DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This Office Action is in response to Application filed on July 26, 2019 in which claims 1-20 are presented for examination.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Reves US Publication No. 2007/0064617.

by providing a traffic anomaly analysis for the detection of aberrant network code (See Reves Title, Abstract; Paragraph 0001 describing techniques for detecting the presence of aberrant code in a computer network), comprising: “identifying a first one of a plurality of network nodes as infected” (Paragraph 0019 describing a method for detecting nodes in an enterprise network infected with aberrant code); “collecting a first set of network data from the first network node including one or more anomalous activities performed by the first network node” (through the data collector, Figure 7, Components 110, 114); “generating an anomalous behavior model using the first set of network data” (Paragraph 0019 describing determining normal behavior associated with one or more traffic conversation factors from the traffic conversation information, and analyzing the traffic conversation information to identify nodes in the enterprise network that exhibit behavior outside of the normal behavior associated with the one or more traffic conversation factors as suspected infected nodes); “collecting a second set of network data from a second one of the plurality of network nodes including one or more anomalous activities performed by the second network node” (through the data collector, Figure 7, Components 110, 114); “comparing the second set of data to the generated anomalous behavior model” (Figure 7, Component 119; Paragraph 0073 describing a threshold comparator 119 that compares a metric associated with an attribute for each source in the traffic conversation information matrix 8 to the current normal threshold 126 to determine whether the attribute of the corresponding source host is out of the "normal" operating range; if so, the threshold processor 124 may add the source host 128 to the list 130 of "suspected infected" source hosts); “determining, from the comparison, that a similarity between a first characteristic associated with the one or more anomalous activities performed by the first network node and a second characteristic associated with the one or more anomalous activities performed by the second network node exceeds a predefined threshold” (Figure 8, Paragraphs 0074-0075 describing that conversation sizes are also analyzed at this point to identify conversations that are mostly similar in size, that is, conversations whose standard deviation is low, and that suspected infected nodes are ranked based upon this initial analysis); and “ascertaining, based on the determination, the second network node as an infected network node” by providing a method for detecting nodes in an enterprise network infected with aberrant code in which traffic conversation information representative of traffic conversation in the enterprise network over an analysis period is obtained. Analysis of the obtained traffic conversation information identifies suspected infected nodes in the enterprise network that exhibit behavior outside of the normal behavior associated with the one or more traffic conversation factors. Anomaly analysis may be performed on traffic conversation information associated with the suspected infected nodes to identify any existing infected nodes in the enterprise network (See Reves Title, Abstract; Figure 6; Paragraph 0069).

As per claim 2, Reves discloses “determining a first timestamp corresponding to when the first network node is identified as infected” (Paragraphs 0013, 0033, 0102); and “collecting the first set of network data to include the one or more anomalous activities” (Figures 11, 12, 13; Paragraphs 0033, 0034, 0035).

As per claim 3, Reves discloses “wherein the first characteristic includes at least one of a recurring interval of the one or more anomalous activities performed by the first network node or an occurrence time of each of the one or more anomalous activities performed by the first network node, and the second characteristic includes at least one of a recurring interval of the one or more anomalous activities performed by the first network node and an occurrence time of each of the one or more anomalous activities performed by the second network node” (Paragraphs 0033-0035, 0090, 0100-0103).

As per claim 4, Reves discloses “wherein the first characteristic includes a data size of the first set of network data, and the second characteristic includes a data size of the second set of network data” (Paragraphs 17, 57, 66).

As per claim 5, Reves discloses “wherein the first characteristic includes a data type of the first set of network data, and the second characteristic includes a data type of the second set of network data” (Paragraphs 66, 67, 75, 81, 83, 98, 99).

As per claim 6, Reves discloses “wherein the first characteristic includes a destination point to which the first set of network data is transmitted, and the second characteristic includes a destination point to which the second set of network data is transmitted” (Paragraphs 0012, 0017, 0021, 0037, 0044).

As per claim 7, Reves discloses “communicating with a threat detection system to ascertain that the first network node is infected prior to collecting the first set of network data” (Paragraphs 0007, 0017, 0053-0059).
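The steps recited in claims 1 through 7 above (identify a node already known to be infected, collect its anomalous activities near the infection timestamp, generate a behavior model from them, compare a second node's anomalous activities against that model on recurring interval, data size, data type and destination point, and ascertain the second node as infected when the similarity exceeds a predefined threshold) can be illustrated in code. The following Python program is an added example written for this page; it is not code from the application under examination or from Reves US 2007/0064617. The record layout, the scoring rules (one linear closeness score per characteristic, averaged into a single similarity value), the 0.75 threshold, the 300-second collection window and the sample activities are all assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import FrozenSet, List


@dataclass(frozen=True)
class Activity:
    """One anomalous activity observed at a node (constructed record shape, an assumption)."""
    timestamp: float    # seconds since an arbitrary epoch
    size: int           # bytes transferred (claim 4: data size)
    data_type: str      # e.g. "dns", "http" (claim 5: data type)
    destination: str    # "host:port" the data was sent to (claim 6: destination point)


@dataclass(frozen=True)
class BehaviorModel:
    """Anomalous behavior model generated from the first (known infected) node's data."""
    mean_interval: float           # claim 3: recurring interval between the activities
    mean_size: float
    size_cv: float                 # stdev/mean of sizes: low when conversations are similar in size
    data_types: FrozenSet[str]
    destinations: FrozenSet[str]


def window_activities(activities: List[Activity], infected_at: float, window: float) -> List[Activity]:
    """Claim 2: keep only activities whose timestamp is close to the infection timestamp."""
    return [a for a in activities if abs(a.timestamp - infected_at) <= window]


def _mean_interval(activities: List[Activity]) -> float:
    ts = sorted(a.timestamp for a in activities)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    return mean(gaps) if gaps else 0.0


def _size_cv(activities: List[Activity]) -> float:
    sizes = [a.size for a in activities]
    m = mean(sizes)
    return pstdev(sizes) / m if m else 0.0


def build_model(activities: List[Activity]) -> BehaviorModel:
    """Generate the anomalous behavior model from the first node's anomalous activities."""
    if not activities:
        raise ValueError("cannot build a model from an empty activity set")
    return BehaviorModel(
        mean_interval=_mean_interval(activities),
        mean_size=mean([a.size for a in activities]),
        size_cv=_size_cv(activities),
        data_types=frozenset(a.data_type for a in activities),
        destinations=frozenset(a.destination for a in activities),
    )


def _jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def _closeness(observed: float, reference: float) -> float:
    """1.0 when equal, falling linearly to 0.0 once the difference reaches the reference value."""
    scale = max(abs(reference), 1e-9)
    return 1.0 - min(1.0, abs(observed - reference) / scale)


def similarity(model: BehaviorModel, activities: List[Activity]) -> float:
    """Compare a second node's anomalous activities to the model; returns a score in [0, 1]."""
    if not activities:
        return 0.0
    scores = [
        _closeness(_mean_interval(activities), model.mean_interval),
        _closeness(mean([a.size for a in activities]), model.mean_size),
        1.0 - min(1.0, abs(_size_cv(activities) - model.size_cv)),
        _jaccard(frozenset(a.data_type for a in activities), model.data_types),
        _jaccard(frozenset(a.destination for a in activities), model.destinations),
    ]
    return mean(scores)


def is_infected(model: BehaviorModel, activities: List[Activity], threshold: float = 0.75) -> bool:
    """Ascertain the second node as infected when the similarity exceeds the predefined threshold."""
    return similarity(model, activities) > threshold


# Constructed sample data (assumptions, not taken from the page); addresses are documentation ranges.
NODE_A = [  # identified as infected at t=1120 by a separate threat detection system (claim 7)
    Activity(1000, 512, "dns", "198.51.100.7:53"),
    Activity(1060, 520, "dns", "198.51.100.7:53"),
    Activity(1120, 508, "dns", "198.51.100.7:53"),
    Activity(1180, 516, "dns", "198.51.100.7:53"),
    Activity(1240, 512, "dns", "198.51.100.7:53"),
    Activity(5000, 9000, "http", "203.0.113.5:80"),   # far from the infection time; dropped by the window
]
NODE_B = [  # same 60-second cadence, similar sizes, same destination: should match the model
    Activity(2000, 514, "dns", "198.51.100.7:53"),
    Activity(2060, 510, "dns", "198.51.100.7:53"),
    Activity(2120, 518, "dns", "198.51.100.7:53"),
    Activity(2180, 512, "dns", "198.51.100.7:53"),
]
NODE_C = [  # irregular timing, widely varying sizes, different type and destinations: should not match
    Activity(3000, 120000, "http", "203.0.113.10:443"),
    Activity(3007, 8000, "http", "203.0.113.11:443"),
    Activity(3300, 45000, "http", "203.0.113.12:80"),
    Activity(3301, 300, "http", "203.0.113.12:80"),
]


def demo() -> dict:
    """Run the claimed procedure end to end on the constructed nodes."""
    model = build_model(window_activities(NODE_A, infected_at=1120, window=300))
    return {name: (round(similarity(model, acts), 3), is_infected(model, acts))
            for name, acts in (("B", NODE_B), ("C", NODE_C))}


if __name__ == "__main__":
    print(demo())
```

Each characteristic contributes one score, so a node that matches on cadence and destination but differs in size is still ranked, not discarded, which mirrors the ranking of suspected nodes described for Reves; the threshold is where the operational decision sits, and in practice it is tuned against the false-positive rate the analyst is prepared to review.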

Regarding claim 8, Reves discloses “a computing device (Figure 1; Paragraphs 0023, 0053) comprising: a memory; and one or more processors operatively coupled to the memory,” by providing a traffic anomaly analysis for the detection of aberrant network code (See Reves Title, Abstract; Paragraph 0001 describing techniques for detecting the presence of aberrant code in a computer network), the one or more processors being to: “identify a first one of a plurality of network nodes as infected” (Paragraph 0019 describing a method for detecting nodes in an enterprise network infected with aberrant code); “collect a first set of network data from the first network node including one or more anomalous activities performed by the first network node” (through the data collector, Figure 7, Components 110, 114); “generate an anomalous behavior model using the first set of network data” (Paragraph 0019 describing determining normal behavior associated with one or more traffic conversation factors from the traffic conversation information, and analyzing the traffic conversation information to identify nodes in the enterprise network that exhibit behavior outside of the normal behavior associated with the one or more traffic conversation factors as suspected infected nodes); “collect a second set of network data from a second one of the plurality of network nodes including one or more anomalous activities performed by the second network node” (through the data collector, Figure 7, Components 110, 114); “compare the second set of data to the generated anomalous behavior model” (Figure 7, Component 119; Paragraph 0073 describing a threshold comparator 119 that compares a metric associated with an attribute for each source in the traffic conversation information matrix 8 to the current normal threshold 126 to determine whether the attribute of the corresponding source host is out of the "normal" operating range; if so, the threshold processor 124 may add the source host 128 to the list 130 of "suspected infected" source hosts); “determine, from the comparison, that a similarity between a first characteristic associated with the one or more anomalous activities performed by the first network node and a second characteristic associated with the one or more anomalous activities performed by the second network node exceeds a predefined threshold” (Figure 8, Paragraphs 0074-0075 describing that conversation sizes are also analyzed at this point to identify conversations that are mostly similar in size, that is, conversations whose standard deviation is low, and that suspected infected nodes are ranked based upon this initial analysis); and “ascertain, based on the determination, the second network node as an infected network node” by providing a method for detecting nodes in an enterprise network infected with aberrant code in which traffic conversation information representative of traffic conversation in the enterprise network over an analysis period is obtained. Analysis of the obtained traffic conversation information identifies suspected infected nodes in the enterprise network that exhibit behavior outside of the normal behavior associated with the one or more traffic conversation factors. Anomaly analysis may be performed on traffic conversation information associated with the suspected infected nodes to identify any existing infected nodes in the enterprise network (See Reves Title, Abstract; Figure 6; Paragraph 0069).

As per claim 9, Reves discloses “wherein the one or more processors are further to: determine a first timestamp corresponding to when the first network node is identified as infected” (Paragraphs 0013, 0033, 0102); and “collect the first set of network data to include the one or more anomalous activities that each occurred at a timestamp substantially close to the first timestamp” (Figures 11, 12, 13; Paragraphs 0033, 0034, 0035).

As per claim 10, Reves discloses “wherein the first characteristic includes at least one of a recurring interval of the one or more anomalous activities performed by the first network node or an occurrence time of each of the one or more anomalous activities performed by the first network node, and the second characteristic includes at least one of a recurring interval of the one or more anomalous activities performed by the first network node and an occurrence time of each of the one or more anomalous activities performed by the second network node” (Paragraphs 0033-0035, 0090, 0100-0103).

As per claim 11, Reves discloses “wherein the first characteristic includes a data size of the first set of network data, and the second characteristic includes a data size of the second set of network data” (Paragraphs 17, 57, 66).

Paragraphs 66, 67, 75, 81, 83, 98, 99).

As per claim 13, Reves discloses “wherein the first characteristic includes a destination point to which the first set of network data is transmitted, and the second characteristic includes a destination point to which the second set of network data is transmitted” (Paragraphs 0012, 0017, 0021, 0037, 0044).

As per claim 14, Reves discloses “wherein the one or more processors are further to communicate with a threat detection system to ascertain that the first network node is infected prior to collecting the first set of network data” (Paragraphs 0007, 0017, 0053-0059).

Regarding claim 15, Reves discloses “a non-transitory computer readable medium storing program instructions” by providing a traffic anomaly analysis for the detection of aberrant network code (See Reves Title, Abstract; Paragraph 0001; Figure 1, Paragraphs 0023, 0053 describing techniques for detecting the presence of aberrant code in a computer network), for causing one or more processors to: “identify a first one of a plurality of network nodes as infected” (Paragraph 0019 describing a method for detecting nodes in an enterprise network infected with aberrant code); “collect a first set of network data from the first network node including one or more anomalous activities performed by the first network node” (through the data collector, Figure 7, Components 110, 114); “generate an anomalous behavior model using the first set of network data” (Paragraph 0019 describing determining normal behavior associated with one or more traffic conversation factors from the traffic conversation information, and analyzing the traffic conversation information to identify nodes in the enterprise network that exhibit behavior outside of the normal behavior associated with the one or more traffic conversation factors as suspected infected nodes); “collect a second set of network data from a second one of the plurality of network nodes including one or more anomalous activities performed by the second network node” (through the data collector, Figure 7, Components 110, 114); “compare the second set of data to the generated anomalous behavior model” (Figure 7, Component 119; Paragraph 0073 describing a threshold comparator 119 that compares a metric associated with an attribute for each source in the traffic conversation information matrix 8 to the current normal threshold 126 to determine whether the attribute of the corresponding source host is out of the "normal" operating range; if so, the threshold processor 124 may add the source host 128 to the list 130 of "suspected infected" source hosts); “determine, from the comparison, that a similarity between a first characteristic associated with the one or more anomalous activities performed by the first network node and a second characteristic associated with the one or more anomalous activities performed by the second network node exceeds a predefined threshold” (Figure 8, Paragraphs 0074-0075 describing that conversation sizes are also analyzed at this point to identify conversations that are mostly similar in size, that is, conversations whose standard deviation is low, and that suspected infected nodes are ranked based upon this initial analysis); and “ascertain, based on the determination, the second network node as an infected network node” by providing a method for detecting nodes in an enterprise network infected with aberrant code in which traffic conversation information representative of traffic conversation in the enterprise network over an analysis period is obtained. Analysis of the obtained traffic conversation information identifies suspected infected nodes in the enterprise network that exhibit behavior outside of the normal behavior associated with the one or more traffic conversation factors. Anomaly analysis may be performed on traffic conversation information associated with the suspected infected nodes to identify any existing infected nodes in the enterprise network (See Reves Title, Abstract; Figure 6; Paragraph 0069).

As per claim 16, Reves discloses “wherein the program instructions further cause the one or more processors to: determine a first timestamp corresponding to when the first network node is identified as infected (Paragraphs 0013, 0033, 0102); and collect the first set of network data to include the one or more anomalous activities that each occurred at a timestamp substantially close to the first timestamp” (Figures 11, 12, 13; Paragraphs 0033, 0034, 0035).

As per claim 17, Reves discloses “wherein the first characteristic includes at least one of a recurring interval of the one or more anomalous activities performed by the first network node or an occurrence time of each of the one or more anomalous activities performed by the first network node, and the second characteristic includes at least one Paragraphs 0033-0035, 0090, 0100-0103).

As per claim 18, Reves discloses “wherein the first characteristic includes a data size of the first set of network data, and the second characteristic includes a data size of the second set of network data” (Paragraphs 17, 57, 66).

As per claim 19, Reves discloses “wherein the first characteristic includes a data type of the first set of network data, and the second characteristic includes a data type of the second set of network data” (Paragraphs 66, 67, 75, 81, 83, 98, 99).

As per claim 20, Reves discloses “wherein the first characteristic includes a destination point to which the first set of network data is transmitted, and the second characteristic includes a destination point to which the second set of network data is transmitted” (Paragraphs 0012, 0017, 0021, 0037, 0044).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FRANTZ COBY whose telephone number is (571) 272-4017. The examiner can normally be reached on Monday-Thursday 7AM-5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Umar Cheema, can be reached at (571) 270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/FRANTZ COBY/Primary Examiner, Art Unit 2454

March 24, 2021