DETAILED ACTION
Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

2.	This Office Action is directed to the Applicant’s response filed 12-14-2020.

3.	Claims 1-4, 6-13, and 15-20 are pending and have been examined.

Terminal Disclaimer
4.	The terminal disclaimer filed on 12-14-2020 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of U.S. Patent 10,404,748 has been reviewed and is accepted.  The terminal disclaimer has been recorded.

Response to Arguments
5.	The Applicant’s arguments filed 12-14-2020 have been fully considered with the following results:
	Double Patenting Rejections:
	The Applicant has filed a Terminal Disclaimer directed to U.S. Patent 10,404,748 and therefore the double patenting rejections are withdrawn.
	35 USC Sec. 102 Rejections: 

As per the discussion during the Applicant-initiated interview held 8-18-2020, the Examiner agrees with the Applicant’s argument and therefore the rejections of the claims made under 35 USC Sec. 102 are overcome by the changes made in the latest amendment. However, the Applicant’s arguments are moot because a new ground of rejection has been necessitated by the amendment that does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. New prior art: Bingham et al. has been used to teach this feature, as well as the new limitation directed to an analysis engine configured to analyze the behavior of host pairs for anomalies.
The balance of the Applicant’s arguments are dependent on those already addressed supra.

Claim Rejections - 35 USC § 103
6.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.


A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


8.	The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

9.	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

10.	Claims 1-3, 10-12, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Dudfield et al., US 2004/0220984 A1, and Bingham et al., US 2005/0157662.

As for claim 1, Dudfield teaches a method comprising:
receiving, at a device in a network, traffic records indicative of network traffic between different sets of host address pairs ([0050]: data collectors dispersed throughout a network collect information regarding data traffic between host pairs; [0054]-[0057] and fig. 4: an aggregator receives the information from the collectors and constructs a connection table that stores source and destination address information for data traffic at a host and maps host pairs; [0058] and [0060]: connection table stores information on communicating host pairs; [0085]: anomaly detector examines traffic between one host and many other hosts to determine if it is a victim of a DoS attack, reading on examining traffic records between sets of host pairs, [0058] and [0169]: sets of host pairs are grouped by roles that are based on connection habits);
identifying, by the device, one or more address grouping constraints for the sets of host address pairs ([0085]: anomaly detector examines traffic between one host and many other hosts to determine if it is a victim of a DoS attack, the grouping constraint used is whether the number of different hosts that are in communication with the one host suspected of being the target of a DoS attack is above a predetermined level based on a historical profile as per [0090]);
determining, by the device, address groups for the host addresses in the sets of host address pairs based on the one or more address grouping constraints ([0085]: 
providing, by the device, an indication of the address groups to an anomaly detector ([0085]: anomaly detector examines traffic record of data traffic received by one host from many other hosts, reading on an address group, to determine if it is a victim of a DoS attack).
Dudfield teaches the additional features wherein the one or more address grouping constraints indicates that a particular host address pair must be associated with one of: traffic sent from an internal network to an external network, traffic sent from an external network to an internal network, or traffic between two internal networks ([0063]: data collectors can be configured to track and report data records for traffic between only internal host pairs, or between external and internal host pairs).
Bingham offers a more explicit teaching of the feature wherein the one or more address grouping constraints indicates that a particular host address pair must be associated with one of: traffic sent from an internal network to an external network (fig. 1: Reverse Tunnel, [0049]: analysis of the data traffic between hosts will indicate if an internal network has been compromised by a reverse tunnel sending traffic to an external network, [0106]: traffic may be organized and analyzed by host pairs), traffic sent from an external network to an internal network, or traffic between two internal 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated this feature into the invention of Dudfield. It would have been desirable to do so since the use of an analysis engine to analyze the behavior of a network for anomalies based on the use of a grouping constraint indicating a particular host pair is associated with traffic sent from an internal network to an external network would increase the accuracy of Dudfield’s invention in detecting a network intrusion and thereby increase the utility of his system.
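To make the claimed grouping step concrete, the following is an added illustration, not code from the application, the Office Action, or any cited reference: it sorts host pairs into the three claimed address groups (internal-to-external, external-to-internal, internal-internal), drops pairs satisfying none of the constraints, and then runs, per group, a one-host-versus-many-hosts check of the kind the action attributes to Dudfield [0085] and [0090]. The 10.0.0.0/8 internal prefix, the traffic records, the baseline profile, and the factor-of-three threshold are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: 10.0.0.0/8 is the internal network; every other address is external.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
CLAIMED_GROUPS = ("internal-to-external", "external-to-internal", "internal-internal")

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)

def address_group(src, dst):
    """Apply the grouping constraint: each host pair maps to exactly one group."""
    s, d = is_internal(src), is_internal(dst)
    if s and d:
        return "internal-internal"
    if s:
        return "internal-to-external"
    if d:
        return "external-to-internal"
    return "external-external"  # satisfies none of the three claimed constraints

def group_pairs(records):
    """records: (src, dst, flows) -> {group: {(src, dst): flows}}; pairs that
    satisfy no constraint are dropped instead of being handed to the detector."""
    groups = defaultdict(dict)
    for src, dst, flows in records:
        g = address_group(src, dst)
        if g in CLAIMED_GROUPS:
            groups[g][(src, dst)] = groups[g].get((src, dst), 0) + flows
    return dict(groups)

def detect_fanin_anomalies(groups, baseline, factor=3):
    """One-host-vs-many-hosts test, run per address group: alert when the count
    of distinct sources reaching a destination exceeds factor x its baseline."""
    alerts = []
    for g, pairs in groups.items():
        peers = defaultdict(set)
        for src, dst in pairs:
            peers[dst].add(src)
        for dst, srcs in peers.items():
            expected = baseline.get((g, dst), 1)  # baseline: assumed historical profile
            if len(srcs) > factor * expected:
                alerts.append((g, dst, len(srcs), expected))
    return alerts

# Constructed traffic records (src, dst, flow count) and a constructed baseline.
SAMPLE_RECORDS = [
    ("10.1.1.5", "10.1.2.20", 4), ("10.1.1.6", "10.1.2.20", 2),
    ("10.1.1.7", "203.0.113.9", 1), ("203.0.113.9", "203.0.113.10", 3),
] + [(f"198.51.100.{i}", "10.1.2.20", 1) for i in range(1, 7)]
BASELINE = {("external-to-internal", "10.1.2.20"): 1, ("internal-internal", "10.1.2.20"): 2}

def run_sample():
    return detect_fanin_anomalies(group_pairs(SAMPLE_RECORDS), BASELINE)
```

On the constructed records only the external-to-internal group trips the check, because six distinct external sources reach 10.1.2.20 against a baseline of one, while the two internal peers of the same host stay within their own group's profile.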
As for claim 2, the combination of Dudfield and Bingham teaches the method as in claim 1. Dudfield teaches the additional feature wherein a particular one of the one or more address groups comprises host addresses associated with an external network that is external to the network ([0063]: data related to external hosts is tracked and collected).
 
As for claim 3, the combination of Dudfield and Bingham teaches the method as in claim 2. Dudfield teaches the additional features wherein a second one of the address groups comprises host addresses associated with an internal network that is 

As for claim 10, the combination of Dudfield and Bingham teaches the method as in claim 1. Dudfield teaches the additional features wherein the anomaly detector uses the address groups to analyze traffic for host clusters that are based on the address groups ([0085]: anomaly detector uses the connection tables to examine traffic between one host and many other hosts to determine if it is a victim of a DoS attack, the grouping constraint used is whether the number of different hosts that are in communication with the one host suspected of being the target of a DoS attack is above a predetermined level based on a historical profile as per [0090]).

As for claims 11, 12, and 19, these claims are drawn to the apparatus that corresponds to the method of claims 1-3 and 10. Claims 11, 12, and 19 recite substantially the same limitations as claims 1-3 and 10 and are rejected on the same basis.

As for claim 20, this claim is drawn to the computer program-product embodied in a tangible non-transitory memory medium that corresponds to the method of claim 1. Claim 20 recites substantially the same limitations as claim 1 and is rejected on the same basis.

11.	Claims 4 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Dudfield, Bingham, and further in view of Ben-Souayeh et al., Formal Checking of Multiple Firewalls, IJCSI Journal, Volume 9, Issue 3, No. 2, May 2012, pages 1-9.

As for claim 4, the combination of Dudfield and Bingham teaches the method as in claim 1, but not further wherein determining the address groups for the host addresses in the sets of host pairs comprises: using, by the device, a satisfiability modulo theories (SMT) solver on the identified one or more address grouping constraints for the sets of host address pairs. However, Ben-Souayeh, in analogous prior art, does teach the use of SMT techniques to analyze data traffic between different host pairs in the form of firewalls (Sec. 5: Automatic Verification Tools: satisfiability solver modulo theories techniques were used to analyze packet traffic between firewalls). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the applicant’s claimed invention to incorporate this feature into the invention of Dudfield and Bingham. It would have been desirable to do so since the use of SMT analysis techniques would provide a more efficient analysis tool for parsing data and thereby increase the volume and accuracy of anomaly detection.
 
As for claim 13, this claim is drawn to the apparatus that corresponds to the method of claim 4. Claim 13 recites substantially the same limitations as claim 4 and is rejected on the same basis.

12.	Claims 6 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Dudfield, Bingham, and further in view of Huang et al., "In-Network PCA and Anomaly Detection", Advances in Neural Information Processing Systems (NIPS), Dec. 2006, pages 1-8.

As for claim 6, the combination of Dudfield and Bingham teaches the method as in claim 1. Dudfield teaches the additional feature wherein the device is a supervisory device and the traffic records are received from a plurality of distributed devices ([0050]: data collectors dispersed throughout a network collect information regarding data traffic between host pairs; [0054]-[0057] and fig. 4: an aggregator, reading on a supervisory device, receives the information from the collectors and constructs a connection table that stores source and destination address information for data traffic at a host and maps host pairs). The combination of Dudfield and Bingham does not teach the additional steps wherein the distributed devices are learning agents configured to execute anomaly detectors. However, Huang, in analogous prior art, does teach an anomaly detection system based on learning agents at distributed local nodes in a network performing anomaly detection (Sec. 1: Introduction). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the Applicant’s claimed invention to have incorporated this feature into the system of Dudfield and Bingham. It would have been desirable to do so since this would facilitate analysis of high volumes of traffic data while reducing the amount of data reported back to the aggregator, i.e. the supervisory device, and thereby allow the system to handle higher traffic volumes.

As for claim 15, this claim is drawn to the apparatus that corresponds to the method of claim 6. Claim 15 recites substantially the same limitations as claim 6 and is rejected on the same basis.

13.	Claims 8 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Dudfield, Bingham, and further in view of Rodriguez US 2012/0173710 A1.
As for claim 8, the combination of Dudfield and Bingham teaches the method as in claim 1, but not further comprising receiving, at the device, address groups from a second device in the network; comparing, by the device, the determined address groups to the received address groups; and providing, by the device, a result of the comparison to the second device in the network. However, Rodriguez, in analogous prior art, does teach these steps ([0033]-[0034]: an analysis module may receive data from client devices and send data to client devices, the Examiner construes a client device and an administrator device as synonymous, [0058]-[0059]: analysis server will compare later received data to earlier received data stored in a data dictionary to calculate a deviation score indicative of an anomaly in network traffic data, [0083]: analysis server may output data indicative of an anomaly to an administrator device). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the Applicant’s claimed invention to have incorporated this feature into the system of Dudfield and Bingham. It would have been desirable to do so since this would facilitate 

As for claim 17, this claim is drawn to the apparatus that corresponds to the method of claim 8. Claim 17 recites substantially the same limitations as claim 8 and is rejected on the same basis.

14.	Claims 9 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Dudfield, Bingham, and further in view of Cisco Inc. Product Data Sheet: “Cisco Traffic Anomaly Detector Module”, Updated Jan. 6, 2014, Document ID:1457308827212731, retrieved from the Internet 9-16-2018 at: <https://www.cisco.com/c/en/us/products/collateral/interfaces-modules/catalyst-6500-7600-router-traffic-anomaly-detector-module/product_data_sheet0900aecd80220a6e.html>

As for claim 9, the combination of Dudfield and Bingham teaches the method as in claim 1, but not further wherein the device is a border router and hosts the anomaly detector. However, Cisco Product Data Sheet does disclose a router that may be an edge or border router comprising a network traffic anomaly detector (page 2: Cisco Traffic Anomaly Detector Module Benefits, Recognition and Learning: Cisco discloses a series 7600 router that comprises an anomaly detection module, page 4 Table 2: Attack Recognition: Border Gateway Protocol attacks are detected). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the 

As for claim 18, this claim is drawn to the apparatus that corresponds to the method of claim 9. Claim 18 recites substantially the same limitations as claim 9 and is rejected on the same basis. 

Allowable Subject Matter
15.	Claims 7 and 16 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

16.	The following is a statement of reasons for the indication of allowable subject matter:  The closest prior art in the field does not teach the combination of features of the claimed invention, particularly including the confirmation step as recited by claims 7 and 16.

Conclusion
17.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  The following US Patent documents teach methods for network anomaly detection based on analysis of host pair traffic similar to the instant application:

Chen		2018/0183680 A1
Weber		2006/0173992 A1

18.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  


19.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to PAUL E CALLAHAN whose telephone number is (571)272-3869.  The examiner works a part-time schedule and can normally be reached on Th-F, M-Tu (consecutive weeks): 8am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 571-272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  
/PAUL E CALLAHAN/Examiner, Art Unit 2437