DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
1.	Claims 1-21 are pending.

Information Disclosure
2.	The information disclosure statement (IDS) submitted on 4/30/19; 3/25/20; 11/05/20; 12/28/20 was filed after the mailing date of the Claims on 1/30/20.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
3.	Claims 1-21 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims of copending Application No. 16/261,655, (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because:
For example, claims 1, 11, and 21 of the claim set 1-21 of the instant application ‘634 recite:

Obviously, the claims of the instant application ‘634 recite limitations similar to the claimed invention of ‘655. The claims of copending application ‘655 recite additional limitations that are not in the instant application ‘634 and thus include narrower limitations than claims 1-21 of ‘634. Therefore, it would have been obvious to a person of ordinary skill in the art that the claimed invention of ‘634 is a broader variation of the claimed invention of ‘655.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

4.	Claims 1-21 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims of copending Application No. 16/261,608 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because:
Claims 1, 11, and 21 of the claim set 1-21 of the instant application ‘634 recite:
“defining, for a given software category, respective, disjoint sets of communication ports that are used by each of a plurality of software systems in the given software category, including at least first and second disjoint sets; identifying, in data traffic transmitted between multiple nodes that communicate over a network, a set of port scans, each of the port scans comprising 
As such, it is obvious that claims 1-21 of the instant application ‘634 recite limitations similar to those of claims 1-15 in ‘608. The claims of copending application ‘608 recite additional limitations not in the instant application ‘634 and thus include narrower limitations than claims 1-21 of ‘634. Therefore, it would have been obvious to a person of ordinary skill in the art that the claimed invention of ‘634 is a broader variation of the claimed invention of ‘608.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

5.	Claims 1-21 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims of copending Application No. 16/261,606 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because:
Claims 1, 11, and 21 of the claim set 1-21 of the instant application ‘634 recite:
“defining, for a given software category, respective, disjoint sets of communication ports that are used by each of a plurality of software systems in the given software category, including at least first and second disjoint sets; identifying, in data traffic transmitted between multiple nodes that communicate over a network, a set of port scans, each of the port scans comprising an access, in the data traffic, of a plurality of the communication ports on a given destination node by a given source node during a predefined time period; and upon detecting a port scan by one of the nodes comprising accesses of at least one of the communication ports in the first set and at least one of the communication ports in the second set, initiating a preventive action.”
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.
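
The detection logic recited in the claim quoted above can be sketched as follows. This is an added example, not code from the Office action, the applications, or Sharifi; the port numbers, the flow-record layout `(timestamp, src, dst, port)`, and all function names are illustrative assumptions. It also covers the "specified number greater than one" variant of claims 3-4 and 13-14 through `min_per_set`.

```python
from collections import defaultdict

# Assumed category "database servers": listener ports per product.
# Illustrative values only; the sets must be pairwise disjoint.
DB_PORT_SETS = {
    "mysql": {3306, 33060},
    "postgresql": {5432},
    "mssql": {1433, 1434},
    "oracle": {1521, 2483, 2484},
}

# Constructed sample flows: (seconds, source node, destination node, port).
FLOWS = [
    (0, "10.0.0.5", "10.0.1.20", 3306), (4, "10.0.0.5", "10.0.1.20", 5432),
    (9, "10.0.0.5", "10.0.1.20", 1433),                     # three products
    (0, "10.0.0.7", "10.0.1.20", 5432), (30, "10.0.0.7", "10.0.1.20", 5432),
    (0, "10.0.0.9", "10.0.1.21", 1521), (500, "10.0.0.9", "10.0.1.21", 3306),
    (0, "10.0.0.5", "10.0.1.22", 1433), (2, "10.0.0.5", "10.0.1.22", 1434),
    (0, "10.0.0.8", "10.0.1.23", 1433), (1, "10.0.0.8", "10.0.1.23", 1434),
    (2, "10.0.0.8", "10.0.1.23", 1521), (3, "10.0.0.8", "10.0.1.23", 2483),
]

def check_disjoint(port_sets):
    """Reject a definition in which one port belongs to two systems."""
    seen = {}
    for name, ports in port_sets.items():
        for port in ports:
            if port in seen:
                raise ValueError(f"port {port} in both {seen[port]} and {name}")
            seen[port] = name

def find_cross_system_scans(flows, port_sets, window=60, min_per_set=1):
    """Return sorted (src, dst) pairs that, inside some `window`-second span,
    accessed at least `min_per_set` ports in each of two or more port sets."""
    check_disjoint(port_sets)
    owner = {p: name for name, ports in port_sets.items() for p in ports}
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in owner:                  # ignore ports outside the category
            by_pair[(src, dst)].append((ts, port))
    hits = []
    for pair, events in by_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):     # sliding time window per pair
            while events[end][0] - events[start][0] > window:
                start += 1
            touched = defaultdict(set)
            for _, port in events[start:end + 1]:
                touched[owner[port]].add(port)
            if sum(len(p) >= min_per_set for p in touched.values()) >= 2:
                hits.append(pair)          # hand off to alerting / blocking
                break
    return sorted(hits)
```

A legitimate client normally speaks to one database product per server, so a source that touches ports from two disjoint sets on the same destination inside the window is the signal; raising `min_per_set` trades sensitivity for fewer false positives.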


Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

6.	Claim(s) 1-21 is/are rejected under 35 U.S.C. 102a as being anticipated by Sharifi [US 10,904,277].
As per claim 1:	Sharifi teaches a method, comprising:
[Sharifi: Fig.2]
identifying, in data traffic [Sharifi: col.1, lines 40-60; traffic can also include packets] transmitted between multiple nodes that communicate over a network, a set of port scans [Sharifi: col.7, line 61 – col.8, line 50; multiple nodes over a network in terms of each of the virtual machine instances 140A may operate as a distinct computing node and may resemble conventional computing resources, such as web servers, application servers, content servers, remote workstations, etc., that have been instantiated by the customers of environment], each of the port scans comprising an access, in the data traffic, of a plurality of the communication ports on a given destination node by a given source node during a predefined time period; and [Sharifi: col.4, lines 18-50; the “predefined time period” is relative and thus, can be given the broadest reasonable interpretation (BRI) as any determined time or period of time, which according to the limitation is related to identifying traffic]
upon detecting a port scan by one of the nodes comprising accesses of at least one of the communication ports in the first set and at least one of the communication ports in the second set, initiating a preventive action. [Sharifi: col.5, line 45-col.6, line 11; for example, the port scan determines the network activity indicates the threat actors access three ports. The system may take any suitable action based on the threat level score, such as report the threat level score, combine the score with previous threat level scores or other threat intelligence, generate one or more alerts if the threat is sufficiently severe, or perform automated remediation tasks. A “prevention action” can be given the BRI as a remediation task]

 [Sharifi: col.4, lines 18-50; different periods of time includes logging period]
Claim 3:  Sharifi: col.5, line 35-col.6, line 5; discussing the method according to claim 1, wherein detecting accesses of at least one of the communication ports in the first set comprises detecting accesses of at least a specified number of the communication ports in the first set, wherein the specified number is greater than one.
Claim 4:  Sharifi: col.5, lines 40-67; discussing the method according to claim 1, wherein the at least one of the communication ports in the first set and at least one of the communication ports in the second set comprise at least a specified number of the communication ports in each of the first and the second sets, wherein the specified number is greater than one.

Claim 6:  Sharifi: col.19, lines 43-65; discussing the method according to claim 1, wherein the given software category comprises database servers.
Claim 7:  Sharifi: col.7, line 61 – col.8, line 50; discussing the method according to claim 1, wherein the given software category comprises email servers.
Claim 8:  Sharifi: col.19, lines 60-65; discussing the method according to claim 1, wherein the given software category comprises remote session applications.
Claim 9:  Sharifi: col.6, lines 5-11; discussing the method according to claim 1, wherein initiating the preventive action comprises generating an alert for the given source node in the detected port scan.
Claim 10:  Sharifi: col.12, lines 35-41; discussing the method according to claim 1, wherein initiating the preventive action comprises restricting access of the given source node in the detected port scan to the network.
As per claim 11:	Sharifi teaches an apparatus, comprising:
a network interface device coupled to a data network comprising multiple nodes that communicate via the network; and [Sharifi: Fig.9]
at least one processor configured: [Sharifi: Fig.9]
to define, for a given software category, respective, disjoint sets of communication ports that are used by each of a plurality of software systems in the given software category, including at least first and second disjoint sets, [Sharifi: Fig.2] 
to identify, in data traffic [Sharifi: col.1, lines 40-60; traffic can also include packets] transmitted between multiple nodes that communicate over a network, a set of port scans [Sharifi: col.7, line 61 – col.8, line 50; multiple nodes over a network in terms of each of the virtual machine instances 140A may operate as a distinct computing node and may resemble conventional computing resources, such as web servers, application servers, content servers, remote workstations, etc., that have been instantiated by the customers of environment], each of the port scans comprising an access, in the data traffic, of a plurality of the communication ports on a given destination node by a given source node during a predefined time period, and [Sharifi: col.4, lines 18-50; the “predefined time period” is relative and thus, can be given the broadest reasonable interpretation (BRI) as any determined time or period of time, which according to the limitation is related to identifying traffic]
upon detecting a port scan by one of the nodes comprising accesses of at least one of the communication ports in the first set and at least one of the communication ports in the second set, to initiate a preventive action. [Sharifi: col.5, line 45-col.6, line 11; for example, the port scan determines the network activity indicates the threat actors access three ports. The system may take any suitable action based on the threat level score, such as report the threat level score, combine the score with previous threat level scores or other threat intelligence, generate one or more alerts if the threat is sufficiently severe, or perform automated remediation tasks. A “prevention action” can be given the BRI as a remediation task]
Claim 12:  Sharifi: Fig.5; discussing the apparatus according to claim 11, wherein a given processor is configured to identify the port scans by: identifying, in the data traffic, a set of pairs of the source and the destination nodes, each pair consisting of a given source node and a given destination node, and one or more of the communication ports accessed in the data traffic between the source and destination nodes in each pair, computing, for each pair in the set, a respective baseline level that is indicative of a first  [Sharifi: col.4, lines 18-50; different periods of time includes logging period]
Claim 13:  Sharifi: col.5, line 35-col.6, line 5; discussing the apparatus according to claim 11, wherein a given processor is configured to detect accesses of at least one of the communication ports in the first set by detecting accesses of at least a specified number of the communication ports in the first set, wherein the specified number is greater than one.
Claim 14:  Sharifi: col.5, lines 40-67; discussing the apparatus according to claim 11, wherein the at least one of the communication ports in the first set and at least one of the communication ports in the second set comprise at least a specified number of the communication ports in each of the first and the second sets, wherein the specified number is greater than one.
Claim 15:  Sharifi: col.35, lines 9-11; discussing the apparatus according to claim 11, wherein the given software category comprises operating systems.
Claim 16:  Sharifi: col.19, lines 43-65; discussing the apparatus according to claim 11, wherein the given software category comprises database servers.
Claim 17:  Sharifi: col.7, line 61 – col.8, line 50; discussing the apparatus according to claim 11, wherein the given software category comprises email servers.

Claim 18:  Sharifi: col.19, lines 60-65; discussing the apparatus according to claim 11, wherein the given software category comprises remote session applications.
Claim 19:  Sharifi: col.6, lines 5-11; discussing the apparatus according to claim 11, wherein a given processor is configured to initiate the preventive action by generating an alert for the given source node in the detected port scan.
Claim 20:  Sharifi: col.12, lines 35-41; discussing the apparatus according to claim 11, wherein a given processor is configured to initiate the preventive action by restricting access of the given source node in the detected port scan to the network.
As per claim 21:	Sharifi teaches a computer software product, the product comprising a non-transitory computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer:
to define, for a given software category, respective, disjoint sets of communication ports that are used by each of a plurality of software systems in the given software category, including at least first and second disjoint sets; [Sharifi: Fig.2] 
to identify, in data traffic [Sharifi: col.1, lines 40-60; traffic can also include packets] transmitted between multiple nodes that communicate over a network, a set of port scans [Sharifi: col.7, line 61 – col.8, line 50; multiple nodes over a network in terms of each of the virtual machine instances 140A may operate as a distinct computing node and may resemble conventional computing resources, such as web servers, application servers, content servers, remote workstations, etc., that have been instantiated by the customers of environment], each of the port scans comprising an access, in the data traffic, of a plurality of the communication ports on a given destination node by a given source node during a predefined time period; and [Sharifi: col.4, lines 18-50; the “predefined time period” is relative and thus, can be given the broadest reasonable interpretation (BRI) as any determined time or period of time, which according to the limitation is related to identifying traffic] 
upon detecting a port scan by one of the nodes comprising accesses of at least one of the communication ports in the first set and at least one of the communication ports in the second set, to initiate a preventive action. [Sharifi: col.5, line 45-col.6, line 11; for example, the port scan determines the network activity indicates the threat actors access three ports. The system may take any suitable action based on the threat level score, such as report the threat level score, combine the score with previous threat level scores or other threat intelligence, generate one or more alerts if the threat is sufficiently severe, or perform automated remediation tasks. A “prevention action” can be given the BRI as a remediation task]

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LEYNNA TRUVAN whose telephone number is (571) 272-3851.  The examiner can normally be reached on Monday-Friday 8:00AM-5:00PM, EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.



LEYNNA T TRUVAN
Examiner
Art Unit 2435



/L.TT/Examiner, Art Unit 2435 

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435