Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is in response to Application # 16/534,126 filed on 08/07/2019 in which claims 1-20 are presented for examination.

Status of Claims
Claims 1-20 are pending, and all of Claims 1-20 are considered allowable via the included Examiner's Amendment.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given in a telephone interview with Chitrajit Chandrashekar on January 29, 2021.
 
The application has been amended as follows:

In the Claims:

Claim 1: (Currently Amended)
A method for network security implemented by a network traffic management system comprising one or more anomaly detection apparatuses, server devices, or client devices, the method comprising:
applying a model to received network traffic to generate a likelihood score score model is associated with a browsing pattern for a web application to which the network traffic is directed; and
initiating a mitigation action against the network traffic, when the flow score exceeds a threshold.


Claim 2: (Currently Amended)
The method of claim 1, further comprising:
updating a sub-model model based on an obtained raw feature 
sending a client-side script to a client that originated the other network traffic, the client-side script configured to, when executed, return feature 


Claim 3: (Currently Amended)
The method of claim 1, wherein the model comprises a web application model and an anomaly detection model and the method further comprises applying the web application model to the network traffic to generate the likelihood score score to generate the flow score.


Claim 4: (Currently Amended)
The method of claim 1, further comprising selecting the model from a plurality of stored models based on a current time or a platform corresponding to a flow associated with the network traffic.


Claim 5: (Currently Amended)
The method of claim 2, wherein the sub-model comprises 


Claim 6: (Currently Amended)
A non-transitory computer readable medium having stored thereon instructions for network security comprising executable code which when executed by one or more processors, causes the processors to:
apply a model to received network traffic to generate a likelihood score score model is associated with a browsing pattern for a web application to which the network traffic is directed; and
initiating a mitigation action against the network traffic, when the flow score exceeds a threshold.


Claim 7: (Currently Amended)
The non-transitory computer readable medium of claim 6, wherein the executable code when executed by the processors further causes the processors to:
update a sub-model model based on an obtained raw feature 
send a client-side script to a client that originated the other network traffic, the client-side script configured to, when executed, return feature 


Claim 8: (Currently Amended)
The non-transitory computer readable medium of claim 6, wherein the model comprises a web application model and an anomaly detection model and the executable code when executed by the processors further causes the processors to apply the web application model to the network traffic to generate the likelihood score score to generate the flow score.


Claim 9: (Currently Amended)
The non-transitory computer readable medium of claim 6, wherein the executable code when executed by the processors further causes the processors to select the model from a plurality of stored models based on a current time or a platform corresponding to a flow associated with the network traffic.


Claim 10: (Currently Amended)
The non-transitory computer readable medium of claim [[6]] 7, wherein the sub-models 


Claim 11: (Currently Amended)
An anomaly detection apparatus[[,]] comprising:
a memory comprising programmed instructions stored thereon and one or more processors configured to execute the stored programmed instructions to:
apply a model to received network traffic to generate a likelihood score score model is associated with a browsing pattern for a web application to which the network traffic is directed; and
initiating a mitigation action against the network traffic, when the flow score exceeds a threshold.


Claim 12: (Currently Amended)
The anomaly detection apparatus of claim 11, wherein the processors are further configured to execute the stored programmed instructions to:
update a sub-model model based on an obtained raw feature 
send a client-side script to a client that originated the other network traffic, the client-side script configured to, when executed, return feature 


Claim 13: (Currently Amended)
The anomaly detection apparatus of claim 11, wherein the model comprises a web application model and an anomaly detection model and the processors are further configured to execute the stored programmed instructions to apply the web application model to the network traffic to generate the likelihood score score to generate the flow score.


Claim 14: (Currently Amended)
The anomaly detection apparatus of claim 11, wherein the processors are further configured to execute the stored programmed instructions to select the model from a plurality of stored models based on a current time or a platform corresponding to a flow associated with the network traffic.


Claim 15: (Currently Amended)
The anomaly detection apparatus of claim [[11]] 12, wherein the sub-model comprises 


Claim 16: (Currently Amended)
A network traffic management system[[,]] comprising:
one or more anomaly detection apparatuses, server devices, or client devices with memory comprising programmed instructions stored thereon and one or more processors configured to execute the stored programmed instructions to:
apply a model to received network traffic to generate a likelihood score score model is associated with a browsing pattern for a web application to which the network traffic is directed; and
initiating a mitigation action against the network traffic, when the flow score exceeds a threshold.


Claim 17: (Currently Amended)
The network traffic management system of claim 16, wherein the processors are further configured to execute the stored programmed instructions to:
update a sub-model model based on an obtained raw feature 
send a client-side script to a client that originated the other network traffic, the client-side script configured to, when executed, return feature 


Claim 18: (Currently Amended)
The network traffic management system of claim 16, wherein the model comprises a web application model and an anomaly detection model and the processors are further configured to execute the stored programmed instructions to apply the web application model to the network traffic to generate the likelihood score score to generate the flow score.


Claim 19: (Currently Amended)
The network traffic management system of claim 16, wherein the processors are further configured to execute the stored programmed instructions to select the model from a plurality of stored models based on a current time or a platform corresponding to a flow associated with the network traffic.


Claim 20: (Currently Amended)
The network traffic management system of claim [[16]] 17, wherein the sub-model comprises 


Reasons For Allowance
The following is an examiner’s statement of reasons for allowance:
Claims 1-20 are considered allowable.

The instant invention is directed to a method, medium, apparatus, and system for management of the detection and mitigation of malicious and anomalous network traffic.

The closest prior art, as recited, Matsunaga et al. US Patent Application Publication No. 2009/0052330 and Lefebvre et al. US Patent Application Publication No. 2015/0341379, is also generally directed to various aspects of management of the detection and mitigation of malicious and anomalous network traffic. However, neither Matsunaga et al. nor Lefebvre et al. teaches or suggests, either singularly or in combination, the particular combination of steps or elements as recited in independent claims 1, 6, 11, and 16. For example, none of the cited prior art teaches or suggests the steps of:
Regarding Claim 1:
Network traffic anomaly detection utilizing a model of received network traffic in generating first a likelihood score and then a flow score based on the generated likelihood score, with the model based on a pattern of web browsing of a web application that is accessed by the network traffic, and then when a threshold is exceeded for the generated flow score, a mitigation action is taken against the network traffic directed at the web application.
When combined with the additional limitations found in Claim 1.

Regarding Claim 6:
Network security traffic detection utilizing a model of received network traffic in generating first a likelihood score and then a flow score based on the generated likelihood score, with the model based on a pattern of web browsing of a web application that is accessed by the network traffic, and then when a threshold is exceeded for the generated flow score, a mitigation action is taken against the network traffic directed at the web application.
When combined with the additional limitations found in Claim 6.

Regarding Claim 11:
Network traffic anomaly detection utilizing a model of received network traffic in generating first a likelihood score and then a flow score based on the generated likelihood score, with the model based on a pattern of web browsing of a web application that is accessed by the network traffic, and then when a threshold is exceeded for the generated flow score, a mitigation action is taken against the network traffic directed at the web application.
When combined with the additional limitations found in Claim 11.

Regarding Claim 16:
Network traffic anomaly detection utilizing a model of received network traffic in generating first a likelihood score and then a flow score based on the generated likelihood score, with the model based on a pattern of web browsing of a web application that is accessed by the network traffic, and then when a threshold is exceeded for the generated flow score, a mitigation action is taken against the network traffic directed at the web application.
When combined with the additional limitations found in Claim 16.

Therefore Claims 1-20 of the instant application are allowable over the cited prior art.
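The two-stage scoring recited in the independent claims (a browsing-pattern model yields a per-transition likelihood score, the likelihood scores are aggregated into a per-flow score, and a mitigation action is taken when the flow score exceeds a threshold) can be illustrated with the following added example. It is not code from the application or from any party to it; the benign sessions, the first-order Markov model, the mean negative log-likelihood aggregation, the add-one smoothing and the threshold value are all constructed assumptions for illustration.

```python
import math
from collections import Counter

# Constructed benign browsing sessions for a hypothetical web application (illustrative only).
BENIGN_SESSIONS = [
    ["/login", "/home", "/search", "/item", "/cart", "/checkout"],
    ["/login", "/home", "/item", "/cart", "/checkout"],
    ["/home", "/search", "/item", "/item", "/cart"],
    ["/login", "/home", "/search", "/search", "/item"],
]
START = "<start>"   # synthetic first state of every session
OTHER = "<other>"   # bucket for pages never seen in benign sessions


class BrowsingPatternModel:
    """First-order Markov model of page transitions learned from benign sessions (assumed design)."""

    def __init__(self, sessions):
        self.pages = {START} | {page for session in sessions for page in session}
        self.counts = {}  # prev page -> Counter of next pages
        for session in sessions:
            prev = START
            for page in session:
                self.counts.setdefault(prev, Counter())[page] += 1
                prev = page

    def likelihood(self, prev, page):
        """Likelihood score: add-one smoothed P(page | prev); unseen pages share the OTHER bucket."""
        page = page if page in self.pages else OTHER
        row = self.counts.get(prev, Counter())
        return (row[page] + 1) / (sum(row.values()) + len(self.pages) + 1)

    def flow_score(self, flow):
        """Flow score: mean negative log-likelihood of the flow's transitions (higher = less benign)."""
        if not flow:
            return 0.0
        prev, total = START, 0.0
        for page in flow:
            total += -math.log(self.likelihood(prev, page))
            prev = page
        return total / len(flow)


def mitigation_action(model, flow, threshold):
    """Return 'block' when the flow score exceeds the threshold, otherwise 'allow'."""
    return "block" if model.flow_score(flow) > threshold else "allow"


if __name__ == "__main__":
    model = BrowsingPatternModel(BENIGN_SESSIONS)
    print(mitigation_action(model, ["/login", "/home", "/item", "/cart", "/checkout"], 1.8))
    print(mitigation_action(model, ["/checkout"] * 5, 1.8))
```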

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Waizumi et al. - US_20090265784: Waizumi et al. teaches network anomaly and failure detection and identification of the specific cause based on the generation of a histogram from correlation coefficients.
Watanabe et al. - US_20090167520: Watanabe et al. teaches network anomaly and failure detection and identification of the specific cause based on an analysis of an alarm log.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRADLEY HOLDER whose telephone number is 571-270-3789.  The examiner can normally be reached on Monday-Friday 10:00AM-7:00PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw, can be reached on 571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/BRADLEY W HOLDER/
Primary Examiner, Art Unit 2498