DETAILED ACTION
This action is in response to the amendment filed 1/5/2021.  Claims 1-20 are pending.  Independent claims 1, 13 and 18, and corresponding dependent claims are directed towards methods and systems for improving beaconing detection algorithms.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 1/5/2021 has been entered.
Terminal Disclaimer
The terminal disclaimer filed on 12/8/2020 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of US Patent 10,284,584 has been reviewed and is accepted.  The terminal disclaimer has been recorded.
Response to Amendment
In response to the amendment filed 1/5/2021:  Applicant has amended the claims and some of the corresponding 35 USC § 112 rejections have been withdrawn.
Applicant has amended the claims, and the corresponding rejections have been altered to address the amended language.
Examiner Initiated Interview
Examiner contacted attorney Sam Sahota (Reg. No. 47,051) (212)960-8499 and proposed an Examiner’s Amendment to add the language “in a digital domain” to the language of the independent claims, and other amendments to correct 112 issues and claim objections, to render the claims in condition for allowance.  While the “in a digital domain” language had been presented in the advisory action filed 12/11/2020, the amendment added in the 1/5/2021 claims “by considering the input data as data points of the analog signal” was not present.  The Examiner indicated that the combination of the wording presented in both amendments was sufficient to overcome the prior art of rejection and would render the claims allowable, along with the other amendments addressing the 112 issues and claim objections.  Attorney indicated that they were not prepared to accept Examiner’s proposed amendment and requested this office action be mailed.
Response to Arguments
Applicant's arguments filed 1/5/2021 have been fully considered but they are not persuasive.
Applicant argues with regards to the rejection of claim 1:
	“On page 4 of the office action, the Examiner argues that “Examiner further relied upon Cousins to show improving performance of the detecting, by evaluating the listing of time series data using techniques used for evaluating an analog signal (Cousins col. 8 ll. 17-34 forming a signal from trace-files (e.g. from a tapped network) to facilitate later processing of those signals such as filtering, truncation or transformation).”
	On page 5 of the Office Action, the Examiner further states that “Cousins clearly shows analyzing digital data with analog signal methodology (Cousins col. 8 ll. 17-34 forming a signal from trace-files (e.g. from a tapped network) to facilitate later processing of those signals such as filtering, truncation or transformation).” (Emphasis added by Applicant).
	However, Cousins’ only reference to the analog domain is the general statement “In still other implementations consistent with the principles of the invention, continuous signals may be constructed (e.g., by a digital-to-analog converter, digital logic combination, or similar device) to facilitate further signal filtering, truncation, or transformation that is performed in a non-discrete manner (e.g., by analog or digital electrical signal manipulation).” See col. 8, lines 28-34 of Cousins.
	Therefore, Cousins uses a digital to analog converter to perform the analog manipulation, otherwise, it uses digital manipulation with the digital logic combination. Cousins never states or even suggests that it uses analog techniques in the digital domain. The signal manipulation will be in the analog domain after using a D/A converter.”
Examiner respectfully disagrees.  The limitations of Claim 1 do not require that the analog techniques are used “in the digital domain” as argued, only that the techniques used for evaluating an analog signal are used.  As such, the digital-to-analog conversion of Cousins, which shifts processing of the signal to the analog domain still reads upon “using techniques used for evaluating an analog domain”.  Examiner notes that the proposed amendment to add the limitation “in a digital domain”, discussed with the attorney for applicant during the Examiner Initiated Interview, would have overcome this interpretation.
Applicant further argues with regards to the rejection of claim 1:
	“Therefore, Cousins merely describes tracefiles and then later states continuous signals may be constructed (e.g., by a digital-to-analog converter, digital logic combination, or similar device) to facilitate further signal filtering, truncation, or transformation that is performed in a non-discrete manner. Instead, Cousins merely discloses a system that acquires information about communication among wired or wireless nodes [110, 210] in a network [100, 200] by intercepting chunks of data in the network by a wired or wireless tap [120, 220] located among the wired or wireless nodes [110, 210] in the network. See abstract of Cousins.
	However, Cousins does not use analog techniques where the input data is considered as an analog signal for evaluating the listing of time series data.
detecting of potential beaconing activity to at least one of eliminate false positive indications of beaconing activity and provide indication of multiple interleaved periodicities of beaconing, by further evaluating the listing of time series data using techniques used for evaluating an analog signal by considering the input data as data points of the analog signal.”
Examiner respectfully disagrees.  Examiner has relied upon the combination of Noble and Cousins for the rejection of claim 1 (see below).  Noble is relied upon for the detection of potential beaconing activity through evaluation of sampled time-series data that is plotted/presented as a graphical representation of a signal.  Cousins is relied upon to show treatment of time-series data as an analog signal (by actual conversion to an analog signal) for further processing (i.e. filtering out noise).  The combination of the two references teaches the limitations of claim 1.
All other arguments presented by Applicant either repeat or rely upon the issues addressed above, and are also not persuasive for the reasons given above.
Claim Objections
Claims 7 and 18-19 are objected to because of the following informalities, shown with suggested amendments:  Claim 7 ll. 2-3 “evaluating a listing of time series data a processor” as this is the first recitation of “processor”; Claim 19 l. 3 “executes” should be “executing”, l. 5 “receives” should be “receiving”, l. 6 “receives” should be “receiving”, l. 7 “returns” should be “returning”, and l. 9 “receives” should be “receiving” for grammar; Claim 19 ll. 10-11 “to the requesting computer to ing data from the requesting computer to be processed by the method of detecting beaconing behavior, and returns to the requesting computer a result of executing the of beaconing behavior on the received data” for proper antecedent basis; and Claim 19 l. 9 “receiving a request from a computer via the network to execute the method of detecting beaconing behavior” for proper antecedent basis.	Appropriate correction is required.
Claim Rejections - 35 USC § 101
35 U.S.C. § 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim 11 is rejected under 35 U.S.C. § 101 because the claimed invention is directed to non-statutory subject matter.
Claim 11 sets forth a “computer readable storage medium”.  However, the specification as originally filed does not explicitly define the “computer readable storage medium”. The United States Patent and Trademark Office (USPTO) is obliged to give claims their broadest reasonable interpretation consistent with the specification during proceedings before the USPTO.  See In re Zletz, 893 F.2d 319 (Fed. Cir. 1989) (during patent examination the pending claims must be interpreted as broadly as their terms reasonably allow).  The broadest reasonable interpretation of a claim drawn to a computer readable medium (also called machine readable medium and other such variations) typically covers forms of non-transitory tangible media and transitory propagating signals per se in view of the ordinary and customary meaning of computer readable media, particularly when the specification is absent an explicit definition or is silent (See MPEP 2111.01).  When the broadest reasonable interpretation of a claim covers a signal per se, the claim must be rejected under 35 U.S.C. § 101 as covering See In re Nuijten, 500 F.3d 1346, 1356-57 (Fed. Cir. 2007) (transitory embodiments are not directed to statutory subject matter) and Interim Examination Instructions for Evaluating Subject Matter Eligibility Under 35 U.S.C. § 101, Aug. 24, 2009; p. 2).  Examiner recommends amending the limitation to read “non-transitory computer readable storage medium”.  Examiner’s Note: Claim 12, depending from Claim 11, explicitly defines structural limitations of the “computer readable storage medium” (e.g. “memory device”) that preclude interpretation of the medium as transitory.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.
Claims 10-12 are rejected under 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.
Claims 10-12 all consist of embodiments in which the parent method is not being executed or is not required to be executed; as such, these claims would not infringe upon the claim of the parent.  Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.  Further detail is provided for each claim:as executed in one of:”; 	Claim 11 “the program instructions readable and executable by a computer” renders the execution of the method of the parent claim as optional, as “executable” does not require the execution of the method.  Examiner suggests amending to “the program instructions readable and executed by a computer”;	Claim 12 has multiple options (see “comprises one of”) where the execution of the parent method is rendered optional. Of the four limitations presented, the first limitation is the only limitation where the method of the parent claims is required to be executed.  The second limitation explicitly makes execution of the method optional, and the third and fourth limitations are directed towards moving instructions for performing the method elsewhere without addressing execution of the method.  Examiner suggests the removal of the second limitation, and addressing execution of the method in the third and fourth limitations.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 6, 8-9, 11-13, 15 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Noble, Kevin “Detecting Malicious Beacons”, published Mar. 11, 2014, cited in IDS 03/28/2019, in view of Cousins et al. (US 7,574,597 B1), issued Aug. 11, 2009.
As to claim 1, Noble substantially discloses a method for detecting beaconing activity (Noble page 4 ¶7 execution of a simple script to process network data), the method comprising:	receiving, as input data (Noble pg. 4 ¶4 flow files stored in a database) into a computer-implemented processing procedure (Noble page 4 ¶7 - analysis script parses data), at least one listing of time series data (Noble page 4 ¶4 collection of three days of traffic to evaluate for beacons) and candidate periods of potential beaconing activity (Noble page 4 ¶7 - analysis script parses data into data flows shown in graph; page 4 graph (expanded on page 11) shows host pairs with src_ip and dst_ip);	processing the input data, using a processor on a computer, to detect candidates of potential beaconing activity (Noble pg. 2 ¶1 & Figure 1 – beacon data plotted and represented as signal; Figure 2 showing multiple beacons as signals; Figure 3 showing multiple beacons being reviewed in a single graph; pg. 3 ¶2); and	considering the input data as data points of a signal (Noble pg. 2 ¶1 & Figure 1 – beacon data plotted and represented as signal).	Noble fails to explicitly disclose improving a performance of the detecting of potential beaconing activity to at least one of eliminate false positive indications of beaconing activity and provide indication of multiple interleaved periodicities of forming a signal from trace-files (e.g. from a tapped network) to facilitate later processing of those signals such as filtering, truncation or transformation).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the traffic signal formation of Cousins with the malicious beacon detection of Noble, such that a signal is formed of the recorded beaconing activity in Noble in order to filter out misleading data/noise, as it would advantageously assist in monitoring encrypted traffic flow (Cousins col. 1 ll. 31-53).
As to claim 2, Noble and Cousins discloses the invention as claimed as described in claim 1, including wherein the further evaluating comprises evaluating the listing of time series for statistical characteristics and wherein times that fall outside a pre-set statistical measurement are eliminated from being potential candidates of beaconing activity (Noble pg. 3 ¶4 filter out beacons where time between packets is less than 15 minutes), and	considering the input data to be data points of the analog signal (Noble pg. 2 ¶1 & Figure 1 – beacon data plotted and represented as signal) and evaluating an adequacy of different observation granularities (Cousins col. 8 l. 50 – col. 9 l. 16 choosing an appropriate time quantization using Nyquist rate to sample from trace-file to generate signal – Nyquist rate is the minimum frequency at which you can sample a signal without any under sampling).
As to claim 3, Noble and Cousins discloses the invention as claimed as described in claim 2, including wherein the evaluating for statistical characteristics comprises listing the time series data as a list of time intervals between two consecutive connections (Noble pg. 2 ¶1 beacon represented as consistent interval between connections; Noble pg. 2 ¶3-4 tracking and filtering of interval data to identify malicious beacons; Fig. 3 showing multiple intervals plotted), and	wherein further evaluating the listing of time series data of an analog signal is to detect under-sampled time series (Cousins col. 8 l. 50 – col. 9 l. 16 choosing an appropriate time quantization using Nyquist rate to sample from trace-file to generate signal – Nyquist rate is the minimum frequency at which you can sample a signal without any under sampling).
As to claim 6, Noble and Cousins discloses the invention as claimed as described in claim 3, including wherein the further evaluating comprises evaluating the list of time intervals between two consecutive connections as a listing of candidate periods at a specific granularity and the listing is eliminated if more than a pre-set number of points of the candidate period listing at the specific granularity is non-zero, indicating an under sampling of data under a Nyquist Theorem sampling requirement and is accepted as a listing at the specific granularity if the number of points is less the choosing an appropriate time quantization using Nyquist rate to sample from trace-file to generate signal), and	wherein the further evaluating includes by considering the input data to be data points of the analog signal (Noble pg. 2 ¶1 & Figure 1 – beacon data plotted and represented as signal) and using the Nyquist Theorem to evaluate the adequacy of different observation granularities (Cousins col. 8 l. 50 – col. 9 l. 16 choosing an appropriate time quantization using Nyquist rate to sample from trace-file to generate signal – Nyquist rate is the minimum frequency at which you can sample a signal without any under sampling).
As to claim 8, Noble and Cousins discloses the invention as claimed as described in claim 1, including further comprising:	preprocessing network records (Noble page 4 ¶4 collection of three days of traffic to evaluate for beacons) to identify candidate source and destination pairs (Noble page 2 ¶2 separating data into host pairs) for detecting beaconing behavior (Noble page 4 ¶7 - analysis script parses data into data flows shown in graph; page 4 graph (expanded on page 11) shows host pairs with src_ip and dst_ip), each source and destination pair being associated with specific time intervals (Noble page 3 ¶4 to be considered a host pair packets are filtered based on time between first packet and last requiring time be greater than 15 minutes) in a plurality of time intervals forming a time range (Noble page 3 ¶1 test length is three days), the time interval and time range having been predefined (Noble page 3 ¶1 + ¶4 minimum value and length for test are all preset values);	converting the activity time interval information from a time domain into a describing spectral plotting of beacons "the count of instances increasing the size of each blue circle" the size is count of instances of each beaconing occurrence for a host pair (i.e. frequency)); and	determining candidate frequencies from the source and destination pairs, as likely candidate frequencies/periodicities of beaconing activities (Noble page 4 "Analysis" section shows using beacon data and graphs to evaluate suspected beacon traffic).
As to claim 9, Noble and Cousins discloses the invention as claimed as described in claim 8, including further comprising:	prior to the converting into the frequency domain, rescaling/aggregating time intervals such that a plurality of data sets with different time interval resolutions/time ranges are included in the plurality of time intervals for each source and destination pair (Noble page 2 ¶2 adjusting packets to align in a set of bins (based on time, input size or count or some combination of the three) - combination of bins based on time and one of the other two attributes would result in time intervals not having the same resolution); 	converting the plurality of data sets into the frequency domain (Noble page 2 ¶2 "adjusting packets so to align in a set of bins, or buckets of sorts centered around … count"; page 2 ¶4 describing spectral plotting of beacons "the count of instances increasing the size of each blue circle" the size is count of instances of each beaconing occurrence for a host pair (i.e. frequency)); and	analyzing activity time interval information for each source and destination pair Analysis" section shows using beacon data and graphs to evaluate suspected beacon traffic).
As to claim 11, Noble and Cousins discloses the invention as claimed as described in claim 1, including a computer readable storage medium including program instructions embodied therewith, the program instructions readable and executable by a computer to cause the computer to perform the method (Noble page 4 ¶7 execution of a simple script to process network data - requires a computer with processor and access to data).
As to claim 12, Noble and Cousins discloses the invention as claimed as described in claim 11, including the computer readable storage medium comprising one of:	a memory device on a computer currently executing the method (Noble page 4 ¶7 execution of a simple script to process network data - requires a computer with processor and access to data);	a memory device on a computer that can selectively execute the method (not required);	a memory device on a computer that can selectively dispatch the computer-readable instructions to another computer via a network (not required); and	a standalone, non-transitory memory device that stores the computer-readable instructions to be uploaded into a computer memory via an input port (not required
As to claim 13, Noble substantially discloses an apparatus (Noble page 4 ¶7 execution of a simple script to process network data - requires a computer with processor and access to data), comprising:	a memory device (Noble page 4 ¶7 execution of a simple script to process network data - requires a computer with processor and access to data); and	a processor having access to the memory device, the memory device storing a series of machine-readable instructions to execute a method of detecting beaconing behavior (Noble page 4 ¶7 execution of a simple script to process network data - requires a computer with processor and access to data), wherein the method comprises:		receiving, as input data (Noble pg. 4 ¶4 flow files stored in a database) into a computer-implemented processing procedure using the processor (Noble pg. 4 ¶7 - analysis script parses data), at least one listing of at least one of time series data (Noble page 4 ¶4 collection of three days of traffic to evaluate for beacons) and candidate periods of potential beaconing activity (Noble pg. 4 ¶7 - analysis script parses data into data flows shown in graph; pg. 4 graph (expanded on pg. 11) shows host pairs with src_ip and dst_ip);		processing the input data, using a processor on a computer, to detect candidates of potential beaconing activity (Noble pg. 2 ¶1 & Figure 1 – beacon data plotted and represented as signal; Figure 2 showing multiple beacons as signals; Figure 3 showing multiple beacons being reviewed in a single graph; pg. 3 ¶2); and	considering the input data as data points of a signal (Noble pg. 2 ¶1 & Figure 1 – beacon data plotted and represented as signal). an analog signal.	Cousins discloses improving a performance to eliminate false positive indications, by further evaluating the input data as an analog signal (Cousins col. 8 ll. 17-34 forming a signal from trace-files (e.g. from a tapped network) to facilitate later processing of those signals such as filtering, truncation or transformation).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the traffic signal formation of Cousins with the malicious beacon detection of Noble, such that a signal is formed of the recorded beaconing activity in Noble in order to filter out misleading data/noise, as it would advantageously assist in monitoring encrypted traffic flow (Cousins col. 1 ll. 31-53).
As to claim 15, Noble and Cousins discloses the invention as claimed as described in claim 13, including wherein the further evaluating of the input data comprises one or more of:	evaluating a listing of time series for statistical characteristics and times that fall outside a pre-set statistical measurement are eliminated (Noble pg. 3 ¶4 filter out beacons where time between packets is less than 15 minutes);	evaluating a listing of candidate periods and the listing is eliminated if more than a pre-set number of points of the candidate periods listing are non-zero as a specific choosing an appropriate time quantization using Nyquist rate to sample from tracefile to generate signal); and	evaluating time series data for potential multiple interleaved periods, using a Gaussian Mixture Model (GMM) analysis and as selected using a minimum Bayesian Information Criterion (BIC) (not required).
As to claim 17, Noble and Cousins discloses the invention as claimed as described in claim 15, including wherein the method further comprises:	preprocessing network records (Noble page 4 ¶4 collection of three days of traffic to evaluate for beacons) to identify candidate source and destination pairs (Noble page 2 ¶2 separating data into host pairs) for detecting beaconing behavior (Noble page 4 ¶7 - analysis script parses data into data flows shown in graph; page 4 graph (expanded on page 11) shows host pairs with src_ip and dst_ip), each source and destination pair being associated with a specific time interval (Noble page 3 ¶4 to be considered a host pair packets are filtered based on time between first packet and last requiring time be greater than 15 minutes) in a plurality of time intervals forming a time range (Noble page 3 ¶1 test length is three days), the time interval and time range having been predefined (Noble page 3 ¶1 + ¶4 minimum value and length for test are all preset values);	converting the activity time interval information from a time domain into a frequency domain (Noble page 2 ¶2 "adjusting packets so to align in a set of bins, or buckets of sorts centered around … count"; page 2 ¶4 describing spectral plotting of beacons "the count of instances increasing the size of each blue circle" the size is count of instances of each beaconing occurrence for a host pair (i.e. frequency)); and	determining candidate frequencies from the source and destination pairs, as likely candidate frequencies/periodicities of beaconing activities (Noble page 4 "Analysis" section shows using beacon data and graphs to evaluate suspected beacon traffic).
Claims 4-5 are rejected under 35 U.S.C. 103 as being unpatentable over Noble, Kevin “Detecting Malicious Beacons”, published Mar. 11, 2014, cited in IDS 03/28/2019, in view of Cousins et al. (US 7,574,597 B1), issued Aug. 11, 2009, in view of "Hypothesis Testing, Power, Sample Size and Confidence Intervals (Part 1)", published Jun. 3, 2010, hereinafter referred to as Robbins.
As to claim 4, Noble and Cousins substantially disclose the invention as claimed as described in claim 3, including a list of time intervals (see above claim 3).	Noble and Cousins fail to explicitly disclose wherein the evaluating for statistical characteristics comprises executing an instantiation of a one-sample t-test wherein a null hypothesis Ho is constructed and the input data is presumed due to an underlying normal distribution with a mean µ0 = P and noise induced variance σ2, and a goal of the processing is to decide, given a predefined significance level α and the set of input data, whether to reject the null hypothesis Ho in favor of an alternative hypothesis H1 : P is not the true period.	Robbins describes hypothesis testing.	With this in mind, Robbins discloses an instantiation of a one-sample t-test one sample test for mean) wherein a null hypothesis Ho is constructed (Robbins pg. 5 null hypothesis) and the input data is presumed due to an underlying normal distribution (Robbins pg. 8 data with normal or Gaussian distribution) with a mean µ0 = specified constant (Robbins pg. 4 mean µ of data set; pg. 5 Ho = µ) and noise induced variance σ2 (Robbins pg. 13 sample variance s2; pg. 22 decrease in standard deviation variance is decrease in noise), and a goal of the processing is to decide, given a predefined significance level α (Robbins pg. 10 significance level α set to .05) and the set of input data (Robbins pg. 8 data with normal or Gaussian distribution), whether to reject the null hypothesis Ho in favor of an alternative hypothesis H1 : µ0 <> specified constant (Robbins pg. 5 alternative hypothesis; pg. 5 alternative hypothesis HA : µ is <> to constant).  
It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the one sample test of Robbins with the beaconing detection of Noble and Cousins, such that the test is used to determine if a beacon period is correct, as it would advantageously rule out chance as an alternative explanation for beaconing (Robbins pg. 3).
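The one-sample t-test recited in claim 4, applied to the claim 3 listing of intervals between consecutive connections, is sketched here as an added illustration; it is not code from the application, Noble, Cousins or Robbins. The timestamps are constructed, the function names are hypothetical, α = 0.05 follows the Robbins citation above, and the p-value is obtained by numerically integrating the Student t density so that only the Python standard library is needed.

```python
import math
from statistics import mean, stdev


def intervals(timestamps):
    """Claim 3 listing: time intervals between two consecutive connections."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def two_sided_p(t_stat, df, steps=2000):
    """P(|T| >= |t_stat|) for Student's t with df degrees of freedom.

    With x = sqrt(df) * tan(theta) the tail integral becomes
    2 * c * integral of cos(theta)**(df - 1) from theta0 to pi/2,
    a bounded, smooth integrand that Simpson's rule handles well.
    """
    theta0 = math.atan(abs(t_stat) / math.sqrt(df))
    log_c = (math.lgamma((df + 1) / 2) - math.lgamma(df / 2)
             - 0.5 * math.log(math.pi))
    h = (math.pi / 2 - theta0) / steps

    def g(theta):
        return max(0.0, math.cos(theta)) ** (df - 1)

    total = g(theta0) + g(math.pi / 2)
    for i in range(1, steps):
        total += (4 if i % 2 else 2) * g(theta0 + i * h)
    return min(1.0, 2 * math.exp(log_c) * total * h / 3)


def period_ttest(timestamps, period, alpha=0.05):
    """H0: the mean interval equals the candidate period P (mu0 = P).

    H1: P is not the true period. Returns the statistic, the p-value and
    whether H0 is rejected at significance level alpha.
    """
    gaps = intervals(timestamps)
    n = len(gaps)
    if n < 2:
        raise ValueError("need at least three connections")
    m, s = mean(gaps), stdev(gaps)
    if s == 0:
        # No noise at all: the candidate either matches exactly or not.
        reject = m != period
        return {"n": n, "mean": m, "t": math.inf if reject else 0.0,
                "p": 0.0 if reject else 1.0, "reject_h0": reject}
    t = (m - period) / (s / math.sqrt(n))
    p = two_sided_p(t, n - 1)
    return {"n": n, "mean": m, "t": t, "p": p, "reject_h0": p < alpha}


def prune_candidates(timestamps, candidates, alpha=0.05):
    """Keep only the candidate periods for which H0 is not rejected."""
    return [c for c in candidates
            if not period_ttest(timestamps, c, alpha)["reject_h0"]]


def sample_timestamps():
    """Constructed data: a 300 s check-in with a few seconds of jitter."""
    jitter = [2, -3, 1, 4, -2, 0, 3, -1, -4, 2, 1, -2]
    ts = [1_600_000_000]
    for j in jitter:
        ts.append(ts[-1] + 300 + j)
    return ts


if __name__ == "__main__":
    ts = sample_timestamps()
    for candidate in (150, 300, 302, 310):
        r = period_ttest(ts, candidate)
        print(f"P={candidate:>3}s  t={r['t']:8.3f}  p={r['p']:.4f}  "
              f"reject H0: {r['reject_h0']}")
    print("surviving candidates:", prune_candidates(ts, [150, 300, 302, 310]))
```

With twelve intervals the test already separates a 300 s candidate from one at 302 s, which shows how the significance level and sample count together set the resolution of this pruning step.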
As to claim 5, Noble, Cousins and Robbins disclose the invention as claimed as described in claim 4, including wherein the evaluation of statistical characteristics serves as a first pruning processing (Noble pg. 3 ¶4 filter out beacons where time between packets is less than 15 minutes), the method further comprising a second pruning processing wherein a listing of candidate period is evaluated based on a predetermined time interval (Noble pg. 3 ¶1 test length is three days) and the listing is filter applied to data-set eliminates candidates outside of min-max number of connections as improbable (e.g. maximum 5000)).
Claims 7 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Noble, Kevin “Detecting Malicious Beacons”, published Mar. 11, 2014, cited in IDS 03/28/2019, in view of Cousins et al. (US 7,574,597 B1), issued Aug. 11, 2009, in view of Geramifard, Omid "Hidden Markov Model-Based Methods in Condition Monitoring of Machinery Systems" published Sep. 2, 2013.
As to claim 7, Noble and Cousins substantially discloses the invention as claimed as described in claim 1, including wherein the further evaluating comprises: evaluating a listing of time series data for potential multiple interleaved periods (Noble pg. 2-3 evaluating plot data for multiple beacons; Figure 2 showing beacon data interleaved); and filtering out time series in the beaconing detection data that are under-sampled (Cousins col. 8 l. 50 – col. 9 l. 16 choosing an appropriate time quantization using Nyquist rate to sample from trace-file to generate signal – Nyquist rate is the minimum frequency at which you can sample a signal without any under sampling).	Noble and Cousins fail to disclose using a Gaussian Mixture Model (GMM) analysis and as selected using a minimum Bayesian Information Criterion (BIC).	Geramifard describes hidden Markov model-based methods for condition monitoring of machinery systems.	With this in mind, Geramifard discloses using a Gaussian Mixture Model (GMM) use of GMM and selection of number of models to use based on minimum BIC).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the GMM with selection by minimum BIC of Geramifard with the beaconing detection method of Noble and Cousins, such that a GMM is used to evaluate potential periods, as it would advantageously prevent unnecessary complexity and improve the prediction results (Geramifard pg. 31 last ¶).
As to claim 16, Noble and Cousins substantially discloses the invention as claimed as described in claim 15, including wherein the processing comprises two of the three evaluations (see above claim 15), evaluating a listing of time series data for potential multiple interleaved periods (Noble pg. 2-3 evaluating plot data for multiple beacons; Figure 2 showing beacon data interleaved), and multiple evaluations in sequence (Noble pg. 2 § Features of beacons – describing multiple filters used on data for detection of beaconing including controlling maximum variance).	Noble and Cousins fail however to explicitly disclose wherein the processing comprises all three of the evaluations, as executed in a sequence of order as identified.	Geramifard discloses the third evaluation using a Gaussian Mixture Model (GMM) analysis and as selected using a minimum Bayesian Information Criterion (BIC) (Geramifard pg. 32 line 19 – pg. 33 line 6 use of GMM and selection of number of models to use based on minimum BIC).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject .
Claims 10, 14 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Noble, Kevin “Detecting Malicious Beacons”, published Mar. 11, 2014, cited in IDS 03/28/2019, in view of Cousins et al. (US 7,574,597 B1), issued Aug. 11, 2009, in view of Dunlap et al. (US 2013/0179593 A1), published Jul. 11, 2013.
As to claim 10, Noble and Cousins substantially disclose the invention as claimed as described in claim 1, failing, however, to explicitly disclose the method configured to be executable in one of:  a network server or gateway that monitors network activity for a web site or a local area network; a server or computer accessible for providing monitoring services to client computers or networks that are selectively connected to the server; and a cloud service.
Dunlap describes a cloud computing controlled gateway for communication networks.
With this in mind, Dunlap discloses a network server or gateway that monitors network activity for a web site or a local area network (Dunlap [0014] server incorporating gateway; [0023] monitoring traffic); a server or computer accessible for server incorporating gateway; [0023] monitoring traffic); and a cloud service (Dunlap [0016] web services remotely hosted on cloud; [0020] web services for monitoring).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the gateway/server of Dunlap with the beaconing monitoring of Noble and Cousins, such that the method of Noble and Cousins is hosted on one of the elements of Dunlap, as it would advantageously reduce the cost associated with the development and installation of multiple local network applications for accessing/routing to devices (Dunlap [0016]-[0017]).
As to claim 14, Noble and Cousins substantially disclose the invention as claimed as described in claim 13, including executing the method (Noble page 4 ¶7 execution of a simple script to process network data).
Noble and Cousins fail to explicitly disclose one of: a server or gateway serving as a network portal for a local network of computers; a server on a network accessible via the network and that provides a service of executing the method to another computer on the network, to execute the method as based on data supplied by the other computer; and a server on a network accessible via the network and that provides a service of executing the method to another computer on the network, to execute the method as based on data supplied by the other computer, as a cloud service.
Dunlap discloses a server or gateway (Dunlap [0014] server incorporating gateway; [0023] monitoring traffic of LAN) serving as a network portal for a local router as portal between LAN and cloud; [0014] gateway/router incorporated in server). It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the gateway/server of Dunlap with the beaconing monitoring of Noble and Cousins, such that the method of Noble and Cousins is hosted on one of the elements of Dunlap, as it would advantageously reduce the cost associated with the development and installation of multiple local network applications for accessing/routing to devices (Dunlap [0016]-[0017]).
As to claim 18, Noble substantially discloses a method of deploying computer resources (Noble page 4 ¶7 execution of a simple script to process network data - requires a computer with processor and access to data), the method comprising provisioning a memory device (Noble page 3 ¶1 three days of networked test data - requires storage of data) with a set of computer-readable instructions for a computer to execute a method detecting beaconing behavior (Noble page 4 ¶7 execution of a simple script to process network data - requires a computer with processor and access to data), wherein the method of detecting beaconing behavior comprises:
receiving network records for evaluating beaconing behavior (Noble pg. 4 ¶4 flow files stored in a database);
preprocessing the network records (Noble page 4 ¶4 collection of three days of traffic to evaluate for beacons) to identify candidate source and destination pairs (Noble page 2 ¶2 separating data into host pairs) for detecting beaconing behavior (Noble page 4 ¶7 - analysis script parses data into data flows shown in graph; page 4 graph shows host pairs with src_ip and dst_ip), each source and destination pair being associated with a specific time interval (Noble page 3 ¶4 to be considered a host pair packets are filtered based on time between first packet and last requiring time be greater than 15 minutes) in a plurality of time intervals forming a time range (Noble page 3 ¶1 test length is three days), the time interval and time range having been predefined (Noble page 3 ¶1 + ¶4 minimum value and length for test are all preset values);
receiving, as input data (Noble pg. 4 ¶4 flow files stored in a database) into a computer-implemented processing procedure using a processor (Noble page 4 ¶7 - analysis script parses data), at least one listing of at least one of time series data (Noble page 4 ¶4 collection of three days of traffic to evaluate for beacons) and candidate periods of potential beaconing activity (Noble page 4 ¶7 - analysis script parses data into data flows shown in graph; page 4 graph (expanded on page 11) shows host pairs with src_ip and dst_ip);
processing the input data, using a processor on a computer, to detect candidates of potential beaconing activity (Noble pg. 2 ¶1 & Figure 1 – beacon data plotted and represented as signal; Figure 2 showing multiple beacons as signals; Figure 3 showing multiple beacons being reviewed in a single graph; pg. 3 ¶2);
considering the input data as data points of a signal (Noble pg. 2 ¶1 & Figure 1 – beacon data plotted and represented as signal);
determining candidate frequencies from the source and destination pairs as likely candidate frequencies/periodicities of beaconing activities (Noble page 4 "Analysis" section shows using beacon data and graphs to evaluate suspected beacon traffic),
wherein the further evaluating for improving the performance of the detecting comprises one or more of:
evaluating a listing of time series for statistical characteristics and times that fall outside a pre-set statistical measurement are eliminated (Noble pg. 3 ¶4 filter out beacons where time between packets is less than 15 minutes);
evaluating a listing of candidate periods and the listing is eliminated if more than a pre-set number of points of the candidate periods listing are non-zero at a specific granularity as failing a Nyquist Theorem sampling requirement (not required); and
evaluating the time series data for potential multiple interleaved periods, using a Gaussian Mixture Model (GMM) analysis and as selected using a minimum Bayesian Information Criterion (BIC) (not required).
Noble fails to explicitly disclose a server accessible via a network; a web-site; improving a performance of the detecting of potential beaconing activity to at least one of eliminate false positive indications of beaconing activity and provide indication of multiple interleaved periodicities of beaconing, by further evaluating the time series data using techniques used for evaluating an analog signal; and evaluating a listing of candidate periods and the listing is eliminated if more than a pre-set number of points of the candidate periods listing are non-zero at a specific granularity as failing a Nyquist Theorem sampling requirement (not required).
Cousins discloses improving a performance to eliminate false positive indications, by further evaluating the listing of data using techniques used for evaluating forming a signal from trace-files (e.g. from a tapped network) to facilitate later processing of those signals such as filtering, truncation or transformation) and evaluating a listing of candidate periods and the listing is eliminated if more than a pre-set number of points of the candidate periods listing are non-zero at a specific granularity as failing a Nyquist Theorem sampling requirement (Cousins col. 8 l. 50 – col. 9 l. 16 choosing an appropriate time quantization using Nyquist rate to sample from trace-file to generate signal).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the traffic signal formation of Cousins with the malicious beacon detection of Noble, such that a signal is formed of the recorded beaconing activity in Noble in order to filter out misleading data/noise, as it would advantageously assist in monitoring encrypted traffic flow (Cousins col. 1 ll. 31-53).
Noble and Cousins fail to explicitly disclose a server accessible via a network; and a web-site.
Dunlap discloses a server accessible via a network (Dunlap [0014] server incorporating gateway; [0023] monitoring traffic of LAN); and a web-site (Dunlap [0016] web services remotely hosted on cloud; [0020] managed web-site).  It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the gateway/server of Dunlap with the beaconing monitoring of Noble and Cousins, such that the method of Noble and Cousins is hosted on one of the elements of Dunlap, as it would advantageously reduce the cost associated with the development and installation of multiple local network 
As to claim 19, Noble, Cousins and Dunlap disclose the invention as claimed as described in claim 18, including wherein the server provides one of:
executes the method of detecting beaconing behavior (Noble page 4 ¶7 execution of a simple script to process network data - requires a computer) based on network data received from a local area network of computers (Noble page 3 ¶1 data from a network containing 1500 hosts over the period of three days) for which the server serves as a network portal (Dunlap Fig. 1 item 110 router as portal between LAN and cloud; [0014] gateway/router incorporated in server);
receives a request from a computer via the network to execute the method of detecting beaconing behavior, receives data from the requesting computer to be processed by the method, and returns to the requesting computer a result of executing the method on the received data (not required); and
receives a request from a computer via the network to execute the method and transmits the set of computer-readable instructions to the requesting computer to itself execute the method of detecting beaconing behavior (not required).
As to claim 20, Noble, Cousins and Dunlap disclose the invention as claimed as described in claim 18, including wherein the server provides a service of executing the method of detecting beaconing behavior as a cloud service (Dunlap [0016] web-services remotely hosted on cloud computing network; [0020] accessing web-service web site).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Singh et al. (US 8,788,407 B1) is related to detection of beaconing malware.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ERIC W SHEPPERD whose telephone number is (571)270-5654.  The examiner can normally be reached on Monday - Thursday, Alt. Friday, 7:30AM - 5:00PM, EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571)272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ERIC W SHEPPERD/

ERIC W. SHEPPERD

Art Unit 2492