DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is in response to application filed 04/27/2020. Claims 1-20 are pending.

Priority
This application is a CIP of 16/781,505 filed 02/04/2020 which is a continuation of 14/943,579 filed 11/17/2015, now Patent No. 10594656.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 04/27/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 4 and 11 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Regarding claims 4 and 11, the phrase "Snort-like" renders the claims indefinite, in the same way that "or the like" does, because the claims include elements not actually disclosed (those encompassed by "or the like"), thereby rendering the scope of the claims unascertainable. See MPEP § 2173.05(d).
For examination, the claimed feature is interpreted as any format by which a pattern, signature, syntax or expression is matched.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-3, 6-7, 9-10, 12, 15-16, 18 and 20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea, as defined in the 2019 PEG for the Electrical Arts, without significantly more.

	In accordance with 2019 PEG:
	Per step 1, claims 1-20 are directed to at least one statutory category of invention.
	However, per step 2A, prong one, claims 1, 9 and 16 recite limitations that are construed as an abstract idea, i.e., the mental processes grouping, because the limitations can reasonably be performed mentally, i.e., by a technician. Based on the BRI of the limitations as currently 
Per step 2A, prong two: claims 1, 9 and 16 fail to integrate the abstract idea into a practical application and therefore each claim as a whole remains abstract. 
**To clarify, and only as an example, stream-based traffic/flow could be incorporated into the claimed features, where appropriate, to narrow the functions to specialized computer-implemented functions that are necessarily performed by the "node of a cloud-based security system," because a human cannot reasonably obtain rules from stream-based traffic/flow without specialized computer-implemented functions.**
Per step 2B: claims 1, 9 and 16 do not include any additional elements (other than a generic processor and generic CRM) that amount to significantly more; therefore claims 1, 9 and 16 are patent "ineligible."
The same analysis explained in steps 2A - 2B applies to claims 2-3, 6-7, 10, 12, 15, 18 and 20, and therefore these claims are patent "ineligible" as well.
Claims 4-5, 8, 11, 13-14, 17 and 19 are patent "eligible" because they integrate the abstract idea into a practical application (step 2A, prong two analysis).

Claim Objections
Claims 2, 10 and 17 are objected to because of the following informalities:  
The limitation "processing domains associated with the triggering any of the experimental rules to further develop the experimental rules" appears to contain a grammatical error that renders the scope not readily clear.
For examination, this limitation is read “processing domains associated with the triggering any of the experimental rules to further develop [training] rules”

Appropriate correction and/or clarification is required.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


1.	Claims 1, 4-9, 11-16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Nucci, US Patent 9094288B1 in view of Ranum, US2014/0013434A1.

Per claim 1, Nucci discloses a non-transitory computer-readable storage medium having computer readable code stored thereon for programming a processor (Nucci: Fig. 4, elements 401,402,403,406 – Note: embodiments of the invention may be implemented on virtually any 
obtaining a plurality of rules, each defined via a rule syntax that includes a rule header and rule options, wherein each rule header is used for a rule database lookup, and the rule options are used to specify details about the associated rule (Each flow-bucket is then forwarded to the threat tagger (309) that extracts the flow identifiers, retrieves the correspondent flow payloads from the flow payload storage (311), and analyzes the flow payloads to automatically extract the threat payload signature.  The threat tagger (309) corresponds to the signature generator (214) depicted in FIG. 1B above…Although successful in extracting the payload signature of the newly discovered malware, the threat tagger (309) will not be able to retrieve the associated label (marked <L=?>).  In order to overcome this limitation, the threat tagger (309) shares specific information with the host module (301).  More specifically, any executable found by the threat tagger (309) in any of the flow in a flow-bucket is forwarded to the host module (301) for retrieving the unknown threat label.  In case no executable can be found, the threat tagger (309) provides the host module (301) with labels of the set of known/bad threats with which the new threat shares the highest level of behavioral structure.  The host module (301) then compares whether such behavioral similarity is shared at the state machine level as well.  If so, the host module (301) generates an internal label to track the new threat until a formal label is available, e.g., formally recognized by the malware research community – Nucci: col. 14, lines 61-67 and col. 15, lines 1-20); 
(the data capture module (201) is configured to observe and collect information regarding traffic streams (e.g., packet headers and/or full packet streams) and to filter and organize the collected traffic stream data regarding duplicate records or out-of-order records.  Specifically, the data capture module (201) extracts the payload and the flow-features for sending to the pattern matching engine (202) and the statistical classifier (204).  For example, the data capture module (201) includes functionality of the flow parser (105) of FIG. 1A that extracts statistical features on a per-flow basis while the pattern matching engine (202) corresponds to the IDS/IPS (106) of FIG. 1A that analyzes these received packets and generates flow labels based on existing payload based signatures in the signature library (203) – Nucci: col. 7, lines 59-67 and col. 8, lines 1-6); 
Nucci is not relied upon to explicitly disclose "monitoring data associated with a user of the cloud-based security system"; however, Ranum discloses monitoring data associated with a user of the cloud-based security system (the passive scanners 120 may monitor the network in real-time to detect any potential vulnerabilities in the network in response to identifying interactive or encrypted sessions in the packet stream (e.g., interactive sessions may typically include activity occurring through keyboard inputs, while encrypted sessions may cause communications to appear random, which can obscure activity that installs backdoors or rootkit applications) – Ranum: par. 0032 – Note: a cloud database that aggregates signatures associated with known virus or malware samples that multiple different anti-virus vendors have catalogued – par. 0017).
Nucci in view of Ranum further discloses analyzing the data with the plurality of rules (the group behavioral model is generated by analyzing layer 3 and layer 4 contents of the set of historical flows based on a supervised machine learning algorithm.  Using the same supervised machine learning algorithm, the statistical model generator (208) is further configured to analyze, for each signature in the signature library (203), a matched subset of the historical flows to generate a corresponding behavioral model representing specific behavior exhibited in the matched subset.  Such behavior model is in turn used to further identify additional flows to be added to the set of historical flows in a recursive manner.  In particular, the corresponding behavioral model is generated by analyzing layer 3 and layer 4 contents of the matched subset based on the supervised machine learning algorithm.  As shown in FIG. 1B, the group behavior model associated with the signature library (203) and other behavior models each associated with an individual signature in the signature library (203) are stored as the statistical models (215) to be used by the statistical classifier (204).  In one or more embodiments, the statistical models (215) are generated based on the aforementioned layer 3 and layer 4 contents and are referred to as layer 3 and layer 4 models – Nucci: col. 8, lines 49-67); and 
performing one or more security functions on the data based on triggering of a rule of the plurality of rules (Signatures for each newly discovered flow-bucket is then forwarded, e.g., via the module (301), to the IDS/IPS (302) that will start using them for tagging/labeling incoming flows – Nucci: col. 14, line 67 and col. 15, lines 1-3).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Nucci in view of Ranum to include monitoring data associated with a user of the cloud-based security system.
One of ordinary skill in the art would have been motivated because it would allow "strategic anti-malware monitoring in a network, and in particular, to leveraging active network scanning and passive network monitoring and cloud databases to determine whether any hosts in the network are running processes or hosting content that match known virus or malware signatures that various different anti-virus vendors have catalogued to detect malware infections without requiring the hosts to have a local or resident anti-virus agent" – Ranum: par. 0002. It would further allow one to "provide a unified solution that aggregates the vulnerability and asset information obtained by the active scanners 210, the passive scanners 220, and the log aggregator 290 to comprehensively manage governance, risk, and compliance across the network" – Ranum: par. 0041.

Per claim 9, it recites a node in a cloud-based security system, comprising: 
a processor (Nucci: Fig. 4, 402) and memory storing instructions (Nucci: Fig. 4, 404) that, when executed, cause the processor to perform the steps recited in claim 1.
Therefore, claim 9 is rejected based on the same analysis and motivation to combine set forth in the rejection of claim 1 above. 

Per claim 16, it recites a method implemented in a node in a cloud-based security system comprising the steps recited in claim 1.
Therefore, claim 16 is rejected based on the same analysis and motivation to combine set forth in the rejection of claim 1 above. 

Per claims 4 and 11, Nucci in view of Ranum discloses the features of claims 1 and 9, wherein the plurality of rules include a Snort-like format (For each cluster, the suspicious flows that behave similarly in terms of communication pattern are identified and stored in one of the flow-buckets B_i, i = 1, . . . , I.  Each flow-bucket is then forwarded to the threat tagger (309) that extracts the flow identifiers, retrieves the correspondent flow payloads from the flow payload storage (311), and analyzes the flow payloads to automatically extract the threat payload signature – Nucci: col. 14, lines 59-67 – Note: the extracted payload signature is interpreted as equivalent to a Snort-like format, i.e., a pattern matched against the payload).
Further, Ranum explicitly discloses that "the intrusion detection system may generally include an open source network intrusion prevention and detection system (e.g., Snort), a packet analyzer, or any other system having a suitable sensor 215 that can detect and prevent intrusion or other security events in the network" – Ranum: par. 0037.
The same motivation to modify Nucci in view of Ranum applied to claim 1 above applies here.

Per claims 5, 12 and 18, Nucci in view of Ranum discloses the features of claims 1, 9 and 16, wherein the node does not buffer the data during the monitoring, and wherein the steps further include maintaining a stream state across packet boundaries of the data (At any single time based on the flow-based features (i.e., feature vectors) observed to that time point, the statistical model generator (208) creates a decision boundary for identifying flows exhibiting the aforementioned common behavior associated with the signature library (203) or for identifying flows exhibiting the aforementioned specific behavior associated with a particular signature in the signature library (203).  For example, the statistical model generator (208) may create a decision boundary for identifying general malicious flows labeled by macro-profiling or a particular class of malicious flows labeled by micro-profiling. The task of the statistical model generator (208) is to identify the important features that are responsible for creating the boundary.  FIG. 3A shows an example two dimensional decision space (300) defined by example feature 1 and feature 2, which are identified as the important features for creating the boundary – Nucci: col. 9, lines 12-28 – Note: the dark segments in the two-dimensional space represent a threat region defined by the aforementioned boundary.  For the example where the decision space corresponds to a behavior model associated with a particular signature in the signature library, the threat region represents the specific behavior of flows matching the particular signature).

Per claims 6, 13 and 19, Nucci in view of Ranum discloses features of claims 1, 9 and 16. 
Nucci is not relied upon to explicitly disclose, but Ranum discloses, wherein the steps further include, subsequent to a first match of the rule of the plurality of rules, stopping the analyzing and performing the one or more security functions (an operation 350 may use the information obtained with the active scanners in operations 310 and 320 in combination with the network activity monitored in operation 340 to remediate network compromises that arise from operation 330 detecting viruses or other malware in the network – Ranum: par. 0050 – Note: generating a report, isolating where the viruses or other malware took hold in the network, and searching for other hosts that may be infected with the same virus or malware).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Nucci in view of Ranum to include wherein the steps further include subsequent to a first match of the rule of the plurality of rules, stopping the analyzing and performing the one or more security functions.
One of ordinary skill in the art would have been motivated because it would allow “to prevent further infection and assess strategies to prevent similar infections from happening in the future” – Ranum: par. 0050.

Per claims 7 and 14, Nucci in view of Ranum discloses the non-transitory computer-readable storage medium of claims 1 and 9, wherein one or more rules of the plurality of rules include a fast pattern (When a flow matches any of the signatures (referred to as a positive match), the IDS/IPS (302) tags the flow as known/bad – Nucci: col. 13, lines 29-31 – Note: a known/bad signature is associated with an already accounted-for threat model and would not need further analysis by the system).

Per claims 8, 15 and 20, Nucci in view of Ranum discloses features of claims 1, 9 and 16, wherein the cloud-based security system utilizes the plurality of rules to implement one or more of a firewall and an intrusion prevention system (the data capture and processing module (103) collects the data in the form of full packets, packet headers and flow information…This module also has an intrusion detection/prevention system (IDS/IPS (106)) that leverages the work done by the host module (101) and runs the generated rules against incoming packets (104) where it searches deep within the packet payloads for matches – Nucci: col. 6, lines 14-24).
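The following Python example is added by the editor for illustration only; it is not part of the Office action, the claims as filed, or any of the cited references (Nucci, Ranum, Leddy). It assumes Snort 2-style rule syntax, and its sample rules and packet payloads are constructed. It shows, in running code, the features recited in claims 1, 4-7 and 11-14 as discussed above: a rule split into a header (used as the rule database lookup key) and rule options (carrying the details), a fast pattern chosen per rule and used as a cheap prefilter, per-flow stream state carried across packet boundaries without buffering the payload, and stopping the analysis at the first matching rule.

```python
import re
from dataclasses import dataclass, field

# Constructed sample rules (assumption: Snort 2-style syntax; these are not
# rules from the application or from Nucci, Ranum or Leddy).
RULES_TEXT = """
alert tcp any any -> any 80 (msg:"HTTP cmd.exe probe"; content:"cmd.exe"; fast_pattern; content:"HTTP/1.1"; sid:1000001;)
alert tcp any any -> any 80 (msg:"HTTP passwd probe"; content:"/etc/passwd"; sid:1000002;)
alert tcp any any -> any 22 (msg:"SSH-2.0 banner"; content:"SSH-2.0"; sid:1000003;)
"""

# Rule header: action proto src sport direction dst dport, then "(options)".
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$"
)
# One option: keyword, optional value (quoted or bare), terminated by ";".
OPT_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


@dataclass
class Rule:
    header: tuple          # (proto, dport): the rule database lookup key
    sid: int
    msg: str
    contents: list         # every content: pattern, in rule order (all must match)
    fast_pattern: bytes    # the single content used as the prefilter


def parse_rule(line):
    """Split a Snort-like rule into its header and its options."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    contents, fast, sid, msg = [], None, None, ""
    for key, raw in OPT_RE.findall(m.group("opts")):
        val = raw.strip().strip('"')
        if key == "content":
            contents.append(val.encode())
        elif key == "fast_pattern" and contents:   # modifier for the preceding content
            fast = contents[-1]
        elif key == "sid":
            sid = int(val)
        elif key == "msg":
            msg = val
    if not contents or sid is None:
        raise ValueError(f"rule needs at least one content and a sid: {line!r}")
    # Snort's default: the longest content is the fast pattern unless one is flagged.
    return Rule((m.group("proto"), m.group("dport")), sid, msg, contents,
                fast or max(contents, key=len))


def load_rules(text):
    """Rule database keyed by header, so a packet is only checked against its port's rules."""
    db = {}
    for line in text.strip().splitlines():
        rule = parse_rule(line)
        db.setdefault(rule.header, []).append(rule)
    return db


@dataclass
class FlowState:
    """Per-flow state kept across packet boundaries instead of a payload buffer:
    only the last (longest content - 1) bytes plus each rule's matching progress."""
    tail: bytes = b""
    seen: dict = field(default_factory=dict)   # sid -> set of matched content indexes


def inspect_packet(db, state, proto, dport, payload):
    """Return the first fully matching rule for this packet, or None."""
    rules = db.get((proto, dport), [])            # header-keyed lookup
    if not rules:
        return None
    window = state.tail + payload                 # spans the previous packet boundary
    for rule in rules:
        # Prefilter: evaluate a rule only if its fast pattern is in the window,
        # or if the flow already made partial progress on that rule.
        if rule.fast_pattern not in window and rule.sid not in state.seen:
            continue
        hit = state.seen.setdefault(rule.sid, set())
        hit.update(i for i, c in enumerate(rule.contents) if c in window)
        if len(hit) == len(rule.contents):
            return rule                           # first match: stop analyzing
    keep = max(len(c) for r in rules for c in r.contents) - 1
    state.tail = window[-keep:] if keep > 0 else b""
    return None


def scan_flow(db, proto, dport, packets):
    """Feed one flow's packets to the inspector; return the triggered sid or None."""
    state = FlowState()
    for payload in packets:
        rule = inspect_packet(db, state, proto, dport, payload)
        if rule:
            return rule.sid
    return None
```

In this example a pattern such as "cmd.exe" split across two TCP segments still matches because the per-flow tail carries the last bytes of the previous segment, while only the header-selected rules whose fast pattern appears in the window are evaluated, and evaluation of the flow stops at the first rule that matches.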

2.	Claims 2-3, 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Nucci, US Patent 9094288B1 in view of Ranum, US2014/0013434A1 as applied to claims 1, 9 and 16 above, further in view of Leddy, US2020/0067861A1.

Per claims 2, 10 and 17, Nucci in view of Ranum discloses features of claims 1, 9 and 16. 
Nucci in view of Ranum is not relied on to explicitly disclose but further in view of Leddy discloses wherein one or more rules of the plurality of rules include experimental rules (for example by performing a "whois" query against an Internet registry, it is tested whether the URL is associated with a known brand, whether the URL links to a good/bad page, etc. – Leddy: par. 0219 – Note: “whois” is considered a generic signature used to establish a temporary/experimental rule), and wherein the steps further include monitoring the data associated with triggering any of the experimental rules (As one example, if the URL was recently formed/registered and is not associated with a known brand, then the training module can determine that a new rule should be generated for that URL.  Any other appropriate URL analysis techniques (which may include third party techniques) can be used to determine whether a new rule should be generated for a URL. Thus, based on the analysis of the URL, the message is placed in the yellow bin – Leddy: par. 0219); and 
processing domains associated with the triggering any of the experimental rules to further develop the experimental rules (A new rule for "baddomain.com" is generated/authored.  The new rule is added to a rules database (e.g., as a new entry), which is loaded by the URL filter.  The new URL filter rule can then be used to filter out messages that include the "baddomain.com" URL. [0222] In some embodiments, the training module determines whether a new rule should be generated for the extracted URL – Leddy: par. 0221-0222 – Note: machine learning techniques are used to perform training.  In some embodiments, the training progresses through a cycle of test (where the message that passed through the test process is determined to have training potential), enters a training phase, performs re-training, etc. – par. 0239).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Nucci-Ranum further in view of Leddy to include wherein one or more rules of the plurality of rules include experimental rules, and wherein the steps further include monitoring the data associated with triggering any of the experimental rules; and processing domains associated with the triggering any of the experimental rules to further develop the experimental rules.
One of ordinary skill in the art would have been motivated because it would allow protecting users against evolving scams – Leddy: par. 0004 – while keeping false positives at a level acceptable to the system by testing rules against all ham messages, against a subset of ham, or by bypassing testing against ham, e.g., based on the urgency/priority of implementing the rule – Leddy: par. 0120.

Per claim 3, Nucci-Ranum-Leddy discloses the non-transitory computer-readable storage medium of claim 2, wherein the experimental rules are written in a manner that includes false positives, and the processing is to reduce the false positives (Statistical models are generated by training the models on flows tagged using the threat signatures provided by the host-view.  Accordingly, the models are tuned both to capture the holistic properties shared by the malicious threat across as a whole (and thus capable to spot new ones) and to model the behavior of each of the discovered threat (and thus capable to discover the known threats even in case the malicious sessions may be encrypted to bypass traditional IDS and firewall network systems).  As a consequence, false positive/negative is reduced to present more precise evidence of suspicious activities allowing the analyst to focus on events that require immediate attention – Nucci: col. 5, lines 31-43).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
The following USPGPUBs disclose similar scope. 
Korsunsky (US2011/0214157, US2011/0235510, US2011/0238855, US2011/0231564, US2011/0231869) and Kapoor (US2008/0229415, US2007/0192863, US2008/0262990).
Among other advantages and in the context closely similar to the instant application, they are all generally directed to identifying zero-day/zero-knowledge/unknown attacks by matching signatures and syntaxes and identifying patterns or reoccurrences to develop and store models for inferring policies (rules) which are used to firewall and/or mitigate accordingly in a timely fashion.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533.  The examiner can normally be reached on Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571 - 272 - 3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AREZOO SHERKAT/Examiner, Art Unit 2434