DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

1.	This is in response to communication filed on 9/23/19 in which claims 1-20 are pending.

Claim Rejections - 35 USC § 102
2.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


3.	Claims 1-3, 8-10, 15-20 are rejected under 35 U.S.C. 102 (a)(1) as being anticipated by U.S. Publication No. 2016/0359887 to Yadav et al.

a. 	As per claim 1, Yadav et al teaches a method for discovering the origin of network traffic on a computer running an operating system (OS) comprising: initiating a first tool that captures at least packet headers of transmitted or received packets (See paragraph [0046, 0047], as the sensors capture communications), said tool reporting an identifying exemplar for each packet time periods; [0053-0054]) ; reporting the originating PID of the DNS communication when said exemplars match within the predetermined time window (See paragraph [0048, 0060], match packets to identify traffic flows).  

b.  	As per claim 2, Yadav et al teaches the claimed invention as described above.  Furthermore, Yadav et al teaches wherein said exemplar is a 4-tuple containing source address, source port, destination address and destination port (See paragraph [0049]).

c. 	As per claim 8, Yadav et al teaches a method for discovering the origin of network traffic on a computer running an operating system (OS) comprising: initiating a first tool that captures packet data (See paragraph [0046, 0047], the sensors capture communications), said tool reporting an identifying 4- tuple for each packet captured (See paragraph [0049]); causing the first tool to monitor a particular port (See paragraph [0070 and 0106], connected to a network device's monitoring port); initiating a second tool that captures the identifying 4-tuple for each packet transmitted or received by a particular process and the process identification (PID) of the process transmitting or receiving the packet (See paragraph [0042 and 0049] and ; comparing captured 4-tuples from captured packets to 4-tuples from processes that occur within a match packets to identify traffic flows).  
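The following is an added illustration, not part of the Office action and not code from Yadav et al or the applicant, of the correlation step recited in claims 1 and 8: a packet-capture tool reports a 4-tuple per captured packet on the monitored port, a process-level tool reports a 4-tuple plus PID per socket event, and a packet is attributed to a process when both carry the identical 4-tuple within the predetermined window. Hosts, PIDs and timestamps are constructed sample data; the one-second window follows claims 3 and 10 and port 53 follows claim 9.

```python
from collections import namedtuple
from typing import Dict, List, Optional

DNS_PORT = 53
WINDOW_SECONDS = 1.0  # the claims' "approximately one second" window

FourTuple = namedtuple("FourTuple", "src_addr src_port dst_addr dst_port")
CapturedPacket = namedtuple("CapturedPacket", "ts tuple4")   # what the packet-capture tool reports
ProcessEvent = namedtuple("ProcessEvent", "ts tuple4 pid")   # what the process-level tool reports


def is_dns(t4: FourTuple) -> bool:
    """Port filter: the first tool monitors one particular port, port 53 for DNS."""
    return DNS_PORT in (t4.src_port, t4.dst_port)


def attribute_packets(packets: List[CapturedPacket],
                      events: List[ProcessEvent],
                      window: float = WINDOW_SECONDS) -> Dict[int, Optional[int]]:
    """Map each captured DNS packet (by index) to the PID whose socket event has the
    identical 4-tuple and the nearest timestamp within `window` seconds; None when
    no event qualifies.  Non-DNS packets are skipped by the port filter."""
    by_tuple: Dict[FourTuple, List[ProcessEvent]] = {}
    for ev in events:
        by_tuple.setdefault(ev.tuple4, []).append(ev)

    origins: Dict[int, Optional[int]] = {}
    for idx, pkt in enumerate(packets):
        if not is_dns(pkt.tuple4):
            continue
        near = [ev for ev in by_tuple.get(pkt.tuple4, [])
                if abs(ev.ts - pkt.ts) <= window]
        # several events can share a 4-tuple (a reused ephemeral port, for example);
        # the event closest in time to the packet wins
        origins[idx] = min(near, key=lambda ev: abs(ev.ts - pkt.ts)).pid if near else None
    return origins


# Constructed sample data (hypothetical hosts and PIDs), not taken from any reference.
T_QUERY_A = FourTuple("10.0.0.5", 51234, "10.0.0.1", 53)
T_QUERY_B = FourTuple("10.0.0.5", 51999, "10.0.0.1", 53)
T_HTTPS = FourTuple("10.0.0.5", 40000, "192.0.2.10", 443)

SAMPLE_PACKETS = [
    CapturedPacket(100.00, T_QUERY_A),  # DNS; pid 4242's event is 0.05 s away
    CapturedPacket(100.40, T_HTTPS),    # not DNS; ignored by the port filter
    CapturedPacket(100.60, T_QUERY_A),  # DNS; same tuple reused, pid 7777's event is nearer
    CapturedPacket(105.00, T_QUERY_B),  # DNS; nearest event is 2 s away, so unattributed
]
SAMPLE_EVENTS = [
    ProcessEvent(99.95, T_QUERY_A, 4242),
    ProcessEvent(100.70, T_QUERY_A, 7777),
    ProcessEvent(103.00, T_QUERY_B, 4242),
]


def attribute_sample() -> Dict[int, Optional[int]]:
    """Run the correlation over the constructed sample streams."""
    return attribute_packets(SAMPLE_PACKETS, SAMPLE_EVENTS)


if __name__ == "__main__":
    for idx, pid in attribute_sample().items():
        pkt = SAMPLE_PACKETS[idx]
        print(f"packet {idx} at t={pkt.ts:.2f} {pkt.tuple4} -> pid {pid}")
```

The window size is the operational knob: too narrow and a packet whose socket event was logged slightly earlier goes unattributed (packet 3 above), too wide and a reused ephemeral port can be credited to the wrong process, which is why the nearest event rather than the first match is chosen.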

d. 	As per claims 3 and 10, Yadav et al teaches the claimed invention as described above.  Furthermore, Yadav et al teaches wherein the predetermined time window is approximately one second (See paragraph [0046]).  

e. 	As per claim 9, Yadav et al teaches the claimed invention as described above.  Furthermore, Yadav et al teaches wherein the particular port is Port 53 (See paragraph [0107]).  

f. 	As per claim 10, Yadav et al teaches the claimed invention as described above.  Furthermore, Yadav et al teaches wherein the predetermined time window is approximately one second (See paragraph [0046]).  

g.	As per claim 15, Yadav et al teaches a method of discovering an origin of network traffic comprising: correlating a captured packet with a kernel packet transmit event in a predetermined time interval (See paragraph [0023, 0045, 0088]).  

h. 	As per claim 16, Yadav et al teaches the claimed invention as described above.  Furthermore, Yadav et al teaches wherein the correlation occurs when the captured packet and the kernel packet transmit event include the same 4-tuple occurring within the predetermined time interval (See paragraph [0049]).  


j. 	As per claim 18, Yadav et al teaches the claimed invention as described above.  Furthermore, Yadav et al teaches wherein the origin of the network traffic implicates a particular process (See paragraph [0040]).  

k. 	As per claim 19, Yadav et al teaches the claimed invention as described above.  Furthermore, Yadav et al teaches wherein the network traffic is a DNS communication (See paragraph [0020 and 0022]).  

l. 	As per claim 20, Yadav et al teaches the claimed invention as described above.  Furthermore, Yadav et al teaches wherein capture of the packet and the kernel packet transmit event are effected by using infrastructures and capabilities supplied by the operating system (OS) (See paragraph [0067 and 0070]).  

Claim Rejections - 35 USC § 103
4.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

5.	Claims 4, 6, 11 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Publication No. 2016/0359887 to Yadav et al in view of U.S. Publication No. 2016/0142931 to Mondal et al.

a. 	As per claims 4 and 11, Yadav et al teaches the claimed invention as described above.  Furthermore, Yadav et al fails to explicitly teach wherein the first tool is libpcap.  
	Mondal et al teaches wherein the first tool is libpcap (See paragraph [0074]).
	It would have been obvious to one with ordinary skill in the art to incorporate the teaching of Mondal in the claimed invention of Yadav et al in order to capture network traffic.



	Mondal et al teaches wherein the first tool is Winpcap (See paragraph [0074]).
It would have been obvious to one with ordinary skill in the art to incorporate the teaching of Mondal in the claimed invention of Yadav et al in order to capture network traffic.

6.	Claims 5 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Publication No. 2016/0359887 to Yadav et al in view of U.S. Publication No. 2016/0164901 to Mainieri et al.

a. 	As per claims 5 and 12, Yadav et al teaches the claimed invention as described above.  Furthermore, Yadav et al fails to teach wherein the second tool is KProbes.  
	Mainieri et al teaches wherein the second tool is KProbes (see paragraph [0061]).
	It would have been obvious to one with ordinary skill in the art to incorporate the teaching of Mainieri et al in the claimed invention of Yadav et al in order to trace kernel functions.

7.	Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Publication No. 2016/0359887 to Yadav et al in view of U.S. Publication No. 2010/0192201 to Shimoni et al.

a. 	As per claims 7 and 14, Yadav et al teaches the claimed invention as described above.  Furthermore, Yadav et al teaches wherein the second tool is EventViewer.  

	It would have been obvious to one with ordinary skill in the art to incorporate the teaching of Shimoni et al in order to display event information (See paragraph [0084]).

Conclusion
8.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
U.S. Publication No. 2015/0009840 to Pruthi et al teaches monitoring network devices and identifying packet anomalies.
U.S. Publication No. 2018/0212989 to Mavani teaches monitoring and capturing network activities and producing network activity.
U.S. Publication No. 2015/0215177 to Pietrowicz et al teaches system and method for network traffic profiling and visualization.
9.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to DJENANE BAYARD whose telephone number is (571)272-3878.  The examiner can normally be reached on 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John Follansbee can be reached on (571)272-3964.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/DJENANE M BAYARD/Primary Examiner, Art Unit 2444