Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendments
Remarks
In a response filed on January 4, 2021 (the “Response”), the Applicant presents claims 1-20 for examination. Claims 1-20 are pending, of which claims 1, 11 and 20 are independent.
Response to Arguments
Regarding the objection to claim 6, the amendment to claim 6 overcomes the objection. Hence, the objection to claim 6 is withdrawn.
Regarding the 35 U.S.C. 103 rejection of claims 1-20, the Applicant’s arguments in view of the amendments have been fully considered and they are not persuasive. The Applicant argues that “the Office Action fails to provide sufficient support for the assertion that at least the following is obvious in view of the cited art, generating similarity scores between pairs of nodes that have one node in common by comparing corresponding time series vectors of the set of time series vectors. As an initial matter, the Office Action at page 4 states that "Prenger does not explicitly teach, vectors". Therefore, Applicant respectfully asserts that the office action does not rely on Prenger for time series vectors - let alone for generating similarity scores between pairs of nodes that have one node in common by comparing corresponding time series vectors. Furthermore, Applicant respectfully asserts that Savalle, whether alone or in combination with Prenger as asserted, also fails to teach or suggest at least "generating similarity scores between pairs of nodes that have one node in common by comparing corresponding time series vectors of the set of time series vectors". At best, Savalle discloses feature vectors. However, Savalle fails to teach or suggest that those feature vectors are time series vectors. Additionally, Savalle also fails to teach or suggest generating a similarity score between pairs of nodes that have one node in common. Instead, the feature vectors in Savalle are compared to another feature vector and each feature vector represents only a single node. Savalle appears to disclose that a "feature vector [is] derived from [] time series" data. See Savalle col 18:12-18. However, merely deriving a feature vector from time series data does not disclose, teach, or suggest a time series vector.
Furthermore, Savalle discloses a comparison of the feature vector for one network to feature vectors for other networks, which is contrary to generating similarity scores between pairs of nodes that have one node in common. Savalle col 11:10-13 ("in turn, the system may construct feature vectors from the available information and look for similar conditions in the networks of other organizations, to detect when similar performance issues may arise."). Finally, the Office Action at page 4 cites to Savalle figure 6, col 16:65-67, 17:11-13, 18:9-21, 12:1-20, and 7:1-12. However, none of the indicated passages specify that the feature vector in Savalle is a time series vector. Therefore, Applicant respectfully asserts that the Office Action fails to provide sufficient support for the assertion that at least "generating similarity scores between pairs of nodes that have one node in common by comparing corresponding time series vectors of the set of time series vectors" is obvious. Claims 6 and 16 stand rejected under 35 U.S.C. 103 as being unpatentable over Prenger in view of Savalle, and in further view of U.S. Pub. No. 2016/0210556 (Ben). Applicant respectfully submits that Prenger, Savalle, and Ben cannot be combined to support claim rejections under 35 U.S.C. 103 for at least the reasons provided in sub-section II above. Consequently, for at least these reasons, it is respectfully submitted that claims 1, 9, and 15, and their dependent claims are allowable over the cited art.”
In response, the Examiner highlights that the specification describes time-series vectors in paragraph 0047 as “time-series vector generator 412 to create quantitative abstractions of the metadata that capture actor behavior”; in paragraph 0049 as, “the time-series vector generator 412 converts the time-series representations of metadata into a fixed length vector”; and paragraph 0030 as “the time-series vector generator 124 converts the metadata time series representation into a vectorized representation”. Savalle (US Patent 10601676 B2) teaches, “vector distance between feature vectors derived from the time series of device characteristics for the two devices” (Savalle: Column 18, lines 9-21). Hence, Examiner finds that a person of ordinary skill in the art would interpret the claims (as written) in combination with the description as provided in the specification as vectors derived from the time series which is taught by Savalle.
Hence, the Applicant’s arguments are not persuasive. The detailed summary is provided under the 35 U.S.C. 103 rejection. Further, the patentability of the dependent claims should be determined based on the claimed limitations recited thereon, rather than their independent claim 1. Hence, the Applicant’s arguments have been fully considered but they are not persuasive in view of reasons set forth above and the rejection of claims 1-20 under 35 U.S.C. 103 will not be withdrawn.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claims 1-4 and 9-11 are rejected under 35 U.S.C. 103 as being unpatentable over Prenger et al (US Patent 9628512 B2; hereinafter Prenger) in view of Savalle et al (US Patent No. 10601676 B2; hereinafter Savalle).
Regarding claim 1, Savalle teaches: 
A method for identifying malicious network communications comprising: receiving network traffic by tapping at least one network device of a network (Prenger: Column 2, lines 55-67 and figure 1A, element 102 provides for receiving network traffic and tapping a device); 
extracting a set of metadata from the network traffic, the set of metadata corresponding to network traffic between nodes of a plurality of pairs of nodes, the set of metadata describing network communications (Prenger: Figure 1A, element 104 provides for metadata and figure 5, element 408 provides for metadata); 
detecting at least one pair of nodes of the plurality of pairs of nodes acting as a relay on the network by at least: generating a set of time series representing the set of metadata, respective set of time series corresponding to respective pairs of nodes of the plurality of pairs of nodes (Prenger: Figure 1A, element 106 provides for analyzing (detecting) relay behavior; Figure 7D, elements 210, 206, 204a-e provide for pairs of nodes and plurality of pairs of nodes; Column 12, lines 1-30 and figure 9, element 900 provides for time series of packets in the session (representing the set of metadata) and corresponding to respective pairs of nodes), 
generating similarity scores between pairs of nodes that have one node in common by comparing corresponding time series of the set of time series (Prenger: Column 8, lines 1-20 provide for similarity scores; Column 11, lines 53-67 provide for recording time series; Column 12, lines 1-28 and lines 28-50 provide for comparison of time series with other records and similarity score generation); 
generating an alarm when the similarity score is beyond a threshold indicating that the at least one pair of nodes of the plurality of pairs of nodes are part of a relay arrangement (Prenger: Figure 9, elements 907, 909 provide for reporting and element 911 provides for threshold and column 12, lines 60-67 and column 13, lines 1-5 provide for reporting a relay; Abstract & Column 6, lines 43-60 provides for alarm).
Since Prenger does not explicitly teach, vectors, Savalle in a similar field of endeavor (Network Diagnostics) teaches vectors (Savalle: Figure 6, element 614 provides for vector features; Column 16, lines 65-67 and column 17, lines 11-13 provides for vectors generated from time-series data; Column 18, lines 9-21 provide for vectors derived from time-series data; Column 12, lines 1-20 and column 7, lines 1-12 provide for metadata and visualization data (time series data)).
Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the Malicious Relay Detection System & Method of Prenger with the Vector Techniques of Savalle such that the modified method of Prenger & Savalle teaches vectorization of time-series data. One would have been motivated to make such a combination in order to improve security by implementing advanced analytical techniques for detection of anomalies as well as performance issues (Savalle: Column 1, lines 10-25).
Regarding claim 2, the rejection of claim 1 is incorporated. Prenger teaches:
The method of claim 1, further comprising generating the set of metadata by capturing the network traffic (Prenger: Figure 1A, element 104 provides for metadata and figure 5, element 408 provides for metadata; Column 2, lines 63-67 and column 3, lines 1-18 provide for generating metadata).
Regarding claim 3, the rejection of claim 1 is incorporated. Prenger teaches:
(Prenger: Figure 5, elements 510a-h provide for mapping the set of metadata; Column 11, lines 63-67 provide for N byte sized packets (metadata) and column 12, lines 1-27 provide for generating time series of packets from source to destination; Column 12, lines 28-50 provide for scalar statistics and distributions such as histograms or parametric distribution models; Savalle: Abstract, figure 7, element 720, column 1, lines 54-67, column 8, lines 34-52 provide for mapping metadata (data and anonymized data) and normalizing them for a machine learning based model); and 
converting the set of time series representation into the set of time series vectors (Savalle: Column 16, lines 65-67 and column 17, lines 11-13 provides for vectors generated from time-series data).
Regarding claim 4, the rejection of claim 1 is incorporated. Prenger teaches:
The method of claim 1, wherein time series vectors of the set of time series vectors each correspond to different sessions (Prenger: Figure 5, element 506 and figure 8, element 802 provide for sessions; Column 3, lines 9-17, lines 25-38 provide for different sessions; Savalle: Column 16, lines 65-67 and column 17, lines 11-13 provides for vectors generated from time-series data; Column 12, lines 47-67 provide for time series at different points in time (different sessions); Further, column 18, lines 42-52 provide for techniques employed across different networks (different sessions) to anticipate issues before they occur).
Regarding claim 5, the rejection of claim 1 is incorporated. Prenger teaches:
The method of claim 1, wherein the similarity scores correspond to a similarity of network behavior across legs of a relay, the legs of the relay comprising respective pairs of nodes that have one node in common (Savalle: Figure 4, elements 404a-n and column 12, lines 45-55 provides for time series extractor (element 406) which is the common node and (pairs of nodes—element 404a-n); Claims 1, 6 and column 18, lines 1-21 provide for computing the relevancy score (degree of similarity) between a first device and a second device; Further, figure 1A, element 120 provides for PE-1, PE-2 and PE-3 (Provider Edge Routers)—which is equivalent to common node and figure 1B, element 110 CE-1 (Customer Edge Routers) also provides for common node and column 3, lines 50-67 provide for local/branch networks (legs of a relay); Figure 1B, element 152-154 provide for pairs of nodes (servers); Further, column 7, lines 45-58 and figure 3, element 320 provide for Access Points, AP1-APn through which nodes may connect).
Regarding claim 7, the rejection of claim 1 is incorporated. Prenger teaches:
The method of claim 1, wherein the node in common is either a destination for a first pair of nodes and a source for a second pair of nodes, or a source for the first pair of nodes and a destination for the second pair of nodes depending on a direction of the network traffic (Savalle: Column 13, lines 10-17 provide for access point parameter X for a particular AP aa:bb:cc:dd:ee:ff—which is equivalent to source for pairs of nodes (client devices connected to the AP) that have a node in common (AP) as well as destination; Column 15, lines 20-37 provide for reference entity (common node—element 402); Ben Simhon: Figure 2, element 4 provides for a common node with different relevancy scores).
Regarding claim 8, the rejection of claim 1 is incorporated. Prenger teaches:
The method of claim 1, wherein one node of at least some respective pairs of nodes that have one node in common is external to a network, and three nodes of the respective pairs of nodes that have one node in common are internal to the network (Prenger: Figure 3, element 212 provides for the external node and elements 206 and 204a-e are the three internal nodes with element 210 (switch) that is the common node; Savalle: Figure 1B, element PE-1 provides for external node and elements CE-1 (common node) provide for two or more internal nodes (elements 152-154) to the network).
Regarding claim 9, the rejection of claim 1 is incorporated. Prenger teaches:
(Prenger: Figure 3, element 212 provides for the elements 206 and 204a-e are the three internal nodes with element 210 (switch) that is the common node; Savalle: Figure 1B, elements CE-1 (common node) provide for two or more internal nodes (elements 152-154) to the network).
Regarding claim 10, the rejection of claim 1 is incorporated. Prenger teaches:
10. The method of claim 1, wherein one node of at least some respective pairs of nodes that have one node in common is in a partitioned area of a network, and only a subset of nodes internal to the network have trust-permissions to access the partitioned area of the network (Prenger: Column 4, lines 55-67 and column 5, lines 1-5 along with figure 2, element 206 and elements 204a-e provide for nodes in a partitioned network with trust permissions and element 210 is the common node).
Regarding claim 11, the following applies: Claim 11 describes a computer program product embodied on a non-transitory computer readable medium that performs the method of claim 1. Hence, the same rationale for the rejection of claim 1 applies to claim 11.
Regarding claim 12, the following applies: Claim 12 describes a computer program product embodied on a non-transitory computer readable medium that performs the method of claim 2. Hence, the same rationale for the rejection of claim 2 applies to claim 12.
Regarding claim 13, the following applies: Claim 13 describes a computer program product embodied on a non-transitory computer readable medium that performs the method of claim 3. Hence, the same rationale for the rejection of claim 3 applies to claim 13.
Regarding claim 14, the following applies: Claim 14 describes a computer program product embodied on a non-transitory computer readable medium that performs the method of claim 4. Hence, the same rationale for the rejection of claim 4 applies to claim 14.
Regarding claim 15, the following applies: Claim 15 describes a computer program product embodied on a non-transitory computer readable medium that performs the method of claim 5. Hence, the same rationale for the rejection of claim 5 applies to claim 15.
Regarding claim 17, the following applies: Claim 17 describes a computer program product embodied on a non-transitory computer readable medium that performs the method of claim 7. Hence, the same rationale for the rejection of claim 7 applies to claim 17.
Regarding claim 18, the following applies: Claim 18 describes a computer program product embodied on a non-transitory computer readable medium that performs the method of claim 8. Hence, the same rationale for the rejection of claim 8 applies to claim 18.
Regarding claim 19, the following applies: Claim 19 describes a computer program product embodied on a non-transitory computer readable medium that performs the method of claim 9. Hence, the same rationale for the rejection of claim 9 applies to claim 19.
Regarding claim 20, Savalle teaches: 
A system for detecting threats on a network, comprising: a computer processor to execute a set of program code instructions; a memory to hold the set of program code instructions, in which the set of program code instructions comprises program code to perform: receiving network traffic by tapping at least one network device of a network (Prenger: Claim 1 and figure 2, element 222 provides for a system with a processor and memory; Column 2, lines 55-67 and figure 1A, element 102 provides for receiving network traffic and tapping a device); 
extracting a set of metadata from the network traffic, the set of metadata corresponding to network traffic between nodes of a plurality of pairs of nodes, the set of metadata describing network communications (Prenger: Figure 1A, element 104 provides for metadata and figure 5, element 408 provides for metadata); 
detecting at least one pair of nodes of the plurality of pairs of nodes acting as a relay on the network by at least: generating a set of time series vectors representing the set of metadata, respective set of time series vectors corresponding to respective pairs of nodes of the plurality of (Prenger: Figure 1A, element 106 provides for analyzing (detecting) relay behavior; Figure 7D, elements 210, 206, 204a-e provide for pairs of nodes and plurality of pairs of nodes; Column 12, lines 1-30 and figure 9, element 900 provides for time series of packets in the session (representing the set of metadata) and corresponding to respective pairs of nodes; Savalle: Figure 6, element 614 provides for vector features; Column 16, lines 65-67 and column 17, lines 11-13 provides for vectors generated from time-series data; Column 18, lines 9-21 provide for vectors derived from time-series data; Column 12, lines 1-20 and column 7, lines 1-12 provide for metadata and visualization data (time series data)), 
generating similarity scores between pairs of nodes that have one node in common by comparing corresponding time series vectors of the set of time series vectors (Prenger: Column 8, lines 1-20 provide for similarity scores; Column 11, lines 53-67 provide for recording time series; Column 12, lines 1-28 and lines 28-50 provide for comparison of time series with other records and similarity score generation; Savalle: Figure 6, element 614 provides for vector features; Column 16, lines 65-67 and column 17, lines 11-13 provides for vectors generated from time-series data; Column 18, lines 9-21 provide for vectors derived from time-series data; Column 12, lines 1-20 and column 7, lines 1-12 provide for metadata and visualization data (time series data)); 
generating an alarm when the similarity score is beyond a threshold indicating that the at least one pair of nodes of the plurality of pairs of nodes are part of a relay arrangement (Prenger: Figure 9, elements 907, 909 provide for reporting and element 911 provides for threshold and column 12, lines 60-67 and column 13, lines 1-5 provide for reporting a relay; Abstract & Column 6, lines 43-60 provides for alarm).
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Prenger et al (US Patent 9628512 B2; hereinafter Prenger) in view of Savalle et al (US Patent No. 10601676 B2; hereinafter Savalle) in view of Ben Simhon et al (US Patent Publication No. 2016/0210556 A1; hereinafter Ben Simhon).
Regarding claim 6, the rejection of claim 1 is incorporated. Prenger teaches:
(Savalle: Figure 5C, element 506 and column 16, lines 52-67 provides for comparing the time-series surrounding the detected issue to those of other candidate entities in the network/organization; Column 15, lines 20-37 provide for reference entity 402 (common node)):
generating a plurality of similarity scores at least for unique combinations of pairs of nodes that have one node in common and a corresponding pairs of time series vectors (Savalle: Column 16, lines 52-67 provides for comparing the time-series surrounding the detected issue to those of other candidate entities in the network/organization; Column 13, lines 10-17 provide for access point parameter X for a particular AP aa:bb:cc:dd:ee:ff—which is equivalent to unique combination of pairs of nodes (client devices connected to the AP) that have a node in common (AP); Column 15, lines 20-37 provide for reference entity (common node—element 402); Column 15, lines 48-67 provides for relevance evaluator (410)—which is also equivalent to generating a plurality of similarity scores (relevancy scores)), by: 
performing a plurality of comparisons of a respective pair of time series vectors to generate a plurality of scores (Savalle: Figure 4, elements 312, 410 and column 8, lines 43-67, column 9, lines 1-7 and column 9, lines 8-48 provide for a predictive analytics model (element 312) that builds predictive models by considering plurality of parameters to generate a plurality of scores; Column 16, lines 19-33 provide for determining which time series match—which is equivalent to plurality of comparisons),
wherein a time series vector of the respective pair of time series vectors undergoes one or more [adjustments] using one or more offsets prior to performing respective comparisons of the plurality of comparisons to generate respective scores (Savalle: Column 6, lines 24-44 provide for a machine learning model M that adjusts the parameters a,b,c in order to determine misclassified points—which is equivalent to a time series vector of the respective pair of time series vectors undergoes one or more adjusted using one or more temporal offsets prior to performing respective comparisons of the plurality of comparisons; Figures 5A-5D and column 16, lines 34-52 provide for plurality of comparisons to generate respective scores—wherein the graphs 5A-5D show different scores for different comparisons); and 
selecting a score of the plurality of scores that indicates a highest degree of similarity as the similarity score for the unique combinations of pairs of nodes that have one node in common and a corresponding pairs of time series vectors (Savalle: Column 14, lines 60-67, column 15, lines 1-19 and column 16, lines 19-33 provide for degree of similarity; Column 13, lines 1-10, lines 11-41 and figure 5C, element 510 provides for highest degree of similarity score for ‘any’ access point (AP–aa:bb:cc:dd:ee:ff (common node))—detecting the issue).
Since Prenger in view of Savalle does not explicitly teach ‘temporal [offset/adjustments]’, Ben Simhon teaches, ‘temporal [offset/adjustments]’ (Ben Simhon: Paragraph 0070 provides for adjustments to the baseline which may be a function of time and define a range of expected values for each point in time; Figure 11 (entire figure) and paragraphs 0097, 0101 and 0102 provides for offset techniques).
Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the Malicious Relay Detection System & Method of Prenger with the Vector Techniques of Savalle with the Heuristic Techniques of Ben Simhon such that the modified method of Prenger, Savalle & Ben Simhon teaches temporal offset/adjustments. One would have been motivated to make such a combination in order to improve security by implementing advanced analytical techniques for detection of anomalies as well as performance issues for quick resolution (Ben Simhon: Paragraph 0004).
Regarding claim 16, the following applies: Claim 16 describes a computer program product embodied on a non-transitory computer readable medium that performs the method of claim 6. Hence, the same rationale for the rejection of claim 6 applies to claim 16.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure—US Patents 10616267; 10298611 and 10560311 and US Patent Publication 20150264068 and 20180077186.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TISCHI PANICKER whose telephone number is (571) 270-7924.  The examiner can normally be reached on M-F (7:30 - 16:30).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ANISS CHAD can be reached on (571) 270-3832.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications 


/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432




/Tischi Balachandra/Examiner, Art Unit 3662