DETAILED ACTION
This office action is in response to the correspondence filed on 06/03/2019. This application has a provisional application filed 01/16/2019. Claims 1-20 are pending and are examined.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
Objection
There are two sets of claims and abstracts that are deemed to be the same by the examiner. There are also two sets of specifications that are at least mostly the same. Please clarify if one set should be used over the other. 

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an 
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitations are: transaction correlation module configured to correlate, host input module to take, merged record creator configured to create, output module configured to send, network policy enforcement module to give, network data flow module to take, audit module configured to interrogate in claims 1-10. A correlator includes these modules but it is unclear if a correlator is a hardware processor or something else. Please clarify.
Because this/these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-10 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Claim limitations: transaction correlation module configured to correlate, host input module to take, merged record creator configured to create, output module configured to send, network policy enforcement module to give, network data flow module to take, audit module configured to interrogate in claims 1-10 invoke 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. 
The specification is devoid of adequate structure to perform the claimed function. The specification states the claimed functions of correlating network flow information, taking in records, creating a merged record, sending a merged record, giving information, taking in the network data traffic flow information, and interrogating computing host devices are performed by the stated modules which is included in a correlator. There is no disclosure of any particular structure, either explicitly or inherently, to perform these functions including the correlator. The use of the terms correlation module, host input module, merged record creator, output module, network policy enforcement module, network data flow module, audit module for performing the correlating, taking, creating, sending, giving, taking, and interrogating functions because they do not describe a particular structure for performing the functions. As would be recognized by those of ordinary skill in the art, the terms correlating, taking, creating, sending, giving, taking, and interrogating refer to some kind of data manipulations and analyses which can be performed in any number of ways in hardware, software or a combination of the two. The specification does not provide sufficient details such that one of ordinary skill in the art would understand which structure or structures perform(s) the claimed functions. 
Therefore, the claims are indefinite and are rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.

Regarding claim 2, the limitation recites “…when a match has been made” and it is unclear what “a match” is referring to. Please clarify.
Regarding claim 7, it recites “the network policy enforcement module” which was never recited before in claim 7. There is insufficient antecedent basis for this limitation in the claim. 
Regarding claim 9, it recites “the record creator module” which was never recited before in claim 9. There is insufficient antecedent basis for this limitation in the claim. 
Regarding claim 19, it recites “the record creator module” which was never recited before in claim 19 even though it is introduced in claim 15. There is insufficient antecedent basis for this limitation in the claim. 
	Please clarify and define these modules and thoroughly review the claim set for accuracy. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claims 1, 11, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Stute et al. (US Pub No. 2009/0178139 A1, referred to as Stute), in view of Ling et al. (US Pub No. 2017/0041297 A1, referred to as Ling).
Regarding claims 1, 11, and 16, taking claim 1 as exemplary, Stute discloses,
1. An apparatus, comprising:
a correlator that includes a number of modules cooperating with each other, where the modules at least include,  (Stute: [0024].)
a transaction correlation module configured to correlate network flow information for one or more network packet flows corresponding to one or more host- agent network-transaction records on whom participated in a first network packet flow, (Stute: [0024], [0033]; a combination of modules (correlation module) could learn and remember any information (network-transaction records) associated with any binary network packet data associated with the network activity or traffic such as source information and destination information, other suitable network related information, or any combination thereof that could be associated with a particular transaction, access attempt, database, network location, user, user's location, or any other network related information when accessing network servers.)  where the one or more host-agent network-transaction records at least contain source information selected from information that includes i) an application that caused the one or more network packet flows, ii) a user associated with the one or more network packet flows, and iii) a combination of the application information and the user information for the one or more network packet flows, (Stute: [0034]; one of the detection and prevention modules (DPMs), trusted computing base (TCB) DPM could learn and remember any protocols, IP ports, addressing information, other 
a host input module having one or more inputs to take in the one or more host-agent network-transaction records over a host network from each host agent on its host computing device connecting to the correlator, (Stute: [0025], [0029]; facility/enterprise 202 could include, for example, a company, a group of companies, a department, a group of departments, a user, a group of users, a database, a group of databases, applications, a group of applications, any suitable entity, or any combination thereof (group of computers associated with the entities can be connected to the system). Enterprise 202 could include one or more external detection and prevention modules (DPMs) could perform, for example, data packet collection and behavioral packet analysis.)
a merged record creator configured to create a merged record for corresponding matches of one or more of the host-agent network-transaction records to one or more of the network packet flows, where the merged record contains both details of network flow information from a matching network packet flow and details of source information from a corresponding host-agent network-transaction record, and (Stute: [0024], [0033]; a combination of modules (merged record creator) could learn and remember any information (network-transaction records) associated with any binary network packet data associated (matching) with the network activity or traffic such as source information and destination information, other suitable network related information, or any combination thereof that could be associated with a particular transaction, access attempt, database, network location, user, user's location, or any other network related information when accessing network servers.)  
Stute does not explicitly disclose, however Ling teaches,
an output module configured to send the merged record containing the network flow information and the source information to a network policy enforcement module to give the network policy enforcement module enough information of both the network traffic flow information along with the source information that participated in one or more of the network packet flows in order to apply one or more network polices against the one or more network packet flows. (Ling: [0008], [0016]; upon receiving the source user-based information of a data packet, the processor can evaluate whether the authenticated user is authorized to transmit the sensitive information out of the enterprise network based on network data leakage prevention (DLP) policies. There are corresponding DLP policies for each user.)
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings Ling of into the teachings of Stute with a motivation to prevent network data leakage with unified source user checking of data packets by applying user specific DLP policies to outgoing data packets (Ling abstract, [0002], [0008]).

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Stute, in view of Ling, further in view of Wood et al. (US Pub No. 2009/0290492 A1, referred to as Wood).
Regarding claim 12, the combination of Stute and Ling discloses, 
12. The method of claim 11, further comprising:
Stute discloses,
taking in the network data traffic flow information, including its associated metadata, for the one or more network packet flows from one or more network data flow collection daemons, (Stute: [0033]; a combination of modules could learn and remember any information (network-transaction records) associated with any binary network packet data associated with the network activity or traffic such as source information and destination information, access time, other suitable network related 
storing details for the one or more network data flows and their associated metadata including time stamps, and (Stute: [0032], [0033]; DPMs have storage. Network packet associated data including time information.)
Stute does not explicitly disclose, however Wood teaches,
programming to remove details of one or more of the one or more network data flows from storage locations as space is needed, based on a set time limit, and any combination of both of these. (Ling: [0013]; determining an algorithm (programming) to extract a meta-data having information relevant to network traffic visibility based on the type of the header, extracting the metadata from the header, determining that a storage device does not have capacity to store the meta-data, and discarding a last recently used data when the storage device does not have capacity to store the meta-data such that a sliding window is formed in the storage device that discards the last recently used data when making room for the meta-data and future meta-data (space and time are considered for removal of old metadata).)
It would have been obvious to one ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Wood into the combination of Stute and Ling with a motivation to manage a storage device for identifying network packets when it is limited in the storage capacity by applying a last recently used algorithm to discard information from the storage device (Wood abstract).
	
	
Allowable Subject Matter
Claims 2-10, and 13-15, and 17-20 contain allowable subject matter but are objected to as being dependent upon rejected base claims. Claims 2-10, and 19 are also rejected under 112. The above claims would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims; and the stated rejection(s) are resolved.
The following is an examiner’s statement of reasons for allowance: 
Although prior arts Stute, Ling and Wood above disclose all the limitations of the prior claims (see rejections above), none of the prior arts of record alone or in combination discloses a network flow correlator including a user programmable filter to remove details from network data flows as space is needed; a host input module to cooperate with a merged record creator to create queues for storing host-agent network-transaction records from a first and second host agents; an auditing module to interrogate network packet flow relating to network packet flow external to the host network; and filters programmable that limit an amount of host agent network-transaction records that are made based on specific processor and storage capabilities of the host computing device and the correlator as described in the claims.
At the effective filing date of the application, the above limitations would not have been obvious over the prior arts of record. 


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The listed references disclose relevant inventions of detecting data exfiltration, identifying users who initiated network traffic, and applying a security policy to the network traffic flow according to the application type.

Kan; Dan et al. (US 20100064353 A1) 
Teal; Richard S. (US 20190081983 A1) 
Please see PTO-892. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KA SHAN CHOY whose telephone number is (571) 272-1569.  The examiner can normally be reached on MON - FRI: 9AM-5:30PM EST Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435