Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 02-27-2021 was in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Terminal Disclaimer
The terminal disclaimer filed on 03-08-2021 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of 16086142 has been reviewed and is accepted.  The terminal disclaimer has been recorded.

Response to Arguments
Applicant's arguments, see Remarks, Pgs. 1-2, filed 02-27-2021, with respect to the objections to the specification and claims have been fully considered and are persuasive in light of the new amendments to the specification and claims. The objections to the specification and claims have been withdrawn.
Applicant's arguments, see Remarks, Pg. 2, filed 02-27-2021, with respect to the rejection of claims under 35 USC 112 have been fully considered and are persuasive in light of the new amendments to the specification and claims. The 35 USC 112 rejection of the claims has been withdrawn.
Applicant's arguments, see Remarks, Pg. 2, filed 02-27-2021, with respect to the double patenting (DP) rejection of claims have been fully considered but are not persuasive; however, with the filing of the e-Terminal Disclaimer on 03-08-2021, the DP rejection is withdrawn.
Applicant's arguments, see Remarks, Pgs. 3-6, filed 02-27-2021, with respect to the 35 USC 103 rejection of claims have been fully considered but they are not persuasive. The attorney argues that “First, a pattern-based detection rule as in Zhang specifies patterns that are not acceptable, as discussed in paragraph [0044]: "[N]etwork traffic protocols that form a part of a traffic file can be matched against a defined protocol pattern such as a regular expression pattern to confirm if the network traffic protocols match the defined one or more protocol patterns and are therefore indicative of the existence of a network security threat." (Emphasis added.) Thus, such a rule is not "a definition of acceptable network communication characteristics" as in claim 1 - instead, it is the opposite. Second, Zhang's pattern matching detection rule is not "for each of a plurality of communication protocols" as recited in claim 1. In contrast, Zhang discloses "determin[ing] one or more network protocol(s) being used," not defining acceptable communication characteristics for each of a plurality of communication protocols”. The examiner respectfully disagrees with these arguments. The attorney was called, and the examiner explained that the prior art does teach the claimed concept and that no allowable subject matter was found in the current set of claims. See the interview summary for details.
First, acceptable network characteristics are taught by both Zhang and Friedrichs. Zhang [0036] recites “the network traffic capture system configured to capture and analyze all traffic, but only to save network traffic having particular characteristics (e.g., traffic carried within one or more predefined or configurable protocols, traffic originating from one or more predefined or configurable sources, traffic directed to one or more predefined or configurable destinations”, and [0069, Fig. 6] recites “when the network traffic protocols are not indicative of any network security threat, the traffic file and packets therein can be processed as normal”. These passages indicate that the predefined protocols are acceptable network protocol characteristics. The corollary stated in [0069] also holds: if the protocols do not indicate any threat they are considered normal, i.e., an acceptable characteristic of the traffic. Friedrichs [0018], [0037] recites “1) the source IP address of the event, 2) the source port of the event, 3) the destination IP address of the event, 4) the destination port of the event, 5) the protocol associated with the event… individual security devices that are observing higher than normal occurrences of a particular event, individual security devices that are observing higher than normal occurrences of activity on a particular port… the frequency of occurrence for a given type of security event is calculated. This frequency can then be compared to stored baseline values to determine if the frequency is sufficiently different from the baseline values to constitute a validated security threat”. These passages indicate that normal occurrences of events (IP, network layer) and of traffic at ports (TCP, transport layer), which are normal characteristics of protocols, together with the stored baseline values, are acceptable characteristics, deviations from which constitute a threat. Therefore the teachings of Friedrichs can be combined with Zhang either as an alternative, by replacing Zhang's identification of threat-indicative protocols with baseline acceptable characteristics of protocols, or in addition to Zhang's abnormal or defined protocol characteristics, by adding baseline or normal events occurring at different protocols, so that demographic and geographic trends are identified ([0009]). Second, different threats are identified at different protocols, namely HTTP at the application layer [0006] and network protocols at the transport and network layers [0028-29].
Therefore the characteristics are defined for a plurality of protocols, and this limitation is taught. See MPEP 2141.02(VI). Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references. Applicant's arguments do not comply with 37 CFR 1.111(c) because they do not clearly point out the patentable novelty which he or she thinks the claims present in view of the state of the art disclosed by the references cited or the objections made. Further, they do not show how the amendments avoid such references or objections. In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and content of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-13 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang et al. (US Pub. No. 20160381070), hereafter Zhang, in view of Friedrichs et al. (US Pub. No. 20030084349), hereafter Friedrichs.
Claim 1: Zhang teaches a computer implemented method to identify a computer security threat based on communication via a computer network, the method comprising (Summary): receiving a definition of [acceptable] network communication characteristics for each of a plurality of communication protocols ([0031] a set of defined protocol patterns is received as a detection rule set, wherein the pattern can be selected from a set comprising regular expression based pattern, string match based pattern, and script language implemented pattern; [0044] so the traffic can be matched against a defined pattern of protocols);
receiving a set of security events for the communication, each security event including network communication characteristics for the communication ([0032, 0036] the network traffic capture system is configured to capture and analyze all traffic, but only save network traffic having particular characteristics... the security device uses various characteristics (e.g., the protocol used, a specified domain, the source or destination port and/or the source or destination address, i.e., characteristics) of the traffic contained therein to identify potential infections and/or threats by a malicious bot associated with a known botnet and/or an Advanced Persistent Threat (APT));
for each security event in the set of security events: identifying a communication protocol associated with the security event ([0009] determine whether the network traffic relates to a network protocol that is indicative of the existence of a network security threat within the private network among a plurality of threats);
detecting deviations of the network communication characteristics of the security event from the acceptable network communication characteristics for the identified communication protocol ([0037] traffic entering or leaving the private network is processed against such a list of suspicious network traffic protocols to determine if the traffic uses any of the suspicious protocols and is therefore indicative of a network security threat (e.g., malware, malicious content, a compromised client and the like));
and generating a record of each deviation identifying a communication characteristic for which the deviation is detected ([0045] the system generates a list of threats whenever it detects/observes a network protocol used for circulating malicious content, used as a botnet communication protocol, used as a botnet C2 protocol and/or for conducting cyber-attacks);
and identifying a computer security threat for the communication based on the records generated for the set of security events ([0039] once at least one network protocol being used by a traffic file is determined, protocol information/attributes of the network protocol can be analyzed to confirm if the protocol is indicative of or is associated with a network security threat such as a botnet or APT).
Zhang teaches the claimed concept but is silent on receiving a definition of acceptable network communication characteristics for each of a plurality of communication protocols.
However, the analogous art Friedrichs teaches receiving a definition of acceptable network communication characteristics for each of a plurality of communication protocols ([0037] after receiving the vendor specific security events with common, vendor-independent event types, the security event data undergoes a security event analysis and correlation during Security Analysis… along with the stored baseline values, which are based on normal occurrences of particular events, normal occurrences at ports, associated protocols, etc.).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Zhang to include receiving baseline values of network characteristics as taught by Friedrichs, thus identifying demographic and geographic trends in security events as part of a security analysis ([0044]).
Claim 12: Zhang teaches a computer system comprising (Summary): a processor and memory storing computer program code for identifying a computer security threat based on communication via a computer network, the processor and memory configured to (Fig. 8): receive a definition of acceptable network communication characteristics for each of a plurality of communication protocols; receive a set of security events for the communication, each security event including network communication characteristics for the communication; for each security event in the set of security events: identify a communication protocol associated with the security event, detect deviations of the network communication characteristics of the security event from the acceptable network communication characteristics for the identified communication protocol, and generate a record of each deviation identifying a communication characteristic for which the deviation is detected; and identify a computer security threat for the communication based on the records generated for the set of security events. ([0031] a set of defined protocol patterns is received as a rule set, wherein the pattern can be selected from a set comprising regular expression based pattern, string match based pattern, and script language implemented pattern; [0044] so the traffic can be matched against a defined pattern of protocols; [0032, 0036] the network traffic capture system is configured to capture and analyze all traffic, but only save network traffic having particular characteristics... the security device uses various characteristics (e.g., the protocol used, a specified domain, the source or destination port and/or the source or destination address) of the traffic contained therein to identify potential infections and/or threats by a malicious bot associated with a known botnet and/or an Advanced Persistent Threat (APT); [0009] determine whether the network traffic relates to a network protocol that is indicative of the existence of a network security threat within the private network among a plurality of threats; [0037] traffic entering or leaving the private network is processed against such a list of suspicious network traffic protocols to determine if the traffic uses any of the suspicious protocols and is therefore indicative of a network security threat (e.g., malware, malicious content, a compromised client and the like); [0045] the system generates a list of threats whenever it detects/observes a network protocol used for circulating malicious content, used as a botnet communication protocol, used as a botnet C2 protocol and/or for conducting cyber-attacks; [0039] once at least one network protocol being used by a traffic file is determined, protocol information/attributes of the network protocol can be analyzed to confirm if the protocol is indicative of or is associated with a network security threat such as a botnet or APT.)
Zhang teaches the claimed concept but is silent on receiving a definition of acceptable network communication characteristics for each of a plurality of communication protocols.
However, the analogous art Friedrichs teaches receiving a definition of acceptable network communication characteristics for each of a plurality of communication protocols ([0037] after receiving the vendor specific security events with common, vendor-independent event types, the security event data undergoes a security event analysis and correlation during Security Analysis… along with the stored baseline values, which are based on normal occurrences of particular events, normal occurrences at ports, associated protocols, etc.).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Zhang to include receiving baseline values of network characteristics as taught by Friedrichs, thus identifying demographic and geographic trends in security events as part of a security analysis ([0044]).
Claim 2: the combination of Zhang and Friedrichs teaches the method of claim 1, further comprising: receiving a definition of one or more computer security threats, each computer security threat being defined, for each of one or more communication protocols, by a set of deviations from the acceptable network communication characteristic for the communication protocol, wherein identifying a computer security threat for the communication includes comparing the records generated for the set of security events to the received definition of one or more computer security threats. (Zhang: [0037] the list of suspicious network traffic protocols used for different types of network security threats/attacks can be manually/automatically compiled and/or updated at regular intervals or in real-time. The list of suspicious network traffic protocols are indicative of network security threats, such as botnets or APTs... traffic entering or leaving the private network is processed against such a list of suspicious network traffic protocols to determine if the traffic uses any of the suspicious protocols and is therefore indicative of a network security threat (e.g., malware, malicious content, a compromised client and the like)).
Claim 3: the combination of Zhang and Friedrichs teaches the method of claim 1, wherein the definition of acceptable network communication characteristics for each of the plurality of communication protocols is based on a specification of the communication protocol. (Zhang: [0028] identification of suspicious network traffic indicative of a Botnet and/or an Advanced Persistent Threat (APT) based on information or characteristics of the network protocol of such traffic).
Claim 4: the combination of Zhang and Friedrichs teaches the method of claim 2, wherein the one or more computer security threats are further defined by an extent or range of extents of the deviation from the acceptable network communication characteristics for the communication protocol. (Friedrichs: [0037] the frequency of occurrence for a given type of security event is calculated. This frequency can then be compared to stored baseline values to determine if the frequency is sufficiently different from the baseline values to constitute a validated security threat).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Zhang to include determining the extent of deviation from baseline values as taught by Friedrichs, thus identifying demographic and geographic trends in security events as part of a security analysis ([0044]).
Claim 5: the combination of Zhang and Friedrichs teaches the method of claim 1, wherein one or more of the records of each deviation further identifies an extent of the deviation of the network communication characteristics of the security event from the acceptable network communication characteristics for the identified communication protocol. (Friedrichs: [0037-38] the frequency can then be compared to stored baseline values to determine if the frequency is sufficiently different from the baseline values to constitute a validated security threat... identification of a linked series of security events is a complement to the technique of looking for an increased frequency of events of a single event type and provides another way of detecting validated security threats where the individual security events do not indicate the true scope of the validated threat).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Zhang to include determining the deviation as a frequency of occurrences as taught by Friedrichs, thus identifying demographic and geographic trends in security events as part of a security analysis ([0044]).
Claim 6: the combination of Zhang and Friedrichs teaches the method of claim 1, wherein the network communication characteristics include one or more of: a size, a range of sizes, a volume, a range of volumes, a rate or a range of rates of data in the communication; a size or a range of sizes of a header of a message in the communication; characteristics of a source entity to the communication; characteristics of a destination entity to the communication; or features of the communication protocol. (Zhang: [0036] network traffic having particular characteristics (e.g., traffic containing encrypted data, traffic carried within one or more predefined or configurable protocols, traffic originating from one or more predefined or configurable sources, traffic directed to one or more predefined or configurable destinations, traffic using one or more predefined or configurable source or destination ports and the like). The network security device performs post processing using various characteristics (e.g., the protocol used, a specified domain, the source or destination port and/or the source or destination address) of the traffic).
Claim 7: the combination of Zhang and Friedrichs teaches the method of claim 6, wherein the features of the communication protocol include one or more of: an order of messages or types of message according to one or more protocol definitions; or a message structure or format. (Zhang: [0058] the system captures and stores network traffic having one or more data packets in the form of, say, a traffic file or any other configuration data structure format so that the data packets can be evaluated for characteristics (e.g., use of a particular protocol, interaction with a particular domain, etc.)).
Claim 8: the combination of Zhang and Friedrichs teaches the method of claim 6, wherein the characteristics of the source entity include one or more of: a particular port of the source entity; a set of ports of the source entity; or a number of ports of the source entity. (Zhang: [0003, 0036] threats are identified based on characteristics of the traffic (e.g., the protocol used, the source or destination port and/or the source or destination address)).
Claim 9: the combination of Zhang and Friedrichs teaches the method of claim 6, wherein the characteristics of the destination entity include one or more of: a particular port of the destination entity; a set of ports of the destination entity; or a number of ports of the destination entity. (Zhang: [0036] network traffic having particular characteristics (e.g., traffic containing encrypted data, traffic carried within one or more predefined or configurable protocols, traffic originating from one or more predefined or configurable sources, traffic directed to one or more predefined or configurable destinations, traffic using one or more predefined or configurable source or destination ports and the like)).
Claim 10: the combination of Zhang and Friedrichs teaches the method of claim 1 wherein the security events are received from one or more computer security services. (Zhang: [0033-35, Fig. 1] network security device can report suspicious traffic files from one or more client devices that are connecting to the plurality of servers along with security threat details).
Claim 11: the combination of Zhang and Friedrichs teaches the method of claim 10, wherein the one or more of the computer security services include: an intrusion detection system; a malware detection system; a firewall; a proxy; an antivirus system; or a spyware detection system. (Zhang: [0039, Fig. 1] network security device can report suspicious traffic files along with security threat details to one or more network devices such as firewall, antivirus, IDS/IPS, or to other security controlling devices/applications).
Claim 13: the combination of Zhang and Friedrichs teaches the non-transitory computer-readable storage medium storing a computer program element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer system to perform the method as claimed in claim 1. (Zhang: [0021-27] steps are performed by hardware components comprising machine-executable instructions, used to cause a general-purpose or special-purpose processor programmed with the instructions to perform various steps. Steps are performed by a combination of hardware, software, firmware and/or by human operators executing the associated software).
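The following is an added worked illustration of the claimed flow as recited in claims 1, 2, 4, 5 and 12 (a per-protocol definition of acceptable characteristics, per-event deviation records carrying an extent, and threat definitions expressed as sets of deviations per protocol). It is example code written for this page, not code from the application, from Zhang or from Friedrichs; the baseline ranges, the threat definitions and the sample security events are constructed for illustration and are hypothetical.

```python
"""Per-protocol baseline deviation detector (added illustration, hypothetical values)."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Definition of acceptable network communication characteristics for each of a
# plurality of protocols (claim 1). Constructed values: a tuple is an inclusive
# (low, high) range, a set is the list of permitted values.
ACCEPTABLE: Dict[str, Dict[str, Any]] = {
    "dns":  {"dst_port": {53},       "payload_size": (0, 512),  "rate_per_min": (0, 60)},
    "http": {"dst_port": {80, 8080}, "header_size": (0, 8192),  "rate_per_min": (0, 600)},
}

# Threat definitions (claims 2 and 4): per protocol, the set of characteristics
# that must deviate, plus a minimum extent of deviation. Hypothetical values.
THREATS: Dict[str, Dict[str, Any]] = {
    "dns_tunnelling":    {"protocol": "dns",  "deviating": {"payload_size", "rate_per_min"}, "min_extent": 0.5},
    "oversized_headers": {"protocol": "http", "deviating": {"header_size"}, "min_extent": 0.0},
}


@dataclass(frozen=True)
class Deviation:
    """Record of one deviation (claim 1), including its extent (claim 5)."""
    event_id: str
    protocol: str
    characteristic: str
    observed: Any
    extent: float  # distance beyond the acceptable bound, in units of the range width


def _extent(value: Any, acceptable: Any) -> Optional[float]:
    """Return None when value is acceptable, otherwise how far it deviates."""
    if isinstance(acceptable, set):
        return None if value in acceptable else 1.0
    low, high = acceptable
    if low <= value <= high:
        return None
    width = max(high - low, 1)
    return (value - high) / width if value > high else (low - value) / width


def detect_deviations(event: Dict[str, Any]) -> List[Deviation]:
    """Identify the event's protocol and compare its characteristics to the baseline."""
    proto = event["protocol"]
    baseline = ACCEPTABLE.get(proto)
    if baseline is None:
        # No acceptable definition exists for this protocol: the protocol itself
        # is recorded as the deviating characteristic rather than silently ignored.
        return [Deviation(event["id"], proto, "protocol", proto, 1.0)]
    records: List[Deviation] = []
    for name, acceptable in baseline.items():
        if name not in event:
            continue
        extent = _extent(event[name], acceptable)
        if extent is not None:
            records.append(Deviation(event["id"], proto, name, event[name], extent))
    return records


def identify_threats(records: List[Deviation]) -> List[str]:
    """Compare the deviation records against the threat definitions (claim 2)."""
    found: List[str] = []
    for threat, spec in THREATS.items():
        hits = {r.characteristic for r in records
                if r.protocol == spec["protocol"] and r.extent >= spec["min_extent"]}
        if spec["deviating"] <= hits:
            found.append(threat)
    return found


def analyse(events: List[Dict[str, Any]]) -> Tuple[List[Deviation], List[str]]:
    """Run the full flow over a set of security events."""
    records = [d for e in events for d in detect_deviations(e)]
    return records, identify_threats(records)


# Constructed sample security events (not taken from any real capture).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"id": "e1", "protocol": "dns",  "dst_port": 53,   "payload_size": 300,   "rate_per_min": 12},
    {"id": "e2", "protocol": "dns",  "dst_port": 53,   "payload_size": 1400,  "rate_per_min": 240},
    {"id": "e3", "protocol": "http", "dst_port": 80,   "header_size": 4096,   "rate_per_min": 30},
    {"id": "e4", "protocol": "http", "dst_port": 8080, "header_size": 65536,  "rate_per_min": 30},
    {"id": "e5", "protocol": "irc",  "dst_port": 6667},
]

if __name__ == "__main__":
    recs, threats = analyse(SAMPLE_EVENTS)
    for r in recs:
        print(f"{r.event_id} {r.protocol} {r.characteristic}={r.observed} extent={r.extent:.2f}")
    print("threats:", threats)
```

In this sketch the baseline is the "acceptable" definition the claims recite, not a list of suspicious patterns: event e2 is flagged only because its payload size and query rate fall outside the DNS range, and the unknown protocol of e5 produces a deviation record of its own so that traffic with no baseline is never treated as acceptable by default.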

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri Champakesan, whose telephone number is (571) 270-3867. The examiner can normally be reached on M-F: 7:45am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Taghi T. Arani, can be reached on (571) 272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished 
/BADRINARAYANAN /Examiner, Art Unit 2438.