DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This written action is in response to the communication filed on 03/29/2021.
Claims 1, 11 and 20 were amended.
No Claims were added.
No Claims were canceled.
Claims 1-20 were previously examined and rejected.
Claims 1-20 are pending.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Internet Communications
Applicant is encouraged to submit a written authorization for Internet communications (PTO/SB/439, found at http:/www.uspto.gov/sites/default/files/documents/sb0439.pdf) in the instant patent application to authorize the examiner to communicate with the applicant via email. The authorization will allow the examiner to better practice compact prosecution. The written authorization can be submitted via one of the following methods only: (1) Central Fax, which can be found in the Conclusion section of this Office action; (2) regular postal mail; (3) EFS WEB; or (4) the service window on the Alexandria campus. 

Information Disclosure Statement
No additional information disclosure statement (IDS) has been filed.

Priority
The instant application, filed 10/22/2018, does not claim priority.

Response to Arguments
In response to the objections, dated 02/04/2021, Applicant amended claims 1 and 11 to address the Examiner’s concerns. Accordingly, the objections are withdrawn.
In response to the rejections under 35 U.S.C. 101, dated 02/04/2021, Applicant amended claims 1 and 20 to address the Examiner’s concerns. Accordingly, the objections are withdrawn.
In response to the rejections under 35 U.S.C. 103, dated 02/04/2021, the Applicant amended independent Claims 1, 11 and 20. Since the newly amended claims changed the scope and necessitate new grounds of rejection, Applicant’s arguments are moot.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Examiner’s note: text in bold correspond to the cited prior art reference, ad verbatim. Comments in brackets { } include the Examiner’s mapping of the claimed feature to the cited reference, and observations thereof. 
Claims 1, 2, 3, 4, 8, 10, 11, 12, 13, 14, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub No. 2005/0234920 (Rhodes) in view of U.S. PGPub No. 2014/0269339 (Jaafar).
Referring to independent Claim 1
Regarding Claim 1, Rhodes teaches a system for identifying suspicious traffic, the system comprising:
at least one traffic learning appliance comprising at least one hardware processor (The broadest reasonable interpretation of the term "appliance" includes an instrument, apparatus, or device for a particular purpose or use. See dictionary.com/browse/appliance. In light of the disclosure, the term "traffic learning appliance" is construed as a an instrument, apparatus, or device to compile statistical data for a plurality of hosts. Specification, ¶¶ 7, 22, 23. Furthermore, a host may include an appliance. Specification ¶ 26. Rhodes discloses a collection module 132 for collecting a stream of flow records... [FIG. 1C; ¶ 45]... a processor may be configured to execute the program instructions to perform a computer-executable method... [¶ 95].), the at least one traffic learning appliance being configured to:
compile statistical data for a plurality of hosts sending data traffic to a network device (The phrase "statistical data" is construed as a collection of any network appliances, clients, servers, Internet of things (IoT) devices, or other devices connected to a network, such as a personal computer (PC), a laptop, a smartphone, a tablet PC, a television set, a switch, a router, a smart device, home appliances, and so forth. Specification p. 7, ¶ 26. Rhodes discloses "traffic packets"... [w]hen passed through a network usage data reporting system, network usage data is collected {i.e. compile}... and then correlated and/or aggregated to create a summary record (or "flow record"). [¶ 23]. [S]ummarized information about multiple traffic packets... may include, for example, a source identifier (e.g. a source address or port), a destination identifier (e.g. a destination address or port), a start time and end time, and one or more traffic packet statistics {i.e. statistical data}... [¶ 49].  As shown in FIG. 3, the method may begin in box 310 by collecting a stream of flow records... [¶ 70]. [T]he source address and the destination port may be collected from each flow record... A distribution may be chosen to characterize the number of unique source addresses, which are sending traffic {i.e. plurality of hosts sending data traffic; in Rhodes, a "source" is an entity connected to a network that is responsible for excessive traffic [¶ 35]}... FIG. 4B illustrates an exemplary statistical result (410) displaying the number of unique source addresses that are sending network traffic to more than 250 unique destination (or local) ports on each of the top N servers {i.e. statistical data for a plurality of hosts sending data traffic to a network device}. If statistical result 410 is used for monitoring network activity, one may suspect that up to six sources {i.e. plurality of hosts} may be sending scanning traffic to servers "mail1" {i.e. a network device} and "web3." [¶ 75].); and
based on the statistical data, generate data lists associated with the plurality of hosts, wherein a host of the plurality of hosts is associated with a data list of the data lists (The term "data lists" is construed as tabulated/stored host or FIG. 4B illustrates... unique source addresses {i.e. data lists associated with the plurality of hosts; note that a unique source address is an identifier} that are sending network traffic {i.e. sending data traffic} to more than 250 unique destination (or local) ports {i.e. parameters or factors} on each of the top N servers. [¶ 75]. FIG. 4C illustrates... subscribers (i.e., designated by unique source addresses), which are contributing traffic to... a particular server (e.g., server "mail1" {i.e. sending data traffic to a network device})... [¶ 81]. FIG. 5 plots the ratio of offered load to channel capacity for the Top N subscriber IDs {i.e. here, each subscriber ID is a host of the plurality of hosts; note the horizontal axis identifies each host by its subscriber ID}. [¶ 90].);
a security controller in communication with the at least one traffic learning appliance (Rhodes discloses capture module 135 includes a collection module 132 {i.e. traffic learning appliance} for collecting a stream of flow records… [FIG. 1C; ¶ 45]… [and] an analysis module 136 for analyzing the statistical result generated by statistical module 134 {i.e. together, modules 134 and 136 comprise the security controller; FIG. 1C illustrates modules 132, 134 and 136 in communication}. [¶ 56].), the security controller being configured to:
[[receive a data packet from the host]], the data packet being associated with a plurality of parameters, the data packet being sent by the host to the network device (Rhodes discloses six sources {i.e. host} may be sending scanning traffic to servers "mail1" {i.e. data packet being sent by the host} and "web3." [¶ 75]. [For] multiple traffic packets... metadata (i.e., data about data) may include, for example, a source identifier (e.g. a source address or port), a destination identifier (e.g. a destination address or port), a start time and end time {i.e. the data packet being associated with a plurality of parameters}... [¶ 49]... [and] subscribers (i.e., designated by unique source addresses {i.e. the host}), which are contributing traffic to... a particular server (e.g., server "mail1" {i.e. the data packet being sent by the host})... [FIG. 4C; ¶ 81].);
analyze one or more of the plurality of parameters of the data packet using the data list, the data list being associated with the host (Rhodes discloses analysis result 430 illustrates the percentage of subscribers (i.e., designated by unique source addresses {i.e. host}), which are contributing traffic to less than a particular number of unique destination ports {i.e. one or more of the plurality of parameters of the data packet} on a particular server (e.g., server "mail1" {i.e. a network device})... abnormal activity may be detected, for example, if the percentage of subscribers contributing traffic to less than 10 unique destination ports decreases from about 95% to about 80%. In other words, the percentage of subscribers contributing traffic to more than 10 unique destination ports has increased from about 5% to about 20%. [FIG. 4D; ¶ 82]. FIG. 4B illustrates {i.e. analyze; the broadest reasonable interpretation of the term “analyze” includes tabulate, visualize an summarize. See OneLook.com.}... unique source addresses {i.e. analyze one or more of the plurality of parameters of the data packet using the data list, the data list being associated with the host; note that FIG. 4B is plotting/summarizing tabulated data} that are sending network traffic {i.e. sending data traffic} to more than 250 unique destination (or local) ports on each of the top N servers. [¶ 75]. FIG. 4C illustrates... subscribers (i.e., designated by unique source addresses {i.e. the host}), which are contributing traffic to... a particular server (e.g., server "mail1" {i.e. sending data traffic to a network device})... [¶ 81]. FIG. 5 plots the ratio of offered load to channel capacity for the Top N subscriber IDs {i.e. here, each subscriber ID is a host of the plurality of hosts; note the horizontal axis identifies each host by its subscriber ID}. [¶ 90].);
based on the analysis, determine that the one or more of the plurality of parameters are outside a predetermined tolerance zone (Rhodes discloses abnormal network activity may be detected from the analysis results if the amount of network activity {i.e. one or more of the plurality of parameter} sent to (or from) an observation point exceeds a predefined threshold value {i.e. are outside a predetermined tolerance}. [¶ 77].); and
based on the determination, selectively initiate a mitigation action associated with the host (Rhodes discloses after abnormal activity is detected, to alter a magnification level by which a subset of the network activity is monitored. [Abstract]. For example, the network IDS may initially aggregate the raw data stream in a manner that enables network traffic volume to be tracked per server port. If abnormal network activity is detected (or at least suspected) on a particular server port, the aggregation process may be updated to include subscriber identifying information (e.g., a subscriber ID number, source address or port), which may help to identify the particular subscriber(s) responsible for the abusive traffic sent to the busy server port. [¶ 34]. For example, the network IDS may provide a mechanism for obtaining additional information about the abnormal network activity that was not previously collected or analyzed by the system. Such a mechanism would enable real-time investigations into the abnormal activity, such as detecting a type or source of the attack {i.e. selectively initiate a mitigation action} or abuse (i.e., an event or entity responsible for the excessive traffic). [¶ 35].); and
a storage node in communication with the at least one traffic learning appliance and the security controller, the storage node being configured to store at least the data lists (Rhodes discloses data storage system 140. [¶ 38]. The computer software program, including capture module(s) 135, may also be stored in data storage system 140... data storage system 140 may be included within data analysis system 130 {i.e. FIG. 1A illustrates the storage system in communication with capture modules 135, which are the claimed learning appliance and security controller}... [¶ 44].).
explicitly teach the following feature limitations that Jaafar teaches:
receive a data packet from the host, [[the data packet being associated with a plurality of parameters, the data packet being sent by the host to the network device]] (Jaafar discloses to: receive current network traffic information associated with a remote access server {i.e. receiving data packet(s) from the host}... [¶ 32-33]... network traffic information is based on at least one of the following network parameters associated with the remote access server: network traffic usage `in` per port, network traffic usage `out` per port, point to point protocol (PPP) sessions per port, utilisation ratio of total traffic `in` per slot group, utilisation ratio of total traffic `out` per slot group, and utilisation ratio of total traffic PPP sessions per slot {i.e. data packet being associated with a plurality of parameters}. [¶ 54]. The methods… are implemented… using a computing device, such as a personal or networked computer, that is in communication with the B-RAS {i.e. the host}… to receive network information from the B-RAS including network traffic usage {i.e. receiving data packet(s) from the host}. [¶ 86].).
Rhodes and Jaafar are from a similar field of technology. In particular, Jaafar teaches the following feature limitations that are also disclosed in Rhodes (as discussed above):
at least one traffic learning appliance comprising at least one hardware processor (Jaafar discloses one or more dedicated hardware modules. [¶ 87].), the at least one traffic learning appliance being configured to:
compile statistical data (Jaafar discloses current network traffic information associated with the B-RAS {i.e. host} is obtained... current network traffic information relates to network traffic usage associated with the current day. A similarity value between the current network traffic information and the historical network traffic information is determined... [FIG. 1; ¶ 66].); and
reference network traffic information is generated based on the determined similarity value {i.e. based on the statistical data, distance-based analysis method ¶ 66}. If the similarity value is greater than or equal to a predefined threshold... of 95%, then the current network traffic information is used to generate the reference network traffic information {i.e. generate data lists}... stored as reference network traffic information in a normal usage table {i.e. data list}. [¶ 67].);
a security controller (Jaafar discloses one or more dedicated hardware modules. [¶ 87].), the security controller being configured to:
analyze one or more of the plurality of parameters of the data packet using the data list, the data list being associated with the host (Jaafar discloses reference network traffic information {i.e. data lists} is analysed to determine the first quartile (Q1), third quartile (Q3) and the inter-quartile range (IQR) for use in calculating lower and upper boundaries... The current network traffic {i.e. data packet} information is analysed for values {i.e. parameters} that fall within the lower and upper boundaries... [¶ 79].);
based on the analysis, determine that the one or more of the plurality of parameters are outside a predetermined tolerance zone (Jaafar discloses current network traffic information is analysed and values {i.e. parameters} that are below the lower boundary {i.e. outside a predetermined boundary} or that are above the upper boundary {i.e. outside a predetermined boundary} are identified as outliers... [FIG. 2; ¶ 81].); and
based on the determination, selectively initiate a mitigation action associated with the host (Jaafar discloses values are stored in the outlier data table and an alert is generated and communicated to the network administrator associated with the B-RAS {i.e. associated with the host, broadband remote access server ¶ 1}... the network administrator can then investigate the anomalous data that was identified as an outlier {i.e. selectively initiate a mitigation action} as appropriate. [¶ 82].); and
a storage node (Jaafar discloses current network traffic information {i.e. data lists} is stored as reference network traffic information in a normal usage table 404 of a normal behaviour profile database 406 {i.e. storage node}. [¶ 88]. The anomaly detection system 402 performs the statistical analysis of the current network traffic information and outliers that are identified in steps 110, 208 are stored in the outlier data table 408, which is part of the normal usage profile database 406. [¶ 91].).
Rhodes and Jaafar are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need for the detection of anomalous behaviour in network traffic. [Jaafar; ¶ 1].
Therefore, prior to the instant application’s effective filing date, it would have been obvious to use the system for analysing network traffic of Jaafar with the method for monitoring network activity of Rhodes, thereby enabling the relevant party to investigate the anomaly.
Referring to independent Claim 11
Regarding Claim 1, Rhodes teaches a method for identifying intrusion traffic, the method comprising:
compiling statistical data for a plurality of hosts sending data traffic to a network device (The phrase "statistical data" is construed as a collection of quantitative data. See for example merriam-webster.com/dictionary/statistics. In light of the disclosure, the term "host" is interpreted as any network appliances, clients, servers, Internet of things (IoT) devices, or other devices connected to a network, such as a personal computer (PC), a laptop, a smartphone, a tablet PC, a television set, a switch, a router, a smart device, home appliances, and so forth. Specification p. 7, ¶ 26. Rhodes discloses "traffic packets"... [w]hen passed through a network usage data reporting system, network usage data is collected {i.e. compile}... and then correlated and/or aggregated to create a summary record (or "flow record"). [¶ 23]. [S]ummarized information about multiple traffic packets... may include, for example, a source identifier (e.g. a source address or port), a destination identifier (e.g. a destination address or port), a start time and end time, and one or more traffic packet statistics {i.e. statistical data}... [¶ 49].  As shown in FIG. 3, the method may begin in box 310 by collecting a stream of flow records... [¶ 70]. [T]he source address and the destination port may be collected from each flow record... A distribution may be chosen to characterize the number of unique source addresses {i.e. plurality of hosts; a "source" is an entity responsible for excessive traffic [¶ 35]}, which are sending traffic... FIG. 4B illustrates an exemplary statistical result (410) displaying the number of unique source addresses that are sending network traffic to more than 250 unique destination (or local) ports on each of the top N servers {i.e. statistical data for a plurality of hosts sending data traffic to a network device}. If statistical result 410 is used for monitoring network activity, one may suspect that up to six sources {i.e. plurality of hosts} may be sending scanning traffic to servers "mail1" {i.e. a network device} and "web3." [¶ 75].);
based on the statistical data, generating data lists associated with the plurality of hosts, wherein a host of the plurality of hosts is associated with a data list of the data lists (The term "data lists" is construed as tabulated/stored host or source identifiers and parameters (factors) collected regarding the data traffic related to the source identifiers. Rhodes discloses FIG. 4B illustrates... unique source addresses {i.e. data lists associated with the plurality of hosts; note that a unique source address is an identifier} that are sending network traffic {i.e. sending data traffic} to more than 250 unique destination (or local) ports {i.e. parameters or factors} on each of the top N servers. [¶ 75]. FIG. 4C illustrates... subscribers (i.e., designated by unique source addresses), which are contributing traffic to... a particular server (e.g., server "mail1" {i.e. sending data traffic to a network device})... [¶ 81]. FIG. 5 plots the ratio of offered load to channel capacity for the Top N subscriber IDs {i.e. here, each subscriber ID is a host of the plurality of hosts; note the horizontal axis identifies each host by its subscriber ID}. [¶ 90].); 
[[receiving a data packet from the host]], the data packet being associated with a plurality of parameters, the data packet being sent by the host to the network device (Rhodes discloses six sources {i.e. host} may be sending scanning traffic to servers "mail1" {i.e. data packet being sent by the host } and "web3." [¶ 75]. [For] multiple traffic packets... metadata (i.e., data about data) may include, for example, a source identifier (e.g. a source address or port), a destination identifier (e.g. a destination address or port), a start time and end time {i.e. the data packet being associated with a plurality of parameters}... [¶ 49]... [and] subscribers (i.e., designated by unique source addresses {i.e. the host}), which are contributing traffic to... a particular server (e.g., server "mail1" {i.e. the data packet being sent by the host})... [FIG. 4C; ¶ 81].); 
analyzing one or more of the plurality of parameters associated with the data packet using the data list, the data list being associated with the host (Rhodes discloses analysis result 430 illustrates the percentage of subscribers (i.e., designated by unique source addresses {i.e. host}), which are contributing traffic to less than a particular number of unique destination ports {i.e. one or more of the plurality of parameters of the data packet} on a particular server (e.g., server "mail1" {i.e. a network device})... abnormal activity may be detected, for example, if the percentage of subscribers contributing traffic to less than 10 unique destination ports decreases from about 95% to about 80%. In other words, the percentage of subscribers contributing traffic to more than 10 unique destination ports has increased from about 5% to about 20%. [FIG. 4D; ¶ 82]. FIG. 4B illustrates {i.e. analyzing; the broadest reasonable interpretation of the term “analyzing” includes tabulating, visualizing an summarizing. See OneLook.com.}... unique source addresses {i.e. analyze one or more of the plurality of parameters of the data packet using the data list, the data list being associated with the host; note that FIG. 4B is plotting/summarizing tabulated data} that are sending network traffic {i.e. sending data traffic} to more than 250 unique destination (or local) ports on each of the top N servers. [¶ 75]. FIG. 4C illustrates... subscribers (i.e., designated by unique source addresses {i.e. the host}), which are contributing traffic to... a particular server (e.g., server "mail1" {i.e. sending data traffic to a network device})... [¶ 81]. FIG. 5 plots the ratio of offered load to channel capacity for the Top N subscriber IDs {i.e. here, each subscriber ID is a host of the plurality of hosts; note the horizontal axis identifies each host by its subscriber ID}. [¶ 90].); 
based on the analysis, determining that the one or more of the plurality of parameters are outside a predetermined tolerance zone (Rhodes discloses abnormal network activity may be detected from the analysis results if the amount of network activity {i.e. one or more of the plurality of parameter} sent to (or from) an observation point exceeds a predefined threshold value {i.e. are outside a predetermined tolerance}. [¶ 77].); and 
based on the determination, selectively initiating a mitigation action associated with the host (Rhodes discloses after abnormal activity is detected, to alter a magnification level by which a subset of the network activity is monitored. [Abstract]. For example, the network IDS may initially aggregate the raw data stream in a manner that enables network traffic volume to be tracked per server port. If abnormal network activity is detected (or at least suspected) on a particular server port, the aggregation process may be updated to include subscriber identifying information (e.g., a subscriber ID number, source address or port), which may help to identify the particular subscriber(s) responsible for the abusive traffic sent to the busy server port. [¶ 34]. For example, the network IDS may provide a mechanism for obtaining additional information about the abnormal network activity that was not previously collected or analyzed by the system. Such a mechanism would enable real-time investigations into the abnormal activity, such as detecting a type or source of the attack {i.e. selectively initiate a mitigation action} or abuse (i.e., an event or entity responsible for the excessive traffic). [¶ 35].).
Rhodes does not explicitly teach the following feature limitations that Jaafar teaches:
receiving a data packet from the host, [[the data packet being associated with a plurality of parameters, the data packet being sent by the host to the network device]] (Jaafar discloses to: receive current network traffic information associated with a remote access server {i.e. receiving data packet(s) from the host}... [¶ 32-33]... network traffic information is based on at least one of the following network parameters associated with the remote access server: network traffic usage `in` per port, network traffic usage `out` per port, point to point protocol (PPP) sessions per port, utilisation ratio of total traffic `in` per slot group, utilisation ratio of total traffic `out` per slot group, and utilisation ratio of total traffic PPP sessions per slot {i.e. data packet being associated with a plurality of parameters}. [¶ 54]. The methods… are implemented… using a computing device, such as a personal or networked computer, that is in communication with the B-RAS {i.e. the host}… to receive network information from the B-RAS including network traffic usage {i.e. receiving data packet(s) from the host}. [¶ 86].).
Rhodes and Jaafar are from a similar field of technology. It is noted that Jaafar teaches the following feature limitations that are also disclosed in Rhodes (as discussed above):
compiling statistical data (Jaafar discloses current network traffic information associated with the B-RAS {i.e. host} is obtained... current network traffic information relates to network traffic usage associated with the current day. A similarity value between the current network traffic information and the historical network traffic information is determined... [FIG. 1; ¶ 66].);
based on the statistical data, generating data lists (Jaafar discloses reference network traffic information is generated based on the determined similarity value {i.e. based on the statistical data, distance-based analysis method ¶ 66}. If the similarity value is greater than or equal to a predefined threshold... of 95%, then the current network traffic information is used to generate the reference network traffic information {i.e. generate data lists}... stored as reference network traffic information in a normal usage table {i.e. data list}. [¶ 67].); 
analyzing one or more of the plurality of parameters associated with the data packet using the data list, the data list being associated with the host (Jaafar discloses reference network traffic information {i.e. data lists} is analysed to determine the first quartile (Q1), third quartile (Q3) and the inter-quartile range (IQR) for use in calculating lower and upper boundaries... The current network traffic {i.e. data packet} information is analysed for values {i.e. parameters} that fall within the lower and upper boundaries... [¶ 79].); 
based on the analysis, determining that the one or more of the plurality of parameters are outside a predetermined tolerance zone (Jaafar discloses current network traffic information is analysed and values {i.e. parameters} that are below the lower boundary {i.e. outside a predetermined boundary} or that are above the upper boundary {i.e. outside a predetermined boundary} are identified as outliers... [FIG. 2; ¶ 81].); and 
based on the determination, selectively initiating a mitigation action associated with the host (Jaafar discloses values are stored in the outlier data table and an alert is generated and communicated to the network administrator associated with the B-RAS {i.e. associated with the host, broadband remote access server ¶ 1}... the network administrator can then investigate the anomalous data that was identified as an outlier as appropriate. [¶ 82].).
Rhodes and Jaafar are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need for the detection of anomalous behaviour in network traffic. [Jaafar; ¶ 1].
Therefore, prior to the instant application’s effective filing date, it would have been obvious to use the system for analysing network traffic of Jaafar with the method for monitoring network activity of Rhodes, thereby enabling the relevant party to investigate the anomaly.
Referring to Claims 2 and 12
Regarding Claim 2, the combination of Rhodes and Jaafar teaches the system of Claim 1.
The previous combination further teaches:
the statistical data include one or more of the following: a client address, a server address, a host address, a packet header, a packet size, data characteristics of data packets associated with the plurality of hosts, an amount of traffic, bandwidth associated with traffic, a traffic direction, packet content measurements, and frequency of sending traffic to or by the plurality of hosts (Jaafar discloses traffic information is based on at least one of the following network parameters associated with the remote access server: network traffic usage `in` per port {i.e. amount of traffic and traffic direction}, network traffic usage `out` per port {i.e. amount of traffic and traffic direction}, point to point protocol (PPP) sessions per port, utilisation ratio of total traffic `in` per slot group, utilisation ratio of total traffic `out` per slot group, and utilisation ratio of total traffic PPP sessions per slot. [¶ 28].).
Regarding Claim 12, the rejection of Claim 11 is incorporated. In addition, Claim 12 is a method claim that corresponds to system Claim 2.
Referring to Claims 3 and 13
Regarding Claim 3, the combination of Rhodes and Jaafar teaches the system of Claim 1.
The previous combination further teaches:
ummarized information about multiple traffic packets... may include, for example, a source identifier {i.e. identifiers associated with each of the plurality of hosts} (e.g. a source address or port), a destination identifier (e.g. a destination address or port), a start time and end time, and one or more traffic packet statistics {i.e. collecting the statistical data based on source identifiers}... [¶ 49].).
Regarding Claim 13, the rejection of Claim 11 is incorporated. In addition, Claim 13 is a method claim that corresponds to system Claim 3.
Referring to Claims 4 and 14
Regarding Claim 4, the combination of Rhodes and Jaafar teaches the system of Claim 1.
The previous combination further teaches:
the mitigation action includes one or more of the following: dropping the data packet, adding the host associated with the data packet to a black list, performing additional verification, and redirecting the data packet to a threat protection system (Jaafar discloses values are stored in the outlier data table and an alert is generated and communicated to the network administrator... the network administrator can then investigate the anomalous data {i.e. performing additional verification} that was identified as an outlier as appropriate. [¶ 82].).
Regarding Claim 14, the rejection of Claim 11 is incorporated. In addition, Claim 14 is a method claim that corresponds to system Claim 4.
Referring to Claims 8 and 18
Regarding Claim 8, the combination of Rhodes and Jaafar teaches the system of Claim 1.
The previous combination further teaches:
the security controller is further configured to determine, based on the statistical data, a network traffic behavior associated with each of the plurality of hosts, wherein the data lists store the network traffic behavior of each of the plurality of hosts (Jaafar discloses current network traffic information is received by an anomaly detection system 402. The anomaly detection system 402 is arranged to determine the similarity value between the current network traffic information and the reference network traffic information (or the historical network traffic information if reference network traffic information has not yet been determined). If the current and reference network traffic information has a sufficiently high similarity value, greater than or equal to 95% in this example {i.e. based on statistical data}, then the current network traffic information is stored as reference network traffic information in a normal usage table 404 of a normal behaviour profile {i.e. determine network traffic behavior associated with each host, in this case "normal"} database 406 {i.e. wherein the data lists store the network traffic behavior}. [¶ 88].).
Regarding Claim 18, the rejection of Claim 11 is incorporated. In addition, Claim 18 is a method claim that corresponds to system Claim 8.
Referring to Claim 10
Regarding Claim 10, the combination of Rhodes and Jaafar teaches the system of Claim 1.
The previous combination further teaches:
the intrusion data packet is associated with a one of the following attacks: a denial of service (DOS) attack, a distributed DOS (DDOS) attack, a Transmission Control Protocol (TCP) ACK+SYN attack, a domain name system (DNS) reflection attack, a DNS water torture attack, a DNS amplification attack, and a TCP reflection attack (Rhodes discloses to monitor network activity for "attack precursors," or events that provide early indication of a possible upcoming attack {i.e. the denial of service (DoS) attack mentioned at the beginning of [¶ 31]}. [¶ 31]. Scanning is one example of an attack {i.e. denial of service (DoS) attack} precursor… the network intrusion detection system described herein is able to detect scan traffic {i.e. intrusion data packet associated with DOS attack}… for early indication of upcoming attacks. [¶ 32].).
Claims 5, 6, 15 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub No. 2005/0234920 (Rhodes) in view of U.S. PGPub No. 2014/0269339 (Jaafar) and further in view of U.S. PGPub No. 2010/0125900 (Dennerline).
Referring to Claims 5 and 15
Regarding Claim 5, the combination of Rhodes and Jaafar teaches the system of Claim 4.
The previous combination does not explicitly teach the following feature limitation that Dennerline teaches:
based on the additional verification, determine that the data packet is a legitimate data packet (Dennerline discloses responsive to a determination that the analyzing the received packet for intrusions before forwarding the received packet is warranted {i.e. based on the additional verification}, a determination may be made as to whether the received packet… does not indicate an intrusion {i.e. determine that the data packet is a legitimate data packet}... [¶ 7].); and
forward the data packet to a server (Dennerline discloses responsive to a determination that the received packet does not indicate an intrusion, the received packet may be forwarded. [¶ 7].).
Rhodes, Jaafar and Dennerline are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need to provide improved techniques for use in a network intrusion prevention system. [Dennerline; ¶ 5].
Therefore, prior to the instant application’s effective filing date, it would have been obvious to use the intrusion protection system of Dennerline in the method for monitoring network activity of Rhodes in order to provide improved techniques for use in a network intrusion prevention system.
Regarding Claim 15, the rejection of Claim 14 is incorporated. In addition, Claim 15 is a method claim that corresponds to system Claim 5.
Referring to Claims 6 and 16
Regarding Claim 6, the combination of Rhodes and Jaafar teaches the system of Claim 4.
The previous combination does not explicitly teach the following feature limitation that Dennerline teaches:
based on the additional verification, determine that the data packet is an intrusion data packet (Dennerline discloses responsive to a determination that the analyzing the received packet for intrusions before forwarding the received packet is warranted {i.e. based on the additional verification}, a determination may be made as to whether the received packet indicates an intrusion… [¶ 7].); and
drop the data packet (Dennerline discloses responsive to a determination that the received packet indicates an intrusion, the received packet may be discarded {i.e. drop the data packet} and an indication may be made that subsequent packets of the flow should be discarded {i.e. dropped}. [¶ 8].).
Rhodes, Jaafar and Dennerline are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need to provide improved techniques for use in a network intrusion prevention system. [Dennerline; ¶ 5].
Therefore, prior to the instant application’s effective filing date, it would have been obvious to use the intrusion protection system of Dennerline in the method for monitoring network activity of Rhodes in order to provide improved techniques for use in a network intrusion prevention system.
Regarding Claim 16, the rejection of Claim 14 is incorporated. In addition, Claim 16 is a method claim that corresponds to system Claim 6.
Claims 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub No. 2005/0234920 (Rhodes) in view of U.S. PGPub No. 2014/0269339 (Jaafar) and further in view of U.S. PGPub No. 2020/0099703 (Singh).
Referring to Claims 7 and 17
Regarding Claim 7, the combination of Rhodes and Jaafar teaches the system of Claim 4.
The previous combination does not teach the following feature limitation that Singh teaches:
in response to redirecting the data packet to the threat protection system, receive a modified data packet from the threat protection system, the modified data packet including the data packet modified by the threat protection system based on predetermined rules (Singh discloses the IP table rule {i.e. based on predetermined rules} may specify that any encrypted data packets are to be mirrored and routed to the intrusion detection system 325 {i.e. redirecting the packet to the threat protection system}... to execute intrusion detection functionality upon the unencrypted data packet 355... [¶ 44]. Accordingly {i.e. in response to redirecting the data packet}, at 220, the proxy {i.e. of the load balancer host - the threat protection system} is controlled to encrypt the unencrypted data packet to create an encrypted data packet 360 {i.e. data packet modified by the threat protection system}... [and] transmit the encrypted data packet 360 over the network 310 to the destination computing node 335 {i.e. receive a modified data packet from the threat protection system}... [¶ 48].).
Rhodes, Jaafar and Singh are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need to improve security provided by the network computing environment. [Singh; ¶ 17].
Therefore, prior to the instant application’s effective filing date, it would have been obvious to use the intrusion detection on load balanced network traffic of Singh in the method for monitoring network activity of Rhodes in order to improve[] existing technological processes for load balancing by controlling the single load balancer host to perform a combination of intrusion detection and load balancing upon secure network traffic.
Regarding Claim 17, the rejection of Claim 14 is incorporated. In addition, Claim 17 is a method claim that corresponds to system Claim 7.
Claims 9 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub No. 2005/0234920 (Rhodes) in view of U.S. PGPub No. 2014/0269339 (Jaafar) and further in view of U.S. PGPub No. 2018/0063161 (Kopp).
Referring to Claims 9 and 19
Regarding Claim 9, the combination of Rhodes and Jaafar teaches the system of Claim 1.
The previous combination does not explicitly teach the following feature limitation that Kopp teaches:
based on the determining that the one or more of the plurality of parameters are outside the predetermined tolerance zone, classify the data packet to be an intrusion traffic (Kopp discloses any network traffic with a detection statistic exceeding the threshold {i.e. based on the determining that the one or more of the plurality of parameters are outside the predetermined tolerance zone} will be classified as malicious {i.e. intrusion traffic}. [¶ 25].).
Rhodes, Jaafar and Kopp are from a similar field of technology. Prior to the instant application’s effective filing date, it was useful to track, identify, and/or safeguard against new malware, as well as mutating or shifting network threats. [Kopp; ¶ 12].
Therefore, prior to the instant application’s effective filing date, it would have been obvious to use the rapid, targeted network threat detection of Kopp in the method for monitoring network activity of Rhodes for rapidly detecting network threats with targeted detectors.
Regarding Claim 19, the rejection of Claim 11 is incorporated. In addition, Claim 19 is a method claim that corresponds to system Claim 9.
Referring to independent Claim 20
Regarding Claim 20, Rhodes teaches a system for identifying suspicious traffic, the system comprising:
at least one traffic learning appliance comprising at least one hardware processor (The broadest reasonable interpretation of the term "appliance" includes an instrument, apparatus, or device for a particular purpose or use. See dictionary.com/browse/appliance. In light of the disclosure, the term "traffic learning appliance" is construed as a an instrument, apparatus, or device to compile statistical data for a plurality of hosts. Specification, ¶¶ 7, 22, 23. Furthermore, a host may include an appliance. Specification ¶ 26. Rhodes discloses a collection module 132 for collecting a stream of flow records... [FIG. 1C; ¶ 45]... a processor may be configured to execute the program instructions to perform a computer-executable method... [¶ 95].), the at least one traffic learning appliance being configured to: 
compile statistical data for a plurality of hosts sending data traffic to a network device, wherein the compiling of the statistical data for the plurality of hosts includes collecting the statistical data based on source identifiers associated with each of the plurality of hosts (The phrase "statistical data" is construed as a collection of quantitative data. See for example merriam-webster.com/dictionary/statistics. In light of the disclosure, the term "host" is any network appliances, clients, servers, Internet of things (IoT) devices, or other devices connected to a network, such as a personal computer (PC), a laptop, a smartphone, a tablet PC, a television set, a switch, a router, a smart device, home appliances, and so forth. Specification p. 7, ¶ 26. Rhodes discloses packets (or "traffic packets")... [w]hen passed through a network usage data reporting system, network usage data is collected {i.e. compile}... and then correlated and/or aggregated to create a summary record (or "flow record"). [¶ 23]. [S]ummarized information about multiple traffic packets... may include, for example, a source identifier {i.e. identifiers associated with each of the plurality of hosts} (e.g. a source address or port), a destination identifier (e.g. a destination address or port), a start time and end time, and one or more traffic packet statistics {i.e. collecting the statistical data based on source identifiers}... [¶ 49].  As shown in FIG. 3, the method may begin in box 310 by collecting a stream of flow records... [¶ 70]. [T]he source address and the destination port may be collected from each flow record... A distribution may be chosen to characterize the number of unique source addresses {i.e. plurality of hosts; a "source" is an entity responsible for excessive traffic [¶ 35]}, which are sending traffic... FIG. 4B illustrates an exemplary statistical result (410) displaying the number of unique source addresses that are sending network traffic to more than 250 unique destination (or local) ports on each of the top N servers {i.e. statistical data for a plurality of hosts sending data traffic to a network device}. If statistical result 410 is used for monitoring network activity, one may suspect that up to six sources {i.e. plurality of hosts} may be sending scanning traffic to servers "mail1" {i.e. a network device} and "web3." [¶ 75].); and 
based on the statistical data, generate data lists associated with the plurality of hosts, wherein a host of the plurality of hosts is associated with a data list of the data lists (The term "data lists" is construed as tabulated/stored host or FIG. 4B illustrates... unique source addresses {i.e. data lists associated with the plurality of hosts; note that a unique source address is an identifier} that are sending network traffic {i.e. sending data traffic} to more than 250 unique destination (or local) ports {i.e. parameters or factors} on each of the top N servers. [¶ 75]. FIG. 4C illustrates... subscribers (i.e., designated by unique source addresses), which are contributing traffic to... a particular server (e.g., server "mail1" {i.e. sending data traffic to a network device})... [¶ 81]. FIG. 5 plots the ratio of offered load to channel capacity for the Top N subscriber IDs {i.e. here, each subscriber ID is a host of the plurality of hosts; note the horizontal axis identifies each host by its subscriber ID}. [¶ 90].); 
a security controller in communication with the at least one traffic learning appliance (Rhodes discloses capture module 135 includes a collection module 132 {i.e. traffic learning appliance} for collecting a stream of flow records… [FIG. 1C; ¶ 45]… [and] an analysis module 136 for analyzing the statistical result generated by statistical module 134 {i.e. together, modules 134 and 136 comprise the security controller; FIG. 1C illustrates modules 132, 134 and 136 in communication}. [¶ 56].), the security controller being configured to: 
[[receive a data packet from the host]], the data packet being associated with a plurality of parameters, the data packet being sent by the host to the network device (Rhodes discloses six sources {i.e. host} may be sending scanning traffic to servers "mail1" {i.e. data packet being sent by the host} and "web3." [¶ 75]. [For] multiple traffic packets... metadata (i.e., data about data) may include, for example, a source identifier (e.g. a source address or port), a destination identifier (e.g. a destination address or port), a start time and end time {i.e. the data packet being associated with a plurality of parameters}... [¶ 49]... [and] subscribers (i.e., designated by unique source addresses {i.e. the host}), which are contributing traffic to... a particular server (e.g., server "mail1" {i.e. the data packet being sent by the host})... [FIG. 4C; ¶ 81].); 
analyze one or more of the plurality of parameters of the data packet using the data list, the data list being associated with the host (Rhodes discloses analysis result 430 illustrates the percentage of subscribers (i.e., designated by unique source addresses {i.e. host}), which are contributing traffic to less than a particular number of unique destination ports {i.e. one or more of the plurality of parameters of the data packet} on a particular server (e.g., server "mail1" {i.e. a network device})... abnormal activity may be detected, for example, if the percentage of subscribers contributing traffic to less than 10 unique destination ports decreases from about 95% to about 80%. In other words, the percentage of subscribers contributing traffic to more than 10 unique destination ports has increased from about 5% to about 20%. [FIG. 4D; ¶ 82]. FIG. 4B illustrates {i.e. analyze; the broadest reasonable interpretation of the term “analyze” includes tabulate, visualize an summarize. See OneLook.com.}... unique source addresses {i.e. analyze one or more of the plurality of parameters of the data packet using the data list, the data list being associated with the host; note that FIG. 4B is plotting/summarizing tabulated data} that are sending network traffic {i.e. sending data traffic} to more than 250 unique destination (or local) ports on each of the top N servers. [¶ 75]. FIG. 4C illustrates... subscribers (i.e., designated by unique source addresses {i.e. the host}), which are contributing traffic to... a particular server (e.g., server "mail1" {i.e. sending data traffic to a network device})... [¶ 81]. FIG. 5 plots the ratio of offered load to channel capacity for the Top N subscriber IDs {i.e. here, each subscriber ID is a host of the plurality of hosts; note the horizontal axis identifies each host by its subscriber ID}. [¶ 90].); 
based on the analysis, determine that the one or more of the plurality of parameters are outside a predetermined tolerance zone (Rhodes discloses abnormal network activity may be detected from the analysis results if the amount of network activity {i.e. one or more of the plurality of parameter} sent to (or from) an observation point exceeds a predefined threshold value {i.e. are outside a predetermined tolerance}. [¶ 77].); and
a storage node in communication with the at least one traffic learning appliance and the security controller, the storage node being configured to store at least the data lists (Rhodes discloses data storage system 140. [¶ 38]. The computer software program, including capture module(s) 135, may also be stored in data storage system 140... data storage system 140 may be included within data analysis system 130 {i.e. FIG. 1A illustrates the storage system in communication with capture modules 135, which are the claimed learning appliance and security controller}... [¶ 44].).
Rhodes does not explicitly teach the following feature limitation that Jaafar teaches:
receive a data packet from the host, [[the data packet being associated with a plurality of parameters, the data packet being sent by the host to the network device]] (Jaafar discloses to: receive current network traffic information associated with a remote access server {i.e. receiving data packet(s) from the host }... [¶ 32-33]... network traffic information is based on at least one of the following network parameters associated with the remote access server: network traffic usage `in` per port, network traffic usage `out` per port, point to point protocol (PPP) sessions per port, utilisation ratio of total traffic `in` per slot group, utilisation ratio of total traffic `out` per slot group, and utilisation ratio of total traffic PPP sessions per slot {i.e. data packet being associated with a plurality of parameters}. [¶ 54]. The methods… are implemented… using a computing device, such as a personal or networked computer, that is in communication with the B-RAS {i.e. the host}… to receive network information from the B-RAS including network traffic usage {i.e. receiving data packet(s) from the host}. [¶ 86].).
Rhodes and Jaafar are from a similar field of technology. It is noted that Jaafar teaches the following feature limitations that are also disclosed in Rhodes (as discussed above):
at least one traffic learning appliance comprising at least one hardware processor (Jaafar discloses one or more dedicated hardware modules. [¶ 87].), the at least one traffic learning appliance being configured to:
compile statistical data (Jaafar discloses current network traffic information associated with the B-RAS {i.e. host} is obtained... current network traffic information relates to network traffic usage associated with the current day. A similarity value between the current network traffic information and the historical network traffic information is determined... [FIG. 1; ¶ 66].); and
based on the statistical data, generate data lists (Jaafar discloses reference network traffic information is generated based on the determined similarity value {i.e. based on the statistical data, distance-based analysis method ¶ 66}. If the similarity value is greater than or equal to a predefined threshold... of 95%, then the current network traffic information is used to generate the reference network traffic information {i.e. generate data lists}... stored as reference network traffic information in a normal usage table {i.e. data list}. [¶ 67].);
a security controller (Jaafar discloses one or more dedicated hardware modules. [¶ 87].), the security controller being configured to:
analyze one or more of the plurality of parameters of the data packet using the data list, the data list being associated with the host (Jaafar discloses reference network traffic information {i.e. data lists} is analysed to determine the first quartile (Q1), third quartile (Q3) and the inter-quartile range (IQR) for use in calculating lower and upper boundaries... The current network traffic {i.e. data packet} information is analysed for values {i.e. parameters} that fall within the lower and upper boundaries... [¶ 79].);
current network traffic information is analysed and values {i.e. parameters} that are below the lower boundary {i.e. outside a predetermined boundary} or that are above the upper boundary {i.e. outside a predetermined boundary} are identified as outliers... [FIG. 2; ¶ 81].); and
based on the determination, selectively initiate a mitigation action associated with the host (Jaafar discloses values are stored in the outlier data table and an alert is generated and communicated to the network administrator associated with the B-RAS {i.e. associated with the host, broadband remote access server ¶ 1}... the network administrator can then investigate the anomalous data that was identified as an outlier as appropriate. [¶ 82].); and
a storage node, the storage node being configured to store at least the data lists (Jaafar discloses current network traffic information {i.e. data lists} is stored as reference network traffic information in a normal usage table 404 of a normal behaviour profile database 406 {i.e. storage node}. [¶ 88]. The anomaly detection system 402 performs the statistical analysis of the current network traffic information and outliers that are identified in steps 110, 208 are stored in the outlier data table 408, which is part of the normal usage profile database 406. [¶ 91].).
Rhodes and Jaafar are from a similar field of technology. Prior to the instant application’s effective filing date, there was a need for the detection of anomalous behaviour in network traffic. [Jaafar; ¶ 1].
Therefore, prior to the instant application’s effective filing date, it would have been obvious to use the system for analysing network traffic of Jaafar with the method for monitoring network activity of Rhodes, thereby enabling the relevant party to investigate the anomaly.
The combination Rhodes and Jaafar does not explicitly teach the following feature limitations that Kopp teaches:
any network traffic with a detection statistic exceeding the threshold {i.e. outside the predetermined tolerance zone} will be classified as malicious {i.e. intrusion traffic}. [¶ 25].); and
based on the classification, selectively initiate a mitigation action associated with the host (Kopp discloses any network traffic with a detection statistic exceeding the threshold will be classified as malicious.. thus, incoming traffic can be quickly evaluated by the targeted detector. When malicious traffic is identified, appropriate action may be taken at step 506 {i.e. based on the classification, selectively initiate a mitigation action}. For example, the traffic may be blocked, associated IP information (e.g., a host or originating IP address {i.e. associated with the host}) may be added to a black list, or any other such action that may prevent the malicious traffic from impacting an inner network, such as an enterprise network. [¶ 25].).
Rhodes, Jaafar and Kopp are from a similar field of technology. Prior to the instant application’s effective filing date, it was useful to track, identify, and/or safeguard against new malware, as well as mutating or shifting network threats. [Kopp; ¶ 12].
Therefore, prior to the instant application’s effective filing date, it would have been obvious to use the rapid, targeted network threat detection of Kopp in the method for monitoring network activity of Rhodes for rapidly detecting network threats with targeted detectors.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Refer to PTO-892, Notice of References Cited for a listing of analogous art.
US 20060140369 (Altmann; Jorn et al.) - network usage analysis system includes a data collector that is coupled to a network comprising a plurality of links. The data collector collects usage data corresponding to an identification of subscribers.
US 20060141983 (Jagannathan; Srinivasan et al.) - network usage analysis system includes a data collector that is coupled to a network. The network has a first and a second network 
US 20050223089 (Rhodes, Lee) - system and method is provided herein for detecting congested locations within a network. The method includes receiving a stream of UDRs from one or more observation points within the network. The method further comprises computing an amount of bandwidth utilized by each UDR as each UDR is received from the observation point, generating a statistical distribution of the UDRs based on the amount of bandwidth utilized by each UDR, and analyzing the statistical to detect a congested location associated with the observation point.
US 20030033403 A1 (Rhodes, N. Lee) - network usage analysis system and method having a dynamic statistical data distribution system and method is disclosed herein. In one embodiment, the present invention provides a method for substantially real-time analyzing of a stream of data. The method includes receiving the stream of data. A data distribution is determined representative of the stream of data, including creating data bins having exponentially increasing sizes, and allocating a statistical representation of the data in the data bins. The data distribution is used to analyze the stream of data.
US 9258217 (Duffield; Nicholas et al.) - system to detect anomalies in internet protocol (IP) flows uses a set of machine-learning (ML) rules that can be applied in real time at the IP flow level. A communication network has a large number of routers that can be equipped with flow monitoring capability. A flow collector collects flow data from the routers throughout the communication network and provides them to a flow classifier. At the same time, a limited number of locations in the network monitor data packets and generate alerts based on packet data properties. The packet alerts and the flow data are provided to a machine learning system that detects correlations between the packet-based alerts and the flow data to thereby generate a series of flow-level alerts. These rules are provided to the flow time classifier.
US 20140143868 (Shiva; SM Prakash et al.) - method of monitoring for anomalies in a computing environment comprises, with a processor building an anomaly detection system based on topology guided statistical analysis, and creating a number of correlation rules based on a number of detected anomalies and information provided by a security alerts database.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RICHARD W CRUZ-FRANQUI whose telephone number is (313)446-6571.  The examiner can normally be reached on M-F 5:30-2:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on (571)272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/RICHARD W CRUZ-FRANQUI/Examiner, Art Unit 2498        

/YIN CHEN SHAW/Supervisory Patent Examiner, Art Unit 2498