DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Priority
Examiner acknowledges Applicant’s claim to priority benefits of PCT/US2017/042390 filed 7/17/2017.


Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 11/5/2018 is/are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement(s) is/are being considered if signed and initialed by the Examiner.


EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with DAN HU (40025) on 5/6/2021.



1.	(Currently Amended) A computing system, comprising:  
a storage to store[[:]] information about [[the]]a size of each set of a first group of sets, wherein each respective set of the first group of sets is associated with a respective different integer[[,]] and is associated with the respective different integer with respect to a prime number is performed on a difference between [[the]]a respective time indication and a first time indication, wherein the prime number does not comprise 5, and wherein the time indications are related to 
a processor to: 
	determine metrics related to [[the ]]differences between integers associated with the sets of the first group of sets;  
	detect a pattern indicative of a security intrusion based on the metrics;  and 
	output an indication that the security intrusion is detected.

2.	(Currently Amended) The computing system of claim 1, wherein the time indications are related to received network communications, and wherein the storage is to store a group of sets for each domain associated with a received network communication.

3.	(Currently Amended) The computing system of claim 1, wherein the storage is to further store information about a second group of sets, wherein [[the ]]sets [[in]]of the second group of sets are related to a modular operation with respect to a different prime number than the modular operation related to the first group of sets, wherein the different prime number does not comprise 5. 

 of a system comprising a hardware processor, comprising:
determining a difference between a received time indication and a previous time indication;
performing a modular arithmetic operation with respect to a first prime number on the difference, wherein the first prime number does not comprise 5;
incrementing a count related to a first set associated with [[the]]a result of the modular arithmetic operation;
comparing [[the ]]respective counts associated with respective sets of a plurality of sets including the first set, wherein each set of the plurality of sets is associated with a different integer result of [[a]]the modular arithmetic operation;
detecting an occurrence of a security intrusion based on the comparison; and
outputting an indication that the security intrusion is detected.

5.	(Original) The method of claim 4, further comprising translating a received symbol into numerical information used to determine the difference. 

6.	(Currently Amended) The method of claim 4, comprising:
computing, according to the comparison, a range based on the respective counts,
wherein the detecting of the occurrence of the security intrusion is based on the range.  

7.	(Currently Amended) The method of claim [[6]]4, wherein the detecting of the occurrence of the security intrusion comprises detecting malware activity

8.	(Currently Amended) The method of claim [[6]]4, wherein the first prime number is at least one of: 3, 7, 11, 13, and 17.

9.	(Currently Amended) The method of claim 4, wherein the detecting [[an]]of the occurrence of the security intrusion is based on the comparison indicating a range of the respective counts being less than 9, and an index of of the respective counts being less than .51

10.	(Currently Amended) The method of claim 4, wherein the detecting [[an]]of the occurrence of the security intrusion is further based on associated with a plurality of second sets related to a modular arithmetic operation performed with respect to a second prime number different from the first prime number, and wherein the second prime number does not comprise 5.

11.	(Currently Amended) The method of claim 4, wherein the comparison comprises at least one of: range, dispersion, standard deviation, interquartile range, [[and]]or relative spike in growth.

12.	(Currently Amended) A machine-readable non-transitory storage medium comprising instructions that upon execution cause a system to: 
store information associated with a first plurality of sets associated with network traffic of a first domain, wherein each set of the first plurality of sets is associated with a different integer result of a modular operation with respect to a prime number on time stamp differences of the network traffic of the first domain, wherein the prime number does not comprise 5;
compare [[the ]]respective sizes of the first plurality of sets; 
detect a likelihood of a security intrusion related to the first domain based on the comparison; 
output an indication that the security intrusion is detected.

13.	(Currently Amended) The machine-readable non-transitory storage medium of claim 12, further comprising instructions that upon execution cause the system to:
store information associated with a second plurality of sets associated with network traffic of a second domain, wherein each set of the second plurality of sets is associated with a different integer result of a modular operation with respect to a different prime number on time the network of the second domain, wherein the different prime number does not comprise 5.

14.	(Currently Amended) The machine-readable non-transitory storage medium of claim 12, further comprising instructions that upon execution cause the system to:
store information related to an initial time stamp associated with the network traffic of the first domain;
receive information related to a further time stamp associated with further network traffic of the first domain
perform [[a]]the modular operation on [[the]]a difference between the further time stamp and the initial time stamp; and
increment [[the]]a size of [[the]]a set associated with [[the]]an integer result of the modular operation on the difference between the further time stamp and the initial time stamp.

15.	(Currently Amended) The machine-readable non-transitory storage medium of claim 12, wherein the instructions to compare the respective sizes comprise instructions to determine: range, dispersion, standard deviation, interquartile range, [[and]]or relative spike in growth between the respective sizes

16.	(New) The computing system of claim 1, wherein the processor is to:
	increment a size of a given set of the first group of sets responsive to the modular operation producing a corresponding integer when applied to a difference between a current time indication and the first time indication.

17.	(New) The computing system of claim 16, wherein the metrics comprise a range based on differences between sizes of sets of the first group of sets.

18.	(New) The computing system of claim 16, wherein the metrics comprise a dispersion or standard deviation computed based on sizes of sets of the first group of sets.




REASONS FOR ALLOWANCE
The following is the Examiner’s statement of reasons for allowance:
Independent claims 1, 4, 12 all comprise (or are significantly similar to), among other things, determining a difference between a received time indication and a previous time indication; performing a modular arithmetic operation with respect to a first prime number on the difference, wherein the first prime number does not comprise 5; incrementing a count related to a first set associated with a result of the modular arithmetic operation; comparing respective counts associated with respective sets of a plurality of sets including the first set, wherein each set of the plurality of sets is associated with a different integer result of the modular arithmetic operation; detecting an occurrence of a security intrusion based on the comparison; and outputting an indication that the security intrusion is detected. The remaining dependent claims further limit the invention. 
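A sketch of the counting and comparison steps recited above, added here as an illustration and not taken from the application or its specification. It uses the difference from the first time stamp (as in claims 1 and 14) and the figures 9 and .51 from claim 9; reading the .51 figure as a bound on the variance-to-mean ratio, the MIN_EVENTS floor, all function names and both sample traces are assumptions.

```python
# Added illustration; thresholds and names are assumptions (see lead-in).
RANGE_LIMIT = 9          # "range ... less than 9" (claim 9)
DISPERSION_LIMIT = 0.51  # ".51" (claim 9); which index it bounds is assumed
MIN_EVENTS = 20          # assumption: very few events always look even

def bucket_counts(timestamps, prime):
    """Size of each set r = (t - t0) mod prime, t0 being the first time stamp."""
    t0 = timestamps[0]
    counts = [0] * prime
    for t in timestamps[1:]:
        counts[(t - t0) % prime] += 1
    return counts

def metrics(counts):
    """Return (range, variance-to-mean ratio) of the set sizes."""
    mean = sum(counts) / len(counts)
    variance = sum((c - mean) ** 2 for c in counts) / len(counts)
    dispersion = variance / mean if mean else float("inf")
    return max(counts) - min(counts), dispersion

def looks_periodic(timestamps, primes=(7, 11)):
    """True when the sets grow evenly for every prime used."""
    if 5 in primes:
        raise ValueError("the claims exclude the prime 5")
    if len(timestamps) - 1 < MIN_EVENTS:
        return False
    for p in primes:
        rng, disp = metrics(bucket_counts(timestamps, p))
        if rng >= RANGE_LIMIT or disp >= DISPERSION_LIMIT:
            return False
    return True

# Constructed sample data (epoch seconds), not from the application.
T0 = 1_600_000_000
BEACON = [T0 + 50 * k for k in range(78)]          # one request every 50 s
BURSTY = [T0] + [T0 + d for d, n in ((14, 12), (15, 3), (100, 9), (233, 4))
                 for _ in range(n)]                 # clustered, irregular traffic

if __name__ == "__main__":
    for name, ts in (("beacon", BEACON), ("bursty", BURSTY)):
        print(name, bucket_counts(ts, 7), metrics(bucket_counts(ts, 7)),
              looks_periodic(ts))
    # With this constructed 50 s interval, modulus 5 would fill only set 0.
    print("mod 5:", bucket_counts(BEACON, 5))
```

On the constructed 50-second trace every set for 7 and for 11 grows in lockstep, so both metrics are zero and the trace is reported; the clustered trace fails the range test.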

Examiner supplements the record for the first action allowance. Examiner finds the statement in the specification that the system uses prime numbers but not the number five “to increase the likelihood of results sets to increase in size more uniformly” (Spec, para. 23). This feature was in dependent Claim 7 as originally filed. Examiner contacted Counsel, and by agreement the feature is moved into all claims (including similar features of dependent Claims 3, 10 and 13). The scope should be read as excluding integer sets that include five as an integer. No prior art rejection is proper. See the attached 892 for references cited for the record. Examiner also highlights the IDS-cited Shalaginov NPL and Gopalan references as particularly relevant.
The remaining concern was that the claims may be a judicial exception. Taking previous Claim 1 as an example, the claim is conventional computer hardware (a storage and processor), 
Other issues such as antecedent basis or improper dependency (Claim 15 used to depend from the “method” of Claim 12) are also fixed by the above amendment. No 112 rejections are proper.
All claims are allowed as amended.

	Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."




CORRESPONDENCE INFORMATION
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NICHOLAS CELANI whose telephone number is (571)272-1205.  The examiner can normally be reached on M-F 830-5.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, VIVEK SRIVASTAVA can be reached on (571) 272-7304.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/NICHOLAS P CELANI/Examiner, Art Unit 2449