DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Applicant’s Request for Continued Examination filed 1/8/2021 is acknowledged.  
Claims 1, 10, and 15 have been amended.   
It is noted that previous amendments presented in claim 4 continue to be shown as current amendments.
Previous rejections under 35 USC 112 are withdrawn in light of the present amendments.
Claims 18 and 19 have been previously cancelled.
Claims 1-17 and 20 remain pending.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claims 1-17 and 20 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Claims 1, 10, and 15 recite the term “the received traffic flow” in the present amended claim language. There is insufficient antecedent basis for this limitation in the claim, as the claim does not recite “a received traffic flow”, but only recites receiving “a flow record” and “discarded network traffic information”.
Claims 2-9, 11-14, 16, 17, and 20 are rejected due to dependence.
Claim Rejections - 35 USC § 103
3.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

4.	Claims 1-14 (as best understood) are rejected under 35 U.S.C. 103 as being unpatentable over Puzis et al. (US20170171050A1), hereafter Puzis, in view of Yang et al. (USP 9621853B1), hereafter Yang, and further in view of Chesla (USP 9892270B2).  

Regarding claim 1,
Puzis discloses a method for correlating discarded network traffic with network policy events in a software-defined network (Title; Abstract), comprising receiving a flow record from a first network device (i.e. Fig. 2, NFO) by a second network device (i.e. Fig. 2, OFC API via 224), the flow record including initial (i.e. discovered, baseline) network flow information in a flow record format (i.e. paragraphs 18, 22, 132), receiving, by the second network device, network traffic information discarded (i.e. expired/removed; paragraphs 20, 29, 37, 129-130) by an attack mitigation enforcement device (i.e. paragraph 77; NetFlow Enabled Routers (NERs) selected by network administration to maintain network monitoring) based on a network traffic dropping policy (i.e. paragraphs 17, 34, 80-85; entry expiration/removal), correlating, by the second network device, the received flow record with the received discarded network traffic information (i.e. Fig. 9, paragraph 133) and encoding, by the i.e. updating for balanced distribution of flow records; Fig. 10a-c, 12a-c; paragraph 135).

Puzis does not expressly show the above correlating the received discard network traffic information “related to changes in one or more traffic policies relative to information in the received traffic flow”.
Yang discloses analogous SDN network service orchestration including correlating received discard network traffic information “related to changes in one or more traffic policies relative to information in the received traffic flow” (i.e. Fig. 17A-B, steps 1706, 1716; Col. 22-23, lines 33-16; auto-correlation to determine root cause of QoS/policy change/re-assignment including packet loss, insufficient bandwidth, etc.).
It would have been obvious to one of ordinary skill in the art at the time of effective filing to modify Puzis by correlating the received discard network traffic information related to changes in one or more traffic policies relative to information in the received traffic flow, as shown by Yang, thereby enabling automated improvement of service metrics.

Puzis also does not expressly show the above correlating while maintaining the initial network flow information to yield an enhanced flow record, whereby one or more field definitions are added to the received flow record to be populated with the received discarded network traffic information.
Chesla discloses an analogous software-defined network in which network traffic information is associated with each network policy from a network policy enforcement device (Fig. 1; Background), wherein network traffic is discarded based on matching/correlating to a network traffic policy while maintaining the initial network flow information to yield an enhanced flow record (i.e. Col. 8, lines 27-67; associating/correlating SDN/openflow flows with network policies to determine flow patterns) whereby one or more field definitions are added to the received flow record to be populated with the received discarded network traffic information, and a user (i.e. via GUI; Fig. 2, 4-8; Col. 3-4, Summary; Col. 12-14) selects the discarded network traffic to be encoded (i.e. Col. 9, lines 1-14; use of basic & advanced ACL functions).
It would have been obvious to one of ordinary skill in the art at the time of effective filing to modify Puzis where network traffic is discarded based on matching/correlating to a network traffic policy while maintaining the initial network flow information to yield an enhanced flow record, whereby one or more field definitions are added to the received flow record to be populated with the received discarded network traffic information, as shown by Chesla, thereby providing real-time customizable and programmable cyber security systems for threat mitigation.





Regarding claim 10,
Puzis discloses a monitoring system comprising a monitored network comprising a plurality of devices and one or more physical network elements (i.e. Fig. 2; Background; paragraphs 81-91).
Puzis discloses an attack mitigation enforcement device (i.e. paragraph 77; network administration) coupled to the monitored network by the physical network elements storing a flow record repository of flow record information (i.e. Fig. 2, 211; paragraphs 70-75) and one or more network monitoring devices (i.e. paragraph 77; NetFlow Enabled Routers (NERs) selected by network administration to maintain network monitoring) operable to receive a flow record including initial (i.e. discovered, baseline) network flow information from the one or more physical network elements in a flow record format (i.e. paragraphs 18, 22, 132), receive network traffic information discarded (i.e. expired/removed; paragraphs 20, 29, 37, 129-130) based on a network traffic dropping policy (i.e. paragraphs 17, 34, 80-85; entry expiration/removal), correlate portions of the received flow record with the received discarded network traffic information (i.e. Fig. 9, paragraph 133) and encode the discarded network traffic information in the received flow record based on the correlation (i.e. updating for balanced distribution of flow records; Fig. 10a-c, 12a-c; paragraph 135).

Puzis does not expressly show the above correlating the received discard network traffic information “related to changes in one or more traffic policies relative to information in the received traffic flow”.
Yang discloses analogous SDN network service orchestration including correlating received discard network traffic information “related to changes in one or more traffic policies relative to information in the received traffic flow” (i.e. Fig. 17A-B, steps 1706, 1716; Col. 22-23, lines 33-16; auto-correlation to determine root cause of QoS/policy change/re-assignment including packet loss, insufficient bandwidth, etc.).
It would have been obvious to one of ordinary skill in the art at the time of effective filing to modify Puzis by correlating the received discard network traffic information related to changes in one or more traffic policies relative to information in the received traffic flow, as shown by Yang, thereby enabling automated improvement of service metrics.

Puzis also does not expressly show the above correlating while maintaining the initial network flow information to yield an enhanced flow record, whereby one or more field definitions are added to the received flow record to be populated with the received discarded network traffic information.
Chesla discloses  an analogous software-defined network in which network traffic information is associated with each network policy from a network policy enforcement device (Fig. 1; Background), wherein network traffic is discarded based on matching/correlating to a network traffic policy while maintaining the initial network flow information to yield an enhanced flow record (i.e. Col. 8, lines 27-67; associating/correlating SDN/openflow flows with network policies to determine flow patterns) whereby one or more field definitions are added to the received flow record to be populated with the received discarded network traffic information, and a user (i.e. via GUI; Fig. 2, 4-8; Col. 3-4, Summary; Col. 12-14) selects the discarded network traffic to be encoded (i.e. Col. 9, lines 1-14; use of basic & advanced ACL functions).
It would have been obvious to one of ordinary skill in the art at the time of effective filing to modify Puzis where network traffic is discarded based on matching/correlating to a network traffic policy while maintaining the initial network flow information to yield an enhanced flow record, whereby one or more field definitions are added to the received flow record to be populated with the received discarded network traffic information, as shown by Chesla, thereby providing real-time customizable and programmable cyber security systems for threat mitigation.

Regarding claims 2 and 11,
The combination of Puzis, Yang, and Chesla discloses storing the enhanced flow record in a flow record repository (i.e. Fig. 2, 211; paragraphs 70-75).  See motivation above.

Regarding claims 3 and 12,
The combination of Puzis, Yang, and Chesla discloses receiving network traffic policy information from the first network device/one or more physical elements (i.e. Puzis: Fig. 2, flow 221 thru 229 between network admin, NFO, OFC; Chesla: i.e. Col. 8, lines 27-67; associating/correlating SDN/openflow flows with network policies to determine flow patterns).  See motivation above.
Regarding claims 4 and 13,
The combination of Puzis, Yang, and Chesla discloses the network traffic policy information comprises a plurality of discard rules configured to discard network traffic matching predetermined criteria (i.e. Chesla: Col. 10, lines 8-35; Fig. 4-5 and Col. 12-13, “event rule”).  See motivation above.

Regarding claims 5 and 14,
The combination of Puzis, Yang, and Chesla discloses the discarded network traffic information includes at least a number of dropped packets (i.e. removed/expired in Puzis; Chesla: i.e. Col. 9, lines 1-14; use of basic & advanced ACL functions including DPI and black-hole route functions of discarded traffic).  See motivation above.
Regarding claims 6 and 8,
The combination of Puzis, Yang, and Chesla discloses the network comprises a software defined network (SDN) and wherein the first network device and the second network device comprise SDN enabled network devices comprise OpenFlow switches and wherein the SDN controller comprises an OpenFlow controller (i.e. Background of Puzis and Chesla).  See motivation above.

Regarding claim 7,
The combination of Puzis, Yang, and Chesla discloses the first network device and the second network device are communicatively coupled to an SDN controller (i.e. Puzis Fig. 2) and wherein receiving the discarded network traffic information comprises receiving, by the second network device, the discarded network traffic information from the network policy enforcement device (i.e. Puzis Fig. 2; Chesla: Col. 9, lines 1-14; use of basic & advanced ACL functions including DPI and black-hole route functions of discarded traffic).  See motivation above.

Regarding claim 9,
The combination of Puzis, Yang, and Chesla discloses…monitoring one or more network flows using a plurality of the enhanced flow records stored in the flow record repository (i.e. Puzis paragraph 135; Chesla: Col. 9, lines 25-30).  See motivation above.

5.	Claims 15-17 and 20 (as best understood) are rejected under 35 U.S.C. 103 as being unpatentable over Puzis, Yang, and Chesla, and further in view of Bosch et al. (US20180063018A1), hereafter Bosch.  

Regarding claim 15,
Puzis discloses a software-defined network (SDN) traffic monitoring system comprising a monitored SDN network comprising a plurality of devices (i.e. Title; Abstract; Fig. 2; Background).
Puzis shows a SDN enabled switch communicatively coupled to the monitored network, a SDN controller configured to interface with the SDN enabled switch (i.e. Fig. 2; Background paragraphs 2-7, 81-91 describing basic SDN/Openflow architecture), and an attack mitigation enforcement device coupled to the monitored network (i.e. paragraph 77; network administration), a flow record repository for storing flow record information (i.e. Fig. 2, 211; paragraphs 70-75) and one or more network monitoring devices (NetFlow Enabled Routers (NERs) selected by network administration to maintain network monitoring) communicatively coupled to the SDN enabled switch by the SDN controller and communicatively coupled to the flow record repository (i.e. paragraphs 18, 22, 132), wherein the one or more network monitoring devices are configured and operable to receive a flow record including initial (i.e. discovered, baseline) network flow information from the SDN controller in a flow record format (i.e. paragraphs 18, 22, 132), receive network traffic information discarded (i.e. expired/removed; paragraphs 20, 29, 37, 129-130) based on a network traffic dropping policy (i.e. paragraphs 17, 34, 80-85; entry expiration/removal), correlate the received flow record with the received discarded network traffic information (i.e. Fig. 9, paragraph 133) and encode the discarded network traffic information in the received flow record based on the correlation (i.e. updating for balanced distribution of flow records; Fig. 10a-c, 12a-c; paragraph 135).

Puzis does not expressly show the above correlating the received discard network traffic information “related to changes in one or more traffic policies relative to information in the received traffic flow”.
Yang discloses analogous SDN network service orchestration including correlating received discard network traffic information “related to changes in one or more traffic policies relative to information in the received traffic flow” (i.e. Fig. 17A-B, steps 1706, 1716; Col. 22-23, lines 33-16; auto-correlation to determine root cause of QoS/policy change/re-assignment including packet loss, insufficient bandwidth, etc.).
It would have been obvious to one of ordinary skill in the art at the time of effective filing to modify Puzis by correlating the received discard network traffic information related to changes in one or more traffic policies relative to information in the received traffic flow, as shown by Yang, thereby enabling automated improvement of service metrics.

Puzis does not expressly show the above correlating while maintaining the initial network flow information to yield an enhanced flow record, whereby one or more field definitions are added to the received flow record to be populated with the received discarded network traffic information, and a user selects the discarded network traffic to be encoded from the group consisting of an ACL, a flow specification object, and a black hole route.
Chesla discloses  an analogous software-defined network in which network traffic information is associated with each network policy from a network policy enforcement device (Fig. 1; Background), wherein network traffic is discarded based on a network traffic policy while maintaining the initial network flow information to yield an enhanced flow record (i.e. Col. 8, lines 27-67; associating/correlating SDN/openflow flows with network policies to determine flow patterns) whereby one or more field definitions are added to the received flow record to be populated with the received discarded network traffic information, and a user (i.e. via GUI; Fig. 2, 4-8; Col. 3-4, Summary; Col. 12-14) selects the discarded network traffic to be encoded from the group consisting of an ACL, a flow specification object, and a black hole route (i.e. Col. 9, lines 1-14; use of basic & advanced ACL functions including DPI and black-hole route functions of discarded traffic).
It would have been obvious to one of ordinary skill in the art at the time of effective filing to modify Puzis where network traffic is discarded based on a network traffic policy while maintaining the initial network flow information to yield an enhanced flow record, whereby one or more field definitions are added to the received flow record to be populated with the received discarded network traffic information, and a user selects the discarded network traffic to be encoded from the group consisting of an ACL, a flow specification object, and a black hole route, as shown by Chesla, thereby providing real-time customizable and programmable cyber security systems for threat mitigation. 
Puzis and Chesla do not expressly show TCP data rate control to prevent sending data in excess of permitted link rate to control queuing in router buffers.
Bosch discloses a system and method for managing chained services in a network environment (Title) utilizing TCP data rate control to prevent sending data in excess of permitted link rate to control queuing in router buffers (paragraph 34; TCP optimizer including rate control policing for incoming and outgoing flows).
It would have been obvious to one of ordinary skill in the art at the time of effective filing to modify Puzis and Chesla with TCP data rate control to prevent sending data in excess of permitted link rate to control queuing in router buffers, as shown by Bosch, thereby extending the advantages of software-defined network policy management to specific flow mechanisms such as TCP window/rate control.
Regarding claims 16 and 17,
The combination of Puzis, Yang, Chesla, and Bosch discloses the network traffic policy comprises at least one of a priority policy, a rate policy and a discard policy and the one or more network monitoring devices are further configured and operable to monitor one or more network flows using a plurality of the enhanced flow records stored in the flow record repository.  See disclosures and motivation above.

Regarding claim 20,
The combination of Puzis, Yang, Chesla, and Bosch discloses the network comprises a software defined network (SDN) and wherein the first network device and the second network device comprise SDN enabled network devices comprise OpenFlow switches and wherein the SDN controller comprises an OpenFlow controller (i.e. Background of Puzis and Chesla).  See motivation above.

Response to Arguments
6.	Applicant's arguments filed 1/8/2021 have been fully considered but they are not moot because the new ground of rejection is now based on newly-cited Yang reference for any teaching or matter specifically challenged in the argument.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREGORY B SEFCHECK whose telephone number is (571)272-3098.  The examiner can normally be reached on Monday-Friday 6AM-4PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ayaz Sheikh can be reached on 571-272-3795.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.