DETAILED ACTION
This first non-final action is in response to applicants’ filing on 10/23/2018.  Claims 1-23 are currently pending and have been considered as follows.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Drawings
The drawings filed on 10/23/2018 are accepted.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 12/11/2018, 03/17/2020, and 11/17/2020 have been placed in the application file, and the information referred therein has been considered as to the merits.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 15-17 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 15 recites the limitation "the feedback analysis system" in line 4.  There is insufficient antecedent basis for this limitation in the claim.
Claim 16 recites the limitation "the feedback analysis system" in line 4.  There is insufficient antecedent basis for this limitation in the claim.
Claim 17 recites the limitations "the first network device" in line 2 and “the second network device” in line 3.  There is insufficient antecedent basis for these limitations in the claim.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-3, 8-11, 13-15, and 20-22 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Ferdinand et al. (US 20140173712 A1, IDS submitted 11/17/2020, hereinafter Ferdinand).
As to Claim 1:
Ferdinand discloses a system for automatically adjusting the scope of network traffic that is subject to security inspection (e.g. Ferdinand “FIGS. 2B and 2C are diagrams illustrating an exemplary process pertaining to the network security system with the customizable rule-based analytics engine. According to this exemplary process, the network security system is capable of providing application layer/service layer protection from non-malicious behavior through malicious behavior and/or another type of behavior” [0036]), comprising:
a first network device (e.g. Ferdinand any one of application devices including communication servers, communications manager, or session border controller device that includes routing functionality [0022]; router device [0031]; conferencing server device includes a network device that provides routing [0033]) that in operation provides request routing of client requests, said request routing including directing at least some client requests to a second network device for inspection (e.g. Ferdinand network security appliance [0037]) according to a first configuration (e.g. Ferdinand [0033]-[0035]), and that produces first logs of the request routing performed by the first network device (e.g. Ferdinand “Referring to FIG. 2B, assume that a public endpoint initiates a traffic flow to use the video conferencing service. The traffic flow includes signaling and media components. Network security appliance 205 performs conventional packet handling (e.g., access control lists (ACLs), firewall, distributed denial of service attacks (DDoS), routing, marking, etc.), as well as providing informational real-time logs to analytics engine device 215. According to an exemplary implementation, analytics engine device 215 includes a log handler. The log handler formats or normalizes log data received. Additionally, as illustrated, conferencing bridge device 220, one of conferencing server devices 225, and communication manager device 235 provide logs to analytics engine device 215 to the extent that the video conferencing service is provided during the session. The log handler also formats or normalizes the log data received from the service-providing devices” [0037]);
a second network device that in operation receives client requests routed by the first device to the second network device for inspection (e.g. Ferdinand network security appliance [0024] which handles user device requests and provides real-time logs to analytics engine [0025]), and inspects for network security threats at least one of: (i) the received client requests (e.g. Ferdinand “Network security appliance 205 performs conventional packet handling (e.g., access control lists (ACLs), firewall, distributed denial of service attacks (DDoS), routing, marking, etc.), as well as providing informational real-time logs to analytics engine device 215” [0037]; [0041]) and (ii) responses to the client requests generated by a remote host, said inspection being performed according to a second configuration at the second network device (e.g. Ferdinand network security appliance uses blacklist to block IP addresses [0044]; [0046]);
the second network device in operation producing second logs of the results of the inspections (e.g. Ferdinand “activity logs are obtained from the security device and the device. For example, analytics engine device 215 obtains logs from network security appliance 205 and conferencing bridge device 220, conferencing server device 225, and communication manager device 235. The logs include information pertaining to the network activity resulting from the user using the service or the application provided. The logs include information pertaining to various communication layers (e.g., network, session, etc.) of the network activity including the application layer. By way of example, the logs include information pertaining to session event times, URIs, network addresses (source, destination, network address translation information, etc.), user device type, supported codecs, action(s) performed by the security device, and action(s) performed by one or multiple application/service-providing devices that provide the service or the application to the user” [0061]);
a feedback analysis system that in operation receives the first logs and the second logs (e.g. Ferdinand analytics engine obtains logs pertaining to the user sessions from other network devices such as network security appliance and one or more other network devices that provided the service used to the user [0025]; analytics engine device [0030]), and based on processing thereof produces at least one adjustment to at least one of the first configuration and the second configuration (e.g. Ferdinand “the analytics engine updates the network security appliance so as to block the network address(es) associated with the session. For example, the analytics engine adds one or multiple entries to a blacklist, which is stored by the network security appliance, to block the user from accessing the service” [0029]; “Analytics engine device 215 obtains logs that indicate that the same user device 140 has an increasing number of failed sessions over time. In response, analytics engine device 215 generates a notification that recommends to block or to adjust the IP address routing and/or handling associated with user device 140 because of the repeated failed attempts… In response to the notification, a blacklist entry is added to network security appliance 205 to prevent the user from accessing the video conferencing service” [0046]), said at least one adjustment comprising at least one of:
a) an indication of network traffic that should be blocked at the first network device, where said network traffic was previously routed to the second network device for inspection (e.g. Ferdinand blocking of IP addresses, secure all specific resources associated with conferencing bridge device 220, conferencing server device 225, and communication manager device 235 [0040]; “Analytics engine device 215 interprets the logs in order to make a decision to notify or automate blocking of a particular offending host or IP address” [0041]; [0043]),
b) an indication of network traffic to whitelist at the first network device, where said network traffic was previously routed to the second network device for inspection, and,
c) an indication of network traffic that the first network device should route to the second network device for inspection (e.g. Ferdinand “The network security system validates the traffic flow at various layers, including the application layer, so as to protect any resource associated with the video conferencing service from unwanted consumption. Analytics engine device 215 screens the logs against the customized rule set. Analytics engine device 215 interprets the logs in order to make a decision to notify or automate blocking of a particular offending host or IP address” [0041]);
the first network device, the second network device, and the feedback analysis system comprising one or more hardware processors and memory storing computer program instructions to operate the first network device, the second network device, and the feedback analysis system as specified above (e.g. Ferdinand “FIG. 4 is a diagram illustrating exemplary components of a device 400 that may correspond to one or more of the devices depicted in the figures. As illustrated, according to an exemplary embodiment, device 400 includes a processor 405, memory/storage 410 that stores software 415, a communication interface 420, an input 425, and an output 430. According to other embodiments, device 400 may include fewer components, additional components, different components, and/or a different arrangement of components than those illustrated in FIG. 4” [0048]; “Device 400 may perform processes and/or functions, as described herein, in response to processor 405 executing software 415 stored by memory/storage 410. By way of example, the instructions may be read into memory/storage 410 from another memory/storage 410 or read into memory/storage 410 from another device via communication interface 420. The instructions stored by memory/storage 410 may cause processor 405 to perform one or more processes described herein. Alternatively, for example, according to other implementations, device 400 may perform one or more processes described herein based on fixed function hardware and/or other well-known architectures” [0056]).
As to Claim 2:
Ferdinand discloses the system of claim 1, wherein the indication of network traffic in any of (a) and (b) comprises any of: a list of domain names and a list of IP addresses (e.g. Ferdinand blocking of IP addresses [0040]; automate blocking of particular IP addresses [0044]).
As to Claim 3:
Ferdinand discloses the system of claim 1, wherein said at least one adjustment comprises: a) an indication of network traffic that should be blocked at the first network device, where said network traffic was previously routed to the second network device for inspection (e.g. Ferdinand blocking of IP addresses, secure all specific resources associated with conferencing bridge device 220, conferencing server device 225, and communication manager device 235 [0040]; “Analytics engine device 215 interprets the logs in order to make a decision to notify or automate blocking of a particular offending host or IP address” [0041]; [0043]);
wherein the adjustment is based on a determination by the feedback analysis system that inspected traffic exhibits an incidence of security violations that exceeds a threshold (e.g. Ferdinand “the analytics engine identifies whether a violation occurred during the user's session. For example, the analytics engine calculates a score by applying the customized rules to the logs. If the score is above a threshold score, then the analytics engine determines that a violation occurred” [0028]; [0063]).
As to Claim 8:
Ferdinand discloses the system of claim 1, wherein the second network device comprises a network security gateway (e.g. Ferdinand “Network security devices or appliances offer various security capabilities to prevent attacks and intrusions. Typically, a network security device attempts to detect or prevent attacks that are malicious” [0009]; [0040]; [0059]).
As to Claim 9:
Ferdinand discloses the system of claim 1, wherein the first network device and the second network device each comprise a multi-tenant device, and the first configuration and the second configuration are each associated with a first tenant (e.g. Ferdinand user(s) and service provider(s) [0021]; [0058]) and applicable to traffic associated with the first tenant, the first and second network devices operable to store third and fourth configurations (e.g. Ferdinand customized rules [0039]; [0045]), respectively, that are each associated with a second tenant (e.g. Ferdinand “Depending on the device providing a log to analytics engine device 215, the log may include various types of information associated with various layers of traffic flow activity. By way of example, the log may include information pertaining to session event times, dialed URI or digits (e.g., user, host, tags), calling URI or digits (e.g., user, host, tags), network addresses (e.g., source address, destination address, etc.), network address translation information, if present, user device type, supported codecs, action(s) performed by the network security appliance 205, actions performed by network security appliance 205 (e.g., port blocked, etc.), and actions performed by conference bridge device 220, conferencing server device 225, and communication manager device 235 (e.g., incomplete session, invalid session, digits, etc.)” [0038]; “analytics engine device 215 uses timers and counters for each log in order to associate the received logs against a particular IP address, a range of IP addresses, a user identity, a time window, or some other parameter. For example, according to an exemplary implementation, analytics engine device 215 includes a rotating database that stores the timers and the counters and compares them against historical data. Analytics engine device 215 cyclically applies the customized rules against the new historical log data received. Analytics engine device 215 determines whether a violation has occurred” [0042]).
As to Claim 10:
Ferdinand discloses the system of claim 9, wherein the first tenant comprises any of: a particular enterprise (e.g. Ferdinand enterprise site [0027]) and a particular internet service provider (e.g. Ferdinand “Network 105 may be associated with a service provider that provides a service or an application” [0021]; [0058]).
As to Claim 11:
Ferdinand discloses the system of claim 1, wherein at least one of the first configuration and the second configuration comprises any of: a list of domain names and a list of IP addresses (e.g. Ferdinand network security appliance stores multiple entries to a blacklist of IP network addresses [0029]; [0040]; “when network security appliance 205 includes an entry in a blacklist to block an IP address(s) or range of IP addresses, access and use of the service or the application is prevented” [0066]).
As to Claim 13:
Ferdinand discloses a method for automatically adjusting the scope of network traffic that is subject to security inspection by a network security system (e.g. Ferdinand “FIGS. 2B and 2C are diagrams illustrating an exemplary process pertaining to the network security system with the customizable rule-based analytics engine. According to this exemplary process, the network security system is capable of providing application layer/service layer protection from non-malicious behavior through malicious behavior and/or another type of behavior” [0036]), the method performed by the network security system having one or more computers comprising one or more hardware processors and memory storing computer program instructions to perform the method above (e.g. Ferdinand “FIG. 4 is a diagram illustrating exemplary components of a device 400 that may correspond to one or more of the devices depicted in the figures. As illustrated, according to an exemplary embodiment, device 400 includes a processor 405, memory/storage 410 that stores software 415, a communication interface 420, an input 425, and an output 430. According to other embodiments, device 400 may include fewer components, additional components, different components, and/or a different arrangement of components than those illustrated in FIG. 4” [0048]; “Device 400 may perform processes and/or functions, as described herein, in response to processor 405 executing software 415 stored by memory/storage 410. By way of example, the instructions may be read into memory/storage 410 from another memory/storage 410 or read into memory/storage 410 from another device via communication interface 420. The instructions stored by memory/storage 410 may cause processor 405 to perform one or more processes described herein. Alternatively, for example, according to other implementations, device 400 may perform one or more processes described herein based on fixed function hardware and/or other well-known architectures” [0056]), the method comprising:
providing request routing of client requests, said request routing including directing at least some client requests to a network device for inspection according to a first configuration (e.g. Ferdinand “Referring to FIG. 2B, assume that a public endpoint initiates a traffic flow to use the video conferencing service. The traffic flow includes signaling and media components. Network security appliance 205 performs conventional packet handling (e.g., access control lists (ACLs), firewall, distributed denial of service attacks (DDoS), routing, marking, etc.), as well as providing informational real-time logs to analytics engine device 215. According to an exemplary implementation, analytics engine device 215 includes a log handler. The log handler formats or normalizes log data received. Additionally, as illustrated, conferencing bridge device 220, one of conferencing server devices 225, and communication manager device 235 provide logs to analytics engine device 215 to the extent that the video conferencing service is provided during the session. The log handler also formats or normalizes the log data received from the service-providing devices” [0037]);
producing first logs of the request routing performed (e.g. Ferdinand “Additionally, as illustrated, conferencing bridge device 220, one of conferencing server devices 225, and communication manager device 235 provide logs to analytics engine device 215 to the extent that the video conferencing service is provided during the session. The log handler also formats or normalizes the log data received from the service-providing devices” [0037]);
receiving client requests routed to the network device for inspection (e.g. Ferdinand network security appliance [0024] which handles user device requests and provides real-time logs to analytics engine [0025]), and inspecting for network security threats (e.g. Ferdinand “Network security appliance 205 performs conventional packet handling (e.g., access control lists (ACLs), firewall, distributed denial of service attacks (DDoS), routing, marking, etc.), as well as providing informational real-time logs to analytics engine device 215” [0037]; [0041]) at least one of: (i) the received client requests and (ii) responses to the client requests generated by a remote host, said inspection being performed according to a second configuration (e.g. Ferdinand network security appliance uses blacklist to block IP addresses [0044]; [0046]);
producing second logs of the results of the inspections (e.g. Ferdinand “activity logs are obtained from the security device and the device. For example, analytics engine device 215 obtains logs from network security appliance 205 and conferencing bridge device 220, conferencing server device 225, and communication manager device 235. The logs include information pertaining to the network activity resulting from the user using the service or the application provided. The logs include information pertaining to various communication layers (e.g., network, session, etc.) of the network activity including the application layer. By way of example, the logs include information pertaining to session event times, URIs, network addresses (source, destination, network address translation information, etc.), user device type, supported codecs, action(s) performed by the security device, and action(s) performed by one or multiple application/service-providing devices that provide the service or the application to the user” [0061]);
receiving the first logs and the second logs (e.g. Ferdinand analytics engine obtains logs pertaining to the user sessions from other network devices such as network security appliance and one or more other network devices that provided the service used to the user [0025]; analytics engine device [0030]), and based on processing thereof producing at least one adjustment to at least one of the first configuration and the second configuration (e.g. Ferdinand “the analytics engine updates the network security appliance so as to block the network address(es) associated with the session. For example, the analytics engine adds one or multiple entries to a blacklist, which is stored by the network security appliance, to block the user from accessing the service” [0029]; “Analytics engine device 215 obtains logs that indicate that the same user device 140 has an increasing number of failed sessions over time. In response, analytics engine device 215 generates a notification that recommends to block or to adjust the IP address routing and/or handling associated with user device 140 because of the repeated failed attempts… In response to the notification, a blacklist entry is added to network security appliance 205 to prevent the user from accessing the video conferencing service” [0046]), said at least one adjustment comprising at least one of:
a) an indication of network traffic that should be blocked, where said network traffic was previously routed to the network device for inspection (e.g. Ferdinand blocking of IP addresses, secure all specific resources associated with conferencing bridge device 220, conferencing server device 225, and communication manager device 235 [0040]; “Analytics engine device 215 interprets the logs in order to make a decision to notify or automate blocking of a particular offending host or IP address” [0041]; [0043]),
b) an indication of network traffic to whitelist, where said network traffic was previously routed to the network device for inspection, and,
c) an indication of network traffic to be routed to the network device for inspection (e.g. Ferdinand “The network security system validates the traffic flow at various layers, including the application layer, so as to protect any resource associated with the video conferencing service from unwanted consumption. Analytics engine device 215 screens the logs against the customized rule set. Analytics engine device 215 interprets the logs in order to make a decision to notify or automate blocking of a particular offending host or IP address” [0041]).


As to Claim 14:
Ferdinand discloses the method of claim 13, wherein the indication of network traffic in any of (a) and (b) comprises any of: a list of domain names and a list of IP addresses (e.g. Ferdinand blocking of IP addresses [0040]; automate blocking of particular IP addresses [0044]).
As to Claim 15:
Ferdinand discloses the method of claim 13, wherein said at least one adjustment comprises: a) an indication of network traffic that should be blocked, where said network traffic was previously routed to the network device for inspection (e.g. Ferdinand blocking of IP addresses, secure all specific resources associated with conferencing bridge device 220, conferencing server device 225, and communication manager device 235 [0040]; “Analytics engine device 215 interprets the logs in order to make a decision to notify or automate blocking of a particular offending host or IP address” [0041]; [0043]);
wherein the adjustment is based on a determination by the feedback analysis system that inspected traffic exhibits an incidence of security violations that exceeds a threshold (e.g. Ferdinand “the analytics engine identifies whether a violation occurred during the user's session. For example, the analytics engine calculates a score by applying the customized rules to the logs. If the score is above a threshold score, then the analytics engine determines that a violation occurred” [0028]; [0063]).


As to Claim 20:
Ferdinand discloses the method of claim 13, wherein the network device comprises a network security gateway (e.g. Ferdinand “Network security devices or appliances offer various security capabilities to prevent attacks and intrusions. Typically, a network security device attempts to detect or prevent attacks that are malicious” [0009]; [0040]; [0059]).
As to Claim 21:
Ferdinand discloses the method of claim 13, wherein the first configuration and the second configuration are each associated with a first tenant (e.g. Ferdinand user(s) and service provider(s) [0021]; [0058]) and applicable to traffic associated with the first tenant, the first and second network devices operable to store third and fourth configurations (e.g. Ferdinand customized rules [0039]; [0045]), respectively, that are each associated with a second tenant (e.g. Ferdinand “Depending on the device providing a log to analytics engine device 215, the log may include various types of information associated with various layers of traffic flow activity. By way of example, the log may include information pertaining to session event times, dialed URI or digits (e.g., user, host, tags), calling URI or digits (e.g., user, host, tags), network addresses (e.g., source address, destination address, etc.), network address translation information, if present, user device type, supported codecs, action(s) performed by the network security appliance 205, actions performed by network security appliance 205 (e.g., port blocked, etc.), and actions performed by conference bridge device 220, conferencing server device 225, and communication manager device 235 (e.g., incomplete session, invalid session, digits, etc.)” [0038]; “analytics engine device 215 uses timers and counters for each log in order to associate the received logs against a particular IP address, a range of IP addresses, a user identity, a time window, or some other parameter. For example, according to an exemplary implementation, analytics engine device 215 includes a rotating database that stores the timers and the counters and compares them against historical data. Analytics engine device 215 cyclically applies the customized rules against the new historical log data received. Analytics engine device 215 determines whether a violation has occurred” [0042]).
As to Claim 22:
Ferdinand discloses the method of claim 13, wherein at least one of the first configuration and the second configuration comprises any of: a list of domain names and a list of IP addresses (e.g. Ferdinand network security appliance stores multiple entries to a blacklist of IP network addresses [0029]; [0040]; “when network security appliance 205 includes an entry in a blacklist to block an IP address(s) or range of IP addresses, access and use of the service or the application is prevented” [0066]).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 6 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Ferdinand in view of Pope et al. (US 20140304803 A1, hereinafter Pope).
As to Claim 6:
Ferdinand discloses the system of claim 1, but does not specifically disclose:
the adjustment is associated with an expiration time.
However, the analogous art Pope does disclose the adjustment is associated with an expiration time (e.g. Pope a temporary rule is set up for packet stream, associated with a time period [0185]; temporary rule associated with action of sending packets to a further auditing entity [0186]; time period for which the set up temporary rule is valid has not expired [0188]).  Ferdinand and Pope are analogous art because they are from the same field of endeavor in network traffic management (e.g. see Pope, “At step 702, a temporary rule, for example a filter, is set up for the packet stream. The rule may for example explicitly identify the packet or packet stream and indicate that communication is allowed on a temporary basis. This temporary rule may be for example associated with a time period” [0185]; [0186]; “At step 704, it is determined whether the temporary rule is still valid. For example… if the time period for which the temporary rule is valid has not expired” [0188]).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Ferdinand and Pope before him or her, to modify the invention of Ferdinand with the teachings of Pope to include the adjustment is associated with an expiration time as claimed because Ferdinand provides network security devices with multiple security capabilities to monitor traffic flow activity by processing real-time logs that are sent to an analytics engine device for adjusting network security appliances for desired operations (Ferdinand e.g. [Abstract]; [0009]; [0040]) which could include temporary rule set up with expiration time periods (Pope [0185]; [0186]; [0188]).  The suggestion/motivation for doing so would have been so that a stream may be audited for undesirable behavior or alternatively may be allowed until a control application determines whether or not the communication may be allowed (Pope [0183]-[0187]).  Therefore, it would have been obvious to combine Ferdinand and Pope to obtain the invention as specified in the instant claim(s).
As to Claim 18:
Ferdinand discloses the method of claim 13, but does not specifically disclose:
the adjustment is associated with an expiration time.
Pope does disclose the adjustment is associated with an expiration time (e.g. Pope: a temporary rule is set up for a packet stream and associated with a time period [0185]; the temporary rule is associated with an action of sending packets to a further auditing entity [0186]; the temporary rule remains valid while the time period for which it is valid has not expired [0188]).  Ferdinand and Pope are analogous art because they are from the same field of endeavor in network traffic management.
(e.g. see Pope, “At step 702, a temporary rule, for example a filter, is set up for the packet stream. The rule may for example explicitly identify the packet or packet stream and indicate that communication is allowed on a temporary basis. This temporary rule may be for example associated with a time period” [0185]; “The temporary rule may additionally be associated with an action. For example the packet stream may be audited by duplicating the packets and sending them to a further auditing entity” [0186]; “At step 704, it is determined whether the temporary rule is still valid. For example… if the time period for which the temporary rule is valid has not expired” [0188]).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Ferdinand and Pope before him or her, to modify the invention of Ferdinand with the teachings of Pope to include the adjustment is associated with an expiration time as claimed because Ferdinand provides network security devices with multiple security capabilities to monitor traffic flow activity by processing real-time logs that are sent to an analytics engine device for adjusting network security appliances for desired operations (Ferdinand e.g. [Abstract]; [0009]; [0040]) which could include temporary rule set up (Pope [0185]; [0186]; [0188]).  The suggestion/motivation for doing so would have been so that a stream may be audited for undesirable behavior or alternatively may be allowed until a control application determines whether or not the communication may be allowed (Pope [0183]-[0187]).  Therefore, it would have been obvious to combine Ferdinand and Pope to obtain the invention as specified in the instant claim(s).
Claims 7 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Ferdinand in view of Jakobsson (US 20180091453 A1, IDS submitted 11/17/2020).
As to Claim 7:
Ferdinand discloses the system of claim 1, but does not specifically disclose:
wherein the first network device comprises a DNS server.
However, the analogous art Jakobsson does teach wherein the first network device comprises a DNS server (Jakobsson, “determining the measure of global reputation for the sender includes analyzing domain registration history and Domain Name System (i.e., DNS) activity of the sender… In some embodiments, determining the measure of global reputation includes utilizing a component factor value determined based on the domain registration history and DNS activity analysis (e.g., add, multiply, subtract, etc. using the factor value). For example, the factor value is based at least in part on a length of time since registration of a domain of the sender, an amount of time between registration of the domain and a first use of the domain to send a message, Internet content (e.g., webpage) located at a URI utilizing the domain of the sender, an entity that registered the domain of the sender, etc” [0083]).  Ferdinand and Jakobsson are analogous art because they are from the same field of endeavor in network monitoring.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Ferdinand, in which network security devices provide multiple security capabilities to monitor traffic flow activity at an application layer with logs included to prevent attacks and intrusions (Ferdinand e.g. [Abstract]; [0009]), with the teachings of Jakobsson ([0083]) to include the DNS analysis system, for the purpose of allowing the recipient to access non-risky components while the second-phase filtering is performed; once the filtering is brought to a decision, the neutralization will be reverted and blocking action will follow (Jakobsson [0083]).
As to Claim 19:
Ferdinand discloses the method of claim 13, but does not specifically disclose:
wherein the requesting routing is provided by a DNS server.
However, the analogous art Jakobsson does teach wherein the requesting routing is provided by a DNS server (Jakobsson, “determining the measure of global reputation for the sender includes analyzing domain registration history and Domain Name System (i.e., DNS) activity of the sender… In some embodiments, determining the measure of global reputation includes utilizing a component factor value determined based on the domain registration history and DNS activity analysis (e.g., add, multiply, subtract, etc. using the factor value). For example, the factor value is based at least in part on a length of time since registration of a domain of the sender, an amount of time between registration of the domain and a first use of the domain to send a message, Internet content (e.g., webpage) located at a URI utilizing the domain of the sender, an entity that registered the domain of the sender, etc” [0083]).  Ferdinand and Jakobsson are analogous art because they are from the same field of endeavor in network monitoring.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Ferdinand, in which network security devices provide multiple security capabilities to monitor traffic flow activity at an application layer with logs included to prevent attacks and intrusions (Ferdinand e.g. [Abstract]; [0009]), with the teachings of Jakobsson ([0083]) to include the DNS analysis system, for the purpose of allowing the recipient to access non-risky components while the second-phase filtering is performed; once the filtering is brought to a decision, the neutralization will be reverted and blocking action will follow (Jakobsson [0083]).
Claims 12 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Ferdinand in view of Di Pietro et al. (US 20170099310 A1, hereinafter Di Pietro).
As to Claim 12:
Ferdinand discloses the system of claim 1, but does not specifically disclose:
the feedback analysis system comprises a machine learning component that ingests data derived from the first and second logs to produce the at least one adjustment, which comprises: c) an indication of network traffic that the first network device should route to the second network device for inspection.
However, the analogous art DI PIETRO does disclose the feedback analysis system comprises a machine learning component (e.g. DI PIETRO machine learning-based anomaly detector [0014] that takes as input empirical data such as network statistics and performance indicators [0044]; DLA monitors network conditions (router states, traffic flows) using machine learning models and performs local mitigation actions [0049]) that ingests data derived from the first and second logs to produce the at least one adjustment (e.g. DI PIETRO architecture implements a control mechanism that uses feedback to dynamically adjust which packets are captured and analyzed using deep packet inspection [0077]), which comprises: c) an indication of network traffic that the first network device should route to the second network device for inspection (e.g. DI PIETRO CCC may change the packet capture criteria for inspection and cause the control enforcer process to adjust which packets are captured for further inspection [0075]; SCA may adjust which packets are captured for deep packet inspection by the DLA [0078]).  Ferdinand and DI PIETRO are analogous art because they are from the same field of endeavor in network traffic management.
(e.g. see DI PIETRO, “a device in a network receives an anomaly detection result from a machine learning-based anomaly detector. The anomaly detection result is based in part on one or more traffic metrics and based in part on deep packet inspection results for a first set of packets. The first set of packets is captured based on a first packet capture criterion. The device determines a second packet capture criterion. The device causes, using the second packet capture criterion, a second set of packets to be captured for deep packet inspection and results of the deep packet inspection of the second set of packets to be used as input to the machine learning-based anomaly detector” [0014]; “SLN process 248 may utilize machine learning techniques, to perform anomaly detection in the network. In general, machine learning is concerned with the design and the development of techniques that take as input empirical data (such as network statistics and performance indicators), and recognize complex patterns in these data” [0044]; “A DLA may be configured to monitor network conditions (e.g., router states, traffic flows, etc.), perform anomaly detection on the monitored data using one or more machine learning models, report detected anomalies to the SCA, and/or perform local mitigation actions” [0049]; [0071]; [0072]; “the CCC may change the packet capture criteria for deep packet inspection by providing control instructions to the CCE, which is responsible for reconfiguring the packet capture on the fly. For example, as shown, capture control process 247 may provide a packet inspection/capture adjustment 414 to control enforcer process 249, which causes control enforcer process 249 to adjust which packets are captured for further inspection by packet inspection process 245” [0075]; “architecture 400 implements a control mechanism that uses feedback to dynamically adjust which packets are captured and analyzed using deep packet inspection, for input to an anomaly detector” [0077]).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Ferdinand and DI PIETRO before him or her, to modify the invention of Ferdinand with the teachings of DI PIETRO to include the feedback analysis system comprises a machine learning component that ingests data derived from the first and second logs to produce the at least one adjustment, which comprises: c) an indication of network traffic that the first network device should route to the second network device for inspection as claimed because Ferdinand provides network security devices with multiple security capabilities to monitor traffic flow activity by processing real-time logs that are sent to an analytics engine device (Ferdinand e.g. [Abstract]; [0009]; [0040]) which could include machine learning models for monitoring the data to make adjustments as to which packets are captured for further inspection (DI PIETRO [0014]; [0044]; [0075]; [0077]).  The suggestion/motivation for doing so would have been to improve the precision and sensitivity of an anomaly detector that relies on the results of the deep packet inspection by dynamically controlling which subset of packets are inspected (DI PIETRO [0108]).  Therefore, it would have been obvious to combine Ferdinand and DI PIETRO to obtain the invention as specified in the instant claim(s).
As to Claim 23:
Ferdinand discloses the method of claim 13, but does not specifically disclose:
the network security system uses a machine learning component to ingest data derived from the first and second logs to produce the at least one adjustment, which comprises: c) an indication of network traffic that should be routed to the network device for inspection.
However, the analogous art DI PIETRO does disclose the network security system uses a machine learning component (e.g. DI PIETRO machine learning-based anomaly detector [0014] that takes as input empirical data such as network statistics and performance indicators [0044]; DLA monitors network conditions (router states, traffic flows) using machine learning models and performs local mitigation actions [0049]) to ingest data derived from the first and second logs to produce the at least one adjustment (e.g. DI PIETRO architecture implements a control mechanism that uses feedback to dynamically adjust which packets are captured and analyzed using deep packet inspection [0077]), which comprises: c) an indication of network traffic that should be routed to the network device for inspection (e.g. DI PIETRO CCC may change the packet capture criteria for inspection and cause the control enforcer process to adjust which packets are captured for further inspection [0075]; SCA may adjust which packets are captured for deep packet inspection by the DLA [0078]).  Ferdinand and DI PIETRO are analogous art because they are from the same field of endeavor in network traffic management.
(e.g. see DI PIETRO, “a device in a network receives an anomaly detection result from a machine learning-based anomaly detector. The anomaly detection result is based in part on one or more traffic metrics and based in part on deep packet inspection results for a first set of packets. The first set of packets is captured based on a first packet capture criterion. The device determines a second packet capture criterion. The device causes, using the second packet capture criterion, a second set of packets to be captured for deep packet inspection and results of the deep packet inspection of the second set of packets to be used as input to the machine learning-based anomaly detector” [0014]; “SLN process 248 may utilize machine learning techniques, to perform anomaly detection in the network. In general, machine learning is concerned with the design and the development of techniques that take as input empirical data (such as network statistics and performance indicators), and recognize complex patterns in these data” [0044]; “A DLA may be configured to monitor network conditions (e.g., router states, traffic flows, etc.), perform anomaly detection on the monitored data using one or more machine learning models, report detected anomalies to the SCA, and/or perform local mitigation actions” [0049]; [0071]; [0072]; “the CCC may change the packet capture criteria for deep packet inspection by providing control instructions to the CCE, which is responsible for reconfiguring the packet capture on the fly. For example, as shown, capture control process 247 may provide a packet inspection/capture adjustment 414 to control enforcer process 249, which causes control enforcer process 249 to adjust which packets are captured for further inspection by packet inspection process 245” [0075]; “architecture 400 implements a control mechanism that uses feedback to dynamically adjust which packets are captured and analyzed using deep packet inspection, for input to an anomaly detector” [0077]).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Ferdinand and DI PIETRO before him or her, to modify the invention of Ferdinand with the teachings of DI PIETRO to include the network security system uses a machine learning component to ingest data derived from the first and second logs to produce the at least one adjustment, which comprises: c) an indication of network traffic that should be routed to the network device for inspection as claimed because Ferdinand provides network security devices with multiple security capabilities to monitor traffic flow activity by processing real-time logs that are sent to an analytics engine device (Ferdinand e.g. [Abstract]; [0009]; [0040]) which could include machine learning models for monitoring the data to make adjustments as to which packets are captured for further inspection (DI PIETRO [0014]; [0044]; [0075]; [0077]).  The suggestion/motivation for doing so would have been to improve the precision and sensitivity of an anomaly detector that relies on the results of the deep packet inspection by dynamically controlling which subset of packets are inspected (DI PIETRO [0108]).  Therefore, it would have been obvious to combine Ferdinand and DI PIETRO to obtain the invention as specified in the instant claim(s).
Allowable Subject Matter
Claims 4, 5, 16, and 17 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims and amended to overcome the 35 U.S.C. 112(b) rejection.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicants’ disclosure.
Afek et al. (US 20020083175 A1)
Neves et al. (US 20060276209 A1)
Neystadt et al. (US 20080244748 A1)
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kenneth W Chang whose telephone number is (571)270-7530.  The examiner can normally be reached on Monday - Friday 9-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on 571-272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/KENNETH W CHANG/Primary Examiner, Art Unit 2438
03.10.2021