DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 2/7/2019 and 2/9/2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  
Authorization for this examiner’s amendment was given in telephone interviews with Mark Harrington (Reg. No. 31,686) on 3/2/2021 and 3/3/2021. 
The application has been amended as follows:
Please cancel Claims 3, 6, 17, and 20.
Please replace Claim 14 with the following:
14. (Currently Amended) A computer program product stored on a non-transitory distribution medium readable by a computer and comprising program instructions which, when loaded into an apparatus, execute the method according to claim 1. 
Allowable Subject Matter
Claims 1-2, 4-5, 7-16, and 18-19 are allowed.
The following is an examiner’s statement of reasons for allowance:
Regarding Claim 1, although the closest prior art of record (such as Bartos et al., (US 20170155668 A1), Zuk et al., (US 20150026794 A1), Torres Ramon et al., (US 20120033581 A1)) teaches A method comprising performing, in a network apparatus, the steps of classifying traffic flows containing packets based on packet features; providing a copy of a packet contained in a traffic flow to a cluster node; and in response to receiving from the detector node a flow indication on the traffic flow, controlling a switch node to perform at least one flow control action on the traffic flow, the action including one or more of flow removal, flow modification and flow installation.
However, none of the prior art, alone or in combination teaches controlling the cluster node to select at least one detector node based on the features of the packet and to forward said copy to the selected detector node to find out based on said copy whether the packet is malicious or not in view of other limitations of the independent claims.
Regarding Claim 2, although the closest prior art of record (such as Bartos et al., (US 20170155668 A1), Zuk et al., (US 20150026794 A1), Torres Ramon et al., (US 20120033581 A1)) teaches A method comprising performing, in a network apparatus, the steps of obtaining a copy of a packet contained in a traffic flow from a switch node; checking packet features. 
selecting, based on the packet features, at least one detector node among one or more detector nodes capable of checking based on said copy whether the packet is malicious or not; and forwarding said copy to the selected detector node for checking whether the packet is malicious or not in view of other limitations of the independent claims.
Regarding Claim 4, although the closest prior art of record (such as Bartos et al., (US 20170155668 A1), Zuk et al., (US 20150026794 A1), Torres Ramon et al., (US 20120033581 A1)) teaches A method comprising performing, in a network apparatus, the steps of classifying traffic flows containing packets based on packet features; providing a sample of a traffic flow to a cluster node; in response to receiving, from the detector node, a flow indication on the traffic flow, controlling the switch node to perform at least one flow control action on the traffic flow, the action including one or more of flow removal, flow modification and flow installation.
However, none of the prior art, alone or in combination teaches receiving, from the cluster node, information on one or more detector nodes selected in the cluster node for features of the sample; controlling a switch node to forward the traffic flow based on rules extracted from the cluster node to the selected detector node to find out whether a packet contained in said traffic flow is malicious or not in view of other limitations of the independent claims.
Regarding Claim 5, although the closest prior art of record (such as Bartos et al., (US 20170155668 A1), Zuk et al., (US 20150026794 A1), Torres Ramon et al., (US 20120033581 A1)) teaches A method comprising performing, in a network apparatus, the steps of obtaining a sample of a traffic flow from a switch node; checking features of the sample.
However, none of the prior art, alone or in combination teaches based on the checking, selecting at least one detector node among one or more detector nodes capable of checking whether a packet is malicious or not; and indicating to a control node the at least one detector node selected for traffic flow anomaly detection in view of other limitations of the independent claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDREW J STEINLE whose telephone number is (571)272-9923.  The examiner can normally be reached on M-F 10am-6pm CT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571) 272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/ANDREW J STEINLE/Primary Examiner, Art Unit 2497