Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
1.        Claims 1 - 21 are pending. Claims 1, 15, 16, 21 are independent. File date is 5-31-2019.

Claim Rejections - 35 USC § 102  
2.        The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless -
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

3.        Claims 1 - 9, 13 - 21 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Ahmed et al. (US Patent No. 10/320,813).

Regarding Claims 1, 15, 16, Ahmed discloses a method for detecting and mitigating anomalous network traffic, a non-transitory computer readable medium comprising computer executable instructions which, when executed by a computer, cause the computer to perform a method comprising operations, and an apparatus, comprising the operations of:
a)  with at least one processor in a network, obtaining information regarding network traffic flows; (Ahmed col 3, ll 21-36: threat detection and mitigation platform employing machine learning and machine models to understand and classify the behavior of network endpoints, behavior that is visible in the form of network traffic emitted from 
b)  with the at least one processor in the network, generating a classification model based on the obtained information, the classification model comprising one or more classification rules for classifying network traffic as normal or anomalous; (Ahmed col 3, ll 25-31: employ machine models to classify the behavior of network endpoints, behavior that is visible in the form of traffic (i.e. network traffic))    
c)  with the at least one processor in the network, classifying the network traffic as anomalous or normal based on the generated classification model; (Ahmed col 3, ll 42-45: classify a communication as being malicious or “good” (normal); col 4, ll 47-55: security platform maintains a library of fingerprints of different types of network traffic, classifying the traffic and categorizing the traffic as being malicious or benign (i.e. normal)) and
d)  with the at least one processor in the network, initiating at least one mitigation action based on the network traffic being classified as anomalous. (Ahmed col 7, ll 28-34: classifying a computing resource instance as exhibiting either malicious behavior or good behavior; if behavior is classified as malicious, then method includes automatically performing an action to mitigate the detected security threat; if the behavior is not classified as malicious then no mitigation action is needed or taken)    

Furthermore for Claim 16, Ahmed discloses wherein a memory; and at least one processor, 

Regarding Claim 2, Ahmed discloses the method of claim 1, wherein the information comprises netflow records from a network device. (Ahmed col 15, ll 25-28: generating observations/records and providing the records to inference engines as streams of events)    

Regarding Claim 3, Ahmed discloses the method of claim 1, wherein the information comprises DNS flow records from a DNS server. (Ahmed col 11, ll 10-20: inference engine determines that a large number of requests and responses are directed to and from a DNS server (i.e. DNS flow records), indicating that an attack is very likely in progress; (i.e. analyze network traffic associated with a DNS server))    

Regarding Claim 4, Ahmed discloses the method of claim 1, further comprising blocking or rate limiting the anomalous network traffic in response to determining that the network traffic is anomalous. (Ahmed col 14, ll 2-5: configured to assess communication and initially classify it as malicious and if necessary initiate an action to block traffic (i.e. block network communication or “network traffic” if malicious traffic detected); col 11, ll 61-66: response to one type of event (i.e. detection of malicious traffic) is performing a “shut down instance”, including a series of actions to throttle (i.e. rate limiting) or block network traffic and notify the user)    

Regarding Claim 5, Ahmed discloses the method of claim 1, further comprising notifying a user in response to the network traffic being classified as anomalous. (Ahmed col 11, ll 61-66: response to one type of event (i.e. detection of malicious traffic) is performing a “shut down instance”, including a series of actions to throttle (i.e. rate limiting) or block network traffic and notify the user)    

Regarding Claim 6, Ahmed discloses the method of claim 1, further comprising soliciting a user to review and approve the mitigation action before the mitigation action is initiated. (Ahmed col 19, ll 31-43: the event and the corresponding action taken can be provided to a security platform console so that the event and the response are made visible to a user (i.e. a reviewer); the reviewer may validate or override the response action that was taken automatically; if a determination is made that the behavior was not malicious or that the automatic response was unwarranted, then steps can be taken to return the instance to its previous state)     

Regarding Claim 7, Ahmed discloses the method of claim 1, further comprising defining one or more mitigation rules. (Ahmed col 7, ll 28-34: classifying a computing resource instance as exhibiting malicious behavior or good behavior; if behavior is classified as malicious, the method includes automatically performing an action to mitigate the detected security threat) 

Regarding Claim 8, Ahmed discloses the method of claim 7, further comprising configuring a network device to route the network traffic based on the one or more mitigation rules. (Ahmed 

Regarding Claim 9, Ahmed discloses the method of claim 8, wherein the network device is configured to route normal network traffic to its original destination. (Ahmed col 7, ll 28-34: classifying a computing resource instance as exhibiting malicious behavior or good behavior; if behavior is classified as malicious, the method includes automatically performing an action to mitigate the detected security threat; if the behavior is not classified as malicious then no mitigation action is needed or taken; (normal network traffic continues to original destination))  

Regarding Claim 13, Ahmed discloses the method of claim 1, wherein the one or more classification rules are determined using supervised learning based on a set of historically classified normal network flows and anomalous network flows. (Ahmed col 14, ll 6-19: security platform aggregates, organizes information such as policy and historical records and serves the information via data streams; provides a method of responding to malicious activity by composing a sequence of actions comprising a response workflow)    

Regarding Claim 14, Ahmed discloses the method of claim 1, wherein the one or more classification rules are based on normal behavior of a given network traffic flow. (Ahmed col 7, ll 28-34: classifying a computing resource instance as exhibiting malicious behavior or good 

Regarding Claim 17, Ahmed discloses the apparatus of claim 16, the operations further comprising blocking or rate limiting anomalous network traffic in response to determining that the network traffic is anomalous. (Ahmed col 14, ll 2-5: configured to assess communication and initially classify it as malicious and if necessary initiate an action to block traffic (i.e. block network communication or “network traffic” if malicious traffic detected); col 11, ll 61-66: response to one type of event (i.e. detection of malicious traffic) is performing a “shut down instance” including a series of actions to throttle (i.e. rate limiting) or block network traffic and notify user)    

Regarding Claim 18, Ahmed discloses the apparatus of claim 16, the operations further comprising notifying a user in response to network traffic being classified as anomalous. (Ahmed col 7, ll 28-34: classifying a computing resource instance as exhibiting malicious behavior or good behavior; if behavior is classified as malicious, the method includes automatically performing an action to mitigate the detected security threat; if the behavior is not classified as malicious then no mitigation action is needed or taken) 

Regarding Claim 19, Ahmed discloses the apparatus of claim 16, further comprising soliciting a user to review and approve the mitigation action before the mitigation action is initiated. 

Regarding Claim 20, Ahmed discloses the apparatus of claim 16, further comprising defining one or more mitigation rules. (Ahmed col 7, ll 28-34: classifying a computing resource instance as exhibiting malicious behavior or good behavior; if behavior is classified as malicious, the method includes automatically performing an action to mitigate the detected security threat; if the behavior is not classified as malicious then no mitigation action is needed or taken)    

Regarding Claim 21, Ahmed discloses a method for classifying network traffic, comprising the operations of:
a)  with at least one processor in a network, obtaining information regarding network traffic flows; (Ahmed col 3, ll 21-36: threat detection and mitigation platform employing machine learning and machine models to understand and classify the behavior of network endpoints, behavior that is visible in the form of network traffic emitted from machine, instance, or endpoint; col 32, ll 19-37: processors implementing an instruction set, memory configured to store instructions, program instructions executed and processing data in order to implement one or more desired functions (i.e. methods, 
b)  with the at least one processor in the network, classifying the network traffic based on one or more classification rules and the obtained information; (Ahmed col 3, ll 25-31: employ machine models to classify the behavior of network endpoints, behavior that is visible in the form of traffic (i.e. network traffic)) and
c)  with the at least one processor in the network, initiating at least one notification based on the classification of the network traffic. (Ahmed col 14, ll 2-5: configured to assess communication (i.e. network traffic) and initially classify network traffic as malicious and if necessary initiate an action to block traffic (i.e. block network communication or “network traffic” if malicious traffic is detected); col 11, ll 61-66: response to one type of event (i.e. detection of malicious traffic) is performing a “shut down instance” including a series of actions to throttle (i.e. rate limiting) or block network traffic and notify the user)     

Claim Rejections - 35 USC § 103  
4.        The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

5.        Claims 10 - 12 are rejected under 35 U.S.C. 103 as being unpatentable over Ahmed in view of Vejman et al. (US PGPUB No. 20200236131).

Regarding Claim 10, Ahmed discloses the method of claim 8, including routing anomalous network traffic. (Ahmed col 7, ll 28-34: classifying a computing resource instance as exhibiting malicious behavior or good behavior; if behavior is classified as malicious, the method includes automatically performing an action to mitigate the detected security threat; if the behavior is not classified as malicious then no mitigation action is needed or taken)     
Ahmed does not explicitly disclose routing anomalous network traffic for deep packet inspection. 
However, Vejman discloses wherein the network device is configured to route the anomalous network traffic for deep packet inspection. (Vejman ¶ 040, ll 1-7: analyze packet headers to capture feature information about traffic flow; ¶ 041, ll 1-3: access payload of packet to capture information about traffic flow; perform deep packet inspection on one or more packets; ¶ 049, ll 6-7: security agents are executed to detect the presence of malware)    
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Ahmed for routing anomalous network traffic for deep packet inspection as taught by Vejman. One of ordinary skill in the art would have been motivated to employ the teachings of Vejman for the benefits achieved from a system that enables additional types of inspection for network traffic, such as deep packet inspection, in the determination of malicious network traffic. (Vejman ¶ 041; ¶ 049)

Regarding Claim 11, Ahmed-Vejman discloses the method of claim 10, further comprising routing the network traffic to an original destination and updating the one or more classification rules based on information from the deep packet inspection regarding a false 

Regarding Claim 12, Ahmed-Vejman discloses the method of claim 10, wherein the deep packet inspection triggers a blocking or rate limiting of the anomalous network traffic in response to confirming that the network traffic is anomalous. (Ahmed col 14, ll 2-5: configured to assess communication and initially classify it as malicious and if necessary initiate an action to block traffic (i.e. block network communication or “network traffic” if malicious traffic is detected); col 11, ll 61-66: response to one type of event (i.e. detection of malicious traffic) is performing a “shut down instance” including a series of actions to throttle (i.e. rate limiting) or block network traffic and notify user)    

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kyung H Shin whose telephone number is (571) 272-3920. The examiner can normally be reached on M - F 12pm - 8pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia, can be reached on (571) 272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KYUNG H SHIN/
Primary Examiner, Art Unit 2443
May 6, 2021