DETAILED ACTION

Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 2/19/2021 has been entered.

Claims 1-7, 10-16 and 19-20 are pending.

Response to Arguments
The arguments/remarks filed by the applicant on 2/19/2021 have been fully considered and are responded to below.

Applicant's amendments to claims have overcome claim objections and 112(b) claim rejections previously set forth in the Final Office Action mailed 9/18/2020. All previous claim objections and rejections have been withdrawn.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6, 10-13, 15, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Demopoulos (US 20050193429 A1) in view of Anderson (US 20030014665 A1).

Regarding claim 1, Demopoulos teaches a method of analyzing and reporting anomalous internet traffic data comprising: 
accepting, at a processor ([0056] processor) configured to offer a virtual security appliance, ([0056] networked appliances) a request for a connection to the virtual security appliance; ([Abstract] The monitoring system includes a security appliance and one or more security and monitoring technologies. The security appliance and the security and monitoring technologies may be implemented as separate and distinct modules or combined into a single security appliance. [0044] analyzing a data packet received from a communication network by the monitoring module.) Here the connection request is disclosed by “packet received”. 
collecting, using the processor, attribute data about the connection, wherein the attribute data includes date of the connection, a number of bytes associated with the connection, source IP address, or content of data sent through the connection; ([0044] The data packet includes information identifying the packet's source (e.g., a source IP address) and the packet's destination.)
applying, using the processor, a plurality of alert modules to at least some of the attribute data about the connection to identify an incident for reporting, wherein each of the plurality of alert modules is independently customizable and is configured to detect an anomaly in a different subset of the attribute data about the connection; and ([0043, 0065] The integrated security system includes a plurality of monitoring modules for screening a plurality of different types of communications, such as e-mail messages, VPN communications, and web page traffic. Based on event data generated by the monitoring modules upon determination of a potential threat, new rules are automatically developed by the integrated security system and implemented using one or more of the monitoring modules. The integrated monitoring system 200 includes a plurality of monitor modules 202, 204, 206, 208, 210. Each monitor module 202 may independently perform one or more different monitoring and security functions.)
automatically generating, using the processor, an alert concerning the identified incident. ([0071] The IDP may include an internal set of rules for use in evaluating and blocking messages in real time. Upon detection of a threat, the IDP system may report an alert, a threat ID and description, a timestamp, and the source and destination IP addresses of the message. Additional event data may also be reported depending on the implementation.)
Demopoulos teaches new rule being added to the set of rules used by the monitoring module according to satisfaction of one or more criteria (¶44), but does not explicitly teach each of the plurality of alert modules is added or deleted according to a predetermined schedule, satisfaction of one or more criteria, or as decided by a machine learning system. This aspect of the claim is identified as a difference.
However, Anderson in an analogous art explicitly teaches each of the plurality of alert modules is added or deleted according to a predetermined schedule, satisfaction of one or more criteria, or as decided by a machine learning system. ([0064] The Internet host 102 generates one or more DDoS squelch filters based on the identified attack traffic characteristics. The Internet host 102 transmits the one or more filters to the upstream router 302. Accordingly, once the filters are received by the upstream router 302, installation of the filters and dropping of matching network traffic should result in termination of the DDoS attack at the Internet host 102. [0073] FIG. 13, each installed filter includes an expiration time timestamp based on a pre-determined DDoS squelch TTL value which is set by an administrator of the respective router. That timestamp represents the time at which this DDoS squelch filter should be removed.) Here Anderson discloses that the attack traffic characteristics include one or more of a destination port of the attack traffic, a source port of the attack traffic, a source IP address of the attack traffic, a destination IP address of the attack traffic, and a time to live component of the attack traffic (¶63). Generating DDoS squelch filters based on the identified attack traffic characteristics as disclosed above is an example of adding alert modules according to “satisfaction of one or more criteria”. Removing DDoS squelch filters after expiration as disclosed above is an example of deleting 
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “integrated data traffic monitoring system” concept of Demopoulos, and the “generating/removing filter dynamically” approach of Anderson, for secure, automated response to attacks as well as preventing endless accumulation of outdated filters (Anderson [0025, 0073]).
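The claim-1 mapping above (independently customizable alert modules, each inspecting a different subset of the connection attribute data, added on satisfaction of a criterion and deleted on a predetermined schedule, as the examiner reads Anderson's TTL-expiring squelch filters) modelled as a small monitor. This is an added example, not code from the Office Action, the application, or the cited patents; the attribute names, the 1 MB threshold, the 60-second expiry and the sample traffic are assumptions made for the illustration.

```python
# Added illustration; attribute names, thresholds and sample traffic are constructed for the example.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class AlertModule:
    name: str
    fields: tuple                                        # subset of attribute data this module inspects
    check: Callable[[Dict[str, object]], Optional[str]]  # returns incident text, or None
    expires_at: Optional[float] = None                   # Anderson-style expiry timestamp; None = permanent

@dataclass
class Monitor:
    squelch_ttl: float = 60.0                  # seconds a criteria-added module stays installed
    modules: List[AlertModule] = field(default_factory=list)

    def expire_modules(self, now: float) -> List[str]:
        """Delete modules whose expiration timestamp has passed (predetermined schedule)."""
        gone = [m.name for m in self.modules if m.expires_at is not None and m.expires_at <= now]
        self.modules = [m for m in self.modules if m.name not in gone]
        return gone

    def handle(self, conn: Dict[str, object], now: float) -> List[dict]:
        """Apply each active module to its own attribute subset; a volume alert installs a per-source module."""
        self.expire_modules(now)
        fired = []
        for m in list(self.modules):           # copy: a module added here first applies to the next connection
            incident = m.check({k: conn.get(k) for k in m.fields})
            if incident is None:
                continue
            fired.append({"time": now, "module": m.name, "src_ip": conn.get("src_ip"), "incident": incident})
            ip, sq = conn.get("src_ip"), f"squelch:{conn.get('src_ip')}"
            if m.name == "volume" and all(x.name != sq for x in self.modules):   # criterion satisfied: add module
                self.modules.append(AlertModule(sq, ("src_ip",), lambda a, ip=ip:
                    f"traffic from squelched source {ip}" if a["src_ip"] == ip else None, now + self.squelch_ttl))
        return fired

def build_monitor() -> Monitor:
    volume = AlertModule("volume", ("bytes",), lambda a: "exceeds 1 MB" if a["bytes"] > 1_000_000 else None)
    content = AlertModule("content", ("content",), lambda a: "marker in payload" if "BAD-MARKER" in str(a["content"]) else None)
    return Monitor(modules=[volume, content])

def run_demo() -> dict:
    """Constructed traffic from one source: a 5 MB spike at t=0, then small connections at t=30 and t=100."""
    mon, out = build_monitor(), {}
    for t, nbytes in ((0, 5_000_000), (30, 10), (100, 10)):
        conn = {"date": t, "bytes": nbytes, "src_ip": "203.0.113.5", "content": ""}
        out[t] = [a["module"] for a in mon.handle(conn, now=t)]
    out["active"] = [m.name for m in mon.modules]   # at t=100 the squelch module has expired and been deleted
    return out
```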

Regarding claim 2, Demopoulos in view of Anderson teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein identifying the incident for reporting comprises identifying at least one anomalous connection attribute in the attribute data. ([Demopoulos 0044, 0070] analyzing a data packet received from a communication network by the monitoring module using a predetermined set of rules. The data packet includes information identifying the packet's source (e.g., a source IP address) and the packet's destination. For example, a stateful firewall monitor module that remembers the context of connections and continuously updates this state information in dynamic connection tables, may use one or more IP tables to identify known sources of threats and automatically block traffic from those IP addresses in the IP tables.)

Regarding claim 3, Demopoulos in view of Anderson teaches all the features with respect to claim 1, as outlined above. The combination further teaches supplying the alert to a user using a user interface. ([Demopoulos 0064] an alerting module 218 that transmits security alerts (such as to system administrators and users).) It would be obvious that these security alerts are transmitted using a user interface.

Regarding claim 4, Demopoulos in view of Anderson teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein the alert concerning the identified incident includes the time at which the incident occurred. ([Demopoulos 0071] Upon detection of a threat, the IDP system may report an alert, a threat ID and description, a timestamp, and the source and destination IP addresses of the message. Additional event data may also be reported depending on the implementation.)

Regarding claim 6, Demopoulos in view of Anderson teaches all the features with respect to claim 1, as outlined above. The combination further teaches formatting, using the processor, the attribute data into at least one of a plot, table, or chart. ([Demopoulos 0070] a stateful firewall monitor module that remembers the context of connections and continuously updates this state information in dynamic connection tables, may use one or more IP tables to identify known sources of threats and automatically block traffic from those IP addresses in the IP tables.) Here IP address is the “attribute data” claim limitation.

Regarding claims 10 and 19, the scope of the claims is similar to that of claim 1. Accordingly, the claims are rejected using a similar rationale.

Regarding claim 11, the scope of the claim is similar to that of claim 2. Accordingly, the claim is rejected using a similar rationale.

Regarding claims 12 and 20, the scope of the claims is similar to that of claim 3. Accordingly, the claims are rejected using a similar rationale.

Regarding claim 13, the scope of the claim is similar to that of claim 4. Accordingly, the claim is rejected using a similar rationale.

Regarding claim 15, the scope of the claim is similar to that of claim 6. Accordingly, the claim is rejected using a similar rationale.

Claims 5 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Demopoulos (US 20050193429 A1) in view of Anderson (US 20030014665 A1) and Baradaran (US 20170126709 A1).

Regarding claim 5, Demopoulos in view of Anderson teaches all the features with respect to claim 1, as outlined above. But the combination does not teach wherein the alert module is automatically applied at fixed time intervals. This aspect of the claim is identified as a difference.
However, Baradaran in an analogous art explicitly teaches wherein the alert module is automatically applied at fixed time intervals. ([0080] In some embodiments, the monitoring agent 197 monitors, measures and collects data on a predetermined frequency.) The “predetermined frequency” implies the claim limitation “automatically at fixed time intervals”.
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “integrated data traffic monitoring system” concept of Demopoulos, and the “anomaly detection” approach of Baradaran, to provide effective and flexible techniques for detecting anomalous traffic.

Regarding claim 14, the scope of the claim is similar to that of claim 5. Accordingly, the claim is rejected using a similar rationale.

Claims 7 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Demopoulos (US 20050193429 A1) in view of Anderson (US 20030014665 A1) and Martin (US 20180004948 A1).

Regarding claim 7, Demopoulos in view of Anderson teaches all the features with respect to claim 1, as outlined above. But the combination does not teach filtering the collected attribute data and discarding standard attribute data using the processor. This aspect of the claim is identified as a difference.
However, Martin in an analogous art explicitly teaches filtering the collected attribute data and discarding standard attribute data using the processor. ([0038] The system can also discard various signals from the set in order to find a best-match with a particular cyber attack pattern in the attack database, thereby confirming a relationship between a subset of these signals and a possible cyber attack and refuting a relationship between this subset of signals and other signals in the set.) Here Martin discloses discarding irrelevant signals and keeping pertinent signals to find a particular cyber-attack pattern, which is analogous to the claim limitation “filtering collected attribute data and discarding standard attribute data”.
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “integrated data traffic monitoring system” concept of Demopoulos, and the “predicting and characterizing cyber-attacks” approach of Martin, because discarding irrelevant signals and keeping pertinent signals can reduce the noise from unnecessary data to facilitate the identification of a particular cyber-attack pattern (Martin [0038]).

Regarding claim 16, the scope of the claim is similar to that of claim 7. Accordingly, the claim is rejected using a similar rationale.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 9774611 B1, "Dynamically deploying a network traffic filter", by Zipperer, teaches dynamically deploying an upstream network traffic filter in a network. The upstream network filter is dynamically deployed in a location that is closer to an entry point of an attack such that attack traffic reaches the upstream network filter before reaching a network traffic filter that is configured to perform network traffic filtering for a computing resource that is under attack. The upstream network traffic filter includes rules that are based on at least a portion of the rules that are applied by the network traffic filter.
US 20140090014 A1, "Policy-based content filtering", by Crawford, teaches a firewall device that maintains a policy database including multiple policies. The policies include information regarding an action to take with respect to a network session based on a set of source internet protocol (IP) addresses, a set of destination IP addresses and/or a network service protocol. When the action is to allow the network session, the policy also includes information regarding a configuration scheme defining administrator-configurable content filtering processes to be performed on traffic associated with the network session. Policy-based content filtering is performed by the firewall device by (i) identifying a matching policy for the network session at issue; (ii) identifying multiple content filtering processes to .

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAN YANG whose telephone number is (408)918-7638.  The examiner can normally be reached on Monday to Friday, 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/H.Y./Examiner, Art Unit 2493

/Kevin Bechtel/Primary Examiner, Art Unit 2491