DETAILED ACTION
Continued Examination under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed 03/01/2021, for application 16/202,217 has been entered.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the Amendment filed on 03/01/2021. In the instant amendment: Claims 1, 9 and 17 have been amended and claims 1, 9 and 17 are independent claims. Claims 2 and 10 have been cancelled. Claims 1, 3-9, 11-17 have been examined and are pending. 
Response to Arguments
Rejection under 35 U.S.C. 101 have been withdrawn in light of the claim amendment. 
Applicants’ arguments with respect to amended claims 1, 9 and 17 have been considered but are moot in view of the new ground(s) of rejection. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.


Claims Objections 
Claims 9 is objected to because of the following informalities:
Claim 9 recites “the system comprising… a processor executing instructions stored on a memory…”  To positively recite the memory is a part of the claimed system and for better clarity it’s suggested that the claim be further amended to 
“the system comprising: 
a memory for storing computer executable instructions; and 
a process for executing the computer executable instructions …” 

Correction is required. 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically discloses as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-6, 9, 11-14 are rejected under 35 U.S.C. 103 as being unpatentable over Kashyap et al. (“Kashyap,” US 7860006, patented Dec. 28, 2010) in view of Titonis et al. (“Titonis,” US 20130097706, published April 18, 2013). 
Regarding claim 1, Kashyap discloses a method for detecting anomalous activity on a network, the method comprising: 
receiving data regarding a number of bytes sent from a host device; receiving data regarding a number of bytes sent to the host device (Kashyap FIG. 2, col. 5: 59-67, col. 6: 1-2. In one example, the network anomaly is characterized by packet flooding or excessive traffic of a particular kind of packet, and the method maintains and monitors one or more usage-derived packet statistics relating to this particular kind of packet, such as a cumulative count of the number of packets of this particular type that are received at or transmitted from the network switch, a cumulative count of the number of bytes of packets of this particular type that are received at or transmitted from the switch, the rate at which such packets or packets bytes are received at or transmitted from the switch, or a ratio of such rates. [Note that the switch can be a network device with computing capabilities. See col. 4: 34-38, col. 21: 9-15].); 
calculating, using a processor executing instructions stored on a memory, a ratio between the number of bytes sent from the host device and the number of bytes received by the host device to generate a directionality magnitude (Kashyap FIG. 2, col. 5: 59-67, col. 6: 1-2; col. 21: 9-15. In one example, the network anomaly is characterized by packet flooding or excessive traffic of a particular kind of packet, and the method maintains and monitors one or more usage-derived packet statistics relating to this particular kind of packet, such as a cumulative count of the number of packets of this particular type that are received at or transmitted from the network switch, a cumulative count of the number of bytes of packets of this particular type that are received at or transmitted from the switch, the rate at which such packets or packets bytes are received at or transmitted from the switch, or a ratio of such rates. The rule structure allows one or more rules embodying any of the methods illustrated in FIGS. 1-3 to be formulated and then realized on a particular switch by downloading them to the switch, and then arranging to have one or more processors at the switch compile the rules into executable form (if not already in that form) and execute the rules on an ongoing basis as packets are received at the switch); 
detecting, using the processor, that an anomaly exists on the network based upon the generated z-score exceeding a z-score threshold or the generated directionality magnitude deviating from a baseline directionality magnitude; performing, using the processor, at least one mitigation procedure to mitigate the anomaly upon detecting the anomaly exists (Kashyap FIG. 2, col. 5: 59-67, col. 6: 1-11; col. 21: 9-15. In one example, the network anomaly is characterized by packet flooding or excessive traffic of a particular kind of packet, and the method maintains and monitors one or more usage-derived packet statistics relating to this particular kind of packet, such as a cumulative count of the number of packets of this particular type that are received at or transmitted from the network switch, a cumulative count of the number of bytes of packets of this particular type that are received at or transmitted from the switch, the rate at which such packets or packets bytes are received at or transmitted from the switch, or a ratio of such rates. The method compares the statistic with a threshold to determine if a packet flooding or excessive traffic condition is present. If so, the method performed one or more actions to mitigate the anomaly, such as, for example, by blocking packets of the particular type or having a particular source address from the network switch, disabling the particular switch port at which such packets are received or from which they are transmitted, or logging a message to a server accessible by a network administrator to alert him of the situation.).

However, in an analogous art, Titonis discloses a method, comprising: 
generating, using the processor, a z-score related to the network metadata (Titonis FIG. 15, [0205], [0223], [0338]. An exemplary list of these tables comprises the following but is not limited to:  a Metadata table listing any App Store provided metadata for application binaries and used to (1) expand analysis reports with said relevant metadata for said application binary [e.g., together with malicious sites, IPS, and intrusion rules]. In the present invention, anomaly detection relies on a comparison of current z-scores for both the profile against z-scores for members of the selected set of profiles from the database. In the present system, similarity detection relies on (but is not limited to) fuzzy clustering via Euclidean distance vectors of current Z-scores for both the profile against Z-scores for members of the selected set of profiles from the database. FIG. 15 illustrates an exemplary time view conceptualization of the process of online clustering of a stream of new feature vectors (1501, 1502, 1503, 1504, 1505, 1506) against a set of predefined clusters (1420, 1430, 1440) and their corresponding assignments (1420, 1430, 1420, 1440, 1430) and otherwise, anomaly detection (1506). The anomalous feature vector (1506) exhibits a distance to the centroids (1520, 1530, 1540) of the corresponding predefined clusters (1420, 1430, 1440) that does not exhibit statistical significance for membership on those. The resulting feature vector is updated as an anomaly in the Database (130) (as described in FIG. 17 and FIG. 18), again indexed by the corresponding Request Identifier (250).). 
See Titonis [0338]). 
Regarding claim 3, Kashyap and Titonis disclose the method of claim 1. Kashyap further discloses wherein the network metadata includes at least one feature 20selected from the group consisting of time of a connection, type of connection, connection duration, and byte count (Kashyap FIG. 2, col. 5: 59-67, col. 6: 1-2. In one example, the network anomaly is characterized by packet flooding or excessive traffic of a particular kind of packet, and the method maintains and monitors one or more usage-derived packet statistics relating to this particular kind of packet, such as a cumulative count of the number of packets of this particular type that are received at or transmitted from the network switch, a cumulative count of the number of bytes of packets of this particular type that are received at or transmitted from the switch, the rate at which such packets or packets bytes are received at or transmitted from the switch, or a ratio of such rates. [Note that the switch can be a network device with computing capabilities. See col. 4: 34-38, col. 21: 9-15].). 
Regarding claim 4, Kashyap and Titonis disclose the method of claim 3. Titonis further discloses: comprising detecting the anomaly upon determining a plurality of the features deviate from a feature baseline (Titonis FIGs. 13, 15, [0298]-[0308], [0338]-[0339]. FIG. 13 illustrates exemplary constituting sections of the feature vector (1200) produced for the purposes of machine learning analysis. The feature vector is indexed by the Request Identifier (1205, 250). The constituent sections are such as but not limited to: network summary features (1210), geoip features (1215), network (intrusion) alert features (1220), low-level (i.e., Guest OS) behavioral features (1230), high-level (i.e., emulation of device) behavioral features (1240), file system changes/integrity features (1250), performance (e.g., CPU, Memory, Number of Threads) features (1255), static analysis features (1260), App metadata features (1222), and/or the Validity metric (1270, 1167) computed (1167) for the corresponding LogFiles associated with said Request Identifier (1205). FIG. 15 illustrates an exemplary time view conceptualization of the process of online clustering of a stream of new feature vectors (1501, 1502, 1503, 1504, 1505, 1506) against a set of predefined clusters (1420, 1430, 1440) and their corresponding assignments (1420, 1430, 1420, 1440, 1430) and otherwise, anomaly detection (1506). The anomalous feature vector (1506) exhibits a distance to the centroids (1520, 1530, 1540) of the corresponding predefined clusters (1420, 1430, 1440) that does not exhibit statistical significance for membership on those. The resulting feature vector is updated as an anomaly in the Database (130) (as described in FIG. 17 and FIG. 18), again indexed by the corresponding Request Identifier (250).). 
The motivation is the same as that of claim 3 above. 
Regarding claim 5, Kashyap and Titonis disclose the method of claim 4. Titonis further discloses comprising detecting the anomaly upon determining a number of features deviating from feature baselines exceed a feature threshold (Titonis FIGs. 15-16, [0338]-[0339]. FIG. 15 illustrates an exemplary time view conceptualization of the process of online clustering of a stream of new feature vectors (1501, 1502, 1503, 1504, 1505, 1506) against a set of predefined clusters (1420, 1430, 1440) and their corresponding assignments (1420, 1430, 1420, 1440, 1430) and otherwise, anomaly detection (1506). The anomalous feature vector (1506) exhibits a distance to the centroids (1520, 1530, 1540) of the corresponding predefined clusters (1420, 1430, 1440) that does not exhibit statistical significance for membership on those. The resulting feature vector is updated as an anomaly in the Database (130) (as described in FIG. 17 and FIG. 18), again indexed by the corresponding Request Identifier (250). FIG. 16 illustrates an exemplary small cluster of feature vectors in a two-dimensional space (via K-Means clustering). FIG.16 shows five feature vectors f1, f2., f3, f4 f5 (1601, 1602, 1603, 1604, 1605, respectively) and how four of them can be visualized as a cluster (1610) whose centroid (1600) can be visualized as the center of the cluster's ellipse (1610). It shows that the feature vector f5 (1605) does not lie close-by enough to the ellipse to confidently claim it to be part of the cluster (1610).)
The motivation is the same as that of claim 4 above. 
Regarding claim 6, Kashyap and Titonis disclose the method of claim 3. Titonis further discloses: 
suppressing an alert upon determining a number of features deviating from feature baselines is below a feature threshold (Titonis [0338], [0393]. FIG. 15 illustrates an exemplary time view conceptualization of the process of online clustering of a stream of new feature vectors (1501, 1502, 1503, 1504, 1505, 1506) against a set of predefined clusters (1420, 1430, 1440) and their corresponding assignments (1420, 1430, 1420, 1440, 1430) and otherwise, anomaly detection (1506). The anomalous feature vector (1506) exhibits a distance to the centroids (1520, 1530, 1540) of the corresponding predefined clusters (1420, 1430, 1440) that does not exhibit statistical significance for membership on those. The resulting feature vector is updated as an anomaly in the Database (130) (as described in FIG. 17 and FIG. 18), again indexed by the corresponding Request Identifier (250). FIG. 16 illustrates an exemplary small cluster of feature vectors in a two-dimensional space (via K-Means clustering). [A report including a] network intrusion detection section (3330) providing summary and detail for intrusion alerts itemizing for each such assessment data Such as but not limited to at least one of alert priority, alert classification, alert description, count, internet address(es) associated with alert.). 
The motivation is the same as that of claim 3 above. 
Regarding claim 9, claim 9 is directed to a system corresponding to the method of claim 1. Claim 9 is similar in scope to claim 1 and is therefore rejected under similar rationale. 
Regarding claim 11, claim 11 is directed to a system corresponding to the method of claim 3. Claim 11 is similar in scope to claim 3 and is therefore rejected under similar rationale. 
Regarding claim 12, claim 12 is directed to a system corresponding to the method of claim 4. Claim 12 is similar in scope to claim 4 and is therefore rejected under similar rationale. 
Regarding claim 13, claim 13 is directed to a system corresponding to the method of claim 5. Claim 13 is similar in scope to claim 5 and is therefore rejected under similar rationale. 
Regarding claim 14, claim 14 is directed to a system corresponding to the method of claim 6. Claim 14 is similar in scope to claim 6 and is therefore rejected under similar rationale. 

Claims 7 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Kashyap et al. (“Kashyap,” US 7860006, patented Dec. 28, 2010) in view of Titonis et al. (“Titonis,” US 20130097706, published April 18, 2013) and Krasser et al. (“Krasser,” US 20190026466, filed July 24, 2017).  
Regarding claim 7, Kashyap and Titonis disclose the method of claim 1.  Kashyap and Titonis do not explicitly disclose: wherein the z-score is a directionality magnitude z-score. 
However, in an analogous art, Krasser discloses a method comprising the steps of:
wherein the z-score is a directionality magnitude z-score (Krasser [0052], [0182], [0185]. A data stream 118 or 120, e.g. , an executable file 124 , can be associated with malware if [ ] the data stream is an input file relied on by malware ( e . g . , a large sequence of data designed to trigger a buffer overflow that will permit remote code execution , or shellcode embedded in a document file ). FIG.11 is a dataflow diagram that illustrates an example technique 1100 for determining computational model ( s ) [ ] that can determine whether a trial data stream 120 is associated with malware, and related dataflow. Additionally or alternatively , z - scores or other normalized values can be used in place of the quantile set 1104 in the operations described below [ i.e., may use z-score statistics to determine if the suspecting file or data stream resembles buffer-overflow attack]. ). 
See Krasser [0052]). 
Regarding claim 15, claim 15 is directed to a system corresponding to the method of claim 7. Claim 15 is similar in scope to claim 7 and is therefore rejected under similar rationale. 

Claims 8 and 16 are rejected under 35 U.S.C. 103 as being unptentable over Kashyap et al. (“Kashyap,” US 7860006, patented Dec. 28, 2010) in view of Titonis et al. (“Titonis,” US 20130097706, published April 18, 2013) and Aiello et al. (“Aiello,” US 20060190998, published Aug. 24, 2006). 
Regarding claim 8, Kashyap and Titonis disclose the method of claim 1.  Kashyap and Titonis do not explicitly disclose: wherein generating the z-score includes performing a logarithmic 5transformation on the network metadata. 
However, in an analogous art, Aiello discloses a method comprising the steps of:
wherein generating the z-score includes performing a logarithmic 5transformation on the network metadata (Aiello FIG. 3, [0021]. In one example, in step 302, an initial set of rules corresponding to communication originating from a host may be generated based on an analysis of the network communication between a plurality of hosts in the network during a learning period. Moreover, one skilled in the art will appreciate that log transformation (i.e., transforming the data value for each variable to a logarithmic scale to reduce the effect of outliers at the high end of the value range) and scale standardization (e.g., Z-score normalization where variables are normalized on a common scale to avoid one variable from dominating the other in the cluster) may be used in addition to k-means techniques.). 
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the teachings of Kashyap with the teachings of Aziz and Titonis to include the steps of: wherein generating the z-score includes performing a logarithmic 5transformation on the network metadata, to provide users with a means for using z-score statistics to construct a model for internal communication management and fire-wall policy. (See Aiello [0017]). 
Regarding claim 16, claim 16 is directed to a system corresponding to the method of claim 8. Claim 16 is similar in scope to claim 8 and is therefore rejected under similar rationale. 

Claim 17 is rejected under 35 U.S.C. 103 as being unptentable over Kashyap et al. (“Kashyap,” US 7860006, patented Dec. 28, 2010). 
Regarding claim 17, Kashyap discloses a method for detecting anomalous activity on a network, the method comprising: 
receiving, using an interface, network metadata regarding activity on the network (Kashyap FIG. 3, col. 6, 45-47. Step 302 comprises receiving one or more packets at the network switch or transmitting one or more packets from the network switch.), the 15network metadata including: 
Kashyap FIG. 2, col. 5: 59-67, col. 6: 1-2. In one example, the network anomaly is characterized by packet flooding or excessive traffic of a particular kind of packet, and the method maintains and monitors one or more usage-derived packet statistics relating to this particular kind of packet, such as a cumulative count of the number of packets of this particular type that are received at or transmitted from the network switch, a cumulative count of the number of bytes of packets of this particular type that are received at or transmitted from the switch, the rate at which such packets or packets bytes are received at or transmitted from the switch, or a ratio of such rates. [Note that the switch can be a network device with computing capabilities. See col. 4: 34-38, col. 21: 9-15].); 
calculating, using a processor executing instructions stored on a memory, a ratio between the number of bytes sent from the host device and the number of bytes received by the host device to generate a directionality magnitude (Kashyap FIG. 2, col. 5: 59-67, col. 6: 1-2; col. 21: 9-15. In one example, the network anomaly is characterized by packet flooding or excessive traffic of a particular kind of packet, and the method maintains and monitors one or more usage-derived packet statistics relating to this particular kind of packet, such as a cumulative count of the number of packets of this particular type that are received at or transmitted from the network switch, a cumulative count of the number of bytes of packets of this particular type that are received at or transmitted from the switch, the rate at which such packets or packets bytes are received at or transmitted from the switch, or a ratio of such rates. The rule structure allows one or more rules embodying any of the methods illustrated in FIGS. 1-3 to be formulated and then realized on a particular switch by downloading them to the switch, and then arranging to have one or more processors at the switch compile the rules into executable form (if not already in that form) and execute the rules on an ongoing basis as packets are received at the switch); 
determining that the generated directionality magnitude deviates from a baseline directionality magnitude; performing at least one mitigation procedure upon determining the generated directionality magnitude deviates from the baseline directionality magnitude value (Kashyap FIG. 2, col. 5: 59-67, col. 6: 1-11; col. 21: 9-15. In one example, the network anomaly is characterized by packet flooding or excessive traffic of a particular kind of packet, and the method maintains and monitors one or more usage-derived packet statistics relating to this particular kind of packet, such as a cumulative count of the number of packets of this particular type that are received at or transmitted from the network switch, a cumulative count of the number of bytes of packets of this particular type that are received at or transmitted from the switch, the rate at which such packets or packets bytes are received at or transmitted from the switch, or a ratio of such rates. The method compares the statistic with a threshold to determine if a packet flooding or excessive traffic condition is present. If so, the method performed one or more actions to mitigate the anomaly, such as, for example, by blocking packets of the particular type or having a particular source address from the network switch, disabling the particular switch port at which such packets are received or from which they are transmitted, or logging a message to a server accessible by a network administrator to alert him of the situation.).

However, in another embodiment, Kashyap discloses 
retrieving a baseline directionality magnitude value from a database (Kashyap col.26: 41-54. FIG. 6 illustrates an embodiment 600 of a system comprising one or more non-gateway switches 602a, 602b, 602c, 602d, 602e that are interconnected to form a subnet 604 that is coupled to one or more other subnets 608, 610 through one or more gateway switches or servers 606a, 606b. One or more of the internal, non-gateway switches 602a, 602b, 602C, 602d, 602e within the subnet 604 include a means (such as the one or more processor readable media 400 of FIG. 4 and one or more processors for accessing and executing the rules stored thereon, or logic embodying the rules and other logic for executing the rules) for performing any of the previously described methods, including the methods illustrated in FIGS 1-3.[including rules regarding appropriate thresholds, see col. 9: 1-10.].)
Therefore, it would have been obvious to one of ordinary skill in the art on or before the effective filing date of the claimed invention to combine the embodiments of Kashyap include the steps of: retrieving a baseline directionality magnitude value from a database, to provide users with a means for retrieving and updating rules for blocking network traffic across a network system. (See Kashyap col.26: 41-54.). 


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDWARD LONG whose telephone number is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Luu Pham can be reached on 571 270 5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/EDWARD  LONG/
Examiner, Art Unit 2439

/LUU T PHAM/           Supervisory Patent Examiner, Art Unit 2439