Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Claims 1-20 are presented for examination. 
Claims 1-7, and 16-20 are elected for examination. 
Claims 8-15 are withdrawn. 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

4.	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to 
5.	Claims 1-7, and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Chow et al hereafter Chow (US pat. App. Pub. 20110197278) and in view of Keohane et al hereafter Keohane (US pat. App. Pub. 20080263666).  
6.	As per claim 1, Chow discloses a system, comprising: one or more processors; and one or more memory devices that store instructions configured to be executed by the one or more processors to perform actions that: monitor network traffic flow through one or more ports of one or more entities in a network; detect a newly port on a first entity (paragraphs: 32-34, wherein it emphasizes that a device monitors the PDU data traffic on the port and detects the port at the first entity); determine whether the newly-opened port on the first entity is likely to be used for malicious activity based on a collaborative filtering model, the collaborative filtering model based on implicit datasets, the implicit datasets including usage patterns of the one or more open ports of the one or more entities for non-malicious activity; and issue an alert when the newly-opened port is determined to be used for malicious activity (paragraphs: 28, 37, 45, 47-49, and 71, wherein it elaborates that the device determines if any malicious activity is taking place in the port of the entity based on the usage pattern by collaborating one or more ports on the entities and issues an alert when the malicious activity is determined on the port). Although Chow mentions the new port of the entity, he does not expressly 
Accordingly, it would have been obvious to one of ordinary skill in the network security art before the effective filing date of the claimed invention to have incorporated Keohane’s teachings of open port of the entity with the teachings of Chow, for the purpose of effectively protecting the newly opened port of the entity from malicious attack.
7.	As per claim 2, Chow discloses the system, wherein the one or more memory devices store instructions that when executed by the one or more processors performs actions that: structure data from the network traffic flow into an entity-port model that reflects the usage of the one or more open ports by the one or more entities for non-malicious activity; perform single value decomposition with alternative least squares to decompose the entity-port model into a first matrix of entity factors and a second matrix of port factors; and use the first matrix and the second matrix to generate a recommendation score indicative of whether the newly-opened port is an anomalous port (paragraphs: 19, 39, 47, 77). 
8.	As per claim 3, Chow discloses the system, wherein the one or more memory devices store instructions that when executed by the one or more processors performs actions that: obtain the usage patterns from synchronize (SYN) and acknowledgement (ACK) settings in transmission control protocol (TCP) packets (paragraphs: 31, 48, 78).
9.	As per claim 4, Chow discloses the system, wherein the usage patterns are derived from Internet Protocol Flow Information Export (IPFIX) data (paragraphs: 17, 37).

11.	As per claim 6, Chow discloses the system, wherein the one or more memory devices store instructions that when executed by the one or more processors performs actions that: raise an alert when the recommendation score is below a threshold (paragraphs: 34, 50). 
12.	As per claim 7, Chow discloses the system, wherein the one or more memory devices store instructions that when executed by the one or more processors performs actions that: prior to perform single value decomposition, transform an entity-port pair of the entity-port model into a preference and confidence pair (paragraphs: 30, 49). 
13.	As per claim 16, Chow discloses a device, comprising: at least one processor and at least one memory device; wherein the at least one processor is configured to: obtain a collaborative filtering model to represent usage of one or more ports of a plurality of entities of a network, wherein the usage of the one or more ports in the collaborative filtering model are used for non-malicious activity; detect in real-time a newly-opened port for a first entity of the plurality of entities; utilize the collaborative filtering model to determine a likelihood that the newly-opened port is an anomalous port (paragraphs: 28, 37, 45); and upon the determination that the newly-opened port is determined to be anomalous, raise an alert in real-time to deter usage of the anomalous port (paragraphs: 47-49, and 71). Although Chow mentions the new port of the entity, he does not expressly mention an open port. In the same field of endeavor, 
Accordingly, it would have been obvious to one of ordinary skill in the network security art before the effective filing date of the claimed invention to have incorporated Keohane’s teachings of one or more open ports of a plurality of entities of a network with the teachings of Chow, for the purpose of effectively protecting the newly opened port of the entity from malicious attack.
14.	As per claim 17, Chow discloses the device, wherein the at least one processor is further configured to: construct the collaborative filtering model using implicit datasets, the implicit datasets derived from settings in transmission packets distributed in the network (paragraphs: 18, 34, 39). 
15.	As per claim 18, Chow discloses the device, wherein the at least one processor is further configured to: generate an entity-port model having a value identifying a usage frequency of an open port for an entity; and apply singular value decomposition with alternating least squares to estimate a missing value for a port of an entity and generating a first matrix representing entity factors and a second matrix representing port factors (paragraphs: 31, 30, 45). 
16.	As per claim 19, Chow discloses the device, wherein the at least one processor is further configured to: generate a recommendation score for the first entity and the newly-opened port based on the first matrix and the second matrix (paragraphs: 40, 46, 90). 
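The technique recited across claims 2, 6, 7, 18 and 19 (an entity-port usage model, a preference and confidence pair per entry, alternating least squares producing entity factors and port factors, and an alert when the recommendation score falls below a threshold) can be sketched as follows. This is an added illustration, not code from the application, Chow or Keohane; it assumes the commonly published implicit-feedback formulation (preference = port used or not, confidence = 1 + alpha × count), and the entity names, counts, rank, alpha, regularization and threshold are all constructed for the example.

```python
import random

def solve(A, b):
    # Gauss-Jordan on the k x k normal equations; A = lam*I + PSD, so pivots are nonzero.
    n = len(b)
    M = [A[i][:] + [b[i]] for i in range(n)]
    for c in range(n):
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]

def als_half_step(rows, fixed, alpha, lam):
    # Re-solve one side's factors (entities or ports) with the other side held fixed.
    # Each count becomes a preference (used at all?) and a confidence (grows with count).
    k, out = len(fixed[0]), []
    for row in rows:
        A = [[lam if i == j else 0.0 for j in range(k)] for i in range(k)]
        b = [0.0] * k
        for count, f in zip(row, fixed):
            pref, conf = float(count > 0), 1.0 + alpha * count
            b = [bi + conf * pref * fi for bi, fi in zip(b, f)]
            A = [[A[i][j] + conf * f[i] * f[j] for j in range(k)] for i in range(k)]
        out.append(solve(A, b))
    return out

def fit(counts, k=2, alpha=1.0, lam=0.1, iters=20, seed=0):
    rng = random.Random(seed)
    port_f = [[rng.random() for _ in range(k)] for _ in counts[0]]
    by_port = [list(col) for col in zip(*counts)]
    for _ in range(iters):
        ent_f = als_half_step(counts, port_f, alpha, lam)   # entity factors
        port_f = als_half_step(by_port, ent_f, alpha, lam)  # port factors
    return ent_f, port_f

PORTS = [22, 80, 443, 5432, 4444]
ENTITIES = ["web1", "web2", "web3", "web4", "db1", "db2", "db3"]
COUNTS = [  # constructed baseline: non-malicious connection counts per entity and port
    [5, 40, 30, 0, 0], [4, 35, 45, 0, 0], [6, 50, 25, 0, 0], [5, 30, 0, 0, 0],
    [7, 0, 0, 60, 0], [3, 0, 0, 55, 0], [4, 0, 0, 70, 0]]
MODEL = fit(COUNTS)

def check_new_port(entity, port, threshold=0.5):
    # Recommendation score = entity factors . port factors; alert when below threshold.
    e, p = MODEL[0][ENTITIES.index(entity)], MODEL[1][PORTS.index(port)]
    s = sum(a * b for a, b in zip(e, p))
    return s, s < threshold

if __name__ == "__main__":
    print({p: check_new_port("web4", p) for p in (443, 5432, 4444)})
```

In this constructed baseline, web4 has never used port 443, yet the model scores it highly because its peers do; a port no peer uses scores near zero and triggers the alert.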

Citation of References
18. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but have not been relied upon for this office action: 
Mark Stuart Day (US pat. 7,814,542): discusses a port scanning attack directed to the network as a whole (core network) that potentially emanates from within the LAN. The edge router includes a network throttling device which identifies and mitigates harmful transmissions such that they do not propagate to the core network. The network throttling device has a connection daemon to scan transactions and determine deviant or atypical connection attempts. A pattern detector examines the history and looks for malicious behavior. Identified deviant patterns cause a throttler enforcer to limit the triggering user by restricting future connection attempts. Accordingly, virus propagation via port scanning is mitigated to a safe level and false alarms targeting legitimate activity are minimized.
Kevin Worth (US pat. App. Pub. 20130036469): elaborates that network devices with a network monitoring computing device for network traffic among multiple computing devices, comparing source ports and destination ports in the flow sampled network traffic to a list of approved ports with the network monitoring computing device, and detecting suspicious network activity for flow sampled network traffic having a source port and a destination port exceptional to the list of approved ports with the network 
Conclusion
19.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMAD W REZA whose telephone number is (571)272-6590.  The examiner can normally be reached on Monday-Friday 8:30-5:30 ET.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
/MOHAMMAD W REZA/Primary Examiner, Art Unit 2436