DETAILED ACTION
	This Office Action is in response to an Amendment, filed 24 November 2020, wherein Claims 1-8, 10-14, 16-19, and 21-23 stand pending and ready for examination.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statements (IDS) were submitted on 25 November 2020 and 03 March 2021. The submissions are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Response to Amendment
Claims 1-2, 11-12, 18-19, and 21-22 were amended.
No Claims were cancelled or added.
Claims 1-8, 10-14, 16-19, and 21-23 stand pending and ready for examination.

Response to Arguments
Independent Claim 1
Applicant argues the proposed combination fails to render obvious at least one limitation in this claim, the limitation(s) reciting:
“receiving a selection of a particular set of fields from a plurality of different sets of fields that are useable for aggregating network flows; using sets of values associated with the selected particular set of fields to aggregate the monitored network flows into a plurality of different groups of flows”
Applicant’s arguments are based on the premise that the Moon reference (US 20150358391) is being mischaracterized by the Examiner. Specifically, Applicant argues the applications are not previously defined (as asserted by the Examiner in the Office Action) but rather they are defined after the messaging unites have organized the received data by application – citing Paragraph [0059] in Moon for support.

The Examiner respectfully disagrees and finds these arguments unpersuasive. The paragraphs cited by the Examiner provide several examples in which the application/application flows are defined including: i) From [0059] – “[…] The application may be automatically defined by the application performance monitor 108, may be suggested by the application performance monitor 108 to a user for definition, maybe user-defined, etc. […]”; ii) From [0097] – “[…] For example, the messaging units 204 may group and organize the data streams being received from the meters 102 using one or more application grouping criteria, such as application, customer/organization, a custom user-defined grouping, etc. […]”; iii) From [0098] – “[…] The messaging unit 204 may group the data streams being received from the meters 102a, 102b, and 102c as corresponding to the application defined by the customer and then provide these data streams to the analyzer 206 for processing/analyzing.”. While the example argued by Applicant is included in the options, it was not being relied upon. The cited paragraphs disclose beforehand in addition to other options. Thus the arguments are unpersuasive to this point.

Applicant argues the proposed combination fails to render obvious at least one limitation in this claim, the limitation(s) reciting:
“for each particular group of flows of the plurality of groups: generating a set of one or more recommended security rules to apply to the particular group of flows, the set of recommended security rules for the particular group of flows matching on a set of values for the particular setoff fields of the data tuples representing the network flows of the particular group of flows used to aggregate the particular group of flows”
Applicant’s arguments are based on the premise that the firewall rules in Brooks are predefined, not generated, therefore the Brooks reference (and the proposed combination) fails to disclose the newly amended limitation above.

The Examiner finds the argument(s) moot because new rejections are being presented below (excluding the Brooks reference) as necessitated by amendment.

Claim Objections
Claims 1 and 11 are objected to because of the following minor informalities:  Claims 1 and 11 recite “[…] generating a set of one or more recommended […] used to aggregated the particular group of flows […]”, this is grammatically incorrect. The Claim should recite “[…] generating a set of one or more recommended […] used to aggregate the particular group of flows […]”.  Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 8, 11-13, 16-19, and 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Moon et al. (US 20150358391) in view of Beam et al. (US 20170126727).

As to Claim 1, Moon discloses a method for visualizing network flows between a plurality of machines that execute distributed applications in a network (The Abstract describes a system for monitoring, collecting, and displaying application data streams), the method comprising: monitoring network flows between the plurality of machines to collect network flow information (Fig. 6 and Paragraphs [0094]-[0096] describe an example method 600 for monitoring and capturing operational data sent and received between various applications operating on various nodes; Fig. 3 conveys the environment), wherein each network flow is represented in the collected network flow information as a data tuple comprising values for a plurality of fields (Paragraphs [0034][0054] describe the network data being captured and processed [on a per application/flow basis] that includes the packet information, NIC information, port and protocol information, source/destination IP addresses, source/destination protocols, port numbers, etc.); receiving a selection of a particular set of the fields from a plurality of different sets of fields that are useable for aggregating network flows (Paragraph [0059] describes how data is collected on a per-application basis, wherein the application and components are [previously] user-defined; Paragraphs [0097][0098] go into more detail about how the application data is aggregated after the customer defines the application to include 1 or more nodes for which the data is to be collected/aggregated for the particular application; (as noted in Applicant’s spec Fig. 3 & 4 and Paragraphs [0046][0061]-[0064] the nodes are selected by a user on a GUI for the system to then begin monitoring and aggregating data)), using sets of values associated with the selected particular set of fields to aggregate the monitored network flows into a plurality of different groups of flows (Figs. 7 and 8A-8B  and Paragraphs [0097]-[0102] describe how the monitored data is processed, organized, and grouped on a per-application basis; See also Paragraphs [0054][0058][0059]; Paragraphs [0034][0054] describe the network data being captured and processed [on a per application/flow basis] that includes the packet information, NIC information, port and protocol information, source/destination IP addresses, source/destination protocols, port numbers, etc.); and for each particular group of flows of the plurality of groups: displaying, in a user interface, an aggregated set of flow records for the particular group of flows (Figs. 12C-12G and Paragraphs [0113]-[0117] convey various examples of user interfaces displaying the processed and aggregated application data; See also Paragraphs [0064][0099]).
(Fig. 3 and Paragraph [0067]). Moon discloses analyzing the monitored traffic and grouping the monitored traffic (See citations for claim 1 above). Moon does not disclose for each of the groups: generating a set of one or more recommended security rules to apply to the particular group of flows, the set of recommended security rules for the particular group of flows matching on a set of values for the particular set of fields of the data tuples representing the network flows of the particular group of flows used to aggregated the particular group of flows; and displaying, in a user interface, an aggregated set of flow records for the particular group of flows along with the set of recommended security rules for a user to select for application to the particular group of flows.
In an analogous art, Beam discloses for each of the groups: generating a set of one or more recommended security rules to apply to the particular group of flows, the set of recommended security rules for the particular group of flows matching on a set of values for the particular set of fields of the data tuples representing the network flows of the particular group of flows used to aggregated the particular group of flows (Fig. 6A and Paragraphs [0071]-[0073] describe how the security management system automatically generates security rules/policies for particular traffic and device groupings; Paragraphs [0031]-[0033] describe how the security management system aggregates traffic data from amongst the devices based on various factors such as source addresses, communication pairs, application, etc.); and displaying, in a user interface, an aggregated set of flow records for the particular group of flows along with the set of recommended security rules for a user to select for application to the particular group of flows (Fig. 6A and Paragraphs [0071]-[0073 describe how the security management system provides automatically generated security rules/policies to an administrator for review, edit, etc.; See also Figs. 4A-4C for exemplary user displays).
It would have been obvious to one of ordinary skill in the art before the effective filing date of Applicant’s invention to modify the application traffic monitoring system of Moon, specifically the processed data that is displayed to the user about the network environment, with the techniques of Beam, specifically the displaying of proposed security rules to implement in the user’s network environment.
	The suggestion/motivation for doing so would have been to further optimize the network environment by auto-generating and provisioning security rules that match the devices in the network thereby reducing the amount of time and resources needed by the network admin to manually perform the process.

As to Claim 2, Moon discloses wherein the aggregated set of flow records for each particular group of flows identifies at least one of (i) a number of packets in the particular group of network flows and (ii) an amount of data in the particular group of network flows (Paragraph [0099] describes how the system uses the data streams to continuously determine the amount of data being communicated for a given application).

	As to Claim 3, Moon discloses wherein the particular set of fields comprises at least one of source Internet protocol (IP) address, source port, destination IP address, destination port, and protocol fields (Paragraph [0059] describes how data is collected on a per-application basis, wherein the application and components are [previously] user-defined; Paragraphs [0097][0098] go into more detail about how the application data is aggregated after the customer defines the application to include 1 or more nodes for which the data is to be collected/aggregated for the particular application; Paragraphs [0034][0054] describe the network data being captured and processed [on a per application/flow basis] that includes the packet information, NIC information, port and protocol information, source/destination IP addresses, source/destination protocols, port numbers, etc. (as previously defined by users when defining the nodes + components of the application)).

	As to Claim 8, Moon discloses wherein the displayed sets of aggregated flow records are displayed at a first level of detail, wherein the method further comprises: receiving input to display the aggregated flow records at a second level of detail; and displaying the aggregated flow records at the second level of detail (Figs. 12B-12F and Paragraphs [0112]-[0117] describe how the user can filter the plurality of flow records in various different ways to display different views of the processed data in order to see the data in any level of detail desired; See also Paragraphs [0034][0054][0058][0059][0098]).

	Claims 11-13 contain all the same elements as Claims 1-3 and 8. Therefore, the same rationale applies equally as well.

 As to Claim 16, Moon does not disclose wherein the generated sets of recommended security rules comprise sets of firewall rules.
 (Beam: Paragraphs [0020][0073] describe examples of security policies that include firewall policies). 
	Motivation provided above with reference to Claim 1.

As to Claim 17, Moon does not disclose receiving input to identify a particular recommended security rule; and applying the particular recommended security rule at a set of points in the network.
In an analogous art, Beam discloses receiving input to identify a particular recommended security rule (Beam: Fig. 6A and Paragraphs [0071]-[0073] describe how the administrator can review and publish the generated security policies and rules, then the security management system can begin applying and updating the various security devices); and applying the particular recommended security rule at a set of points in the network (Beam: Fig. 6A and Paragraphs [0071]-[0073] describe how the administrator can review and publish the generated security policies and rules, then the security management system can begin applying and updating the various security devices).
Motivation provided above with reference to Claim 1.

As to Claim 18, Moon discloses wherein the plurality of groups into which the network flows are aggregated comprises a single group for all unknown traffic (Paragraph [0112] describes how the system detects traffic from unknown ports and automatically discovers such traffic; Paragraphs [0059][0060][0097] describe how all monitored traffic is collected and grouped).

As to Claim 19, Moon discloses wherein using the sets of values to aggregate the monitored network flows comprises assigning a set of control flows and a set of data flows associated with a particular application to a same group, wherein the control flows communicate over a first set of ports and the data flows communicate over a different second set of ports (Fig. 7 and Paragraphs [0097][0098] further describe how the all of the captured operational data is grouped/organized on an application basis, customer basis, etc.; Paragraphs [0054][0058][0059] describe how all of the data streams are processed by associating all of the various data streams with the corresponding application(s) (i.e. all flows associated with an application and its components are associated and grouped to that application)).

	As to Claim 21, Moon discloses wherein using the sets of values to aggregate the monitored network flows into the plurality of different groups of flows comprises: identifying network flows that have the same set of values from the sets of values in the data tuples representing network flows for the particular selected set of fields (Paragraphs [0034][0054] describe the network data being captured and processed [on a per application/flow basis] that includes the packet information, NIC information, port and protocol information, source/destination IP addresses, source/destination protocols, port numbers, etc.); and aggregating the identified network flows with the same sets of values into the groups of flows (Figs. 7 and 8A-8B  and Paragraphs [0097]-[0102] describe how the monitored data is processed, organized, and grouped on a per-application basis; See also Paragraphs [0054][0058][0059]; Paragraphs [0034][0054] describe the network data being captured and processed [on a per application/flow basis] that includes the packet information, NIC information, port and protocol information, source/destination IP addresses, source/destination protocols, port numbers, etc.).

	As to Claim 22, Moon discloses wherein receiving the selection of the particular set of fields comprises receiving an input specifying one set of fields from the plurality of different sets of fields useable for aggregating network flows (Paragraph [0059] describes how data is collected on a per-application basis, wherein the application and components are [previously] user-defined; Paragraphs [0097][0098] go into more detail about how the application data is aggregated after the customer defines the application to include 1 or more nodes for which the data is to be collected/aggregated for the particular application; (as noted in Applicant’s spec Fig. 3 & 4 and Paragraphs [0046][0061]-[0064] the nodes are selected by a user on a GUI for the system to then begin monitoring and aggregating data)).

	As to Claim 23, Moon discloses wherein the plurality of different sets of fields correspond to different stages of analysis and the input specifying one set of fields specifies one of the stages of analysis (Paragraphs [0059][0097][0098] describe an example of users defining their applications [to be monitored, grouped, etc.] (wherein the inputs correspond to a “defining” stage of analysis); Fig. 12D and Paragraphs [0108][0111][0115] describe other examples of user inputs that correspond to custom alerts, threshold monitoring, user-defined event inputs, etc. (i.e. different inputs that correspond to different stages of analysis in the system)).

Claims 4, 6, and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Moon et al. (US 20150358391) in view of Beam et al. (US 20170126727), and further in view of Balakrishnan et al. (US 20070011734).

As to Claim 4, Moon discloses the method of claim 3, as cited above, Moon/Beam disclose wherein the aggregated sets of flow records are displayed using device identifiers (Moon: Figs. 12a-12f).Moon/Beam do not explicitly disclose retrieving a mapping of the values of a subset of the fields to names from a network inventory comprising logical network information for the plurality of machines in the network, wherein the names comprise names from the network inventory.
In an analogous art, Balakrishnan discloses retrieving a mapping of the values of a subset of the fields to names from a network inventory comprising logical network information for the plurality of machines in the network, wherein the names comprise names from the network inventory (Figs. 3 – 4A and Paragraphs [0047]-[0050][0055] describe how flow classification is performed on incoming communications using a 5-tuple flow classification scheme and then retrieving flow structure and corresponding state information to associate the packets with the particular flow ID (i.e. name) (See fig. 7 212 for flow table and corresponding flow id)).

The suggestion/motivation for doing so would have been to associate incoming packets with known flows using a retrieved mapping to provide more accurate flow records. 

Claim 14 recites all the same elements as Claim 4, therefore the same rationale applies equally as well.

As to Claim 6, Moon discloses wherein the names comprise at least one of tenant identifiers for different tenants with machines in the plurality of machines, tier identifiers of a multi-tier application, and application identifiers (Fig. 7 and Paragraphs [0097][0098] further describe how the captured operational data is grouped/organized on an application basis, customer basis, etc.; Paragraphs [0054][0058][0059] describe how the data streams are processed by associating the various data streams with one or more applications).

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Moon et al. (US 20150358391) and Beam et al. (US 20170126727), in view of Balakrishnan et al. (US 20070011734), and further in view of Harris Jr. et al. (US 20170078168).

explicitly disclose wherein the names comprise at least one of  virtual network interface controller (VNIC) identifiers, machine names for source and destination machines associated with the network flows, and one or more logical networks associated with the network flows.
In an analogous art, Harris Jr. discloses wherein the names comprise at least one of  virtual network interface controller (VNIC) identifiers, machine names for source and destination machines associated with the network flows, and one or more logical networks associated with the network flows (Paragraphs [0036][0037] describe how network traffic information being monitored and/or traffic flow data being generated includes a virtual machine name).
It would have been obvious to one of ordinary skill in the art before the effective filing date of Applicant’s invention to modify the types of identifiers used in the network flow identification system of Moon/Beam/Balakrishman, to include virtual machine names as identifiers, as taught by the traffic monitoring system of Harris.
The suggestion/motivation for doing so would have been to accurately associate and visualize flow information on a per-VM basis thereby allowing a network admin to make more informed decisions. 

s 7 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Moon et al. (US 20150358391) in view of Beam et al. (US 20170126727), and further in view of Harris Jr. et al. (US 20170078168).

As to Claim 7, Moon discloses displaying a plurality of flow records (Figs. 12C-12G and Paragraphs [0113]-[0117] convey various examples of user interfaces displaying the processed and aggregated application data; See also Paragraphs [0064][0099]); receiving input to select a subset of the displayed plurality of flow records (Moon: Figs. 12B-12F and Paragraphs [0112]-[0117] describe how the user can filter/sort the plurality of flow records in various different ways to display different views of the processed data in order to see the data in any level of detail desired; See also Paragraphs [0034][0054][0058][0059][0098]). Moon/Beam do not explicitly disclose creating a new flow record that aggregates the selected subset of flow records.
In an analogous art, Harris discloses creating a new flow record that aggregates the selected subset of flow records (Harris: Fig. 11 and Paragraphs [0094]-[0096] describe the advanced edit mode where manual changes may be made to the flow table and network instructions –dynamically micro-segmenting the network in real-time – the advanced mode may permit visual algorithmic scripting of flow control, predicating the creation or decommissioning of flows on certain triggers and rules defined by the administrator; Fig. 7 and Paragraphs [0080]-[0083] provide another GUI where the user may input edits that are converted into flow control tables and other instructions to turn the selected items into a network structure; See also Paragraphs [0038]-[0042]) .

The suggestion/motivation for doing so would have been to give a user/administrator a greater level of control when managing their network providing further customization and visualization.

As to Claim 10, Moon/Beam/Harris disclose wherein the second level of detail separates the aggregated sets of flow records into a greater number of flow records (Moon: Figs. 12B-12F and Paragraphs [0112]-[0117] describe how the user can filter/sort the plurality of flow records in various different ways to display different views of the processed data in order to see the data in any level of detail desired including selecting a node and viewing further detailed information; See also Paragraphs [0034][0054][0058][0059][0098]) (Harris: Fig. 11 and Paragraphs [0094]-[0096] describe the advanced edit mode where manual changes may be made to the flow table and network instructions –dynamically micro-segmenting the network in real-time – the advanced mode may permit visual algorithmic scripting of flow control, predicating the creation or decommissioning of flows on certain triggers and rules defined by the administrator; Paragraphs [0041][0042][0082] where micro-segment network traffic rules may be augmented via manipulation of the diagram – the detail of the micro-segment diagram may be modified to allow an entity to drill down to various parts of the network; See also Fig. 7 and Paragraphs [0080]-[0083]). 

The suggestion/motivation for doing so would have been to give a user/administrator a greater level of control when managing their network providing further customization and visualization.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Lang et al. (US 20150269383) discloses a system and method for managing implementations of policies in a network by receiving input and automatically generating machine-enforceable rules/configurations. Brandt et al. (US 20130031037) discloses a system that facilitates automatic security learning and generation for a network of devices.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JONATHAN A SPARKS whose telephone number is (571)431-0735.  The examiner can normally be reached on IFP (Flex) Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Tonia Dollinger can be reached on 571-272-4170.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/JONATHAN A. SPARKS/
Examiner




/TONIA L DOLLINGER/Supervisory Patent Examiner, Art Unit 2459