Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Election/Restrictions
2.    NO restrictions warranted at initial time of filing for patent.

Information Disclosure Statement
3.    The information disclosure statement (IDS) submitted on 03/18/2020, 03/18/2020, 10/21/2020, 01/22/2021, and 04/26/2021 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Oath/Declaration
4.    Applicant’s Oath was filed on 03/16/2020.

Drawings
5.    Applicant’s drawings filed on 03/16/2020 have been inspected and are in compliance with MPEP 608.01.
Specification
6.    Applicant’s specification filed on 03/16/2020 has been inspected and is in compliance with MPEP 608.02.
Claim Objections
7.    NO objections warranted at initial time of filing for patent.

Remarks
8.	The Examiner requests that Applicant review the relevant prior art listed under the Conclusion of this Office action.

Double Patenting
9.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claim 1 is provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of Patent No. 10594718. Although the claims at issue are not identical, they are not patentably distinct from each other because both the instant application claim 1 and Patented App. claim 1 are almost the same in scope.
Instant Application claim 1
Patent ‘718 claim 1
1. A method for monitoring network traffic using one or more network computers, wherein execution of instructions by the 




The instant application claim 1 and Patent No. ‘718 are both directed towards a method for monitoring network traffic using one or more network computers, monitoring network traffic associated with a plurality of entities in one or more networks to provide one or more metrics, generating a device relation model for representing direct and indirect relationships between the plurality of entities, determining an anomaly based on the one or more metrics exceeding one or more threshold values and monitoring an investigation of the anomaly.
One of ordinary skill in the art would understand that the teachings found in Patented App ‘718 are not significantly different from those found in the instant application, which relates to monitoring network traffic using one or more network computers to determine if any anomalies are occurring between entities. This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

Allowance of the instant application claim 1 would result in an unjustified time-wise extension of the monopoly granted for the invention defined by Patent No. ‘718 claim 1. Therefore, the provisional obviousness-type double patenting is appropriate because the conflicting claims have not in fact been patented. Instant application claim 1 corresponds to Patent No. ‘718 claim 1.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim 1 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. Publication No. 20150007314 hereinafter Vaughan in view of US 20160357967 hereinafter Mulchandani, and further in view of U.S. Patent No. 9,729,416 hereinafter Khanal.

As per claim 1, Vaughan discloses:
A method for monitoring network traffic using one or more network computers (para 0022 “Examples disclosed herein monitor packets on a packet-switched network to detect changes in the types of packets over time that form the packet traffic on the network.”),
wherein execution of instructions by the one or more network computers perform the method (para 0046) comprising:
monitoring network traffic associated with a plurality of entities in one or more networks (para 0056 “At block 402, packets received for delivery to devices on a network are monitored. The packets may be received by network protection device 104 from outside the network 154 and/or from inside the network 152 for delivery to a device within the network, e.g., a services/mobiles network.”)
to provide one or more metrics (para 0057 “At block 404, a historic packet profile is developed. The historic packet profile may be developed by examining the monitored packets received during a plurality of time periods preceding a time period of interest (the "instant" time period).” Para 0060 “At block 406, an instant packet profile is developed. The instant packet profile may be developed by examining the monitored packets received during a time period 
and determining an anomaly based on the one or more metrics exceeding one or more threshold values (para 0062 “At block 408, the instant packet profile is compared to the historic packet profile to determine deviation. Packet analyzer 120 (e.g., packet processor 318) may compare the packet profiles to determine whether a deviation exceeding a predetermined statistical threshold deviation between the instant packet profile and historic packet profile is present. Packet processor 318, for example, may compare a packet ratio (e.g., numbers of TCP to UDP, TCP/UDP, or total packets) in the instant packet profile to an average of the packet ratios from the individual time periods in the historic packet profile to determine a difference.” Para 0063 “At block 410, the existence of a network attack is identified. The existence of a network attack is identified in response to determining that the deviation of the instant packet profile to the historic packet profile exceeds the predetermined statistical threshold deviation.”);
monitoring an investigation of the anomaly (para 0071 “Packet analyzer 120 (e.g., packet processor 318) may develop the post attack packet profile as described above for the instant packet profile at block 406. The time period following the identification of the attack may be the same duration as the time periods used to generate the current and historic packet profiles, e.g., 10 minutes. Thus, the post attack packet profile in this example includes a 10 minute 

Vaughan does not disclose:
dynamically modifying a device relation model based on one or more priorities of one or more direct and indirect relationships to one or more of a plurality of entities, 
wherein the one or more priorities are based on communication between the plurality of entities that are employed to generate one or more of a type or a weight for the one or more direct and indirect relationships
and modifying a performance score that is associated with the investigation based on an occurrence of one or more investigation activities and a completion status of the investigation.

Mulchandani discloses:
 modifying a performance score that is associated with the investigation based on an occurrence of one or more investigation activities and a completion status of the investigation (para 0057 “Current risk scores can be determined (328) and deviations in risk scores can be continuously tracked and monitored over time (330). For example, the system administration process or similar process can continuously monitor risk scores for deviations that may indicate risks associated with the current/observed form of the particular process. The 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of monitoring packets on a packet-switched network to detect changes in the types of packets over time that form the packet traffic on the network of Vaughan to include modifying a performance score that is associated with the investigation based on an occurrence of one or more investigation activities and a completion status of the investigation, as taught by Mulchandani.
The motivation would have been to continuously track and monitor risk scores to provide current and accurate risk scores.

Vaughan in view of Mulchandani does not disclose:

wherein the one or more priorities are based on communication between the plurality of entities that are employed to generate one or more of a type or a weight for the one or more direct and indirect relationships

Khanal discloses:
dynamically modifying a device relation model based on one or more priorities of one or more direct and indirect relationships to one or more of a plurality of entities (Col. 20 Lines 54-63 “However, in at least one of the various embodiments, NMCs may be arranged to provide a device relation model that represents the relationships between the agents. Initially, in some embodiments, the NMC may define the initial relationships in the network based on which agents communicate with each other. However, in at least one of the various embodiments, as the NMC collects more information about the agents and their relationships to other agents, the NMC may modify device relation model 700 to reflect the deeper understanding of these relationships.” Col. 21 Lines  4-16 “In at least one of the various embodiments, some of the initial relationships may be determined to be incidental, spurious, or otherwise unimportant. Accordingly, the NMC may be arranged to remove (or de-prioritize) edges from device relation model 700 that correspond to such relationships. For example, in at least one of the various embodiments, agents (e.g., Windows network domain controllers) in Col. 26 Lines 33-47 “At block 1108, in at least one of the various embodiments, the NMC may be arranged to analyze the error signals using the device relation model. In at least one of the various embodiments, the NMC may be arranged to perform an analysis to determine whether one or more error signals may be correlated with an anomaly. In some embodiments, many errors signals may simply be indicative of normal operations. For example, if many of the clients communicating with a monitored network are mobile phones, it may expect that several mobile phone client may appear to spontaneously quit responding. In this example, clients dropping connections may be normal as they may often drop out of connectivity. 
However, for example, if clients are dropping connections because of an agent further downstream, there NMC may make this correlation and report an anomaly.” Col. 26 Line 57- Col. 2, “At decision block 1110, in at least one of the various embodiments, if an anomaly is detected, control may flow to block 1112. At block 1112, in at least one of the various embodiments, the NMC may report or otherwise generate and store a record of the anomaly. In at least one of the various embodiments, the NMC may be arranged to prioritize anomalies or otherwise, associate one or more actions that should be taken for a given anomaly. For example, some anomalies may cause a trouble ticket to be created and provided to an organization information technology teams. In other examples, the NMC may be arranged to report other anomalies to a live dashboard user-interface, or the like.”)
wherein the one or more priorities are based on communication between the plurality of entities that are employed to generate one or more of a type or a weight for the one or more direct and indirect relationships (Col. 21 Lines 4-16 “In at least one of the various embodiments, some of the initial relationships may be determined to be incidental, spurious, or otherwise unimportant. Accordingly, the NMC may be arranged to remove (or de-prioritize) edges from device relation model 700 that correspond to such relationships.” Col. 21 Lines 27-30 “In some embodiments, the NMCs may be arranged to use the collected metrics and its understanding of the communication protocol to establish and/or prioritize relationships between the agents in the networks.” Col. 24 Lines 21-33 “In at least one of the various embodiments, the NMC may be arranged to generate device relation model 1000 based on the relationships that the agents have with each other. Accordingly, in some embodiments, the edges in the graph may be selected and/or prioritized (e.g., weighted) based on the type and/or strength of the relationship. In at least one of the various embodiments, the metrics used for prioritizing the edges in a device relation model may be selected/computed based on configuration information that includes rules, conditions, pattern matching, scripts, or the like. NMCs may be arranged to apply this configuration to the observed network packets (e.g., headers and payload, alike) to identify and evaluate relationships.”)

The motivation would have been to generate a device relation model to use in order to properly identify anomalies in a network.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 

U.S. Publication No. 20180198812 discloses on paragraph 0030 “For each context class that the network device identifies, the network device may create a machine-learning model (e.g., a behavior classifier model) from the network traffic packets associated with that context. These behavior classifier models may be scored by the network device based on their maturity (e.g., based on an accuracy of 

U.S. Publication No. 20150341379 discloses on paragraph 0051 “The monitoring device 202 may use any appropriate algorithm to create the network model and/or to categorize one or more devices, e.g., as having a high node anomaly score or a low node anomaly score. For instance, modules included in the monitoring device 202, e.g., used to categorize devices, can be modular to allow replacement with a different module that uses a different model, set of models, and/or probabilistic forecasts. The monitoring device 202 may use the same module or a different module to categorize the connections and the devices. One requirement for the module may be that the module outputs a probability, e.g., between zero and one, that represents whether or not network traffic with a device is anomalous.”

	U.S. Publication No. 20180191755 discloses on paragraph 0071 “In some embodiments, anomaly detection may be made more dependable and more reliable by continuously updating a model of network traffic and using the updated model to (a) determine whether activity levels or other characteristics constitute an anomaly and (b) continuously modify the size of inflated files (e.g., "honey files") stored in the system and intended to be large enough in size to reliably cause an anomaly to be detected if exfiltration of an inflated file is detected. As described below, a network traffic model 

	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192.  The examiner can normally be reached on Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.







/GARY S GRACIA/Primary Examiner, Art Unit 2491