Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after allowance or after an Office action under Ex Parte Quayle, 25 USPQ 74, 453 O.G. 213 (Comm'r Pat. 1935). Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, prosecution in this application has been reopened pursuant to 37 CFR 1.114. Applicant's submission filed on 7/27/2022 has been entered.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 7/27/2022 was filed after the mailing date of the Notice of Allowance on 4/27/2022. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Allowable Subject Matter
Claims 1-6, 8-21, and 43 are allowed.
Regarding independent claim 1, the closest prior art are the following:
1. The previously cited reference Lang (US 2015/0269383) teaches (see the Office Action (“OA”) dated 9/28/2021, pages 3-9) a method for monitoring security policy violations in a computer network, the method comprising:
creating a rule corresponding to a security policy; 
generating a security event corresponding to the rule violation; 
recording information representing the security event to a computer-readable storage medium.

2. A new reference Qureshi (US 7,490,073) teaches determining a plurality of variables from the rule, wherein at least one variable of the plurality of variables is enabled to be set to one of a plurality of values, and wherein the rule is violated or not violated conditional on values of the plurality of variables (see col. 77, lines 43-63 and FIGS. 22A and 22B: “The knowledge base 22 of the meta-application 20 includes a logic rule that describes this problem. The rule includes two inexpensive feature predicates corresponding to the warning log messages, two inexpensive feature predicates describing the denied permissions of the "Everyone" group on the two listed objects, and one more expensive predicate comprising a "unit test" that tests whether email messages can be sent to public folders”. The Examiner interprets two inexpensive feature predicates corresponding to the warning log messages, two inexpensive feature predicates describing the denied permissions of the "Everyone" group on the two listed objects, and one more expensive predicate comprising a "unit test" that tests whether email messages can be sent to public folders as a plurality of variables. And see col. 78, lines 4-10: “Once the rule is loaded, Problem Logic analyzes the rule and determines that, in order to evaluate the rule for the given deployment 10, multiple feature detectors need to be started (using the procedure detailed above). Accordingly, Problem Logic initiates these feature detectors, which then notify the appropriate monitors 14 to look for the events and other features of the rule”); 
parsing a first log of the plurality of logs to determine a value of a first variable of the plurality of variables (see col. 78, lines 14-22: “the managed application 10 registers the two warning messages in the Exchange.TM. application log. These new log entries and picked up by a monitor 14 (FIG. 1) and sent to the meta-application 20 server 60 (FIG. 3) as telemetry. The telemetry data becomes stored in the telemetry database 26, and the feature detector 36 interprets the two error log entries as features. So two new "event" features are generated with the correct "event IDs" and other appropriate error information”); 
evaluating the rule conditional on the value of the first variable and the value of the second variable (see col. 77, lines 63-67: “The rule's specific logical combination of these predicates depending upon the relationships of the predicates to the problem. However, for simplicity suppose that the rule requires all five predicates to be true (e.g., all five predicates are inputs to an AND gate)”. The Examiner interprets the true values of two of the five predicates as the value of the first variable and the value of the second variable); 
identifying a rule violation corresponding to the value of the first variable, the value of the second variable, and the rule (see col. 78, lines 14-52: “the managed application 10 registers the two warning messages in the Exchange.TM. application log. These new log entries and picked up by a monitor 14 (FIG. 1) and sent to the meta-application 20 server 60 (FIG. 3) as telemetry. The telemetry data becomes stored in the telemetry database 26, and the feature detector 36 interprets the two error log entries as features…. After some time, the final feature predicate triggers. This causes another feature to be generated and passed to Problem Logic. Then the discrimination network identifies Problem Logic rules to update. At this point, the rule for the illustrated article has been matched because all five feature predicates have become "true." Thus, Problem Logic generates a corresponding problem”). 

3. A new reference Fujishima (US 2016/0337385) teaches receiving a plurality of logs representing packets of traffic transmitted via the computer network (see [0006]: “a network monitoring device includes a memory and a processor coupled to the memory and configured to accumulate a plurality of logs in the memory, by repeating a capturing process of capturing a packet transmitted over the network”);
parsing a first log of the plurality of logs to determine a value of a first variable of the plurality of variables (see abstract: “the detection process including extracting a first destination identifier and a first attribute parameter, from a first log having an identifier of the infected computer in the source identifier”); 
parsing a second log of the plurality of logs to determine a value of a second variable of the plurality of variables (see abstract: “extracting a second source identifier and a second destination identifier, from a second log having the first attribute parameter in the attribute parameter”); 

4. The previously cited reference Richards (US 2017/0054854) teaches (see the OA dated 9/28/2021, pages 11 and 12) assigning the security event into a time bin of a plurality of time bins (see [0096] and Fig. 17: “Referring now to FIG. 17 in the country callout configuration, at step 1702, the cumulative minutes from a carrier network to a specific country are first detected and inquiry step 1704 determines whether these cumulative minutes exceed a predetermined threshold within a defined time limit. If so, a further determination is made at step 1706 whether the cumulative minutes involve an excessive call count threshold within a defined time period….If the threshold call limit or call count are not exceeded at step 1704 and 1706, respectively, control passes back to step 1710 to continue monitoring for issues”. The Examiner interprets calls placed to a specific country as security events because they could relate to “international revenue share (country or number callout) fraud”. The Examiner further interprets “a defined time period” as a time bin of a plurality of time bins);
determining that a count of security events in the time bin does not fall within a predicted event range (see [0094]: “In the "country callout" scenario a high number of calls are suddenly placed to a specific country. These calls exceed the normal baseline call rates and the calls are placed from within the carrier network”. And see [0096]: “Referring now to FIG. 17 in the country callout configuration, at step 1702, the cumulative minutes from a carrier network to a specific country are first detected and inquiry step 1704 determines whether these cumulative minutes exceed a predetermined threshold within a defined time limit. If so, a further determination is made at step 1706 whether the cumulative minutes involve an excessive call count threshold within a defined time period”. And see [0085]: “The system described herein above with respect to FIGS. 1-13 may be implemented in a number of manners in order to provide real-time monitoring of live-data flowing through such associated live-data sources and other network elements. Various applications in which the methodology may be utilized include business assurance applications, customer experience applications, network operations applications and network security applications. Various business assurance applications include ways for monitoring and confirming that a business model implemented by a system is operating in a known and desired manner. These applications include …international revenue share (country or number callout) fraud”. The Examiner interprets calls placed to a specific country as security events because they could relate to “international revenue share (country or number callout) fraud”. 
The Examiner further interprets “determination … at step 1706 whether the cumulative minutes involve an excessive call count threshold within a defined time period” taught in [0096] (exceed the normal baseline call rates as taught in [0094]) as determining that a count of security events in the time bin does not fall within a predicted event range); and 
in response to the count of security events not falling within the predicted event range, generating a security alert (see [0096] and Fig. 17: “a further determination is made at step 1706 whether the cumulative minutes involve an excessive call count threshold within a defined time period. If so, this causes the generation of alerts and reports at step 1708”).

Independent claim 1 is allowable for the following reason: before the effective filing date of the claimed invention, it would not have been obvious to a person of ordinary skill in the art 
first to improve the method of Lang by adding the steps of determining a plurality of variables from the rule, wherein at least one variable of the plurality of variables is enabled to be set to one of a plurality of values, and wherein the rule is violated or not violated conditional on values of the plurality of variables; evaluating the rule conditional on the value of the first variable and the value of the second variable; and identifying a rule violation corresponding to the value of the first variable, the value of the second variable, and the rule, as taught by Qureshi,
second to improve the method of Lang modified in view of Qureshi by adding the steps of receiving a plurality of logs representing packets of traffic transmitted via the computer network; parsing a first log of the plurality of logs to determine a value of a first variable of the plurality of variables; and parsing a second log of the plurality of logs to determine a value of a second variable of the plurality of variables, as taught by Fujishima, and
finally to improve the method of Lang modified in view of Qureshi and Fujishima by adding the steps of assigning the security event into a time bin of a plurality of time bins; determining that a count of security events in the time bin does not fall within a predicted event range; and in response to the count of security events not falling within the predicted event range, generating a security alert, as taught by Richards.
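The combination of steps recited above (rule with settable variables, values read from a first and a second packet log, rule evaluation, security event, time binning, count versus predicted range, alert) as an added worked example in Python; it is not from the office action or any cited reference, and the packet log format, the SYN-then-RST rule, the 60-second bin width and the 0 to 1 predicted range are constructed assumptions:

```python
import re
from collections import Counter

# Constructed sample packet logs (not from any reference cited above):
# one captured packet per line, "epoch_seconds src dst dport tcp_flag".
SAMPLE_LOGS = [
    "1000 10.0.0.5 10.0.0.9 22 SYN",
    "1002 10.0.0.5 10.0.0.9 22 RST",
    "1010 10.0.0.7 10.0.0.9 443 SYN",
    "1012 10.0.0.7 10.0.0.9 443 ACK",
    "1070 10.0.0.5 10.0.0.9 23 SYN",
    "1075 10.0.0.5 10.0.0.9 23 RST",
    "1076 10.0.0.5 10.0.0.9 25 SYN",
    "1078 10.0.0.5 10.0.0.9 25 RST",
]
LOG_RE = re.compile(r"(\d+) (\S+) (\S+) (\d+) (\S+)$")
BIN_SECONDS = 60          # width of each time bin (assumed)
PREDICTED_RANGE = (0, 1)  # assumed baseline: at most one event per bin is normal

# The rule "SYN followed by RST on the same flow" has two variables; each can be
# set to any flag value, and the rule is violated only for the pair (SYN, RST).
RULE_VARIABLES = ("first_flag", "second_flag")

def rule_violated(values):
    return values["first_flag"] == "SYN" and values["second_flag"] == "RST"

def parse_log(line):
    """Parse one packet log into the fields the rule's variables are read from."""
    ts, src, dst, dport, flag = LOG_RE.match(line).groups()
    return {"ts": int(ts), "flow": (src, dst, int(dport)), "flag": flag}

def find_security_events(lines):
    """first_flag comes from a flow's first log, second_flag from its second;
    every combination that violates the rule is recorded as a security event."""
    pending, events = {}, []
    for rec in map(parse_log, lines):
        prev = pending.pop(rec["flow"], None)
        if prev is None:
            pending[rec["flow"]] = rec
            continue
        values = {"first_flag": prev["flag"], "second_flag": rec["flag"]}
        if rule_violated(values):
            events.append({"ts": rec["ts"], "flow": rec["flow"], "values": values})
    return events

def alerts_for(events):
    """Assign events to time bins, count per bin, alert on bins outside the range."""
    counts = Counter(e["ts"] // BIN_SECONDS for e in events)
    lo, hi = PREDICTED_RANGE
    return {b: n for b, n in counts.items() if not lo <= n <= hi}
```

Running `alerts_for(find_security_events(SAMPLE_LOGS))` yields one alert for bin 17, which holds two events while bin 16 holds one and stays within range.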

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990. The examiner can normally be reached 10am-6pm Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ZHIMEI ZHU/Examiner, Art Unit 2495

/JEFFERY L WILLIAMS/Primary Examiner, Art Unit 2495