DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This Office action is in response to the amendment filed on 12/15/2020. Claims 2 and 9 have been canceled, and claims 19-21 are added.

Claims 1, 3-8 and 10-21 are presented for examination. 

The terminal disclaimer filed on 12/15/2020 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of U.S. Patent 10,389,641 has been reviewed and is accepted.  The terminal disclaimer has been recorded. 

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 06/25/2020, 07/29/2020, 12/28/2020 and 02/10/2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

The objection to claim 17 is withdrawn in view of the amendment.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-8 and 10-21 are rejected under 35 U.S.C. 103 as being unpatentable over Hsiao et al. (US 2016/0226944), in view of Pappu et al. (US 2013/0304909), Hanson (US 2011/0277034).

As to claim 1, Hsiao discloses the invention as claimed, including a method of operating a communications network comprising: 
receiving a plurality of network operational data items relating to the operation of said communications network (103, Fig. 1; 201, Fig. 2), each of those network operational data items comprising one or more attributes, each attribute comprising a value for that attribute (414, Fig. 4; Fig. 11C; ¶0118, “review dashboard 710 that includes a set of incident attribute fields 711”; ¶0157; ¶0158); 
processing a plurality of the values of at least one of said attributes to 
classifying said network operational data items using type-specific processing which depends upon the identified statistical data type of said at least one attribute is nominal (i.e., dest_ip, src_ip, dest_port), ordinal (low, medium, high, critical) or quantitative (Fig. 11C; ¶0118, “identifying patterns among the notable events, each notable event can be associated with an urgency value (e.g., low, medium, high, critical), which is indicated in the incident review dashboard”; ¶0123, “displayed using different patterns or colors to represent different performance states, such as a critical state, a warning state...”; ¶0197, “column 1138 may indicate that the "dest_ip," "dest_port," "src_ip," "status," and "uri_path" event attributes are specified as key attributes and the "bytes," "bytes_in," "bytes_out," and "time_taken" event attributes are specified as aggregation attributes”; ¶0210; ¶0212, “data that represents security risks. The dashboard includes a number of potential security risks, such as "HTTP Errors," "DNS Errors," "Cloud Email," "NFS Activity," and "Threat List Activity”; ¶0216, “FIGS. 11D-11E to add a filter for network and/or event data that exactly matches the IP address (e.g., 10.160.26.206) from which the security risk was detected”).

Although Hsiao discloses a field extractor (412, Fig. 4) that automatically identifies a statistical data type of the values of the attributes as nominal, ordinal or quantitative (¶0096; ¶0097, “field extractor 412 applies extraction rule 408 for the first command "Search IP="10*" to events in data store 414 including events 416-418”; ¶0098), Hsiao does not specifically disclose automatically finding a statistical data type of the values of the attributes as nominal, ordinal or quantitative by statically analyzing a plurality of the values of at least of said attributes.
automatically finding a statistical data type of the values of the attributes as nominal, ordinal or quantitative by statically analyzing a plurality of the values of at least of said attributes (Fig. 3; Fig. 5E shows automatically finding a statistical data type as nominal (i.e., IP address range, Vulnerability ID) or ordinal (i.e., critical vulnerability, vulnerable assets, critical assets); ¶0011, “automatically detect statistical anomalies, correlate intrusion events or other events with the vulnerabilities and assets in the network, search the analyzed and correlated information for data meeting certain criteria”; ¶0043; ¶0044, “three-dimensional visualization shown in FIG. 5E may include a red color code to represent critical vulnerabilities associated with IP addresses in the range "192.168.20.2" to "192.168.20.205," an orange color code to represent vulnerable assets in the IP address range "192.168.20.2" to "192.168.20.205," and a yellow color code to represent critical assets in the IP address range "192.168.20.2" to "192.168.20.205”).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the system of Hsiao to include automatically finding a statistical data type of the values of the attributes as nominal, ordinal or quantitative by statically analyzing a plurality of the values of at least of said attributes, as taught by Hanson because it would more suitably managing network security by efficiently detecting and preventing intrusion or other security events in the network (Hanson, ¶0011; ¶0026; ¶0028).

Although Hsiao discloses automatically operating the communications network to apply common class-specific treatment (¶0265; ¶0269), Hsiao does not specifically 
However, Pappu discloses automatically operating the communications network to apply the treatment in response to network operational data items in one or more classes (350, Fig. 3A; 374, Fig. 3C; 550, Fig. 5; Fig. 7; ¶0007, “The subscriber fairness solution contemplates a variety of improved techniques for using a flow-based statistical collection mechanism to monitor subscriber usage of network resources across various attributes”; ¶0008; ¶0016; ¶0021; ¶0072; ¶0089; ¶0090). 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the system of Hsiao to include automatically operating the communications network to apply the treatment in response to network operational data items in one or more classes, as taught by Pappu because it would improve performance, operation, flow control, or quality of service of network traffic by providing desired solution using a flow-based statistical collection mechanism to monitor user usage across various attributes (Pappu, ¶0008; ¶0016).

As to claim 3, Hsiao discloses the method according to claim 1 further comprising comparing said plurality of values to one or more specialised patterns in order to find the type of the values of the attribute as being a specialist data type (¶0097, “looking for a pattern of one or more digits…”; ¶0118, “identifying patterns”; ¶0123; ¶0147, “comparison engine 908 in remote capture agent 950 may receive events from events generator 907 and compare one or more fields…”; ¶0202; ¶0208).

receiving a specification of a specialised pattern for a specialist data type from a user (¶0097, “looking for a pattern of one or more digits…”; ¶0101, “statistics about occurrences of specific fields in the returned events, including "selected fields" that are pre-selected by the user, and "interesting fields"; ¶0118, “identifying patterns”).

As to claim 5, Hsiao discloses the method according to claim 3 further comprising receiving a specification of one or more operations suitable for processing values matching said specialised pattern (¶0097, “looking for a pattern of one or more digits…”; ¶0118, “identifying patterns”).

As to claims 6 and 21, Hsiao discloses wherein said type-specific processing comprises computing a type-specific similarity or distance measure between two data items (Figs. 11D-11E; ¶0147, “compare one or more fields from the events to a set of filtering rules in the configuration information to determine whether to include the events in an event stream”; ¶0202).

As to claim 7, it is rejected for the same reasons set forth in claim 1 above. In addition, Hsiao discloses network control apparatus comprising: a computer system including a non-transitory computer readable medium for storing code and a computer hardware processor for executing the code such that the computer system is configured to at least perform (¶0061, “computer-readable storage medium, which may be any device or medium…”; ¶0062).

As to claim 8, Hsiao discloses a non-transitory computer readable medium having stored thereon a program or suite of programs executable by a processor to perform the method of claim 1 (¶0061, “computer-readable storage medium, which may be any device or medium…”; ¶0062).

As to claims 10, 11 and 18, they are rejected for the same reasons set forth in claims 1 and 7 above. In addition, Hsiao discloses clustering said network operational data items using type-specific processing which depends upon the identified statistical data type of said at least one attribute (¶0049, “grouping of the event streams”; ¶0118, “identifying patterns among the notable events, each notable event can be associated with an urgency value”; ¶0121, “cluster-related performance metrics”; ¶0168, “GUI 1025 may allow a user to specify an event stream attribute such as a category of an event stream”; ¶0212, “data that represents security risks. The dashboard includes a number of potential security risks, such as "HTTP Errors," "DNS Errors," "Cloud Email," "NFS Activity," and "Threat List Activity”; ¶0284).

As to claim 12, Hsiao discloses the method according to claim 1 wherein the attributes of the network operational data items include data comprising a sequence of bytes representing a sequence of characters; and the processing of the network operational data items does not rely on the network operational data items being in accordance with a predetermined schema (¶0083; ¶0095, “deriving a field value by performing a function on a character string or value retrieved by the 

As to claim 13, Hsiao discloses the network control apparatus according to claim 7 wherein the attributes of the network operational data items include data comprising a sequence of bytes representing a sequence of characters; and the computer system is not pre-configured with data representing a predetermined schema for the network operational data items (¶0083; ¶0095, “deriving a field value by performing a function on a character string or value retrieved by the extraction rule. For example, a transformation rule may truncate a character string”; ¶0098). 

As to claims 14 and 15, they are rejected for the same reasons set forth in claim 1 above. In addition, Hsiao discloses giving network traffic, represented by the network operational data items assigned to the same class, a same quality of service (¶0004; ¶0115; ¶0128; ¶0129; ¶0132; ¶0155).

As to claim 16, Hsiao discloses the method according to claim 1 further comprising determining that a network element or network traffic is malicious, wherein automatically operating the communications network to apply the common class-specific treatment includes handling the malicious network element network traffic with a same countermeasure (¶0004, “network capture systems may be customized to 
extract data for security and intrusion-detection purposes”; ¶0113; ¶0115, “security-related information”; ¶0118; ¶0139, “identification of potential security risks from 

As to claim 17, Hsiao discloses the network control apparatus according to claim 7 wherein the computer system is further configured to determine that a network element or network traffic is malicious, automatically operating the communications network in the network control to apply the common class-specific treatment includes handling the malicious network element network traffic with a same countermeasure (¶0004, “network capture systems may be customized to extract data for security and intrusion-detection purposes”; ¶0113; ¶0115, “security-related information”; ¶0118; ¶0139, “identification of potential security risks from previously generated event streams”; ¶0172; ¶0242).

As to claims 19 and 20, Hsiao discloses a method according to claim 1, wherein statistically analyzing the plurality of the values of at least one of said attributes comprises calculating one or more collective properties of the values, the one or more collective properties being selected from the group comprising: i) the number of unique values found in the plurality of values of the attribute; ii) the frequency distribution of the values of the attribute; and iii) the frequency distribution of the differences between the values of the attribute when ordered (Fig. 11C; ¶0098, “count the number of unique values contained in the target fields, which in this example produces the value "2"; ¶0101, “FIG. 6A displays a timeline 605 that graphically illustrates the number of events that occurred in one-hour intervals over the 

Applicant’s arguments with respect to claims 1, 3-8 and 10-21 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JUNGWON CHANG whose telephone number is (571)272-3960.  The examiner can normally be reached on 8 - 4 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GLENTON BURGESS can be reached on (571)272-3949.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have 


/JUNGWON CHANG/Primary Examiner, Art Unit 2454                                                                                                                                                                                                        February 17, 2021