Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Summary
2.	Claims 1-6, 8-10 and 12-20 were pending.
3.	Claims 1, 10, and 16 are amended.
4.	No new claims were added and no claims were cancelled.
5.	Examiner would like to thank attorney of record Daniel Lee for considering Examiner’s proposed amendments. No agreement was reached.

Continued Examination Under 37 CFR 1.114
6.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 03/04/2021 has been entered.

Response to Arguments
7.	Applicant’s arguments filed on 02/08/2021, with respect to the 35 U.S.C. § 101 rejection of claims 1-6, 8-9, and 12-20 have been fully considered and are persuasive.  The 101 rejection of claims 1-6, 8-9, and 12-20 has been withdrawn.

8.	Applicant’s arguments filed on 02/08/2021, with respect to the 35 U.S.C § 103 rejection of claims 1-6, 8-10, and 12-20 as being unpatentable over U.S. Patent No. 9,843,596 by Averbuch (hereinafter, “Averbuch”), in view of U.S. Publication No. 2018/0089303 by Miller (hereinafter, “Miller”) and further in view of "Hidden Markov models for malware classification" (hereinafter, “Annachhatre”) have been fully considered. However, upon further consideration, a new ground(s) of rejection is made in view of amended claims.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-6, 8-10, and 12-20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 9843596 hereinafter Averbuch in view of U.S. Publication No. 20180089303 hereinafter Miller, and further in view of NPL document “Hidden Markov models for malware classification” hereinafter Annachhatre, and further in view of U.S. Publication No. 20140189159 hereinafter Morris.

As per claim 1, Averbuch discloses:
A method for processing malicious events implementing an attack analyzer (Col. 9 Lines 61-67 “FIG. 1 shows a flow chart with the main steps of a method of the invention. Step 100 represents the offline training procedure. In this step, a multi-dimensional data of an incoming data stream (also called a "training data") is received and processed using an algorithm of the invention (described in more detail below) to provide an embedding matrix.” Col. 29 Lines 49-55 “Intrusion Detection Evaluation Data (IDED) DARPA intrusion detection evaluation dataset. These datasets are the most comprehensive evaluation datasets publicly available for evaluating the performance of intrusion detection systems. In other words, they are used as benchmarks for evaluating and developing intrusion detection systems, and appear in many references.”), 
 detected by a firewall communicatively coupled between clients and a server (Col. 32 Lines 9-15 “Apache ModSecurity IDS (hereinafter MODSEC) is an open source signature-based intrusion detection and prevention engine for web applications. It is classified as a web application firewall.”), the method comprising:
(Col. 2 Lines 39-42 “An intrusion detection system attempts to detect all types of malicious network traffic and malicious computer uses (" attacks") which cannot be detected by conventional protection means such as firewalls.” Col. 30 Lines 63-67 “The governmental networks are protected using several network security tools: signature-based tools, anomaly-based tools, firewalls and proxies and VPNs. FIG. 7 describes the governmental network architecture including some of its major security tools. The governmental networks datasets were collected during several days using the tcpdump program. The resulting corpus size was of several terabytes of raw data.” Col. 32 Lines 9-15 “Apache ModSecurity IDS (hereinafter MODSEC) is an open source signature-based intrusion detection and prevention engine for web applications. It is classified as a web application firewall.”);
wherein the firewall is configured to block a request associated with the malicious event from reaching the server or generate an alert describing the request associated with the malicious event, wherein the firewall is further configured to allow requests that are determined to be legitimate to reach the server (Col. 30 Lines 63-67 and Col. 32 Lines 9-15 “Techopedia and other technical dictionaries disclose a Firewalls filter packets that attempt to enter or leave a network and either accept or reject them depending on the predefined set of filter rules. This type of firewall decides whether to accept or deny individual packets, based on examining fields in the packet's IP and protocol headers which is well known within the art without undue experimentation.)
determining a set of distances using a non-Euclidean distance function and the first set of features, the set of distances indicating levels of similarity between the first set of features and a second set of features, generating a statistical distribution object using the set of distances (Col. 12 Lines 4-8 “1. As mentioned, in step 200, the traffic analyzer is applied to the original (source) multi-dimensional data to produce a matrix whose entries are modified to be the logarithm values of the original entries. Details of step 200 are shown in the flow chart of FIG. 3.” Col. 12 Lines 49-CoL 13 Line 51 “2. Step 202 is described in more detail in the flow chart of FIG. 4. If the statistical data type is metadata, normalization Is done in step 406. If it Is payload, n-gram training is generated in step 408 and the size of the statistical matrix is reduced by consecutive application of coarse graining (step 410) followed by the application of random projection (step 412). The same sequence of operations will be used to generate the statistical matrices in the OLIDMD and OUDPL algorithms. Each column (feature vector) of the statistical matrix is normalized as follows: a. Pairwise distances between statistical matrix elements are computed to produce a similarity matrix; b. The similarity matrix is analyzed via the application of diffusion maps (RLDM) or diffusion bases (AADB). The normalized output matrix from this procedure is described by a selected group of r discriminating eigenvectors of the distances matrix, where r.gtoreq.2; c. Each column vector (which describes a feature) of the normalized output matrix is set to the selected 

Averbuch does not disclose:
wherein a non-Euclidean distance function is used to determine whether different Internet Protocol (IP) addresses included in the first set of features and second set of features are from a same or different geographical region or autonomous system
a statistical distribution object including information describing a cluster of at least the malicious event
wherein the cluster is formed based on splitting an existing cluster and adding the malicious event to a split-off of the existing cluster responsive to a determination that the malicious event is more similar to a subset of malicious events included in the existing cluster compared to other malicious events included in the existing cluster
storing information describing the statistical distribution object

Miller discloses:
a statistical distribution object including information describing a cluster of at least the malicious event and storing information describing the statistical distribution object (para 0120 “At block 318, the indexer stores the events with an associated timestamp in a data store 208. Timestamps enable a user to search para 0233 “As indicated above, in various implementations, underlying raw data is maintained for events. This allows users and the system to continue to investigate and learn valuable insights about the raw data. For example, the raw data of different events may include latent similarities, which can facilitate additional understanding of the events. These similarities can be leveraged in various ways, such as to determine that certain events correspond to the same data type, share the same schema, or otherwise have similar structure.” Para 0234 “As described herein, events can be clustered, or arranged into groups, based on the similarity between any of the various data assigned to the events, such as the raw data or other underlying data of the event. In this regard, events can be detected as similar, and thereby clustered when data assigned to the events are similar.”)
storing information describing the statistical distribution object (para 0186)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of processing a multi-dimensional data of an incoming data stream of Averbuch to include a statistical distribution object including information describing a cluster of at least the malicious event and storing information describing the statistical distribution object, as taught by Miller.


Averbuch in view of Miller does not disclose:
wherein a non-Euclidean distance function is used to determine whether different Internet Protocol (IP) addresses included in the first set of features and second set of features are from a same or different geographical region or autonomous system
wherein the cluster is formed based on splitting an existing cluster and adding the malicious event to a split-off of the existing cluster responsive to a determination that the malicious event is more similar to a subset of malicious events included in the existing cluster compared to other malicious events included in the existing cluster

Annachhatre discloses:
wherein the cluster is formed based on splitting an existing cluster and adding the malicious event to a split-off of the existing cluster responsive to a determination that the malicious event is more similar to a subset of malicious events included in the existing cluster compared to other malicious events included in the existing cluster (pg. 63, first column, 3rd and 4th bullet point, - Agglomerative versus divisive: In an agglomerative approach, each point is initially considered as a cluster in itself. The two “nearest” clusters are
In contrast, divisive is a “top down” approach where all observations start in one cluster, and splits are performed recursively as the
clustering algorithm proceeds. - Hierarchical versus partitional: As the name implies, hierarchical clustering algorithms break up the data into a hierarchy of clusters. In contrast, partitional algorithms divide the data set into mutually disjoint partitions. Hierarchical clustering algorithms produce a hierarchy of clusters called a dendogram, either by merging smaller clusters into larger ones or dividing larger clusters to smaller ones [9]. One of the most popular partitional clustering algorithms is the k-means clustering algorithm, which we now discuss in more detail.)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of processing a multi-dimensional data of an incoming data stream of Averbuch in view of Miller to include wherein the cluster is formed based on splitting an existing cluster and adding the malicious event to a split-off of the existing cluster responsive to a determination that the malicious event is more similar to a subset of malicious events included in the existing cluster compared to other malicious events included in the existing cluster, as taught by Annachhatre.
The motivation would have been to split clusters in a manner to properly sort malicious events.

Averbuch in view of Miller and Annachhatre does not disclose:
wherein a non-Euclidean distance function is used to determine whether different Internet Protocol (IP) addresses included in the first set of features and second set of features are from a same or different geographical region or autonomous system

	Morris discloses:
wherein a non-Euclidean distance function is used to determine whether different Internet Protocol (IP) addresses included in the first set of features and second set of features are from a same or different geographical region or autonomous system (para 0019 “Methods and systems are described for identifying a protocol address in a scope-specific address space. In one aspect, the method includes detecting first address information that identifies at least one of a first-second protocol address that, according to a network protocol, identifies a second node to a first node in the network and a second-first protocol address that, according to the network protocol, identifies the first node to the second node.” Para 0187 “In an aspect, a node, referred to as a first origin node, in a network in a first region having a first scope-specific address space may assign a protocol address, of a network protocol, identifying a location of a representation of the node as an origin according to a coordinate system for a metric space that includes a network topology representing the network based on the network protocol.” Para 0188 “Given a mapping rule between the first scope-specific address space and the second scope-specific address space and a mapping between the second scope-specific address space and third scope-specific address space based on a third coordinate space identifying a third origin in the metric space, a mapping from the first coordinate space to the third coordinate space may be determined. A mapping between coordinate spaces for a metric space may include a coordinate shift and/or a rotation, for example. The mapping may be pre-specified and accessible to nodes in one or both address spaces. Mapping between locations in a number of different metric spaces are well known in mathematics.” para 0190 “Exemplary metric spaces include Euclidean spaces, non-Euclidean spaces, and geometric spaces. 
A Cartesian coordinate system is an exemplary address space for a Euclidean space. Another example of a geometric address space is a geospatial address space such as used currently in geo-location services. Networks have topologies that may be represented in a geo-space including locations addressed via a geometric address space. A metric space including a network topology of a network may be multi-dimensional space. For example, nodes are included in a real-world three-dimensional space that may be associated with a geospatial address space. In one aspect, locations of nodes in a network topology in a metric space may be located based on any suitable metric. Exemplary metrics may measure and/or otherwise may be based on physical distance in the real world between nodes, data transmission times, energy unitization, network congestion, latency, and the like. Exemplary metric spaces include non-Euclidean spaces as well as Euclidean spaces.”)

The motivation would have been to utilize a non-Euclidean distance function to determine and measure data between two different IP addresses to properly assess and analyze data.

As per claim 2, Averbuch in view of Miller, Annachhatre and Morris discloses:
The method of claim 1, wherein the statistical distribution object is updated in streaming mode as malicious events are detected (Averbuch Col. 5 Lines 60- Col. 6 Line 10 “2. Detection: This is the offline or online application of automatic (unsupervised) tools which detect events (anomalies) that deviate from the normal behavior determined in the training procedure. The detection procedure classifies each newly arrived data point as either normal (belonging to a normal cluster derived in the training procedure) or abnormal (representing either intrusion or "strange" behavior). The classification is inventively done by the application of the out-of-sample extension algorithm, which provides coordinates for each newly arrived data point in the reduced 

As per claim 3, Averbuch in view of Miller, Annachhatre and Morris discloses:
The method of claim 1, wherein the second set of features describe clusters of previously detected malicious events (Averbuch Figs. 3-5 Col. 18 Line 50 -Col. 19 Line 61 and Col. 24 Lines 7-55).

As per claim 4, Averbuch in view of Miller, Annachhatre and Morris discloses:
The method of claim 3, further comprising: determining an additional set of features describing a different malicious event (Averbuch Figs. 3-5 Col. 18 Line 50 -Col. 19 Line 61 and Col. 24 Lines 7-55)
detected by the firewall (Averbuch Col. 2 Lines 39-42 “An intrusion detection system attempts to detect all types of malicious network traffic and malicious computer uses (" attacks") which cannot be detected by conventional protection means such as firewalls.” Col. 30 Lines 63-67 “The governmental networks are protected using several network security tools: signature-based tools, anomaly-based tools, firewalls and proxies and VPNs.

determining an additional set of distances using the non-Euclidean distance function and the additional set of features, the additional set of distances indicating levels of similarity between the additional set of features and the other features (Averbuch Figs. 3-5 Col. 12 Lines 4-Col. 13 Line 51 and Col. 20 Lines 13-33);
responsive to determining that a distance of the additional set of distances is less than a threshold distance: modifying another cluster to include the different malicious event (Averbuch Figs. 3-5 Col. 18 Line 50 -Col. 19 Line 61 and Col. 24 Lines 7-55)
and responsive to determining that each of the additional set of distances is greater than or equal to the threshold distance (Averbuch Col. 24, Table 8) and (Miller para 0224)
generating a new cluster including at least the different malicious event and a subset of the previously detected malicious events of one of the clusters (Averbuch Figs. 3-5 Col. 18 Line 50 -Col. 19 Line 61 and Col. 24 Lines 7-55).
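As an added illustration, and not code from the applicant or from Averbuch, Miller, Annachhatre or Morris, the Python sketch below walks through the claim 4 steps: a non-Euclidean distance over source IPs that only asks whether two addresses fall in the same region or autonomous system, a threshold test against each existing cluster, and, when every distance is at or above the threshold, a new cluster formed from the new event plus the members of the nearest cluster that are more similar to it than to the rest of that cluster. The prefix table, feature weights, threshold and events are constructed placeholders.

```python
"""Constructed illustration of the claimed cluster-assignment and split-off step."""
from dataclasses import dataclass
import ipaddress

# Constructed prefix -> (region, autonomous system) table: documentation prefixes and
# private AS numbers, not real geolocation or BGP data.
PREFIX_REGION_AS = {
    ipaddress.ip_network("203.0.113.0/24"): ("EU", "AS64500"),
    ipaddress.ip_network("198.51.100.0/24"): ("EU", "AS64501"),
    ipaddress.ip_network("192.0.2.0/24"): ("NA", "AS64502"),
}

@dataclass
class Event:
    src_ip: str
    uri: str
    signature: str

def region_as(ip):
    addr = ipaddress.ip_address(ip)
    for net, tag in PREFIX_REGION_AS.items():
        if addr in net:
            return tag
    return ("unknown", "unknown")

def ip_distance(a, b):
    """Non-Euclidean IP distance: 0 same AS, 0.5 same region but different AS, 1 otherwise."""
    (ra, asa), (rb, asb) = region_as(a), region_as(b)
    if asa == asb:
        return 0.0
    return 0.5 if ra == rb else 1.0

def event_distance(e1, e2):
    """Weighted sum of per-feature distances; the weights are assumptions of this example."""
    d_uri = 0.0 if e1.uri == e2.uri else 1.0
    d_sig = 0.0 if e1.signature == e2.signature else 1.0
    return 0.4 * ip_distance(e1.src_ip, e2.src_ip) + 0.35 * d_uri + 0.25 * d_sig

def cluster_distance(event, cluster):
    return min(event_distance(event, m) for m in cluster)

def add_event(clusters, event, threshold):
    """Join the nearest cluster if within threshold; otherwise split off the members of the
    nearest cluster that are closer to the new event than to the rest of that cluster."""
    if not clusters:
        return [[event]]
    nearest = min(clusters, key=lambda c: cluster_distance(event, c))
    if cluster_distance(event, nearest) < threshold:
        nearest.append(event)
        return clusters
    split = []
    if len(nearest) > 1:
        for m in nearest:
            d_rest = min(event_distance(m, o) for o in nearest if o is not m)
            if event_distance(m, event) < d_rest:
                split.append(m)
    for m in split:
        nearest.remove(m)
    if not nearest:
        clusters.remove(nearest)
    clusters.append(split + [event])
    return clusters

# Constructed events: three previously detected events in one cluster, then three new ones.
SEED = [Event("203.0.113.5", "/login", "sqli"), Event("198.51.100.9", "/login", "sqli"),
        Event("198.51.100.20", "/search", "sqli")]
NEW = [Event("203.0.113.40", "/login", "sqli"),   # same AS as a member: joins the cluster
       Event("198.51.100.33", "/search", "xss"),  # nearest member splits off with it
       Event("192.0.2.10", "/login", "sqli")]     # other region: cluster of its own

def run_demo(threshold=0.2):
    clusters = [list(SEED)]
    for e in NEW:
        clusters = add_event(clusters, e, threshold)
    return [[m.src_ip for m in c] for c in clusters]

if __name__ == "__main__":
    for c in run_demo():
        print(c)
```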

As per claim 5, Averbuch in view of Miller, Annachhatre and Morris discloses:


As per claim 6, Averbuch in view of Miller, Annachhatre and Morris discloses:
The method of claim 3, further comprising: responsive to generating the statistical distribution object (Averbuch Figs. 3-5),
updating the firewall to protect servers from receiving requests from a source of the malicious event (Miller para 0144, 0172, 0179, and 0226).

As per claim 8, Averbuch in view of Miller, Annachhatre and Morris discloses:
The method of claim 1, further comprising: determining, prior to determining the set of distances using the non-Euclidean distance function, groups of malicious events based at least on common features between the malicious events (Averbuch Col. 12 Line 60- Col. 13 Line 23) and (Miller para 0003).

As per claim 9, Averbuch in view of Miller, Annachhatre and Morris discloses:

by processing a plurality of clusters including at least the cluster; and modifying the plurality of clusters based on the rule (Miller para 0004, 0071, 0237, 0239, 0244, and 0261).

As per claim 10, the implementation of the method of claims 1, 4 and 7 will execute the method of claim 10. The claim is analyzed with respect to claims 1 and 4.

As per claim 12, Averbuch in view of Miller, Annachhatre and Morris discloses:
The method of claim 10, wherein generating the second plurality of clusters comprises: generating a new cluster using at least one cluster of the first plurality of clusters (Averbuch Figs. 3-5 Col. 18 Line 50 -Col. 19 Line 61 and Col. 24 Lines 7-55).

As per claim 13, Averbuch in view of Miller, Annachhatre and Morris discloses:
The method of claim 10, wherein the second plurality of clusters includes at least one cluster different from the first plurality of clusters and at least another cluster in common with the first plurality of clusters (Averbuch Figs. 3-5 Col. 18 Line 50 -Col. 19 Line 61 and Col. 24 Lines 7-55).

As per claim 14, Averbuch in view of Miller, Annachhatre and Morris discloses:
The method of claim 10, further comprising: determining a weighted sum of the first plurality of distances, the first plurality of clusters generated using the weighted sum (Miller para 0224) and (Averbuch Figs. 3-5 Col. 12 Lines 4-Col. 13 Line 51 and Col. 20 Lines 13-33).

As per claim 15, Averbuch in view of Miller, Annachhatre and Morris discloses:
The method of claim 10, wherein determining the first plurality of distances using the first non-Euclidean distance function comprises: for each pair of malicious events of the plurality of malicious events: comparing the pair of malicious events using the corresponding features of the first set of features to determine a level of similarity (Averbuch Figs. 3-5 Col. 18 Line 50 -Col. 19 Line 61 and Col. 24 Lines 7-55).

As per claim 16, the implementation of the method of claim 1 will execute the computer program product comprising a non-transitory computer readable storage medium having instructions (Miller paragraph 0078) of claim 16. The claim is analyzed with respect to claim 1.

As per claim 17, the claim is analyzed with respect to claim 2.

As per claim 18, the claim is analyzed with respect to claim 3.

As per claim 19, the claim is analyzed with respect to claim 8.

As per claim 20, the claim is analyzed with respect to claim 9.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192.  The examiner can normally be reached on Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-
/GARY S GRACIA/Primary Examiner, Art Unit 2491