DETAILED ACTION
This Office Action is in response to the application 17/479,850 filed on 09/20/2021.
Claims 1-20 have been examined and are pending in this application.
This application claims priority under 35 USC § 120 to U.S. Patent Application Serial No. 16/125,256, filed on September 7, 2018, titled "SYSTEM AND USER CONTEXT IN ENTERPRISE THREAT DETECTION" (Attorney Docket No.: 22135-0889002 / 150181US02), which claims priority under 35 USC § 120 to U.S. Patent Application Serial No. 14/978,984, filed on December 22, 2015, titled "SYSTEM AND USER CONTEXT IN ENTERPRISE THREAT DETECTION" (Attorney Docket No.: 22135-0889001 / 150181US01), now issued as U.S. Patent No. 10,075,462 issued on September 11, 2018.


Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Election/Restrictions
For the record, the Examiner acknowledges that NO restriction was warranted at applicant's initial time of filing for patent.

Priority
For the record, the Examiner acknowledges that NO foreign priority was claimed at applicant's initial time of filing for patent.


Information Disclosure Statement
The information disclosure statement (IDS), submitted on 09/20/2021 and 11/03/2021, is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Oath/Declaration
For the record, the Examiner acknowledges that the Oath/Declaration submitted on 09/20/2021 has been accepted.

Drawings
For the record, the Examiner acknowledges that the drawings filed on 09/20/2021 have been accepted.

Specification
For the record, the Examiner acknowledges that the Applicant's specification filed on 09/20/2021 has been accepted.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Song, Patent No.: US 9,582,495 in view of Buys, “Log Analysis Aided by Latent Semantic Mapping”, 2013.

Referring to claim 1, Song teaches a computer-implemented method, comprising: accessing a log file including a plurality of log entries (8:14-20 and figs. 5A and 5B, “In a second step 512 the engine is caused to receive a heterogeneous input comprising an element.”; heterogeneous input data 501/A, B and C corresponding to a plurality of log entries/log file); 
determining semantic meaning of the semantic event associated with the particular log entry, wherein a mapping is performed by applying contextual information from one or more semantic meaning models stored in a knowledgebase to the identified components to derive, as derived semantic meaning, semantic meaning for the particular log entry, and wherein deriving semantic meaning for the particular log entry further comprises annotating, as an annotated action, an action of a particular identified component of the particular log entry and, as annotated semantic roles, semantic roles of the action (fig. 5E shows that the mapping performed is related to a particular event. 8:20-23 and fig. 5B, “In a third step 513 the engine is caused to reference a schema of a knowledge model created by a domain expert, to produce a mapping of the element with a class of the mapping schema.”, a schema of a knowledge model corresponding to the mapping from one or more semantic models stored in a knowledgebase; 7:60-62 and fig. 5A, “The Resource Model 504 is a semantic model aiming to provide a comprehensive representation for the information input from heterogeneous data sources.”; 8:59-61: “The appropriate semantic attributes are associated with these characteristics in the raw data metrics.”);
modeling the derived semantic meaning for the particular log entry (9:8-11, “Pursuant to the expert-defined semantic attribute schema, the information is extracted by annotating characteristics of data stream and modelled into corresponding semantic attributes.”; 8:23-26 and fig. 5B, “In a fourth step 514, the engine is caused to output a resource model comprising the mapping and a relationship between the element and the data type.”, the engine is caused to output a resource model corresponding to modeling the derived semantic meaning for the particular log entry.); and 
recording the modeled semantic meaning in the knowledgebase as a new semantic meaning model for future use (9:58-60, “The semantic entities in the entity pool are then maintained for use in other approaches.”, maintaining semantic entities corresponding to recording… of new semantic meaning model for future use).

Song does not explicitly disclose analyzing each log entry of the plurality of log entries to identify, as identified components, components of each log entry, wherein the identified components of a particular log entry indicate a semantic event, wherein the semantic event is associated with semantic roles, and wherein each semantic role is associated with one or more attributes.

However, in an analogous art, Buys teaches analyzing each log entry of the plurality of log entries to identify, as identified components, components of each log entry, wherein the identified components of a particular log entry indicate a semantic event, wherein the semantic event is associated with semantic roles, and wherein each semantic role is associated with one or more attributes (Page 7, sec. event, states: “An event as … the smallest collection of data … ‘Event’ is the chosen term to represent a single log entry or line in a log file. Events [plural] can be contained within a single line of a log file, such as with syslog events, or may consists of multiple lines...”; Page 7, sec. event source, also states: “An event source is an actual collection of events [plural], normally found in the form of a log file.... There can be many different event sources, each emitting events. In large enterprises, it would not be unusual to have thousands of event sources. In information retrieval terms, an event source would be analogous to a corpus of documents.”; further, Page 8, sec. eventtypes, states: “...the type of event. Whereas sourcetype is the complete set of or a subset of events associated with an event source [such as a log file], eventtype deals with the classification of the actual event, so a sourcetype many contain many different eventtypes. Eventtypes address the action or outcome described by an event.”; further, Page 9, sec. identification, states: “’Identification’, an integral part of the process that results in classification... identification is the result of the process whereby an event has been identified as a certain pre-determine eventtype or sourcetype. For example, an event within a new data set may be identified as a “logon” eventtype.”; see also Pages 20-21, figs. 2.1-2.4, noting that in each, at least one of the fields of the event is username.
The examiner notes that receiving, extracting, or otherwise determining a “username” associated with a particular event teaches the claimed “associated with a role”. Also note that any or all of Figures 2.1-2.4 show that the role is associated with one or more attributes (e.g. Figure 2.1 shows “Logon ID”, “Authentication Package”, “Record Number”, etc.). The examiner notes that any or all of the “attributes” shown in the event file teach the claimed “wherein each role is associated with one or more attributes.” Finally, the examiner notes that because Buys describes that “identification” is an “integral part” of the process and that identification results in an eventtype, Buys necessarily teaches that 1) each log entry is analyzed (e.g. identified) and 2) components of each log entry are identified (e.g. username, eventtype, etc.), and thus teaches the claim language. Additionally, or in the alternative, see the Page 9 definition of disambiguation: “Disambiguation within the context of this research is the ability of a security practitioner to different events from each other, an integral part of the identification processing... The research will attempt to use LSM (Latent Semantic Mapping) to disambiguate large collection of events.”).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention (AIA) to combine the teachings of Song with the method and system of Buys, wherein analyzing each log entry of the plurality of log entries to identify, as identified components, components of each log entry, wherein the identified components of a particular log entry indicate a semantic event, wherein the semantic event is associated with semantic roles, and wherein each semantic role is associated with one or more attributes, to provide users with a means for analyzing log events, since operational security practitioners are becoming increasingly aware of the value of the information captured in log events. Analysis of these events is critical during incident response, forensic investigations related to network breaches, hacking attacks and data leaks. Such analysis has led to the discipline of Security Event Analysis, also known as Log Analysis (Buys: Abstract).

Referring to claim 2, Song and Buys teach the computer-implemented method of claim 1. Buys further teaches wherein a particular identified component of the identified components of the particular log entry comprises a process identification (ID), and wherein the process ID becomes an attribute of a remote function call (RFC) gateway (Page 9, sec. identification, and figs. 2.1-2.4, “’Identification’, an integral part of the process that results in classification... identification is the result of the process whereby an event has been identified as a certain pre-determine eventtype or sourcetype.”).

Referring to claim 3, Song and Buys teach the computer-implemented method of claim 1. Song further teaches comprising generating an annotated sentence associated with the particular log entry based on the annotated action of the particular identified component of the particular log entry and the annotated semantic roles of the action (Song: 8:20-23; figs. 5B and 5E show that the mapping performed is related to a particular event.).

Referring to claim 4, Song and Buys teach the computer-implemented method of claim 3. Song further teaches comprising generating a generalized sentence associated with the particular log entry based on the annotated sentence (Song: 9:8-11, “Pursuant to the expert-defined semantic attribute schema...”).

Referring to claim 5, Song and Buys teach the computer-implemented method of claim 4. Song further teaches wherein modeling the derived semantic meaning for the particular log entry utilizes the annotated sentence and the generalized sentence (Song: 9:8-11, “Pursuant to the expert-defined semantic attribute schema...”).

Referring to claim 6, Song and Buys teach the computer-implemented method of claim 4. Song further teaches comprising creating relationships between semantic events utilizing the generalized sentence (Song: 9:8-11, “Pursuant to the expert-defined semantic attribute schema...”).

Referring to claim 7, Song and Buys teach the computer-implemented method of claim 3. Song further teaches wherein semantic events are related using semantic event relations of varying semantic event relation types (Song: 7:60-62; 8:20-23; 8:59-61 and figs. 5).
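The pipeline recited in claims 1 and 3-4, as an added illustration that is not code from Song, Buys or the application under examination: each syslog-style entry is split into components, the components are mapped through a knowledgebase of semantic meaning models to an action with annotated roles (each role carrying the entry's attributes), an annotated and a generalized sentence are produced, and a new model is recorded when no existing model covers an entry. The knowledgebase contents, regular expressions, role names and log lines are constructed assumptions.

```python
import re

# Constructed knowledgebase of semantic meaning models (assumption: a real
# system loads these from a store). Each model maps a message pattern to an
# action and to the semantic roles filled by the pattern's named groups.
KNOWLEDGEBASE = {
    "logon": {
        "pattern": re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+)"),
        "action": "logon",
        "roles": {"agent": "user", "origin": "src", "method": "method"},
    },
}

# Syslog-style entry: "<ts> <host> <process>[<pid>]: <message>"
ENTRY_RE = re.compile(
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)")

def identify_components(entry):
    """Step 1: identify the components of one log entry (None if malformed)."""
    m = ENTRY_RE.match(entry)
    return m.groupdict() if m else None

def derive_semantic_meaning(components, kb=KNOWLEDGEBASE):
    """Step 2: apply the knowledgebase models to the components; annotate the
    action and its semantic roles, each role carrying the entry's attributes."""
    for name, model in kb.items():
        m = model["pattern"].search(components["msg"])
        if m:
            attrs = {"host": components["host"], "process": components["proc"], "pid": components["pid"]}
            roles = {role: {"value": m.group(grp), **attrs} for role, grp in model["roles"].items()}
            return {"event": name, "action": model["action"], "roles": roles}
    return None  # no model in the knowledgebase covers this entry

def annotated_sentence(meaning):
    """Step 3: annotated sentence naming the action and each filled role."""
    parts = [f"[{meaning['action']}](action)"]
    parts += [f"[{r['value']}]({role})" for role, r in meaning["roles"].items()]
    return " ".join(parts)

def generalized_sentence(meaning):
    """Step 4: generalized sentence with role values abstracted to placeholders."""
    return " ".join([f"<{meaning['action']}>"] + [f"<{role}>" for role in meaning["roles"]])

def record_new_model(kb, name, action, pattern, roles):
    """Step 5: record a modeled meaning in the knowledgebase for future entries."""
    kb[name] = {"pattern": re.compile(pattern), "action": action, "roles": roles}
    return kb[name]

# Constructed sample entries (not real log data).
SAMPLE_OK = "Mar  3 10:15:02 hostA sshd[2041]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2"
SAMPLE_NEW = "Mar  3 10:16:40 hostA sshd[2041]: Failed password for invalid user bob from 203.0.113.9 port 4100 ssh2"
```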

Referring to claim 8, this claim is similar in scope to claim 1, and is therefore rejected under similar rationale.

Referring to claim 9, this claim is similar in scope to claim 2, and is therefore rejected under similar rationale.

Referring to claim 10, this claim is similar in scope to claim 3, and is therefore rejected under similar rationale.

Referring to claim 11, this claim is similar in scope to claim 4, and is therefore rejected under similar rationale.

Referring to claim 12, this claim is similar in scope to claim 5, and is therefore rejected under similar rationale.

Referring to claim 13, this claim is similar in scope to claim 6, and is therefore rejected under similar rationale.

Referring to claim 14, this claim is similar in scope to claim 7, and is therefore rejected under similar rationale.

Referring to claim 15, this claim is similar in scope to claim 1, and is therefore rejected under similar rationale.

Referring to claim 16, this claim is similar in scope to claim 2, and is therefore rejected under similar rationale.

Referring to claim 17, this claim is similar in scope to claim 3, and is therefore rejected under similar rationale.

Referring to claim 18, this claim is similar in scope to claim 4, and is therefore rejected under similar rationale.

Referring to claim 19, this claim is similar in scope to claim 5, and is therefore rejected under similar rationale.

Referring to claim 20, this claim is similar in scope to claim 6, and is therefore rejected under similar rationale.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Please see attached PTO-892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YONAS A BAYOU whose telephone number is (571)272-7610. The examiner can normally be reached Monday-Friday 7AM-4PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached on 571-272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/YONAS A BAYOU/
Primary Examiner, Art Unit 2499
12/10/2022