DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is in response to communication filed 03/10/2021. Claims 1, 5-8, 12-13 and 15-17 are amended, claim 4 is canceled and claims 18-21 are newly added.

Remarks
Claim Objections:
In response to corrective amendments, the respective objections to claims 5 and 8 are withdrawn.

35 U.S.C. 112(b):
In response to corrective amendments, the respective 112(b) rejections of claims 5-8 and 15 are withdrawn. The 112(b) rejection of canceled claim 4 is moot.

Response to Arguments
Applicant's arguments filed 03/10/2021, i.e., Remarks: pages 9-10, have been fully considered but they are not persuasive. 
Claim 1 has been amended as follows:
“A method for out-of-path detection of cyber-attacks, comprising:
receiving, by a detector, a plurality of data feeds from a plurality of data sources, wherein the detector is communicatively connected to the plurality of data sources;

ingesting the plurality of received data feeds to generate the enriched Flow data sets, wherein each of the enriched Flow data sets includes a portion of traffic Flow data and a portion of supplementary enrichment data, wherein the supplementary enrichment data includes information other than determined threat-related information; 
analyzing the enriched Flow data sets to detect a potential cyber-attack; and 
upon detection of a potential cyber-attack, providing indication to each network entity of the network entities that is under attack”.

Regarding applicability of Harris, applicant argues:
First, “Paragraph 125 of Harris teaches the adding of threat feed data to each network flow event record. Thus, paragraphs 73 and 74 teach only adding determined threat-related information, which is the opposite of that which is now called for in the claim.” 

Second, “In addition, a careful reading of paragraph 125 of Harris indicates that it is not the received data feeds that are enriched, but rather individual network flow event records. Thus, the supplementation in Harris is something different what is called for by the claim because they relate to different things.”

Third, “Furthermore, the supplementation in Harris occurs after there are already event records, which is at a later time than the enrichment occurs in the claim. Thus, not only does Harris not enrich what is required to be enriched per the claim, Harris performs its supplementation at a different time.”

Then, applicant alleges:

“Thus, Harris does not teach this claim element” – Remarks: page 9.



Examiner respectfully disagrees.

First above, examiner notes that the newly amended negative limitation “…, wherein the supplementary enrichment data includes information other than determined threat-related information” requires an explicit support in the original disclosure because otherwise such exclusion from the scope for mere purpose of dismissing/overcoming a prior art reference would raise a “New Matter” issue. Regardless, Harris explicitly discloses “ESP application 508 defines how incoming event streams from the device(s) executing ingest application 506 are transformed into outgoing event streams output to ESP output adapter application 512 …when executed, ESP application 508 defines and starts ESPE 700 at the first group of computing devices 600.  ESPE 700 may analyze and process events in motion or "event streams." Instead of storing data and running queries against the stored data, ESPE 700 may store queries and stream data through them to allow continuous analysis of data as it is received…ESPE 700 may include one or more projects 702…Each project of the one or more projects 702 may include one or more continuous queries 704 that contain data flows, which are data transformations of incoming event streams including event block objects generated by an instantiation of ingest application 506  – Harris: par. 0102-0103, wherein Harris specifically discloses that “each network flow event record is supplemented with three additional types of information: 1) user information from the authentication event block objects, 2) network context information from the network context data, and 3) threat feed information from the threat feed data” – par. 0132 - at least 1) and 2) are not threat related information. 

Second and Third above, the arguments are not persuasive and amount to general allegation and conclusory statements because “Cybersecurity system 110 detects anomalies in enriched network flow record data, web proxy data, syslog data, and authentication data and issues alerts when suspicious activity is identified.  Cybersecurity system 110 provides a rapid detection of anomalies by distributing functionality across a plurality of integrated computing devices to seamlessly evaluate hundreds of thousands of network activity events per second.  Cybersecurity system 110 further allows a system user to investigate and track identified anomalous activity all within the same system.  The received data is contextualized with peer group, user, domain resolution, and other contextualization data as the data flows from ingest application 506 to data enrichment application 518 and index data application 516 so that the data presented by GUI 1800 is relevant to the user of cybersecurity system 110” – par. 0436.

Per the second argument: “the supplementation in Harris is something different what is called for by the claim because they relate to different things” and the third argument: “Harris performs its supplementation at a different time”, applicant’s arguments do not comply with 37 CFR 1.111(c) because they do not clearly point out the patentable novelty which he or she thinks the claims present in view of the state of the art disclosed by the references cited or the objections made. Further, they do not show how the amendments avoid such references or objections. Furthermore, applicant’s arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without 

Finally, in response to applicant’s arguments labeled above under First, Second and Third, the fact that applicant has recognized other advantage(s) which would flow naturally from following the suggestion of the prior art cannot be the basis for patentability when the differences would otherwise be obvious. See Ex parte Obiaya, 227 USPQ 58, 60 (Bd. Pat. App. & Inter. 1985).

Regarding applicability of Muddu, Remarks: pages 9-10, applicant alleges that “motivation to combine” is irrelevant. In response, examiner notes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so, either in the references themselves or in the knowledge generally available to one of ordinary skill in the art. See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007). In this case, [1]. The improvement is relevant because by explicitly teaching “Ingest application 506, ESP application 508, and ESP output adapter application 512 may be installed and executed on a first group of computing devices 600 to support the high speed processing of the large quantity of data that may be included in events 502” – Harris: par. 0092, Harris suggests the need for faster and more efficient processing of large quantity of data. In turn, Muddu explicitly teaches a security platform which is "big data" driven and employs machine learning to perform security analytics and performs user/entity behavioral analytics 

Regarding the relied upon teachings of Harris in view of Muddu with respect to 103 rejections of claims 7, 12-13 and 16-17, applicant’s arguments, on each of the respective claim’s own merit – Remarks: pages 10-11, have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Regarding the relied upon teachings of Harris and Muddu in further view of Lifshitz with respect to 103 rejections of claims 9-11, applicant’s arguments, on each of the respective claim’s own merits – Remarks: page 11, have been considered but amount to mere allegations and conclusory statements. The arguments directed to rejected features in the respective claims parent claims have been responded to above section labeled First, Second and Third.



Nonetheless, new grounds of rejection necessitated by amendments follow.

Claim Objections
Claim 2 is objected to because of the following informalities:  
claim 2 is missing the proper status indicator, i.e., “(Original)”.  
Appropriate correction is required.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1, 6-8, 13, 16-18 and 21 are rejected under 35 U.S.C. 102 (a) (2) as being anticipated by Harris, US2018/0332064A1.


receiving, by a detector, a plurality of data feeds from a plurality of data sources, wherein the detector is communicatively connected to the plurality of data sources (Network monitoring system 100 may include one or more network activity data capture systems.  Network monitoring system 100 may include any number and combination of types of network activity data capture systems.  For example, network activity data capture device(s) 104 may include one or more computing devices that are collector computing devices that receive network flow records from routers and switches related to communications with any of the plurality of monitored devices 102 – Harris: par. 0055); 
processing, by the detector, the plurality of received data feeds to generate enriched Flow data sets (Harris: Fig. 1, 4 and 5 – Note: 104 and 110, wherein 110 includes subcomponents 412, 506, 508 and 512), wherein processing the plurality of received data feeds further comprises: 
ingesting the plurality of received data feeds to generate the enriched Flow data sets, wherein each of the enriched Flow data sets includes a portion of traffic Flow data and a portion of supplementary enrichment data (ESP application 508 defines how incoming event streams from the device(s) executing ingest application 506 are transformed into outgoing event streams output to ESP output adapter application 512 … when executed, ESP application 508 defines and starts ESPE 700 at the first group of computing devices 600.  ESPE 700 may analyze and process events in motion or "event streams." Instead of storing data and running queries against the stored data, ESPE 700 may store queries and stream data through them – Harris: par. 0102 and 0103), wherein the supplementary enrichment data includes information other than determined threat-related information (Note: specifically disclosed is “each network flow event record is supplemented with three additional types of information: 1) user information from the authentication event block objects, 2) network context information from the network context data, and 3) threat feed information from the threat feed data” – par. 0132, wherein at least 1) and 2) are not threat related information); 
analyzing the enriched Flow data sets to detect a potential cyber-attack (the received event block object is processed through the one or more continuous queries 704.  For example, authentication event data included in the event block object received from ingest application 506 is correlated with network flow record event data, web proxy event data, threat feed data, etc. using a continuous query - Harris: par. 0127- 0137 and Fig. 8, operations 816-826); and 
upon detection of a potential cyber-attack, providing indication to each network entity of the network entities that is under attack (Harris: Fig. 8, operation 826 describes providing/outputting summary of analysis. Figures 18-20 describe the details of configuration and presentation of the summary. “Selection of risk analysis tab 1804 provides the user of system user device 300 with detailed data, such as a composite risk score, an organizational context, a behavioral profile, correlations with existing security event logs, and network flow device interactions for investigating a single identified risk event…summary pane 1812 shows risk scores 1900 for IP address 248.229.227.132 and user ID 5dcf2f5fb565156b as a function of time for January 14 between 0500 UTC and 1600 UTC.  From 0500 UTC until 1600 UTC, cybersecurity system 110 detected that IP address 248.229.227.132 communicated with an IP address included as a threat destination IP address and as a result, set the threat feed risk alert indicator represented by threat feed indicator 2000 in operation 1190 and depicted using a red horizontal bar regardless of a risk score exceeding or not exceeding the alert threshold.  Threat feed indicator 2000 indicates the hours of activity in which threat feed interactions occurred for the current device (IP address 248.229.227.132 and user ID 5dcf2f5fb565156b) and the number of unique destination IP addresses to which the current device attempted to connect – par. 0405 and 0408).

Per claim 16, it recites a non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process for out-of-path detection of cyber- attacks (cybersecurity system 110 may include a plurality of integrated computing devices though FIG. 4 shows a representation of cybersecurity system 110 in a single device. Cybersecurity system 110 may include a second input interface 402, a second output interface 404, a second communication interface 406, a second computer-readable medium 408, a second processor 410, a cybersecurity application 412, and cybersecurity data 414. Fewer, different, and additional components may be incorporated into cybersecurity system 110 – Harris: par. 0078 and Fig. 4 and 5), the process comprising the method steps as recited in claim 1.
 1 above. 

Per claim 17, it recites a system for out-of-path detection of cyber-attack, comprising: 
a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry (cybersecurity system 110 may include a plurality of integrated computing devices though FIG. 4 shows a representation of cybersecurity system 110 in a single device. Cybersecurity system 110 may include a second input interface 402, a second output interface 404, a second communication interface 406, a second computer-readable medium 408, a second processor 410, a cybersecurity application 412, and cybersecurity data 414. Fewer, different, and additional components may be incorporated into cybersecurity system 110 – Harris: par. 0078 and Fig. 4 and 5), configure the system to perform the method steps as recited in claim 1.
Therefore, claim 17 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claim 6, Harris discloses the method of claim 1, wherein each of the enriched Flow data sets includes at least a source entity identification and a destination entity identification of the source and destination of traffic as appeared at the Flow data portion (The source and destination IP address included in each network flow event record of the received network flow event block event block objects is also matched to an IP address included in the threat feed data, for example, in a ThreatFeedContext source window.  The threat category ID, risk  – Harris: par. 0132).

Per claim 7, Harris discloses the method of claim 1, wherein analyzing the enriched Flow data sets further comprises: 
clustering the enriched Flow data sets based on at least one feature of each respective pair of a source entity and a destination entity of the traffic Flow data (Peer groups gather internal network users and devices into small subgroups that exhibit similar behavior to better identify anomalous behavior that occurs on the internal network.  Peer group definitions are an important input to cybersecurity system 110.  Additionally, the peer group definitions are dynamic because they regularly change as the internal network composition changes.  This can include changes due to the addition of new employees, removal of employees who leave the entity, change in roles of employees, addition of new hardware, etc. Peer group definitions can be user defined by abstracting the network structure, algorithmically defined (e.g., clustering), or a combination of user and algorithmically defined…Peer groups may be assigned to each unique row in device summary data 614 (source IP address/user ID combination) irrespective of the peer group assigned during the execution of cybersecurity  – Harris: par. 0363 and 0367); and 
baselining the enriched Flow data sets in the same cluster according to the at least one feature (Peer group definition application 1612 further may define classifier data 1616 that can be used to define a peer group assignment dynamically as the internal network composition changes and/or to identify outlier data 1620 that can be used to define network devices and/or users that do not fit the peer group definitions.  Peer grouping may not be based strictly on behavior or the organization hierarchy.  Each informs the other and improves the quality and interpretability of the peer groups.  A peer group ID identifies a peer group to which a user is assigned.  Members of the peer group are identified based on an expected network activity behavior.  Users within a peer group are expected to have similar behavior such that a normal or characteristic behavior can be described for the peer group based on this expectation and to identify abnormal or uncharacteristic behavior based on deviations from the "normal" behavior – Harris: par. 0369 – Note: identifying outlier data anticipates “baselining”).

Per claim 8, Harris discloses the method of claim 7, wherein the at least one feature (Note: peer group definition) is any of: a bandwidth level, a type of application, a type of customer, a type of subscriber, a type of Internet of Things (loT) device, a reputation of the network entity, affinity, direction of the traffic Flow data, and traffic statistics (To begin the process, peer group elements available to assist in the peer group definitions are identified.  these include LDAP organization data, AD permissions, a network device inventory, etc. LDAP and AD are useful when segmenting peer groups for client users.  These users typically utilize devices in an office environment, such as laptops, desktops, phones, tablets, etc. LDAP and AD data may be used to collect information about a particular user's department, job function, and permissions needed to perform their job.  Users with similar department assignments, job functions, and permissions may be aggregated into peer groups – Harris: par. 0365).

Per claim 21, Harris discloses the method of claim 7, wherein the clustering is performed so that clusters are dynamically created based on at least one common behavior other than common traffic (Peer group definition application 1612 further may define classifier data 1616 that can be used to define a peer group assignment dynamically as the internal network composition changes and/or to identify outlier data 1620 that can be used to define network devices and/or users that do not fit the peer group definitions.  Peer grouping may not be based strictly on behavior or the organization hierarchy.  Each informs the other and improves the quality and interpretability of the peer groups.  A peer group ID identifies a peer group to which a user is assigned.  Members of the peer group are identified based on an expected network activity behavior.  Users within a peer group are expected to have similar behavior such that a normal or characteristic behavior can be described for the peer group based on this expectation and to identify abnormal or uncharacteristic behavior based on deviations from the "normal" behavior – Harris: par. 0369 – Note: Peer group definitions .

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

1.	Claims 2-3 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Harris, US2018/0332064A1 in view of Thomas, US2017/0063920A1.

Per claim 2, Harris discloses the method of claim 1. Harris is not relied on to explicitly disclose but in view of Thomas, it discloses further comprising: performing a mitigation action to protect each network entity under attack (Back-end aggregation and analysis of normal patterns of network behavior and ongoing analysis of current network behavior can be provided in the activation component 116.  Reverse-mediation capabilities may be used to coordinate and control the actions of network devices in direct response to threat identifications to cut off or otherwise mitigate the propagation of the DDOS attack.  These devices may include, but are not limited to the following: active or passive network probes; border gateway devices; and firewalls – Thomas: par. 0075-0079).

One of ordinary skill in the art would have been motivated because it would allow a distributed denial of service (DDoS) detection and reaction solution “to provide visibility into network behavior, alert analysts to anomalous events and provide mitigation options to attacks.  The solution provides a dynamic adaptive defense (DAD) capable of receiving an indication of cyber threat and executing defined actions in an automated manner (with or without human intervention) to address that threat” – Thomas: par. 0004.

Per claim 3, Harris discloses the method of claim 1. Harris is not relied on to explicitly disclose but in view of Thomas, it discloses further comprising: normalizing the plurality of received data feeds (The mediation component can also perform analysis by normalizing the inbound data so that data analysis can occur, allowing for routing to the proper remediation plans and techniques such as blocking the threat actor on various assets – Thomas: par. 0056).
The same motivation to modify Harris in view of Thomas applied to claim 2 above applies here.

Per claim 12, Harris discloses the method of claim 1, wherein the attack indication includes an attack signature (Event streams are published into the one or more source windows 706, and from there, the event streams are directed to the next set of connected  – Harris: par. 0109 – Note: pattern matching equates signature matching).
In the alternative, where one argues that “wherein the attack indication includes an attack signature” is not inherent in Harris, Harris in view of Thomas discloses the attack indication includes an attack signature (ingest security event information from multiple sources and formats and normalize to a single security event schema that can be acted upon at an abstract level; pull network information to further enrich and understand a security the event; retrieve threat indicators and signatures from detection solutions to further educate the analyst about the nature of the threat; retrieve analytic results from various network assets; open and manage trouble tickets; interact with policy management and control systems to enforce policy definitions; re-image network and endpoint equipment; enforce policy updates to perimeter defense assets to block threat actors from causing further damage – Thomas: par. 0004).
.

2.	Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Harris, US2018/0332064A1 in view of Thomas, US2018/0176237A1.

Per claim 5, Harris discloses the method of claim 1. Harris is not relied on to explicitly disclose but in view of Freedman, it discloses wherein the supplementary enrichment data includes relevant data gathered from at least one of: Border Gateway Protocol (BGP), Simple Network Management Protocol (SNMP), Remote Authentication Dial-In User Services (RADIUS), Policy and Charging Rules Function (PCRF), active domain name service (DNS) queries, logs, GeolP (Freedman: par. 0069), Threat Intelligence and IP reputation feeds, and Layer 7 entities (Load Balancer (LB) and secure web gateway (SWG)) data (the system merges flow data (call records from network routers, switches, or instrumentation such as NetFlow, sFlow, and IPFIX) with Border Gateway Protocol (BGP) data, FITTP logs, SNMP counters, SMTP logs, and other network activity data – Freedman: par. 0028 – Note: support is provided in provisional 62/279573 at least par. 0030).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Harris in view of Freedman to include wherein the supplementary enrichment data includes relevant data gathered from at least one of: Border Gateway Protocol (BGP), Simple Network Management Protocol (SNMP), Remote Authentication Dial-In User Services (RADIUS), Policy and Charging Rules Function (PCRF), active domain name service (DNS) queries, logs, GeolP (Freedman: par. 0069), Threat 
One of ordinary skill in the art would have been motivated because it would allow “correlating and enriching flow data with BGP and geographical IP information, users of the KDE can recognize how their traffic is flowing across not only their own network but also across the network to which they are connected and via which they reach customers and users across the Internet” – Freedman: par. 0095.

3.	Claims 9-11 are rejected under 35 U.S.C. 103 as being unpatentable over Harris, US2018/0332064A1 in view of Lifshitz, US2019/0380037 A1 further in view of Muddu, US9516053 B1.

Per claim 9, Harris discloses the method of claim 7. Harris is not relied on to disclose but in view of Lifshitz and further in view of Muddu, it discloses wherein baselining the enriched Flow data further comprises: detecting anomaly behavior based on intra-cluster analysis (The present invention may operate by comparing a host (e.g., an IoT device) to other hosts (e.g., to other IoT devices) in its group or in its cluster of IoT devices (rather than merely comparing to a previous "baseline" profile of that device by itself) or having the same device-type.  Infection or compromise or attack are detected as a function of mass behavior of numerous IoT devices, and not merely based on the particular change in pattern behavior of a particular host (IoT device), but based on the aggregated change exhibited by a group of hosts (IoT devise) that increases over time as the attackers infect more and more IoT devices Lifshitz: par. 0052 – Note: support for the feature is provided in provisional 62/525202, page 7) and inter-cluster analysis (Assuming that user 6654 typically interacts with device 6645 from group N2, the access profile of user 6654 includes the group N2 of devices 6644, 6645 and 6646.  The interaction between the user 6654 and device 6642 from group N1 then triggers an out-of-group access anomaly, because the similarity score of device 6642 is significantly different from the similarity scores of devices 6644, 6645 and 6646 within the access profile of user 6654. The detected out-of-group anomaly is an indication of a suspicious lateral movement of a particular user in the network.  Based on the anomaly, the machine learning model 6300 can further decide whether the anomaly 6370 leads to a security threat 6380, as illustrated in FIG. 63 – Muddu: col. 98, lines 65-68 and col. 99, lines 1-18 – Note: similarity score of 6642 in group N1 is significantly different from similarity scores of devices 6644, 6645 and 6646 in group N2. Since user typically interacts with group N2 but does not typically interact with 6642 in group N1, the interaction/behavior between user and 6642 in group N1 triggers an out-of-group access anomaly).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Harris in view of Lifshitz to include wherein baselining the enriched Flow data further comprises: detecting anomaly behavior based on intra-cluster analysis.
One of ordinary skill in the art would have been motivated because it would allow “detecting infection as a function of mass behavior… in a group of hosts that increases over time as the attackers infect more and more systems or devices” – Lifshitz (62/525202): page 7.

One of ordinary skill in the art would have been motivated because it would allow “detecting similarities between users or devices and/or detecting deviations in an entity's activity from a behavioral baseline.  For example, identification of node clusters can facilitate detection of lateral movement by user (e.g., a user accessing a device that he does not normally access) or detection of an account takeover situation” – Muddu: col. 90, lines 58-61, which would further allow to “determine that the user's activity represents an anomaly, or perhaps even a threat” – Muddu: col. 91, lines 6-7.

Per claim 10, Harris-Lifshitz-Muddu discloses the method of claim 9, wherein the intra-cluster analysis further comprises: analyzing behavior of each network entity of a cluster against behavior of other network entities in the same cluster (The present invention may operate by comparing a host (e.g., an IoT device) to other hosts (e.g., to other IoT devices) in its group or in its cluster of IoT devices (rather than merely comparing to a previous "baseline" profile of that device by itself) or having the same device-type.  Infection or compromise or attack are detected as a function of mass behavior of numerous IoT devices, and not merely based on the particular change in pattern behavior of a particular host (IoT device), but based on the aggregated change exhibited by a group of hosts (IoT devise) that increases over time as Lifshitz: par. 0052 – Note: support for the feature is provided in provisional 62/525202 page 7); and determining anomaly based on the analysis (Infection or compromise or attack are detected as a function of mass behavior of numerous IoT devices – Lifshitz: par. 0052).
The same motivation to modify Harris in view of Lifshitz as applied to claim 9 above applies here.

Per claim 11, Harris-Lifshitz-Muddu discloses the method of claim 9, wherein the inter-cluster analysis further comprises: analyzing behavior of each network entity in a cluster against collective behavior of the respective other clusters in the network (Assuming that user 6654 typically interacts with device 6645 from group N2, the access profile of user 6654 includes the group N2 of devices 6644, 6645 and 6646.  The interaction between the user 6654 and device 6642 from group N1 then triggers an out-of-group access anomaly, because the similarity score of device 6642 is significantly different from the similarity scores of devices 6644, 6645 and 6646 within the access profile of user 6654 – Muddu: col. 98, lines 65-68 and col. 99, lines 1-18 – Note: the interaction/behavior between user and 6642 in group N1 triggers an out-of-group access anomaly); and determining anomaly based on the analysis (The detected out-of-group anomaly is an indication of a suspicious lateral movement of a particular user in the network.  Based on the anomaly, the machine learning model 6300 can further decide whether the anomaly 6370 leads to a security threat 6380, as illustrated in FIG. 63 – Muddu: col. 98, lines 65-68 and col. 99, lines 1-18).
.

4.	Claims 14 is rejected under 35 U.S.C. 103 as being unpatentable over Harris, US2018/0332064A1 in view of Wang, US2010/0034102A1.

Per claim 14, Harris discloses the method of claim 1. Harris is not relied on to explicitly disclose but in view of Wang, it discloses wherein the detector is deployed in a backbone network (As shown in FIG. 1, in one preferred embodiment, the system includes a classifier module 12 and a profile module 14.  The profile module 14 derives a network profile from one or more clusters of subnets identified by the classifier 12.  In one preferred embodiment, the profile module 14 derives the network profile in response to receiving subnet-level traffic measurement data from the routers in each cluster – Wang: par. 0032 and Fig. 1). 
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Harris in view of Wang to include wherein the detector is deployed in a backbone network.
One of ordinary skill in the art would have been motivated because it would allow “to enable Netflow monitoring for all ingress links to the backbone” – Wang: par. 0030.

5.	Claims 13 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Harris, US2018/0332064A1 in view of Muddu, US9516053B1.
(In operation 1192, a determination is made concerning whether or not a web proxy denial was identified for the source IP address and user combination.  If there was a web proxy denial, processing continues in an operation 1194…In operation 1194, a web proxy denial risk alert indicator is set indicating that the source IP address and user combination were denied access to a requested destination IP address by a web proxy server – Harris: par. 0328-0329) and Harris is not relied on to disclose but in view of Muddu, it discloses wherein analyzing to detect an attack is performed using a per entity continuous DDoS detection (CDD) algorithm for identified and continuous traffic in the enriched Flow data sets (the security platform includes anomaly models configured to detect a number of different kinds of anomalous activity, such as lateral movement, blacklisted entities, malware communications, rare events, and beacon activity.  Each of these anomaly models would include unique processing logic and parameters for applying the processing logic.  Similarly, each model instance (i.e. for a particular entity) may include unique processing logic and parameters for applying the processing logic.  In some embodiments, processing of event data 2302 is performed in real-time as the event data is received.  In such an embodiment, real-time processing may be performed by a processing engine optimized for high rate or real-time processing, such as Apache Storm or Apache Spark Streaming … FIG. 30 illustrates a use case for identifying threat indicators based on local and global rarity analysis.  As described elsewhere in this specification, in some embodiments, anomalies are detected based on a rarity analysis.  In other words, if an event satisfies a rarity analysis (i.e. is determined to be rare), it is detected as an anomaly – Muddu: col. 59, lines 11-25 and col. 63, lines 35-41).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Harris in view of Muddu to include wherein the potential cyber-attack is at least a distributed denial of service (DDoS) attacks and Harris is not relied on to disclose but in view of Muddu, it discloses wherein analyzing to detect an attack is performed using a per entity continuous DDoS detection (CDD) algorithm for identified and continuous traffic in the enriched Flow data sets.
One of ordinary skill in the art would have been motivated because it would allow to instantiate a plurality of anomaly models wherein “[e]ach model instance may be of a particular model type configured to detect a particular category of anomalies based on incoming event data” – Muddu: col. 59, lines 1-5.

6.	Claims 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Harris, US2018/0332064A1 in view of Westerfeld, US2011/0302290A1.

Per claim 19, Harris discloses the method of claim 1, wherein the potential cyber-attack is at least a distributed denial of service (DDoS) attacks (In operation 1192, a determination is made concerning whether or not a web proxy denial was identified for the source IP address and user combination.  If there was a web proxy denial, processing continues in an operation 1194…In operation 1194, a web proxy denial risk alert indicator is set indicating that the source IP address and user combination were denied access to a requested destination IP address – Harris: par. 0328-0329) and Harris is not relied on to disclose but in view of Westerfeld, it discloses wherein analyzing to detect an attack is performed using a per destination threshold-based sparse DDoS detection (THSDD) algorithm for anonymous and sparse traffic in the enriched Flow data sets (in response to the flow not correlating with any of the information modeled in the resource inventory, the flow likely represents sporadic activity from individuals working inside the datacenter with resources outside the datacenter.  Thus, the network flow may be similarly dropped in operation 260 in response to the flow not correlating with any of the information described in the resource inventory… in one implementation, an operation 280 may further include validating whether the listener that observed the dropped network flow previously collected a certain quantity of useful activity (e.g., in response to the listener having previously collected information resulting in a security violation).  As such, operation 280 may include validating whether the listener represents a useful input gateway from outside the datacenter to inside the datacenter, whereby the listener may continue to observe network flows that can be used to manage the datacenter in other ways – Westerfeld: par. 0039).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Harris in view of Westerfeld to include wherein the potential cyber-attack is at least a distributed denial of service (DDoS) attacks and wherein analyzing to detect an attack is performed using a per destination threshold-based sparse DDoS detection (THSDD) algorithm for anonymous and sparse traffic in the enriched Flow data sets.
 “isolate any resources associated with the new service activity, take action to disable the new service that initiated the unexpected activity, monitor subsequent activity associated with the new service or the isolated resources to derive knowledge relating to how malicious users may attempt to exploit the new service activity, identify other resources that the new service may impact due to dependencies with the isolated or monitored resources” – Westerfeld: par. 0047.

Per claim 20, Harris discloses the method of claim 1. Harris is not relied on to explicitly disclose but in view of Westerfeld, it discloses wherein the potential cyber-attack is at least a distributed denial of service (DDoS) attacks and wherein analyzing to detect an attack is performed using a per destination continuous DDoS detection algorithm for anonymous and continuous traffic in the enriched Flow data sets (operation 265 may include determining that the correlated network flow originates from a resource residing outside the datacenter in response to the flow originating from a resource having a network address that falls outside a sub-range for the datacenter or otherwise lacking description in the inventory.  Thus, in response to the correlated network flow originating from outside the datacenter, the network flow may be similarly dropped in operation 260.  However, in one implementation, an operation 280 may further include validating whether the listener that observed the dropped network flow previously collected a certain quantity of useful activity (e.g., in response to the listener having previously collected information resulting in a security violation).  As such, the listener may continue to observe network flows that can be used to manage the datacenter in other ways – Westerfeld: par. 0039).
The same motivation to modify Harris in view of Westerfeld applied to claim 19 above applies here.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Broda (US2018/0191768A1) discloses determining the cyber threat risk and vulnerability of an organization may be determined taking in to account the chain of service suppliers to the organization. a flow data capture functionality 508 ingests the flow data and flow enrichment functionality 510 processes the data to enrich the captured flow data, which may include various enrichments, including for example identifying a direction of the flow or whether a source is acting as a client or server, or adding additional information from enrichment data 512, such as an organization associated with an IP address, an type of industry the organization operates in, a vertical market the organization operates in, location information for the IP address, as well as other possible data that may be provided based on the data flow information.  

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  


Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533.  The examiner can normally be reached on Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571 - 272 - 3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR 






/AREZOO SHERKAT/Examiner, Art Unit 2434                                                                                                                                                                                                        /KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434