Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
2.	This action is in response to the Amendment filed February 11, 2021.

3.	Claims 1, 9, and 18-20 have been amended

4.	Claims 1-20 have been examined and are pending with this action.

Response to Arguments
5.	Applicant’s arguments with respect to the rejection(s) of claim(s) 1-20, previously rejected under 35 U.S.C. 102(a)(1) and 102(a)(2) as being anticipated by Nucci et al. (US 9,094,288), herein referred to as Nucci, has been carefully considered, but are moot in view of the new grounds of rejection below.
Although the examiner does not agree with all of the arguments presented in the Remarks section of the Amendment, after further searching and consideration, Du et al. (US 2015/0256413), herein referred to as Du, has been applied to expedite prosecution.
	For these reasons and the rejections set forth below, claims 1-20 have been rejected and remain pending.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

6.	Claim(s) 1-20 is/are rejected under 35 U.S.C. 102(a)(1) and 102(a)(2) as being anticipated by Du et al. (US 2015/0256413).
INDEPENDENT:
As per claim 1, Du teaches a computer-implemented method for network analysis, comprising: 
obtaining, by one or more computing devices, configuration data and state data associated with a network, wherein the configuration and state data for a given network device of the network describes at least one of how the given network device modifies, forwards, or drops packets within the network (see Du, [0096]: “The device attributes 428 are identities or characteristics of the network components 110 on the network 108. The device attributes 428 can include the capability or compatibility of one or more hardware or software components of the network components 110. The device attributes 428 can also include a specification of one or more hardware components or software components included as part of the network components 110. The device attributes 428 can also include configuration information concerning the network components 110”; [0107]: “The DPI metadata 516 is contextual or descriptive data concerning an inspection performed on the live data packets 406. The running state data 518 is data concerning an active operation of the network components 110. The running configuration data 520 is data concerning an active configuration of the network components 110”; [0110]: “the electronic system 100 can generate an aggregate data 528 by collecting data or metadata concerning a device, a user, or a traffic flow in the network 108. The electronic system 100 can generate the aggregate data 528 by collecting or aggregating the DPI metadata 516, the running state data 518, the running configuration data 520, the polling metadata 522, the probing metadata 526, the device response 524, or a combination thereof”; and [0125]: “The run state module 606 can also poll the network components 110 for the running configuration data 520. The run state module 606 can poll the network components 110 for the running configuration data 520 by requesting a device configuration”); 
generating, by the one or more computing devices and using the configuration data and the state data, a network model that models behavior of a plurality of network devices of the network, wherein the network model describes processing of data packets via traffic flows through the network (see Du, [0106]: “The user models 506, the device models 508, and the traffic models 510 can be generated from DPI metadata 516, running state data 518, running configuration data 520, polling metadata 522, probing metadata 526, a device response 524, or a combination thereof”; [0146]: “The model generation module 612 is configured to generate the user models 506 of FIG. 5, the device models 508 of FIG. 5, the traffic models 510 of FIG. 5, and the topology model 512 of FIG. 5. The model generation module 612 can generate the topology model 512 for mapping the locations and connections of the network components 110 in the network 108. The model generation module 612 can generate the user models 506, the device models 508, and the traffic models 510 for tracking the behaviors of users, devices, and traffic, respectively, on the network 108”; and [0204]: “It has been discovered that generating the topology model 512 based on the topology attributes 514 obtained from the live network packets 404 provides for a more accurate representation of the topology of the network 108”); 
(see Du, Fig.4; and [0055]: “The first control unit 212 can operate the first user interface 218 to display information generated by the network system 100. The first control unit 212 can also execute the first software 226 for the other functions of the network system 100. The first control unit 212 can further execute the first software 226 for interaction with the communication path 104 via the first communication unit 216”); 
receiving at least one network flow specifier which describes one or more characteristics of one or more traffic flows of interest (see Du, [0096]: “The device attributes 428 are identities or characteristics of the network components 110 on the network 108. The device attributes 428 can include the capability or compatibility of one or more hardware or software components of the network components 110. The device attributes 428 can also include a specification of one or more hardware components or software components included as part of the network components 110. The device attributes 428 can also include configuration information concerning the network components 110”; [0098]: “The traffic attributes 430 are rates, measurements, or identifiers concerning the flow of traffic in the network 108. The traffic attributes 430 can include a link speed, a switching or routing rate, a destination IP, a source IP, or a combination thereof. The traffic attributes 430 can also include the number or size of an application flow”; and [0174]: “The traffic module 616 can make viewable the live traffic flow 402 by first determining the transmission path 410 of FIG. 4 of the live network packets 404”); 
obtaining, from the network model and in response to receiving the network flow specifier, a subset of network flow path information associated with the traffic flows of interest of the network, wherein the subset of network flow information is determined based on the network flow specifier (see Du, [0086]: “The display interface 230 can depict live traffic flow 402 on the live topology 302. The live traffic flow 402 is a representation of the flow of network traffic over the links 304 of the live topology 302. The live traffic flow 402 can represent the flow of live network packets 404 over the links 304 of the live topology 302”; and [0174]: “The traffic module 616 can determine the transmission path 410 of the live network packets 404 by interacting with the topology sensor module 602 to inspect the headers of the live network packets 404. In addition, the traffic module 616 can determine the transmission path 410 of the live network packets 404 by inspecting the traffic models 510, the topology model 512, or a combination thereof”); 
exposing the subset of network flow path information at one or more corresponding functional layers of the network (see Du, [0080]: “The live topology 302 can be arranged into multiple layers. The multiple layers can group the network components 110 by device functionality, device location, or a combination thereof”; [0110]: “the electronic system 100 can generate an aggregate data 528 by collecting data or metadata concerning a device, a user, or a traffic flow in the network 108”; and [0174]: “The traffic module 616 can make viewable the live traffic flow 402 by first determining the transmission path 410 of FIG. 4 of the live network packets 404. The traffic module 616 can determine the transmission path 410 of the live network packets 404 by interacting with the topology sensor module 602 to inspect the headers of the live network packets 404. In addition, the traffic module 616 can determine the transmission path 410 of the live network packets 404 by inspecting the traffic models 510, the topology model 512, or a combination thereof”); and 
providing for display on the user device, the subset of network flow path information and the one or more traffic flows of the network at the one or more corresponding functional layers, including the model behavior of the one or more network devices at one or more of the corresponding functional layers (see Du, [0080]: “The live topology 302 can be arranged into multiple layers. The multiple layers can group the network components 110 by device functionality, device location, or a combination thereof”; [0099]: “The display interface 230 can depict one or more modeled behaviors 502 of the network 108 of FIG. 1, the network components 110 of FIG. 1, the live traffic flow 402 of FIG. 4, or a combination thereof. The modeled behaviors 502 are trends or patterns detected from an analysis of the network 108”; [0103]: “The device models 508 are data structures or simulations representing the behavior of devices on the network 108. The device models 508 can include data structures or simulations generated over time”; and [0175]: “the traffic module 616 can make viewable the live traffic flow 402 by highlighting one or more of the links 304 traversed by the live network packets 404”).

As per claim 9, Du teaches a non-transitory computer readable medium storing code executable by a process to perform a method, the method comprising: 
obtaining configuration data and state data for a network of network devices, wherein the configuration data and state data for a given network device describes at least one of how the given network device modifies, forwards, or drops packets within the network (see Du, [0096]: “The device attributes 428 are identities or characteristics of the network components 110 on the network 108. The device attributes 428 can include the capability or compatibility of one or more hardware or software components of the network components 110. The device attributes 428 can also include a specification of one or more hardware components or software components included as part of the network components 110. The device attributes 428 can also include configuration information concerning the network components 110”; [0107]: “The DPI metadata 516 is contextual or descriptive data concerning an inspection performed on the live data packets 406. The running state data 518 is data concerning an active operation of the network components 110. The running configuration data 520 is data concerning an active configuration of the network components 110”; [0110]: “the electronic system 100 can generate an aggregate data 528 by collecting data or metadata concerning a device, a user, or a traffic flow in the network 108. The electronic system 100 can generate the aggregate data 528 by collecting or aggregating the DPI metadata 516, the running state data 518, the running configuration data 520, the polling metadata 522, the probing metadata 526, the device response 524, or a combination thereof”; and [0125]: “The run state module 606 can also poll the network components 110 for the running configuration data 520. The run state module 606 can poll the network components 110 for the running configuration data 520 by requesting a device configuration”); 
generating, using the configuration data and state data, a network model that models behavior of the one or more network devices of the network, wherein the network model describes processing of data packets via traffic flows through the network (see Du, [0106]: “The user models 506, the device models 508, and the traffic models 510 can be generated from DPI metadata 516, running state data 518, running configuration data 520, polling metadata 522, probing metadata 526, a device response 524, or a combination thereof”; [0146]: “The model generation module 612 is configured to generate the user models 506 of FIG. 5, the device models 508 of FIG. 5, the traffic models 510 of FIG. 5, and the topology model 512 of FIG. 5. The model generation module 612 can generate the topology model 512 for mapping the locations and connections of the network components 110 in the network 108. The model generation module 612 can generate the user models 506, the device models 508, and the traffic models 510 for tracking the behaviors of users, devices, and traffic, respectively, on the network 108”; and [0204]: “It has been discovered that generating the topology model 512 based on the topology attributes 514 obtained from the live network packets 404 provides for a more accurate representation of the topology of the network 108”); 
obtaining, from the network model, network flow path information defining interconnections between one or more network devices on a network (see Du, [0086]: “The display interface 230 can depict live traffic flow 402 on the live topology 302. The live traffic flow 402 is a representation of the flow of network traffic over the links 304 of the live topology 302. The live traffic flow 402 can represent the flow of live network packets 404 over the links 304 of the live topology 302”; and [0174]: “The traffic module 616 can determine the transmission path 410 of the live network packets 404 by interacting with the topology sensor module 602 to inspect the headers of the live network packets 404. In addition, the traffic module 616 can determine the transmission path 410 of the live network packets 404 by inspecting the traffic models 510, the topology model 512, or a combination thereof”); 
obtaining, from the network model, traffic data defining behavior of packets traversing across the interconnections between the one or more network devices at one or more corresponding functional layers of the network (see Du, [0100]: “The modeled behaviors 502 can be operational trends or patterns detected from an analysis of the network components 110 in the network 108. The modeled behaviors 502 can also be usage trends or patterns detected from an analysis of the users on the network 108. In addition, the modeled behaviors 502 can be flow patterns detected from analysis of the traffic in the network 108”); 
providing an interface to a user device, the interface including one or more user selectable elements to allow a user to specify one or more network flows of interest (see Du, Fig.4; and [0055]: “The first control unit 212 can operate the first user interface 218 to display information generated by the network system 100. The first control unit 212 can also execute the first software 226 for the other functions of the network system 100. The first control unit 212 can further execute the first software 226 for interaction with the communication path 104 via the first communication unit 216”); 
receiving at least one network flow specifier which describes one or more characteristics of the one or more traffic flows of interest (see Du, [0096]: “The device attributes 428 are identities or characteristics of the network components 110 on the network 108. The device attributes 428 can include the capability or compatibility of one or more hardware or software components of the network components 110. The device attributes 428 can also include a specification of one or more hardware components or software components included as part of the network components 110. The device attributes 428 can also include configuration information concerning the network components 110”; [0098]: “The traffic attributes 430 are rates, measurements, or identifiers concerning the flow of traffic in the network 108. The traffic attributes 430 can include a link speed, a switching or routing rate, a destination IP, a source IP, or a combination thereof. The traffic attributes 430 can also include the number or size of an application flow”; and [0174]: “The traffic module 616 can make viewable the live traffic flow 402 by first determining the transmission path 410 of FIG. 4 of the live network packets 404”); and 
providing for display a subset of the network flow path information, a subset of the traffic data, and the modeled behavior of one or more of the network devices at one or more of the functional layers using one or more categories of filters identified based on the at least one network flow specifier, wherein the one or more categories of filters are selectable to modify the display with an updated subset of the network flow path information and an updated subset of the traffic data that satisfies a selection of the one or more categories of filters (see Du, [0080]: “The live topology 302 can be arranged into multiple layers. The multiple layers can group the network components 110 by device functionality, device location, or a combination thereof”; [0099]: “The display interface 230 can depict one or more modeled behaviors 502 of the network 108 of FIG. 1, the network components 110 of FIG. 1, the live traffic flow 402 of FIG. 4, or a combination thereof. The modeled behaviors 502 are trends or patterns detected from an analysis of the network 108”; [0103]: “The device models 508 are data structures or simulations representing the behavior of devices on the network 108. The device models 508 can include data structures or simulations generated over time”; [0116]: “As an additional example, the DPI module 604 can perform an inspection of the live network packets 404 by filtering or intercepting the live network packets 404”; and [0175]: “the traffic module 616 can make viewable the live traffic flow 402 by highlighting one or more of the links 304 traversed by the live network packets 404”).

As per claim 18, Du teaches a network analysis system, comprising: 
one or more processors; and 
one or more memory devices including instructions that, when executed by the one or more processors, cause the network analysis system to: 
, wherein the configuration and state data for a given network device of the network devices describes at least one of how the given network device modifies, forwards, or drops packets within the network (see Du, [0096]: “The device attributes 428 are identities or characteristics of the network components 110 on the network 108. The device attributes 428 can include the capability or compatibility of one or more hardware or software components of the network components 110. The device attributes 428 can also include a specification of one or more hardware components or software components included as part of the network components 110. The device attributes 428 can also include configuration information concerning the network components 110”; [0107]: “The DPI metadata 516 is contextual or descriptive data concerning an inspection performed on the live data packets 406. The running state data 518 is data concerning an active operation of the network components 110. The running configuration data 520 is data concerning an active configuration of the network components 110”; [0110]: “the electronic system 100 can generate an aggregate data 528 by collecting data or metadata concerning a device, a user, or a traffic flow in the network 108. The electronic system 100 can generate the aggregate data 528 by collecting or aggregating the DPI metadata 516, the running state data 518, the running configuration data 520, the polling metadata 522, the probing metadata 526, the device response 524, or a combination thereof”; and [0125]: “The run state module 606 can also poll the network components 110 for the running configuration data 520. The run state module 606 can poll the network components 110 for the running configuration data 520 by requesting a device configuration”); 
generate, using the configuration data and state data, a network model that models behavior of the one or more network devices, wherein the network model describes processing of data packets via traffic flow through the network (see Du, [0106]: “The user models 506, the device models 508, and the traffic models 510 can be generated from DPI metadata 516, running state data 518, running configuration data 520, polling metadata 522, probing metadata 526, a device response 524, or a combination thereof”; [0146]: “The model generation module 612 is configured to generate the user models 506 of FIG. 5, the device models 508 of FIG. 5, the traffic models 510 of FIG. 5, and the topology model 512 of FIG. 5. The model generation module 612 can generate the topology model 512 for mapping the locations and connections of the network components 110 in the network 108. The model generation module 612 can generate the user models 506, the device models 508, and the traffic models 510 for tracking the behaviors of users, devices, and traffic, respectively, on the network 108”; and [0204]: “It has been discovered that generating the topology model 512 based on the topology attributes 514 obtained from the live network packets 404 provides for a more accurate representation of the topology of the network 108”);
provide an interface to a user device, the interface including one or more user selectable elements to allow a user to specify categories of filters, wherein individual categories of filters describe one or more network flows path, the configuration data, and the state data in the network (see Du, Fig.4; and [0055]: “The first control unit 212 can operate the first user interface 218 to display information generated by the network system 100. The first control unit 212 can also execute the first software 226 for the other functions of the network system 100. The first control unit 212 can further execute the first software 226 for interaction with the communication path 104 via the first communication unit 216”);
obtain, from the network model, network flow path information defining interconnections between the one or more network devices on the network (see Du, [0086]: “The display interface 230 can depict live traffic flow 402 on the live topology 302. The live traffic flow 402 is a representation of the flow of network traffic over the links 304 of the live topology 302. The live traffic flow 402 can represent the flow of live network packets 404 over the links 304 of the live topology 302”; and [0174]: “The traffic module 616 can determine the transmission path 410 of the live network packets 404 by interacting with the topology sensor module 602 to inspect the headers of the live network packets 404. In addition, the traffic module 616 can determine the transmission path 410 of the live network packets 404 by inspecting the traffic models 510, the topology model 512, or a combination thereof”); 
receive one or more selected categories of filters of the category of filters (see Du, Fig.4); 
provide for display a subset of the configuration data and a subset of the state data using the one or more categories of filters (see Du, Fig.4); and 
provide for display a subset of the network flow path information using the one or more selected categories of filters, including the model behavior of the one or more network devices at a corresponding functional layer (see Du, [0080]: “The live topology 302 can be arranged into multiple layers. The multiple layers can group the network components 110 by device functionality, device location, or a combination thereof”; [0099]: “The display interface 230 can depict one or more modeled behaviors 502 of the network 108 of FIG. 1, the network components 110 of FIG. 1, the live traffic flow 402 of FIG. 4, or a combination thereof. The modeled behaviors 502 are trends or patterns detected from an analysis of the network 108”; [0103]: “The device models 508 are data structures or simulations representing the behavior of devices on the network 108. The device models 508 can include data structures or simulations generated over time”; and [0175]: “the traffic module 616 can make viewable the live traffic flow 402 by highlighting one or more of the links 304 traversed by the live network packets 404”).

DEPENDENT:
As per claim 2, which depends on claim 1, Du teaches further comprising: determining network flow paths sharing one or more common path elements; identifying the network flow paths sharing one or more common path elements as a group of network flow paths; inspecting each network flow path in the group individually for differences between each network flow path within the group; and providing for display the differences between each network flow path in the group (see Du, Figs.3 & 4; [0086]: “Referring now to FIG. 4, therein is shown another example display interface 230 of the network system 100. The display interface 230 can depict live traffic flow 402 on the live topology 302. The live traffic flow 402 is a representation of the flow of network traffic over the links 304 of the live topology 302. The live traffic flow 402 can represent the flow of live network packets 404 over the links 304 of the live topology 302”; [0092]: “As depicted in FIG. 4, the overlay window 412 can communicate an alert 418 concerning a network anomaly 416. The alert 418 is a notification for informing a user of the network 108 such as a network administrator of the network anomaly 416. The network anomaly 416 is a network usage behavior deviating from a pattern of usage previously established by a user or a device in the network 108. The network anomaly 416 can deviate from the established pattern of usage by a statistically significant amount. For example, the network anomaly 416 can deviate from the established pattern of usage by two standard deviations or more”; and [0098]: “The traffic attributes 430 are rates, measurements, or identifiers concerning the flow of traffic in the network 108. The traffic attributes 430 can include a link speed, a switching or routing rate, a destination IP, a source IP, or a combination thereof. The traffic attributes 430 can also include the number or size of an application flow”).
As per claim 3, which depends on claim 1, Du teaches further comprising: determining one or more sample packets for each network flow path, wherein the one or more sample packets represents a packet having forwarding behavior along each network flow path; and providing for display the one or more sample packets (see Du, [0132]: “The probing module 608 can probe the network components 110 by sending a probing packet to one or more of the network components 110. The probing packet can include a connection request packet, a customized service packet or a combination thereof”).
As per claim 4, which depends on claim 1, Du teaches further comprising: providing for selection one or more constraints applicable to each network flow path, wherein the one or more constraints limit a scope of the one or more network flow paths; receiving a selection for the one or more constraints; and providing for display the scope of the one or more network flow paths determined by the selection of the one or more constraints (see Du, [0140]: “The device attributes 428, the user attributes 426, the traffic attributes 430, the topology attributes 514, or a combination thereof can be predetermined by the electronic system 100. In addition, the attributes can be received from another device or selected from a user input”; and [0176]: “The traffic module 616 can also make viewable the live traffic flow 402 by generating an instance of the overlay window 412 of FIG. 4 concerning the live traffic flow 402. The traffic module 616 can generate the overlay window 412 based on an event trigger, a user input, or a combination thereof. The traffic module 616 can generate the overlay window 412 for providing information concerning the live traffic flow 402”).
As per claim 5, which depends on claim 1, Du teaches further comprising: identifying a first request flow path or first response flow path in the network; generating a second response flow path corresponding to the first request flow path, or a second request flow path corresponding to the first response flow path in the network, wherein traffic matching the first request flow path generates traffic matching the second response flow path, and traffic matching the second request flow path generates traffic matching the first response flow path; determining the flow data based on one or more of the first request flow path, first response flow path, second request flow path and second response flow path; and providing for display the flow path data (see Du, [0090]: “The live topology 302 can depict a transmission path 410 of the live network packets 404. The transmission path 410 is a connection route used by the live network packets 404 for reaching a host destination. The transmission path 410 of the live network packets 404 can include multiple instances of the links 304 connecting a source of the live network packets 404 with the host destination”; and [0176]: “The traffic module 616 can also make viewable the live traffic flow 402 by generating an instance of the overlay window 412 of FIG. 4 concerning the live traffic flow 402. The traffic module 616 can generate the overlay window 412 based on an event trigger, a user input, or a combination thereof. The traffic module 616 can generate the overlay window 412 for providing information concerning the live traffic flow 402”).
As per claim 6, which depends on claim 5, Du teaches further comprising: analyzing at least one of the request flow path and the response flow path; determining that the request flow path is a stateful request flow path, wherein the stateful request flow path establishes a state in the network that determines forwarding behavior defined by the response flow path associated with the one or more network devices; and determining that the response flow path is a stateful response flow path, wherein the stateful response flow path includes packets having forwarding behavior matching the request flow path through the network (see Du, [0087]: “The live network packets 404 are packets presently being transmitted over the network 108 without reaching a host destination intended for the packets. The live network packets 404 can be packets presently traversing a wired or wireless connection in the network 108. The live network packets 404 can be packets associated with a hypertext transfer protocol (HTTP) session, a simple network management protocol (SNMP) session, a domain name system (DNS) session, a file transfer protocol (FTP) session, a Telnet session, a transmission control protocol (TCP) session, an Internet Protocol (IP) session, or a combination thereof”).
As per claim 7, which depends on claim 1, Du teaches further comprising: computing one or more first flows in a first snapshot of the network and one or more second flows in a second snapshot of the network that match one or more constraints; for each first flow in the first snapshot, computing a first sample packet; analyzing a first behavior of the first sample (see Du, [0092]: “As depicted in FIG. 4, the overlay window 412 can communicate an alert 418 concerning a network anomaly 416. The alert 418 is a notification for informing a user of the network 108 such as a network administrator of the network anomaly 416. The network anomaly 416 is a network usage behavior deviating from a pattern of usage previously established by a user or a device in the network 108. The network anomaly 416 can deviate from the established pattern of usage by a statistically significant amount. For example, the network anomaly 416 can deviate from the established pattern of usage by two standard deviations or more”; and claim 1 rejection above).
As per claim 8, which depends on claim 1, Du teaches further comprising: providing for selection two or more network configurations of the network; comparing the two or more network configurations based at least in part on the configuration and state data corresponding to one or more functional layers; and providing for display the two or more network configurations, the display including differences between the two or more network configurations at the one or more corresponding functional layers (see Du, [0092]: “As depicted in FIG. 4, the overlay window 412 can communicate an alert 418 concerning a network anomaly 416. The alert 418 is a notification for informing a user of the network 108 such as a network administrator of the network anomaly 416. The network anomaly 416 is a network usage behavior deviating from a pattern of usage previously established by a user or a device in the network 108. The network anomaly 416 can deviate from the established pattern of usage by a statistically significant amount. For example, the network anomaly 416 can deviate from the established pattern of usage by two standard deviations or more”; and claim 1 rejection above).
As per claim 10, which depends on claim 9, Du further teaches wherein the one or more categories of filters includes at least one of: packet header values, input and output interfaces, forwarding behavior, and types of network functions (see Du, [0116]: “As an additional example, the DPI module 604 can perform an inspection of the live network packets 404 by filtering or intercepting the live network packets 404”; and [0197]: “The maintenance module 620 can receive a user input such as a click-input, a touch gesture, or a selection input through the overlay window 412 to apply the corrective action 420 to one or more of the network components 110. In addition, the maintenance module 620 can receive the user input through the live topology 302. For example, the maintenance module 620 can change the transmission path 410 of the live network packets 404 when the user clicks or selects a different instance of the links 304 on the live topology 302”).
As per claim 11, which depends on claim 9, Du teaches further comprising: computing one or more first flows in a first snapshot of the network and one or more second flows in a second snapshot of the network that match one or more constraints; for each first flow in the first snapshot, computing a first sample packet; analyzing a first behavior of the first sample packet through the first snapshot; analyzing a second behavior of the first sample packet through the second snapshot; computing a third collection of flows in the second flows of the second snapshot that are distinct from the flows matching the first sample packet for each first flow in the first snapshot; for each flow in the third collection of flows, computing a second sample packet; analyzing a third behavior of the second sample packet through the first snapshot; analyzing a fourth behavior of the second sample packet through the second (see Du, [0090]: “The live topology 302 can depict a transmission path 410 of the live network packets 404. The transmission path 410 is a connection route used by the live network packets 404 for reaching a host destination. The transmission path 410 of the live network packets 404 can include multiple instances of the links 304 connecting a source of the live network packets 404 with the host destination”; [0092]: “As depicted in FIG. 4, the overlay window 412 can communicate an alert 418 concerning a network anomaly 416. The alert 418 is a notification for informing a user of the network 108 such as a network administrator of the network anomaly 416. The network anomaly 416 is a network usage behavior deviating from a pattern of usage previously established by a user or a device in the network 108. The network anomaly 416 can deviate from the established pattern of usage by a statistically significant amount. For example, the network anomaly 416 can deviate from the established pattern of usage by two standard deviations or more”; [0132]: “The probing module 608 can probe the network components 110 by sending a probing packet to one or more of the network components 110. The probing packet can include a connection request packet, a customized service packet or a combination thereof”; and [0176]: “The traffic module 616 can also make viewable the live traffic flow 402 by generating an instance of the overlay window 412 of FIG. 4 concerning the live traffic flow 402. The traffic module 616 can generate the overlay window 412 based on an event trigger, a user input, or a combination thereof. The traffic module 616 can generate the overlay window 412 for providing information concerning the live traffic flow 402”).
As per claim 12, which depends on claim 9, Du teaches further comprising: providing for selection one or more constraints applicable to each network flow path, wherein the one or more constraints limit a scope of the one or more network flow paths; receiving a selection for the one or more constraints; and providing for display the scope of the one or more network flow paths (see Du, [0140]: “The device attributes 428, the user attributes 426, the traffic attributes 430, the topology attributes 514, or a combination thereof can be predetermined by the electronic system 100. In addition, the attributes can be received from another device or selected from a user input”; and [0176]: “The traffic module 616 can also make viewable the live traffic flow 402 by generating an instance of the overlay window 412 of FIG. 4 concerning the live traffic flow 402. The traffic module 616 can generate the overlay window 412 based on an event trigger, a user input, or a combination thereof. The traffic module 616 can generate the overlay window 412 for providing information concerning the live traffic flow 402”).
As per claim 13, which depends on claim 9, Du further teaches wherein the method further comprises: updating the one or more categories of filters based at least in part on the network flow path data and the traffic data provided for display (see Du, [0116]: “As an additional example, the DPI module 604 can perform an inspection of the live network packets 404 by filtering or intercepting the live network packets 404”; [0161]: “The model generation module 612 can update the user models 506, the device models 508, the traffic models 510, the topology model 512, or a combination thereof as new information concerning the network 108 becomes available. For example, the device models 508 can be updated as new devices are added to the network 108. As an additional example, the user models 506 can be updated as new users join the network 108”; [0172]: “The model generation module 612 can update the user models 506, the device models 508, the traffic models 510, the topology model 512, or a combination thereof as new information concerning the network 108 becomes available. For example, the device models 508 can be updated as new devices are added to the network 108. As an additional example, the user models 506 can be updated as new users join the network 108”; and [0205]: “The user can also more intuitively understand the effects of the corrective action 420 by seeing the results of the corrective action 420 on the network 108 through an updated instance of the live topology 302”).
claim 14, which depends on claim 9, Du further teaches wherein the method further comprises: updating the one or more categories of filters based at least in part on previous selections of the one or more categories of filters (see Du, [0116]: “As an additional example, the DPI module 604 can perform an inspection of the live network packets 404 by filtering or intercepting the live network packets 404”; [0161]: “The model generation module 612 can update the user models 506, the device models 508, the traffic models 510, the topology model 512, or a combination thereof as new information concerning the network 108 becomes available. For example, the device models 508 can be updated as new devices are added to the network 108. As an additional example, the user models 506 can be updated as new users join the network 108”; [0172]: “The model generation module 612 can update the user models 506, the device models 508, the traffic models 510, the topology model 512, or a combination thereof as new information concerning the network 108 becomes available. For example, the device models 508 can be updated as new devices are added to the network 108. As an additional example, the user models 506 can be updated as new users join the network 108”; and [0205]: “The user can also more intuitively understand the effects of the corrective action 420 by seeing the results of the corrective action 420 on the network 108 through an updated instance of the live topology 302”).
As per claim 15, which depends on claim 9, Du further teaches wherein the method further comprises: aggregating the network flow path data and the traffic data; computing a plurality of network flow paths defining the interconnections of the one or more network devices on the network; storing the plurality of network flow paths; and classifying the plurality of network flow paths (see Du, [0092]: “As depicted in FIG. 4, the overlay window 412 can communicate an alert 418 concerning a network anomaly 416. The alert 418 is a notification for informing a user of the network 108 such as a network administrator of the network anomaly 416. The network anomaly 416 is a network usage behavior deviating from a pattern of usage previously established by a user or a device in the network 108. The network anomaly 416 can deviate from the established pattern of usage by a statistically significant amount. For example, the network anomaly 416 can deviate from the established pattern of usage by two standard deviations or more”; and [0110]: “the electronic system 100 can generate an aggregate data 528 by collecting data or metadata concerning a device, a user, or a traffic flow in the network 108”).
As per claim 16, which depends on claim 15, Du further teaches wherein the method further comprises: analyzing the plurality of network flow paths; determining at least two network flow paths sharing a common path that ends in a loop (see Du, Figs.3 & 4; [0086]: “Referring now to FIG. 4, therein is shown another example display interface 230 of the network system 100. The display interface 230 can depict live traffic flow 402 on the live topology 302. The live traffic flow 402 is a representation of the flow of network traffic over the links 304 of the live topology 302. The live traffic flow 402 can represent the flow of live network packets 404 over the links 304 of the live topology 302”; [0092]: “As depicted in FIG. 4, the overlay window 412 can communicate an alert 418 concerning a network anomaly 416. The alert 418 is a notification for informing a user of the network 108 such as a network administrator of the network anomaly 416. The network anomaly 416 is a network usage behavior deviating from a pattern of usage previously established by a user or a device in the network 108. The network anomaly 416 can deviate from the established pattern of usage by a statistically significant amount. For example, the network anomaly 416 can deviate from the established pattern of usage by two standard deviations or more”; and [0098]: “The traffic attributes 430 are rates, measurements, or identifiers concerning the flow of traffic in the network 108. The traffic attributes 430 can include a link speed, a switching or routing rate, a destination IP, a source IP, or a combination thereof. The traffic attributes 430 can also include the number or size of an application flow”).
As per claim 17, which depends on claim 15, Du further teaches wherein the method further comprises: analyzing the plurality of network flow paths; determining at least two network flow paths sharing a common path and one or more forwarding rules or configuration (see Du, Figs.3 & 4; [0086]: “Referring now to FIG. 4, therein is shown another example display interface 230 of the network system 100. The display interface 230 can depict live traffic flow 402 on the live topology 302. The live traffic flow 402 is a representation of the flow of network traffic over the links 304 of the live topology 302. The live traffic flow 402 can represent the flow of live network packets 404 over the links 304 of the live topology 302”; [0090]: “The live topology 302 can depict a transmission path 410 of the live network packets 404. The transmission path 410 is a connection route used by the live network packets 404 for reaching a host destination. The transmission path 410 of the live network packets 404 can include multiple instances of the links 304 connecting a source of the live network packets 404 with the host destination”; [0098]: “The traffic attributes 430 are rates, measurements, or identifiers concerning the flow of traffic in the network 108. The traffic attributes 430 can include a link speed, a switching or routing rate, a destination IP, a source IP, or a combination thereof. The traffic attributes 430 can also include the number or size of an application flow”; and [0208]: “It has been discovered that displaying the live traffic flow 402 on the live topology 302 provides for an improved way of detecting for violations of network rules and policies. A user of the network system 100 can quickly recognize a violation of such rules or policies by visually perceiving abnormal traffic flows on the live topology 302”).
As per claim 19, which depends on claim 18, Du further teaches wherein the one or more memory devices further includes instructions that, when executed by the one or more processors, cause the network analysis system to: compute one or more first flows in a first snapshot of the network and one or more second flows in a second snapshot of the network that match one or more constraints; for each first flow in the first snapshot, compute a first sample packet; analyze a first behavior of the first sample packet through the first snapshot; analyze a second behavior of the first sample packet through the second snapshot; compute a third collection of flows in the second flows of the second snapshot that are distinct from the flows matching the first sample packet for each first flow in the first snapshot; for each flow in the third (see Du, [0100]: “The modeled behaviors 502 can be operational trends or patterns detected from an analysis of the network components”; [0103]: “The device models 508 can include data structures or simulations generated over time”; [0104]: “The traffic models 510 can include data structures or simulations generated over time”; [0108]: “The polling metadata 522 can include a time interval between configuration polls, the types of configuration tables accessed, or a combination thereof”; [0127]: “the polling metadata 522 can include a time interval between configuration polls, the types of configuration tables accessed, or a combination thereof”; [0148]: “As an additional example, the model generation module 612 can generate the user models 506 by calculating the application flows associated with a particular user over a period of time”; and throughout the teachings of Du).
As per claim 20, which depends on claim 18, Du further teaches wherein the one or more memory devices further includes instructions that, when executed by the one or more processors, cause the network analysis system to: provide for selection one or more constraints applicable to each network flow path, wherein the one or more constraints limit a scope of the one or more network flow paths; receive a selection for the one or more constraints; and provide for display the scope of the one or more network flow paths determined by the selection of the one or more constraints (see Du, [0140]: “The device attributes 428, the user attributes 426, the traffic attributes 430, the topology attributes 514, or a combination thereof can be predetermined by the electronic system 100. In addition, the attributes can be received from another device or selected from a user input”; and [0176]: “The traffic module 616 can also make viewable the live traffic flow 402 by generating an instance of the overlay window 412 of FIG. 4 concerning the live traffic flow 402. The traffic module 616 can generate the overlay window 412 based on an event trigger, a user input, or a combination thereof. The traffic module 616 can generate the overlay window 412 for providing information concerning the live traffic flow 402”).


Conclusion
7.	For the reasons above, claims 1-20 have been rejected and remain pending.

8.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 


9.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL Y WON whose telephone number is (571)272-3993.  The examiner can normally be reached on Wk.1: M-F: 8-5 PST & Wk.2: M-Th: 8-7 PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is note, the examiner generally will not hold interviews after a Final Office Action has been issued.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on 571-272-7304.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


MICHAEL YOUNG WON
Primary Patent Examiner
Art Unit 2449



/Michael Won/
Primary Examiner, Art Unit 2449
March 9, 2021