DETAILED ACTION
This is a non-final office action in response to applicant’s communication filed on 11/16/2020.
Claims 1-4 are pending and being considered.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). The certified copy has been filed in parent Application No. JP2020-093234, filed on 5/28/2020.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/16/2020 has been considered. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, initialed and dated copy of Applicant’s IDS form 1449 filed as stated above is attached to the instant Office Action.
Examiner Notes
Claim 1 recites “An information processing apparatus comprising a processor configured to detect ...”. It is noted that paragraphs (on pages 13, 31) of the specification of the instant application discloses: “The processor 36 refers to hardware in a broad sense …”; “the term “processor” refers to hardware in a broad sense". The office takes note of the estoppel introduced by the applicant and that the term "processor", as explicitly used in claims 1, is not to be construed as "software per se" which would otherwise render this claim non-statutory under35 U.S.C. § 101.
Claim Interpretation(s) - 35 USC § 112(f)
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.


The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “means for detecting …” in claim 4.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claim 4 is rejected under 35 U.S.C. 112(a) or pre-AIA  35 U.S.C. 112, first paragraph, because the claim purports to invoke 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, but fails to recite a combination of elements as required by that statutory provision and thus cannot rely on the specification to provide the structure, material or acts to support the claimed function.  As such, the claim recites a function that has no limits and covers every conceivable means for achieving the stated function, while the specification discloses at most only those means known to the inventor.  Accordingly, the disclosure is not commensurate with the scope of the claim.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 3-4 are rejected under 35 U.S.C. 103 as being unpatentable over Koral et al (US20200112574A1, hereinafter, "Koral"), in view of Sudo et al (US20170155669A1, hereinafter, “Sudo”).
Regarding claim 1, Koral teaches:
An information processing apparatus (Koral, discloses device and method to detect malicious activity by processing domain name system traffic records based on unsupervised encoder-decoder neural network security event detection, see [Abstract], [Title]. And See Fig. 1, Processing System 104 (i.e. information processing apparatus)) comprising a processor (Koral, Fig. 7 Processor) configured to detect an unauthorized communication from an originating terminal (Koral, [0017] A first cluster may represent “normal” network traffic, while one or more additional clusters may each represent a type of attack or other malicious and/or anomalous activities (i.e. unauthorized communication). Thereafter, compressed vector representations of input vectors for subsequent network traffic data that fall within a cluster may further be identified as a particular type of anomaly. And [0034] The DNS traffic records may relate to DNS queries from devices 110, 112, and/or 114, or server(s) 116 (i.e. originating terminal) to any one or more of DNS resolvers 181-183, may relate to DNS queries forwarded by DNS resolvers 181-183 to any one or more of DNS authoritative servers 191-193, and so forth) by inputting a target [query type string] of the originating terminal serving as a detection target to a learner (Koral, [0015] the present disclosure includes an unsupervised encoder-decoder neural network (i.e. learner, further shown in Fig. 2) learning approach, which assumes no prior knowledge of the nature of the analyzed network traffic. Initially, examples of the present disclosure may build an encoder-decoder neural network (e.g., an autoencoder) that learns the characteristics of “normal” network traffic from a plurality of input vectors. And See Fig. 5 step 515, and [0063] At optional step 515, the processing system may generate a plurality of aggregate vectors from the plurality of DNS traffic records. For instance, each of the plurality of aggregate vectors may comprise a plurality of features derived from the second plurality of DNS traffic records) that has learned a feature of a [query type string] of the originating terminal through unsupervised learning with the [query type string] used as learning data (Koral, Fig. 5 step 520-535, e.g. [0064] At optional step 520, the processing system may train an encoder-decoder neural network (e.g., an autoencoder) with the plurality of aggregate vectors (i.e. learning data). And [0065] At step 525, the processing system obtains a plurality of DNS traffic records (e.g., a “first” plurality of DNS traffic records). And [0066] At step 530, the processing system generates an input aggregate vector from the first plurality of DNS traffic records. For instance, the input aggregate vector may include a plurality of features derived from the first plurality of DNS traffic records. And [0068] At step 535, the processing system applies an encoder-decoder neural network to the input aggregate vector to generate a reconstructed vector. In one example, the encoder-decoder neural network is trained with a plurality of aggregate vectors generated from the second plurality of DNS traffic records), the [query type string] including [query types] arranged in time sequence and included in an information request signal that is transmitted to a domain name system (DNS) server in response to a request of the originating terminal (Koral, [0018] network traffic records are aggregated (e.g., by one minute time intervals, or another time interval, by DNS resolver or by some other criteria, etc.), and [0034] The DNS traffic records may relate to DNS queries from devices 110, 112, and/or 114, or server(s) 116 to any one or more of DNS resolvers 181-183… And [0062] At optional step 510, the processing system may obtain a plurality of DNS traffic records (e.g., a “second” plurality of DNS traffic records). For instance, the DNS traffic records may relate to DNS queries and replies between a client and a DNS resolver, between DNS resolvers of different layers, between a DNS resolver and a DNS authoritative server). (See Sudo below for teaching of limitation query type string in bracket)
	While Koral teaches detecting malicious activities by analyzing DNS traffic records using unsupervised learning by generating input aggregate vector from the DNS traffic records of request traffic, but does not expressly teach using query type string of the request traffic, in the same field of endeavor Sudo teaches:
	query type string (Sudo, discloses device and method to detect unauthorized access of request transmitted from terminal operated by a user to a service server by comparing detected query to a normal query pattern, see [Abstract]. And [0063] The body text pattern of the request is such that a character string of a portion predetermined according to the type of the request such as a log-in request and a data registration request, of the character strings of the request, is patterned. The body text pattern of the query is such that a character string of a portion predetermined according to the type of the query, of the character strings of the query (i.e. query type string) to be transmitted from the service server 10 to the DB 20 when the corresponding request is received by the service server 10, is patterned. It is assumed that the information to be stored in the body-text pattern storage unit 52 is registered beforehand by the administrator of the unauthorized-access detection device 50).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Sudo in the method of unsupervised encoder-decoder neural network security event detection of Koral to detect unauthorized access (to DB, database) by using information regarding request query from originating terminal by comparing body-text patterns. This would have been obvious because the person having ordinary skill in the art would have been motivated to apply body-text pattern of Sudo as query type string in the detection of malicious activity of Koral to detect unauthorized access (request communication) (Sudo, [Abstract], [0038]). 

Regarding claim 3, Koral-Sudo combination teaches:
A non-transitory computer readable medium (Koral, discloses device, method and computer-readable medium to detect malicious activity by processing domain name system traffic records based on unsupervised encoder-decoder neural network security event detection, see [Abstract], [Title]. And [Claim 19] A non-transitory computer-readable medium) storing a program causing a computer to execute a process for processing information, the process comprising method performed by the information processing apparatus of claim 1, therefore is rejected with same rational set forth as rejection of claim 1 above.

Regarding claim 4, Koral-Sudo combination teaches:
An information processing apparatus (Koral, discloses device and method to detect malicious activity by processing domain name system traffic records based on unsupervised encoder-decoder neural network security event detection, see [Abstract], [Title]. And See Fig. 1, Processing System 104 (i.e. information processing apparatus)) comprising means for performing method of the information processing apparatus of claim 1, therefore is rejected with same rational set forth as rejection of claim 1 above.

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Koral-Sudo combination as applied above to claim 1, further in view of Kelton et al (US20210350487A1, hereinafter, “Kelton”).
Regarding claim 2, Koral-Sudo combination teaches:
The information processing apparatus according to Claim 1, 
The combination of Koral-Sudo does not expressly teach the following limitation(s), in the similar field of endeavor Kelton teaches:
wherein the processor is configured to, in response to a time period between a transmission time of a first information request signal and a transmission time of a second information request signal being equal to or longer than a specific time period, insert in the query type string and the target query type string an element having a blank time between a first query type included in the first information request signal and a second query type included in the second information request signal (Kelton, discloses detecting behavior patterns in transaction histories using computer vision and deep learning techniques, see [Abstract]. And [0044] The transaction timeline is normalized according to the particular parameters set for this system 96. As noted above, normalizing can include fixing the timeline to a common time scale. If the current timeline is unusually short then blank space can be added to fill in the relevant time period, or if the current timeline is longer than necessary it can be cropped. A graphic image for the normalized timeline is constructed 98).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Kelton in the method of unsupervised encoder-decoder neural network security event detection of Koral-Sudo to detect behavior patterns by normalizing transaction timeline by adding blank space. This would have been obvious because the person having ordinary skill in the art would have been motivated to normalize transaction timeline in order to detect behavior patterns for suspicious activity reporting (Kelton, [Abstract], [0044]).
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not been replied upon for this office action:
Nguyen et al (US20160065597A1) discloses method for domain name scoring to represent a probability that the domain name is associated with malicious activity.
	Manadhata et al (US20190238573A1) discloses method and system to count number of digits in a domain name to indicate malware.
	Fakeri-Tabrizi et al (US20160065611A1) discloses method for detecting anomalies in DNS requests.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436