Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is a reply to the application filed on 1/28/2019, in which claims 1-20 are pending. Claims 1, 11, and 16 are independent.
When making claim amendments, the applicant is encouraged to consider the references in their entireties, including those portions that have not been cited by the examiner and their equivalents as they may most broadly and appropriately apply to any particular anticipated claim amendments.

Information Disclosure Statement
The information disclosure statement (IDS) submitted is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Drawings
The drawings filed on 1/28/2019 are accepted.

Specification
The disclosure filed on 1/28/2019 is accepted.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-3 and 5-9 are rejected under 35 U.S.C. 103 as being unpatentable over US 20160359872 A1 (hereinafter ‘Yadav’) in view of Ye, Xiaoming, et al. "An anomalous behavior detection model in cloud computing." Tsinghua Science and Technology 21.3 (2016): 322-332 (hereinafter ‘Ye’).

As regards claim 1, Yadav (US 20160359872 A1) discloses: A method (Yadav: ¶10, i.e., detecting attacks using flows in a datacenter) comprising: receiving data flow information, from an 
wherein the data flow information characterizes a data flow pattern for the customer logic in a data center; (Yadav: Fig. 1, ¶16-¶18, ¶23-¶26, i.e., characterizing traffic flow pattern for components such as VMs (i.e., customer logic) in the datacenter)
identifying a compromised customer logic in the data center based on a comparison of the data flow pattern of the customer logic to a past data flow pattern (Yadav: Fig. 1, ¶23-¶26, i.e., characterizing traffic flow pattern for components such as VMs (i.e., customer logic) in the datacenter and matching with machine-learned previous flows to detect anomaly/malware)
However, Yadav does not explicitly disclose, but in analogous art Ye teaches: for a previously-identified compromised customer logic; and (Ye: Abstract, pages 2-5, i.e., detection of anomalous behavior of VMs using machine learned VM profiles, wherein the profiles are built over time and include any known/unknown anomalous behavior feature of the VMs, and wherein the profile behavior is matched against the collected behavior using traffic flows to determine anomalous VM behavior)
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art 
The Yadav/Ye combination further discloses: mitigating a threat posed by the compromised customer logic in the data center by changing a characteristic of execution of the customer logic. (Yadav: Fig. 1, ¶23-¶30, ¶197, ¶470, i.e., if anomalous/malware behavior is found regarding a component, a number of measures can be taken, such as shutting the component down or shutting down a specific process within the component)

As regards claim 2, Yadav et al combination discloses the method of claim 1, wherein the data flow information does not include private information. (Yadav: Fig. 1, ¶17, ¶23-¶30, ¶636, i.e., the threat detection model includes IP, ports, temporal components, i.e., non private data) 

As regards claim 3, Yadav et al combination discloses the method of claim 1, wherein the past data flow pattern is characterized by a threat feature, and wherein the threat feature comprises one or more of an IP-based feature, a port feature, a temporal feature, a spatial feature, and/or an aggregated feature. (Yadav: Fig. 1, ¶17, ¶23-¶30, ¶636, i.e., the threat detection model includes IP, ports, temporal components)

As regards claim 5, Yadav et al combination discloses the method of claim 1, wherein the method further comprises generating a confidence score that indicates a level of confidence that the customer logic is compromised. (Yadav: ¶479-¶480, ¶487, i.e., the confidence indicator)

As regards claim 6, Yadav et al combination discloses the method of claim 1, wherein mitigating the customer logic includes placing the customer logic in a sandbox. (Yadav: ¶16-¶17, i.e., the sandbox environment)

As regards claim 7, Yadav et al combination discloses the method of claim 1, wherein the threat feature is generated from data flow information previously collected from the interface. (Yadav: Fig. 1, ¶16-¶18, ¶23-¶26, i.e., characterizing traffic flow pattern for components such as VMs (i.e., customer logic) in the datacenter)

As regards claim 8, Yadav et al combination discloses the method of claim 7, wherein the method further comprises: receiving a data flow summary from the interface including data 

As regards claim 9, Yadav et al combination discloses the method of claim 8, wherein the method further comprises: receiving the data flow summary; (Yadav: Fig. 1, ¶16-¶18, ¶23-¶26, i.e., characterizing traffic flow pattern for components such as VMs (i.e., customer logic) in the datacenter and storing the records) identifying the previously-identified compromised customer logic; (Ye: Abstract, pages 2-5, i.e., detection of the kth anomalous VM based on the traffic data) constructing the past data flow pattern for the previously-identified compromised customer logic; and (Ye: Abstract, pages 2-5, i.e., detection of anomalous behavior of VMs using machine learned VM profiles (i.e., flow pattern) wherein the profiles are built over time and include any known/unknown anomalous behavior VMs traffic flows and wherein the profile behavior is matched against the collected behavior using traffic flows to determine anomalous VM 

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Yadav in view of Ye in view of Singh, Kamaldeep, et al. "Big data analytics framework for peer-to-peer botnet detection using random forests." Information Sciences 278 (2014): 488-497 (hereinafter ‘Singh’).

As regards claim 4, Yadav et al combination discloses the method of claim 1. Although Yadav explicitly discloses machine learning algorithms to perform traffic flow analysis and evaluation (Yadav: ¶26), Yadav does not explicitly teach Random Forest algorithm: wherein the comparison is a random forest analysis of an evaluation tree.
In analogous art, Singh teaches using Random Forest machine learning algorithm for classifying and detecting malicious traffic, thus teaching: wherein the comparison is a random forest analysis of an evaluation tree. (Singh: Abstract, pages 7-9)


Claims 11-13, 15-18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Yadav in view of US 20060107321 A1 (hereinafter ‘Tzad’) in view of Ye.

As regards claim 11, Yadav (US 20160359872 A1) discloses: A computer storage media having stored thereon computer-executable instructions that when executed by a processor cause the processor to perform a method (Yadav: ¶10, i.e., detecting attacks using flows in a datacenter), the method comprising: receiving, by a collection agent, a data flow summary from a virtual switch application (vSwitch) in communication with a virtual machine (VM) executed in a data center, the data flow summary including data about two or more flows of data associated with communications with a compromised VM; (Yadav: Fig. 1, ¶10-¶21, i.e., datacenter sensors (i.e., vSwitch) capturing multiple traffic flows between VMs (i.e., customer 
However, Yadav does not explicitly disclose, but in analogous art Tzad (US 20060107321 A1) teaches collecting traffic flows from compromised machines (Tzad: ¶38), thus teaching: compromised.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Yadav to include collecting traffic flows from a compromised machine as taught by Tzad, with the motivation to extract features from the traffic to detect future infected traffic (Tzad: ¶38).
Yadav et al combination further teaches: storing, by the collection agent, data from the data flow summary in a data structure in a distributed store; (Yadav: ¶21, collectors providing storage)
receiving, by an analysis agent, the data from the data flow summary from the distributed store; (Yadav: Fig. 1, ¶23-¶26)
However, Yadav does not explicitly disclose, but in analogous art Ye teaches: identifying, by the analysis agent, a previously-identified compromised VM; (Ye: Abstract, pages 2-5, i.e., detection of anomalous behavior of VMs using machine learned VM profiles 
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Yadav’s traffic flow patterns of the VMs to include any known/unknown anomalous behavior of the VMs as taught by Ye, with the motivation to detect anomalous performance of VMs (Ye: pages 2-5).
The Yadav/Tzad/Ye combination further discloses: constructing, by the analysis agent, a past data flow pattern for the previously-identified compromised VM; (Ye: Abstract, pages 2-5, i.e., detection of anomalous behavior of VMs using machine learned VM profiles (i.e., flow pattern), wherein the profiles are built over time and include any known/unknown anomalous behavior VMs traffic flows, and wherein the profile behavior is matched against the collected behavior using traffic flows to determine anomalous VM behavior)
generating, by the analysis agent, machine learning to train an evaluation agent to compare future data flows with the past data flow pattern for the previously-identified compromised VM; (Ye: Abstract, pages 2-5, i.e., detection of anomalous behavior of VMs using machine learned VM profiles (i.e., flow 
receiving, by the evaluation agent, new data flow information, from the vSwitch in communication with the VM, characterizing a data flow pattern for the VM in the data center; (Yadav: Fig. 1, ¶23-¶26, i.e., characterizing traffic flow pattern for components such as VMs (i.e., customer logic) in the datacenter and matching with machine-learned previous flows to detect anomaly/malware. See also, Ye: Abstract, pages 2-5, i.e., detection of anomalous behavior of VMs using machine learned VM profiles (i.e., flow pattern) wherein the profiles are built over time and include any known/unknown anomalous behavior VMs traffic flows and wherein the profile behavior is matched against the collected behavior using traffic flows to determine anomalous VM behavior. See also, Tzad: ¶51-¶62)
identifying, by the evaluation agent, the VM as compromised based on a comparison of the data flow pattern of the VM to the past data flow pattern for the previously-identified compromised VM; and (Yadav: Fig. 1, ¶23-¶26, i.e., characterizing traffic flow pattern for components such as VMs (i.e., customer logic) in the datacenter and matching with machine-learned previous flows to detect anomaly/malware. See 
mitigating a threat posed by the compromised VM in the data center. (Yadav: Fig. 1, ¶23-¶30, ¶197, ¶470, i.e., if anomalous/malware behavior is found regarding a component, a number of measures can be taken, such as shutting the component down or shutting down a specific process within the component)
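The following is an added illustration of the pipeline the rejection of claim 11 describes (collection of flow summaries, construction of a past pattern for a previously-identified compromised VM, comparison against a new VM's pattern with a confidence score, and a mitigation decision). It is not code from the application or from Yadav, Tzad, Ye, or Singh. The flow records, the 10.0.0.0/8 internal range, the 10,000-byte scaling constant, the five feature definitions, and the 0.8 confidence threshold are all constructed assumptions for the example; the distance-based comparison stands in for the learned comparison (e.g., the random forest of claim 4) and is not the reference's method.

```python
"""Added illustration (not from the application or the cited references):
a minimal flow-pattern comparison pipeline of the kind the rejected claims
describe. All flow records below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import math

# Constructed flow-summary records as a vSwitch collector might report them:
# (vm_id, src_ip, dst_ip, dst_port, start_time_s, bytes). Only header-level
# and timing fields are carried; no payload or other private data.
FLOWS = [
    ("vm-compromised", "10.0.1.5", "203.0.113.7", 4444, 0, 900),
    ("vm-compromised", "10.0.1.5", "203.0.113.8", 4444, 2, 880),
    ("vm-compromised", "10.0.1.5", "203.0.113.9", 4444, 4, 910),
    ("vm-compromised", "10.0.1.5", "198.51.100.2", 445, 5, 120),
    ("vm-compromised", "10.0.1.5", "198.51.100.3", 445, 6, 120),
    ("vm-compromised", "10.0.1.5", "198.51.100.4", 445, 7, 120),
    ("vm-web", "10.0.2.7", "10.0.3.10", 5432, 0, 4000),
    ("vm-web", "10.0.2.7", "10.0.3.10", 5432, 30, 4100),
    ("vm-web", "10.0.2.7", "10.0.3.11", 443, 60, 7000),
    ("vm-web", "10.0.2.7", "10.0.3.10", 5432, 90, 3900),
    ("vm-new", "10.0.4.2", "203.0.113.20", 4444, 0, 890),
    ("vm-new", "10.0.4.2", "203.0.113.21", 4444, 1, 900),
    ("vm-new", "10.0.4.2", "203.0.113.22", 4444, 3, 905),
    ("vm-new", "10.0.4.2", "198.51.100.9", 445, 4, 130),
    ("vm-new", "10.0.4.2", "198.51.100.10", 445, 5, 125),
]

DATACENTER = ip_network("10.0.0.0/8")  # assumed internal address range
THRESHOLD = 0.8                         # assumed confidence cut-off for mitigation


@dataclass(frozen=True)
class Pattern:
    """One VM's data flow pattern as five threat features, each in [0, 1]."""
    ip: float          # IP-based: fraction of flows leaving the data center
    port: float        # port: distinct destination ports per flow
    temporal: float    # temporal: flows per second of activity (capped at 1)
    spatial: float     # spatial: distinct /24 destination subnets per flow
    aggregated: float  # aggregated: mean bytes per flow, scaled by 10,000

    def as_vector(self):
        return (self.ip, self.port, self.temporal, self.spatial, self.aggregated)


def flows_for(vm_id, flows=FLOWS):
    """Collection step: select the flow-summary records for one VM."""
    return [f for f in flows if f[0] == vm_id]


def pattern(vm_flows) -> Pattern:
    """Analysis step: summarise a VM's flows into a threat-feature vector."""
    n = len(vm_flows)
    if n == 0:
        raise ValueError("no flows for VM")
    external = sum(ip_address(f[2]) not in DATACENTER for f in vm_flows)
    ports = len({f[3] for f in vm_flows})
    times = [f[4] for f in vm_flows]
    subnets = len({ip_network(f"{f[2]}/24", strict=False) for f in vm_flows})
    mean_bytes = sum(f[5] for f in vm_flows) / n
    return Pattern(
        ip=external / n,
        port=ports / n,
        temporal=min(1.0, n / (max(times) - min(times) + 1)),
        spatial=subnets / n,
        aggregated=min(1.0, mean_bytes / 10_000),
    )


def confidence(candidate: Pattern, past: Pattern) -> float:
    """Evaluation step: confidence that `candidate` matches the past pattern,
    1 minus the Euclidean distance normalised by the largest distance
    possible between two points of the unit 5-cube (sqrt(5))."""
    d = math.dist(candidate.as_vector(), past.as_vector())
    return 1.0 - d / math.sqrt(len(candidate.as_vector()))


def evaluate(vm_id, past_compromised_vm="vm-compromised", flows=FLOWS):
    """Compare a VM against the previously-identified compromised VM and
    return (confidence score, mitigation action)."""
    past = pattern(flows_for(past_compromised_vm, flows))
    score = confidence(pattern(flows_for(vm_id, flows)), past)
    action = "sandbox" if score >= THRESHOLD else "none"
    return score, action


if __name__ == "__main__":
    for vm in ("vm-new", "vm-web"):
        score, action = evaluate(vm)
        print(f"{vm}: confidence={score:.3f} action={action}")
```

In this constructed data, vm-new contacts a burst of external hosts on 4444 and 445, as the previously-identified compromised VM did, and scores well above the threshold; vm-web, which talks only to an internal database and TLS endpoint, scores well below it. The confidence score, the five feature families, and the sandbox action correspond to the limitations of claims 3, 5, 6 and 11 as characterized above; a deployed system would learn the comparison from many labelled past patterns rather than from a single hand-picked one.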

Claim 16 recites substantially the same features recited in claim 11 above, and is rejected based on the aforementioned rationale discussed in the rejection.

As regards claim 12, Yadav et al combination discloses the computer storage media of claim 11, wherein the data flow information does not include private information. (Yadav: Fig. 1, ¶17, ¶23-¶30, ¶636, i.e., the threat detection model includes IP, ports, temporal components, i.e., non private data) 

Claim 17 recites substantially the same features recited in claim 12 above, and is rejected based on the aforementioned rationale discussed in the rejection.

As regards claim 13, Yadav et al combination discloses the computer storage media of claim 11, wherein the past data flow pattern is characterized by a threat feature, and wherein the threat feature comprises one or more of an IP-based feature, a port feature, a temporal feature, a spatial feature, and/or an aggregated feature. (Yadav: Fig. 1, ¶17, ¶23-¶30, ¶636, i.e., the threat detection model includes IP, ports, temporal components)

Claim 18 recites substantially the same features recited in claim 13 above, and is rejected based on the aforementioned rationale discussed in the rejection.

As regards claim 15, Yadav et al combination discloses the computer storage media of claim 11, wherein the method further comprises generating a confidence score that indicates a level of confidence that the VM is compromised. (Yadav: ¶479-¶480, ¶487, i.e., the confidence indicator)

Claim 20 recites substantially the same features recited in claim 15 above, and is rejected based on the aforementioned rationale discussed in the rejection.

Claims 14 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Yadav in view of Tzad in view of Ye in view of Singh.

As regards claim 14, Yadav et al combination discloses the computer storage media of claim 11. Although Yadav explicitly discloses machine learning algorithms to perform traffic flow analysis and evaluation (Yadav: ¶26), Yadav does not explicitly teach Random Forest algorithm: wherein the comparison is a random forest analysis of the evaluation tree.
In analogous art, Singh teaches using Random Forest machine learning algorithm for classifying and detecting malicious traffic, thus teaching: wherein the comparison is a random forest analysis of an evaluation tree. (Singh: Abstract, pages 7-9)
Before the effective filing date of the claimed invention, it would have been obvious to a skilled artisan to modify Yadav’s machine learning algorithm for classifying and detecting traffic anomalies to include Random Forest algorithm as taught by Singh with the motivation to perform traffic classification 

Claim 19 recites substantially the same features recited in claim 14 above, and is rejected based on the aforementioned rationale discussed in the rejection.

Claim Objections
Claim 10 is objected to. The claim recites allowable subject matter: “wherein access to private data associated with the previously-identified compromised customer logic is allowed because the previously-identified compromised customer logic is a customer logic owned by the data center or a customer logic that a user authorized access to private data”, which is not taught by the prior art taken alone or in combination. The claim would be allowable if rewritten in independent form including all of the limitations of the respective base claims and any intervening claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED A ZAIDI whose telephone number is (571)270-5995.  The examiner can normally be reached on Monday-Thursday: 5:30AM-5:30PM.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SYED A ZAIDI/Primary Examiner, Art Unit 2432