Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the reply filed on 9/20/2022. Claims 2 and 16 have been cancelled. Claims 18-21 have been added as new. Claims 1, 3-15 and 17-21 are pending. This Office Action is Final.

Response to Arguments
	A) Applicant’s amendments and arguments regarding 35 USC 101 rejection of claims 1, 9 and 17 for being an Abstract Idea have been considered and deemed NOT persuasive. 
	The amended claim still recites an Abstract Idea.  While the claim recites a process, the preprocessing and calculating steps can be performed as mental steps.  The providing step can also be performed without a computer.  For example, the claim does not recite displaying on a device; it recites “providing a visual,” which in the broadest reasonable interpretation can equate to drawing a picture and presenting it to a person.  Lastly, the Applicant’s limitations recite a visual in a tower shape with additional detail, and the Applicant equates it to a GUI, where the effective summarizing of information (with a GUI) is not an abstract idea.  While the effective summarizing of information (with a GUI) was not an abstract idea in Core Wireless Licensing SARL v. LG Elecs, that is not the case with the instant application.  The Federal Circuit began its analysis by determining that the claimed invention was an improved user interface, rather than the abstract idea of an index, as proposed by LG.  The Court noted that the claims "are directed to a particular manner of summarizing and presenting information in electronic devices."  For instance, claim 1 requires "an application summary that can be reached directly from the menu," and specifies a particular manner by which the summary window must be accessed.  The instant Application is NOT reciting an improved user interface.  As recited, the claims merely recite a display shape for data and do not show any user interaction, nor even suggest how this particular display can show an improved interaction.
	Overall, the preprocessing and calculating limitations, as drafted, are a process that, under its broadest reasonable interpretation, covers performance of the limitations in the mind. The visualization limitations, as drafted, are also a process that, under its broadest reasonable interpretation, covers performance of the limitations in the mind. The claim encompasses the user thinking that certain IP addresses should be ranked higher than other IP addresses in a tower shape. Thus, this limitation is also a mental process.  As a result, this 35 USC 101 rejection stands.

	B) Applicant’s amendments and arguments regarding the 35 USC 101 rejection of claim 17 for a transitory media have been considered and deemed persuasive.  As a result, this rejection has been withdrawn.
	
	C) Applicant’s arguments with respect to claim(s) 1, 9 and 17 have been considered but are moot because the new ground of rejection does not rely on the same exact combinations of references applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “manager” and “visualizer” in claim 9.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.





Claim Rejections - 35 USC § 101
	35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1, 3-15 and 17-21 are rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter, namely an abstract idea without being integrated into a practical application or significantly more.
	Regarding claim 1, the claim is directed to an abstract idea as reciting the limitations “preprocessing log data,” “calculating period data” and “providing visualization.”  The aforementioned steps are “re-arranging human activities” because, as broadly interpreted, said steps could be performed in the human mind. Therefore, the claim recites an abstract idea.
	Said abstract idea and/or judicial exception is not integrated into a practical application, as the claim does not recite any other active steps that utilize the determination result in a practical application.  It is noted that the claims recite additional elements (i.e., processor/memory, computing system).  However, said additional elements are recited at a high level of generality (i.e., as a generic processor performing a generic computer function of obtaining, constructing, computing or applying, etc.) such that they amount to no more than mere instructions to apply the exception or abstract idea using a generic computer component. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
	The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements, when considered both individually and as an ordered combination, do not amount to significantly more than the abstract idea.  As mentioned above, although the claims recite additional elements, said elements, taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because the additional elements perform generic computer content distributing functions routinely used in the information technology field. See US Applications 2013/0254535, 2015/0156194 and 2011/0154027.  As discussed above, the additional elements are recited at a high level of generality such that they amount to no more than mere instructions to apply the exception using a generic computer component.  Therefore, the claim is directed to non-statutory subject matter.
Regarding claims 9 and 17, claims 9 and 17 are directed to a device and a storage medium associated with the method of claim 1. Claims 9 and 17 are of similar scope to claim 1, and are therefore rejected under similar rationale.

	Regarding claims 3-8, 10-15 and 17-21; the dependent claims are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons addressed above as the claims recite an abstract idea without being integrated into a practical application or significantly more.



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.



Claim(s) 1-7, 9 and 11-17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sharifi Mehr (US 10,904,277) in view of Graham et al. (US 201700257397) and Meissner (US 2014/0237377). 

	As per claim 1, Sharifi Mehr teaches a method for visualizing security information, comprising: preprocessing log data extracted from a security device; calculating period data of element information related to internet protocol (IP) address information about a security action based on the preprocessed log data (Sharifi Mehr Col. 4 Lines 17- 22 recites “As described below, the threat intelligence system can receive log information describing network activity between each VCE (or, for example, each virtual machine instance in a VCE) and each activity source (e.g., IP address, ISP, or other network identifier) that communicates with the VCE during a logging period.”).
	But fails to teach providing visualization information obtained by visualizing the IP address information and the calculated period data of the element information and wherein the visualization information lists IP address information objects based on a degree of security danger which is determined by an evaluation of danger in the IP address information.
	However, in an analogous art Graham teaches providing visualization information obtained by visualizing the IP address information and the calculated period data of the element information (Graham, Fig. 6 and 0074 recites “The login activity may be displayed in a table format, which includes columns such as login time, source IP address, the application the user is trying to access, the login event type, and whether or not that event was successful or not. Examples of login event types may include a password challenge, a one-time password challenge, a username challenge, or any commonly accepted method of login and authentication.”) and
	wherein the visualization information lists IP address information objects based on a degree of security danger which is determined by an evaluation of danger in the IP address information (Graham, Fig. 6 and Paragraph 0070-0071 recites “ The Alert Source Column 606 may show the source of the issued alert, such as from a third-party threat detection device, service, application, or provider. In the examples shown, the alert sources include FireEye NX, Palo Alto Wildfire, and Cisco AMP. Other threat detection or threat protection services may be used as alert sources. The specific alert source may be factored into a security policy or method of classifying an alert into an appropriate risk level, for determining the appropriate action to take with a user identity associated with the alert. The alert source. The type of alert may provide information on how, or why, the alert was generated and issued. For example, the figure has the alert types: “Network-Malware” and “Email-Malware.” The “Network-Malware” alert type may signify that the alert was generated as a result of the user identity being compromised by malware while accessing a network. The “Email-Malware” alert type may signify that the alert was generated as a result of identifying malware being sent to the user identity through email.” Fig. 6 displays an alert type which is based on a degree of risk of the identified activity.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Graham’s identity security and containment based on detected threat events with Sharifi Mehr’s Threat Intelligence System Measuring Network Threat Levels because the ability to display and organize data helps to visualize the data for users interested in analyzing data.
	And fails to teach the IP address information objects are listed up, in a tower-shape, based on the degree of security danger, the log ring object is provided in a circular-shape around at least one of the IP address information objects, and a circumferential direction of the log ring object represents a set time information, and a vertical direction of the log ring object represents a corresponding amount of the log data.
	However, in an analogous art Meissner teaches the IP address information objects are listed up, in a tower-shape, based on the degree of security danger, the log ring object is provided in a circular-shape around at least one of the IP address information objects, and a circumferential direction of the log ring object represents a set time information, and a vertical direction of the log ring object represents a corresponding amount of the log data (Meissner Fig. 3 and Paragraph 0030 recites “A pyramid type GUI is depicted in FIG. 3. The pyramid 301 has offerings depicted within it 302-306 ordered by popularity ranking. The most popular offering 302 is at the top of the pyramid 301, with less popular offerings 303-306 descending below. This makes it clear which offering is absolutely the most popular with less popular offerings arranged in lower hierarchical fashion around the top offering. For example, in a pyramid the top offering will be at the top of the pyramid and less popular offerings will be in successively lower rows.”  While a pyramid is not a tower, Meissner is showing how data can be arranged in different shapes depending on user’s preferences. So, while this is in pyramid shape, one could use in a tower shape or any other similar shape.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Meissner’s graphical user interface methods to determine and depict relative popularity of internet offerings with Sharifi Mehr’s Threat Intelligence System Measuring Network Threat Levels because the ability to display and organize data in different shapes is customizable to a user’s preferences.
 
	As per claim 3, Sharifi Mehr in combination with Graham and Meissner teaches the method of claim 1, Graham further teaches wherein the visualization information periodically indicates at least one of the amount of log data of at least one IP address information object among the IP address information objects according to an inbound-allow policy of the security device, the amount of log data of the at least one IP address information object according to an inbound-deny policy, the amount of log data of the at least one IP address information object according to an outbound-allow policy, or the amount of log data of the at least one IP address information object according to an outbound-deny policy (Graham, Fig. 6 And Paragraph 0073 recites “The Identity Action Column 612, may be the action dictated according to a security policy, such as Security Policy 512 shown in FIG. 5. For example, the figure shows the actions of “Stepped-Up” and “Denied.” The “Stepped-Up” identity action may represent that the identity provider should request additional security factors from a user identity corresponding to the derived identity. So based on the first alert shown, if a user using the “jsmith” identity attempts to access the secure resource that is secured by the identity provider, the identity provider will request additional security factors before that user is provided access to the secure resource. The “Denied” identity action may represent that the identity provider should deny access to any user identity corresponding to the derived identity. So based on the second alert shown, if a user using the “bdavis” identity attempts to access the secure resource, the identity provider will deny access to the user completely.”). 
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Graham’s identity security and containment based on detected threat events with Sharifi Mehr’s Threat Intelligence System Measuring Network Threat Levels because the ability to display and organize data helps to visualize the data for users interested in analyzing data.

	As per claim 4, Sharifi Mehr in combination with Graham and Meissner teaches the method of claim 1, Graham further teaches wherein the visualization information provides option information for a period of the period data (Graham, Paragraph 0065 recites “User Interface 510 may be able to filter alerts to be viewed based on a time frame, so that a user may view alerts that have just been received. An example of how User Interface 510 may look is shown in FIG. 6.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Graham’s identity security and containment based on detected threat events with Sharifi Mehr’s Threat Intelligence System Measuring Network Threat Levels because the ability to display and organize data helps to visualize the data for users interested in analyzing data.

	 As per claim 5, Sharifi Mehr in combination with Graham and Meissner  teaches the method of claim 1, Graham further teaches wherein the visualization information provides search option information for searching for the IP address information (Graham, Paragraph 0069 recites “The IP Address Column 604 may show an IP Address associated with the alert. For example, a user may use an identity with an endpoint device, and the endpoint device may be connected to a network with an IP Address. IP Address Column 604 would show the IP Address of that connection. In FIG. 6, the IP Address Column 604 shows IP Addresses, all with the similar IP of “128.134.X.X” which signifies that all the alerts shown are associated with devices on the same local area network.” It would be an obvious variation of display to search/sort the IP addresses.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Graham’s identity security and containment based on detected threat events with Sharifi Mehr’s Threat Intelligence System Measuring Network Threat Levels because the ability to display and organize data helps to visualize the data for users interested in analyzing data.

	 As per claim 6, Sharifi Mehr in combination with Graham and Meissner  teaches the method of claim 1, Graham further teaches wherein the visualization information includes a relationship between a specific period unit and a log data amount for a time unit according to the specific period unit for a first IP address information object among the IP address information objects (Graham, Paragraph 0065 recites “User Interface 510 may be able to filter alerts to be viewed based on a time frame, so that a user may view alerts that have just been received. An example of how User Interface 510 may look is shown in FIG. 6.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Graham’s identity security and containment based on detected threat events with Sharifi Mehr’s Threat Intelligence System Measuring Network Threat Levels because the ability to display and organize data helps to visualize the data for users interested in analyzing data.

	As per claim 7, Sharifi Mehr in combination with Graham and Meissner teaches the method of claim 1, Graham further teaches wherein the visualization information provides a change in the amount of the log data over time for a specific periodic section or a specific aperiodic section in the period data (Graham, Paragraph 0065 recites “User Interface 510 may be able to filter alerts to be viewed based on a time frame, so that a user may view alerts that have just been received. An example of how User Interface 510 may look is shown in FIG. 6.” A change in time the amount of time would be like adjusting the time frame.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Graham’s identity security and containment based on detected threat events with Sharifi Mehr’s Threat Intelligence System Measuring Network Threat Levels because the ability to display and organize data helps to visualize the data for users interested in analyzing data.

Regarding claims 9 and 17, claims 9 and 17 are directed to a device and a storage medium associated with the method of claim 1. Claims 9 and 17 are of similar scope to claim 1, and are therefore rejected under similar rationale.

	Regarding claim 11, claim 11 is directed to a similar device associated with the method of claim 7. Claim 11 is similar in scope to claim 7, and is therefore rejected under similar rationale.

	Regarding claim 12, claim 12 is directed to a similar device associated with the method of claim 6. Claim 12 is similar in scope to claim 6, and is therefore rejected under similar rationale.

	Regarding claim 13, claim 13 is directed to a similar device associated with the method of claim 5. Claim 13 is similar in scope to claim 5, and is therefore rejected under similar rationale.

	Regarding claim 14, claim 14 is directed to a similar device associated with the method of claim 4. Claim 14 is similar in scope to claim 4, and is therefore rejected under similar rationale.

	Regarding claim 15, claim 15 is directed to a similar device associated with the method of claim 3. Claim 15 is similar in scope to claim 3, and is therefore rejected under similar rationale.


Claim(s) 8 and 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sharifi Mehr (US 10,904,277), Graham et al. (US 201700257397) and Meissner (US 2014/0237377) and in further view of Donahue et al. (US 2017/0366576).

	As per claim 8, Sharifi Mehr in combination with Graham and Meissner teaches the method of claim 1, but fails to teach wherein the visualization information provides a user with information about an IP address suspected of an attack according to a change in the amount of the log data.
	However, in an analogous art Donahue teaches wherein the visualization information provides a user with information about an IP address suspected of an attack according to a change in the amount of the log data (Donahue, Paragraph 0033 recites “However, if the suspicious activity count exceeds or equals the first threshold value, the proxy server 204 may transmit or otherwise provide a report or alert to a system administrator indicating the IP address associated with the suspicious activity in operation 408. In one embodiment, the reporting of the suspicious IP address includes generating and transmitting an electronic mail to the system administrator. In another embodiment, the reporting includes logging the IP address into a list of suspicious IP addresses that is accessible by the system administrator.” Exceeding a threshold would read on change in log data. For example, attempting to access from the same IP address.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Donahue’s systems and methods for preventing denial of service attacks utilizing a proxy server with Sharifi Mehr’s Threat Intelligence System Measuring Network Threat Levels because an increase in log activity could be a DDoS attack and preventing such attacks would protect the system.

	Regarding claim 10, claim 10 is directed to a similar device associated with the method of claim 8. Claim 10 is similar in scope to claim 8, and is therefore rejected under similar rationale.

Claim(s) 18-21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sharifi Mehr (US 10,904,277), Graham et al. (US 201700257397) and Meissner (US 2014/0237377) and in further view of Pereira et al. (US 10,924,503).

	As per claim 18, Sharifi Mehr in combination with Graham and Meissner teaches the method of claim 1, but fails to teach wherein when the log data is extracted, the log data includes information of a number and a size of packets sent and received through the security device, the log data further includes information of an active duration time related to an access action, and statistical information of the log data is generated based on the IP address information.
	However, in an analogous art Pereira teaches wherein when the log data is extracted, the log data includes information of a number and a size of packets sent and received through the security device, the log data further includes information of an active duration time related to an access action, and statistical information of the log data is generated based on the IP address information (Pereira, Col. 12 Line 65 – Col. 13 Line 14 recites “For example, the threat processing engine 310 may compare one or more features of the VPC flow log data, such as port number data, to determine whether the VPC flow log data corresponds to malicious or non-malicious network traffic. In some instances, analysis of known malicious network traffic may result in identification of certain source or destination ports that are frequently used, which may then be used to determine whether subsequent network traffic is malicious (e.g., whether the same ports are used, etc.). For example, the threat processing engine 310 may compare first source port data, first destination port data, first packet size data, and/or first session duration data from the VPC flow log data 360 to second source port data, second destination port data, second packet size data, and/or second session duration data from the known malicious and non-malicious network traffic data 370 (or corresponding VPC flow log data).”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Pereira’s Identifying False Positives In Malicious Domain Data Using Network Traffic Data Logs with Sharifi Mehr’s Threat Intelligence System Measuring Network Threat Levels because the more specific the log data is, the better a system can analyze for any threats.  

	As per claim 19, Sharifi Mehr in combination with Graham and Meissner teaches the method of claim 1, but fails to teach wherein the element information includes the IP address information, a port information, a protocol identification information, and an access policy information, which are relevant to a security related danger action.
	However, in an analogous art Pereira teaches wherein the element information includes the IP address information, a port information, a protocol identification information, and an access policy information, which are relevant to a security related danger action (Pereira, Col. 12 Line 65 – Col. 13 Line 14 recites “For example, the threat processing engine 310 may compare one or more features of the VPC flow log data, such as port number data, to determine whether the VPC flow log data corresponds to malicious or non-malicious network traffic. In some instances, analysis of known malicious network traffic may result in identification of certain source or destination ports that are frequently used, which may then be used to determine whether subsequent network traffic is malicious (e.g., whether the same ports are used, etc.). For example, the threat processing engine 310 may compare first source port data, first destination port data, first packet size data, and/or first session duration data from the VPC flow log data 360 to second source port data, second destination port data, second packet size data, and/or second session duration data from the known malicious and non-malicious network traffic data 370 (or corresponding VPC flow log data).”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Pereira’s Identifying False Positives In Malicious Domain Data Using Network Traffic Data Logs with Sharifi Mehr’s Threat Intelligence System Measuring Network Threat Levels because the more specific the log data is, the better a system can analyze for any threats.


	As per claim 20, Sharifi Mehr in combination with Graham and Meissner teaches the method of claim 1, but fails to teach wherein the evaluation of danger is performed based on a periodicity or an aperiodicity of the log data in a statistical procedure for an amount of the log data, and the visualization information numerically indicates a number or a frequency of the periodicity or the aperiodicity of the log data and a degree of security danger.
	However, in an analogous art Pereira teaches wherein the evaluation of danger is performed based on a periodicity or an aperiodicity of the log data in a statistical procedure for an amount of the log data, and the visualization information numerically indicates a number or a frequency of the periodicity or the aperiodicity of the log data and a degree of security danger (Pereira, Col. 5 Lines 50-64 recites “For example, VPC flow log data corresponding to network traffic directed to or from the respective IP addresses may be extracted from a set of flow log data. The extracted VPC flow log data may be for a certain period of time, such as a preceding 24 hours, 1 week, etc. The false positive detection server 110 may determine a first VPC flow log for a first VPC that includes network traffic corresponding to the first IP address. The first VPC flow log may include flow log records representing network flow for one or more, or each, network interface in the first VPC. The false positive detection server 110 may determine a second VPC flow log for a second VPC that includes network traffic corresponding to the second IP address. The second VPC flow log may include flow log records representing network flow for one or more, or each, network interface in the second VPC.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Pereira’s Identifying False Positives In Malicious Domain Data Using Network Traffic Data Logs with Sharifi Mehr’s Threat Intelligence System Measuring Network Threat Levels because the more specific the log data is, the better a system can analyze for any threats.

	As per claim 21, Sharifi Mehr in combination with Graham and Meissner teaches the method of claim 1, but fails to teach wherein a periodicity or an aperiodicity of the log data is calculated based on a degree of change in the log data, and the degree of change includes: a change of ports of actions related to the log data; a change in the log data produced outside of a predetermined hour; and a change in the log data related to blocked actions.
	However, in an analogous art Pereira teaches wherein a periodicity or an aperiodicity of the log data is calculated based on a degree of change in the log data, and the degree of change includes: a change of ports of actions related to the log data; a change in the log data produced outside of a predetermined hour; and a change in the log data related to blocked actions (Pereira, Col. 5 Lines 50-64 recites “For example, VPC flow log data corresponding to network traffic directed to or from the respective IP addresses may be extracted from a set of flow log data. The extracted VPC flow log data may be for a certain period of time, such as a preceding 24 hours, 1 week, etc. The false positive detection server 110 may determine a first VPC flow log for a first VPC that includes network traffic corresponding to the first IP address. The first VPC flow log may include flow log records representing network flow for one or more, or each, network interface in the first VPC. The false positive detection server 110 may determine a second VPC flow log for a second VPC that includes network traffic corresponding to the second IP address. The second VPC flow log may include flow log records representing network flow for one or more, or each, network interface in the second VPC.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Pereira’s Identifying False Positives In Malicious Domain Data Using Network Traffic Data Logs with Sharifi Mehr’s Threat Intelligence System Measuring Network Threat Levels because the more specific the log data is, the better a system can analyze for any threats.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached Mon-Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

RODERICK TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439