activities against pre-existing threat knowledge (“attack signatures”)).
In addition, Zhai further teaches the limitations:
a storage device for storing an event log template; a processor (see [0011]- “the memory has instructions and a plurality of attack signatures stored thereon; and when the instructions are executed by the processor, the processor determines one or more responses to the events based on the signatures or rules”);
stream the automatically generated attack event log to a Security Information and Event Management (SIEM) system (¶ [0041]: “A SIEM system can be regarded as a security sensor running on a higher level of abstraction—a SIEM system monitors and alarms on streams of alerts or events”.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of He with the above teachings of Zhai by generating an attack log representing an attack scenario, as taught by He, and streaming the log to a SIEM system, as taught by Zhai. The modification would have been obvious because one of ordinary skill in the art would be motivated to process a stream of events in real-time and match them against pre-defined correlation rules (see Zhai at [0069]).
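The two He techniques relied on for claim 1 above, parsing raw messages into an event template with a constant part and a variable part (“*”), and invariants mining over event counts (n(A) = n(B)), are illustrated by the following added example. It is not code from He et al., from the applicant, or from this Office action; the sample messages, the instance identifiers and the clustering key (word count plus first word, a crude stand-in for He’s similarity clustering) are constructed assumptions.

```python
"""Added example (not code from He et al. or from the Office action): a toy form of the
two He techniques the examiner relies on, log parsing into event templates with a constant
part and a variable part ('*'), and invariants mining over event counts. Sample logs,
instance ids and the clustering key are constructed assumptions."""
from collections import Counter, defaultdict

# Constructed sample messages, modelled on the examples quoted from He (timestamps stripped).
SAMPLE_LOGS = [
    "Connection from 10.10.34.12 closed",
    "Connection from 10.10.34.13 closed",
    "Received block blk_1 of size 67108864 from 10.10.34.11",
    "Received block blk_2 of size 67108864 from 10.10.34.12",
    "Received block blk_3 of size 1024 from 10.10.34.13",
]

# Constructed per-instance event sequences (already parsed to templates) for the invariant check.
SAMPLE_INSTANCES = {
    "s1": ["open file *", "read file *", "close file *"],
    "s2": ["open file *", "read file *"],  # close never logged: n(open) != n(close)
    "s3": ["open file *", "close file *", "open file *", "close file *"],
}


def extract_templates(logs):
    """Heuristic log parsing in the spirit of He's description: cluster messages (assumption:
    by word count and first word, a crude stand-in for similarity clustering), count the word
    at each position within a cluster, keep a word as the constant part only when it occurs
    at that position in every member of the cluster, and replace the rest with '*'.
    Returns {template: [raw messages in that cluster]}."""
    clusters = defaultdict(list)
    for msg in logs:
        words = msg.split()
        clusters[(len(words), words[0])].append(words)
    templates = {}
    for members in clusters.values():
        tokens = []
        for position in range(len(members[0])):
            word, count = Counter(m[position] for m in members).most_common(1)[0]
            tokens.append(word if count == len(members) else "*")
        templates[" ".join(tokens)] = [" ".join(m) for m in members]
    return templates


def parse(msg, templates):
    """Structure one raw message: return (template, [parameter for each '*']) or None
    when no template of the same length matches on its constant part."""
    words = msg.split()
    for template in templates:
        tokens = template.split()
        if len(tokens) == len(words) and all(t in ("*", w) for t, w in zip(tokens, words)):
            return template, [w for t, w in zip(tokens, words) if t == "*"]
    return None


def find_invariant_violations(instances, event_a, event_b):
    """Invariants mining check: He's linear relationship n(A) = n(B) (e.g., every 'open file'
    is paired with a 'close file'). Returns the ids of instances that violate it and would be
    marked abnormal; an empty list means the invariant held in every instance."""
    return sorted(
        instance_id
        for instance_id, events in instances.items()
        if Counter(events)[event_a] != Counter(events)[event_b]
    )
```

On the constructed sample, `extract_templates` yields “Connection from * closed” and “Received block * of size * from *”, `parse` returns the template plus the values that fill each “*”, and `find_invariant_violations` flags instance `s2`, where a file was opened but never closed. The position-counting heuristic only works when a cluster holds several messages; a cluster of one message has nothing to vary, so every word would be treated as constant.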

With respect to claim 2, He modified by Zhai teaches the system of claim 1, and He further teaches:
wherein each of the variables comprises a variable name, a data type, and an output format (He at ¶ 1, § A Log Parsing, § III Methodology, p. 209: “Logs are plain text that consists of constant parts and variable parts, which may vary among different occurrences. For instance, given the logs of ‘Connection from 10.10.34.12 closed’ and ‘Connection from 10.10.34.13 closed’, the words ‘Connection’, ‘from’ and ‘closed’ are considered as constant parts because they always stay the same, while the remaining parts are called variable parts as they are not fixed.”  The examiner notes that the identification of the aforementioned fixed parts teaches a name of the variable, that the “connection from” is associated with an IP address (e.g., the aforementioned address in the IPv4 format) teaches a data type (e.g., network address), and that the IPv4 format of the associated value for the variable teaches an output format).

With respect to claim 3, He modified by Zhai teaches the system of claim 1, and He further teaches:
wherein the rules comprise constraint rules that describe a relationship between the variables and valid ranges for the variables (see He p. 210 section C. Supervised Anomaly Detection- “[l]abeled training data, which indicate normal or anomalous state by labels, are the prerequisite of supervised anomaly detection. The more labeled the training data, the more precise the model would be”. Therefore, these labels corresponding to normal states are interpreted as the “valid ranges for the variables”. In addition, p. 211 section 3) Invariants Mining- “In this execution flow, the system generates a log message at each stage from A to G. Assuming that there are plenty of instances running in the system and they follow the program execution flow in Figure 4, the following equations”  and “[i]ntuitively, Invariants mining could uncover the linear relationships (e.g., n (A) = n (B)) between multiple log events that represent system normal execution behaviors. Linear relationships prevail in real-world system events”).

With respect to claim 4, He modified by Zhai teaches the system of claim 1, and He further teaches:
wherein to determine values that satisfy the rules comprises to obtain at least some of the values from a set of knowledge of known attack scenarios in accordance with the rules, wherein the rules comprise knowledge base rules. (He at ¶ 2, Left-hand column, p. 210: “Supervised learning (e.g., decision tree) is defined as a machine learning task of deriving a model from labeled training data. Labeled training data, which indicate normal or anomalous state by labels, are the prerequisite of supervised anomaly detection. The more labeled the training data, the more precise the model would be. We will introduce three representative supervised methods: Logistic regression, Decision tree, and Support vector machine (SVM)”.  The examiner notes that He’s collection of labeled training data indicating anomalous state by labels teaches a set of knowledge of known attack scenarios, and that the rules upon which such training data is labeled as anomalous teach knowledge base rules. In addition, Zhai teaches at [0004]- “comparing observed activities against pre-existing threat knowledge (“attack signatures”)” which also corresponds to knowledge of known attack scenarios).

With respect to claim 6, He modified by Zhai teaches the system of claim 1, wherein the attack description describes a sub-attack, and wherein the attack event log is stored to a sub attack description (see Zhai at ¶ [0048]: “FIG. 5 schematically shows that a security sensor may include a plurality of attack signatures (e.g., Attack Signatures 1, 2 and 3). Each attack signature may contain features extracted from a potential attack. If an event monitored by the security matches an attack signature, the security sensor may further determine how to handle the event. For the security sensor may log the event”; ¶ [0055]: “A sub-attack signature may be created from an attack signature for brutal force authentication, where the sub-attack signature only applies to this collection of hosts with properly set threshold so it only yields acceptable amount of alerts, while for the rest of the environment, lower threshold can still be applied to maintain proper monitoring.”
The examiner notes that Zhai’s including an attack signature and a sub-attack signature created from an attack signature, which only applies to a limited set of network resources (e.g., a collection of hosts), at a security sensor (e.g., a network intrusion detection system (NIDS) or a host intrusion detection system (HIDS)) teaches this limitation.)

With respect to claim 7, He modified by Zhai teaches the system of claim 6 and He further teaches:
wherein the attack description identifies each of the variables as local variables or global variables, (He at ¶ 1, § III-A: “Logs are plain text that consists of constant parts and variable parts, which may vary among different occurrences. For instance, given the logs of “Connection from 10.10.34.12 closed” and “Connection from 10.10.34.13 closed”, the words ‘Connection’, ‘from’ and ‘closed’ are considered as constant parts because they always stay the same, while the remaining parts are called variable parts as they are not ﬁxed.” ¶ 3, § II Framework Overview, p. 208: “Logs are unstructured, which contain freeform text. The purpose of log parsing is to extract a group of event templates, whereby raw logs can be structured. More specifically, each log message can be parsed into a[n] event template (constant part) with some specific parameters (variable part). As illustrated in Figure 1, the 4th log message (Log 4) is parsed as “Event 2” with an event template ‘Received block * of size * from *’.”  
The examiner notes that He’s training log entry that is clustered into the cluster corresponding to the template “Received block * of size * from *” teaches global variables because of the constant portion “Received block,” “of size,” and “from”. More particularly, the aforementioned portion in the above template varies from this template to another template (e.g., “Connection from * closed” cited in claim 2 has a different portion or global variable “connection from closed” that is different from that of the former template to represent the corresponding cluster). The aforementioned portion of the template thus globally defines the template for its corresponding cluster to distinguish the cluster from other clusters and thus teaches a global variable. The examiner further notes that He’s template also teaches local variables that “may vary among occurrences” such as the values represented by “*” in the citations above and to be determined by He’s approach in order for this training log entry to be correctly clustered as anomalous. Therefore, He teaches the above limitation.)
wherein the local variables are replaced by the determined values and the global variables are stored in the sub attack description. (He at ¶ 1, § IV-A: “Both datasets are collected from production systems, with a total of 15,923,592 log messages and 365,298 anomaly samples, that are manually labeled by the original domain experts. Thus we take these labels (anomaly or not) as the ground truth for accuracy evaluation purposes.”  ¶ 3, § II Framework Overview, p. 208: “Logs are unstructured, which contain freeform text. The purpose of log parsing is to extract a group of event templates, whereby raw logs can be structured. More specifically, each log message can be parsed into a[n] event template (constant part) with some specific parameters (variable part). As illustrated in Figure 1, the 4th log message (Log 4) is parsed as “Event 2” with an event template ‘Received block * of size * from *’.”
The examiner notes that the labels and the training anomalous samples that He treats as ground truth are provided as a part of training He’s “anomaly detection methods” as values for the “*” in the template and thus teach the claimed limitation pertaining to local variables. Moreover, in He’s template that is also provided as a part of the attack description for training He’s anomaly detection methods, the parts that remain the same for training samples in the corresponding cluster (e.g., “Received block,” “of size,” and “from”) teach global variables that are stored in a sub attack description.)

With respect to claim 8, He modified by Zhai teaches the system of claim 7, wherein to generate the attack event log comprises to receive the sub attack description and one or more additional sub attack descriptions, and receive additional rules for the global variables (Zhai at ¶ [0055]: “The classifier 694 classifies a collection of hosts into a cluster of hosts tending to have a high count of authentication failures on a daily basis. A sub-attack signature may be created from an attack signature for brutal force authentication, where the sub-attack signature only applies to this collection of hosts with properly set threshold so it only yields acceptable amount of alerts, while for the rest of the environment, lower threshold can still be applied to maintain proper monitoring.”  ¶ [0060]: “The memory has instructions and a plurality of attack signatures stored thereon. When the instructions are executed by the processor, the processor determines one or more responses to the events based on the attack signatures.” The examiner notes that Zhai’s receiving a sub-attack signature teaches receive the sub attack description, that Zhai’s applying the received sub-attack signature only to a collection of hosts with a properly set threshold in order to yield an acceptable amount of alerts teaches one or more additional rules for the aforementioned global variables (e.g., rules for determining which hosts for the global variable “from” may be considered).  The examiner further notes that Zhai’s applying a lower threshold for the attack signature (from which the aforementioned sub-attack signature is created) for another collection of hosts (e.g., the aforementioned rest of the environment) teaches an additional sub-attack signature, and that Zhai thus teaches the above limitation.)

With respect to claim 9, He modified by Zhai teaches the system of claim 1, and He further teaches:
wherein the event log template is an actual event log previously generated by a specific system, application, or security product. (He at ¶ 2, § II: “Log collection: Large-scale systems routinely generate logs to record system states and runtime information, each comprising a timestamp and a log message indicating what has happened.” ¶ 1, A. Log Parsing, § III Methodology, p. 209: “The purpose of log parsing is to separate constant parts from variable parts and form a well-established log event (i.e., “Connection from * closed” in the example).” ¶ 2, A. Log Parsing, § III Methodology, p. 209: “Finally, event template is generated from each cluster.” ¶ 3, § II Framework Overview, p. 208: “Logs are unstructured, which contain freeform text. The purpose of log parsing is to extract a group of event templates, whereby raw logs can be structured. More specifically, each log message can be parsed into a[n] event template (constant part) with some specific parameters (variable part).” The examiner first notes that the “large-scale systems” that “routinely generate logs” teaches the claimed “specific system, application, or security product”. The examiner notes that He’s generating event templates by parsing a log file for correctly structuring raw logs teaches that an event template thus generated is an actual event log (e.g., the log file that has been parsed) that is representative of the logs clustered into a cluster, and that He’s anomaly detection methods teach a specific system, application, or security product.)

With respect to claim 11, it is substantially similar to claim 1 and is rejected in the same manner, the same art and reasoning applying.

With respect to claim 12, it is substantially similar to claim 2 and is rejected in the same manner, the same art and reasoning applying.

With respect to claim 13, He modified by Zhai teaches the method of claim 11, and He further teaches:
wherein the rules comprise knowledge base rules (He at p. 210 section D)-1): “LogCluster requires two training phases, namely knowledge base initialization phase and online learning phase” and “Knowledge base initialization phase contains three steps: log vectorization, log clustering, representative vectors extraction”. In addition, at ¶ 2, Left-hand column, p. 210: “Supervised learning (e.g., decision tree) is defined as a machine learning task of deriving a model from labeled training data. Labeled training data, which indicate normal or anomalous state by labels, are the prerequisite of supervised anomaly detection. The more labeled the training data, the more precise the model would be”. In addition, Zhai teaches at [0004]- “comparing observed activities against pre-existing threat knowledge (“attack signatures”)” which also corresponds to knowledge base rules).

With respect to claim 14, it is substantially similar to claim 4 and is rejected in the same manner, the same art and reasoning applying.

With respect to claim 16, it is substantially similar to claim 6 and is rejected in the same manner, the same art and reasoning applying.

With respect to claim 17, it is substantially similar to claim 7 and is rejected in the same manner, the same art and reasoning applying.

With respect to claim 18, it is substantially similar to claim 8 and is rejected in the same manner, the same art and reasoning applying.

With respect to claim 19, it is substantially similar to claim 9 and is rejected in the same manner, the same art and reasoning applying.

With respect to claim 20, it is substantially similar to claim 1 and is rejected in the same manner, the same art and reasoning applying.

Claims 5 and 15 stand rejected under 35 U.S.C. 103 as being unpatentable over He in view of Zhai and further in view of Copty et al., USPGPub US20180232518A1 with publication date of Aug. 16, 2018 (hereinafter Copty).
With respect to claim 5, He modified by Zhai teaches the system of claim 1 but does not appear to explicitly teach:
wherein to determine the values comprises to generate pseudo-random values using a constraint satisfaction problem (CSP) solver.
In an analogous field of endeavor, Copty does, however, teach:
wherein to determine the values comprises to generate pseudo-random values using a constraint satisfaction problem (CSP) solver (¶ [0034]: “a server may obtain a multiplicity of solutions to the constraint satisfaction problem, store the solutions, and when a client requests a reordering, the server may provide one of the stored solutions, whether randomly or in accordance with some rules”; and ¶ [0042]: “[i]n such a case, a solution may be selected from the available solutions. The selection may be random or pseudo random”. The examiner notes that Copty’s pseudo-random selection of a solution by using a constraint satisfaction problem solver teaches this limitation).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of He and Zhai with the above teachings of Copty by generating an attack log representing an attack scenario and streaming the log to a SIEM system, as taught by He and Zhai, and generating pseudo-random values using a constraint satisfaction problem (CSP) solver, as taught by Copty. The modification would have been obvious because one of ordinary skill in the art would be motivated to process a stream of events in real-time and match them against pre-defined correlation rules (see Copty at [0069]).

With respect to claim 15, it is substantially similar to claim 5 and is rejected in the same manner, the same art and reasoning applying.

Claim 21 stands rejected under 35 U.S.C. 103 as being unpatentable over He in view of Zhai and further in view of Miller et al. NPL: “Anomalous Network Packet Detection Using Data Stream Mining” (hereinafter Miller).
With respect to claim 21, He modified by Zhai teaches the computer program product of claim 20 but does not appear to explicitly teach wherein the program instructions comprise instructions to cause the processor to integrate the automatically generated attack event log with a benign event log file.
In an analogous field of endeavor, Miller does, however, teach:
wherein the program instructions comprise instructions to cause the processor to integrate the automatically generated attack event log with a benign event log file (see Miller at p. 160, right column, second full paragraph: “[t]o simulate the network traffic in real time, anomalous packets were then sporadically inserted into both the training and testing data after an initial interval consisting of only normal traffic (50 packets for training data and 200 packets for testing data)”. Therefore, the Examiner notes that Miller’s anomalous packets correspond to the claimed attack event log, as they are inserted/integrated with normal (benign) data for the purposes of training).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of He and Zhai with the above teachings of Miller by generating an attack log representing an attack scenario and streaming the log to a SIEM system, as taught by He and Zhai, and integrating it with benign data, as taught by Miller. The modification would have been obvious because one of ordinary skill in the art would be motivated to create different attack sets of data for training and testing a model that dynamically detects anomalous data streams (see Miller at Abstract and p. 160).
Response to Arguments
The Applicant’s arguments regarding the rejection of above claims have been fully considered.
In reference to Applicant’s arguments about:
Claim objections.
Examiner’s response:
Objections are withdrawn.
In reference to Applicant’s arguments about:
35 USC 112(b) rejections.
Examiner’s response:
Rejections are withdrawn.
In reference to Applicant’s arguments about:
Rejections under 35 USC 101.
Examiner’s response:
Arguments are moot in view of the new updated rejection.
In reference to Applicant’s arguments about:
Rejections under 35 USC 103.
Examiner’s response:
Regarding the 35 USC 103 rejection to claims 1-9 and 11-20, arguments are moot in view of the new grounds of rejection.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LUIS A SITIRICHE whose telephone number is (571)270-1316. The examiner can normally be reached M-F 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ann Lo can be reached on (571) 272-9767. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/LUIS A SITIRICHE/Primary Examiner, Art Unit 2126