DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Introduction
This office action is in response to Applicant’s communication filed on 4/30/2021. Claims 1-20 have been examined. Claims 1, 5-7, 9, 13-14, and 16-19 have been amended.

Response to Arguments
Applicant’s argument on 35 U.S.C. 103:
Applicant’s arguments, see pages 9-12, filed on 4/30/2021, with respect to the rejection(s) of claims 1-20 have been fully considered.
Applicant Argument #1:
Applicant argues that Belakhdar does not appear to disclose generating, on a per-application network connection basis, a unique connection identifier as claimed. Specifically, Applicant cannot find a teaching in Belakhdar related to generated different unique connection identifiers for each connection that a network computer device makes using a network application (page 11) 
Examiner Response to Argument #1:
Lampert et al. Publication No, US 2017/0289263 A1.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Guo et al. Publication No. US 2005/0015496 A1 (Guo hereinafter) in view of Lampert et al. Publication No, US 2017/0289263 A1 (Lampert hereinafter) and Belakhdar et al. Publication No, US 2007/0240207 A1 (Belakhdar hereinafter).

Regarding claim 1,
Guo teaches a method for use in identifying network peer connections comprising:
identifying by a network computer device (Fig. 8 – peer B), connection details of a new network connection (Para 0060 and Fig. 8 – peer B identifies a new connection with peer A because the peer B has moved to a new place in the network) comprising network identifiers of end points of the new network connection (Para 0060 and Fig. 8 – IP addresses and ports of both peers A and B, end points, of the new connection are determined).
at the network computer device, ordering the connection details according to a predetermined ordering (Para 0057 - the connection information is ordering 
at the network computer device, generating […] a unique connection identifier from the ordered connection details (Para 0047 - Each entry in the local connection translation table 604 associates an original connection specification with a current connection specification. A connection specification includes one or more connection parameters and may uniquely identify a connection between peers; and Para 0061 - Peer B updates its local LCT table. For example, after moving to new IP address IP3, peer B creates a new connection specification in its table that may uniquely identify a connection between peers A and B such as “current connection specification: IP3, port3, IP1, port1, TCP”).
transmitting from the network computer device, the unique connection identifier and host-specific connection information associated with the new network connection to a server for peer connection monitoring (Para 0065 - Peer B sends a Connection Update message 812 to a virtual connectivity subscribe-notify service (VC SNS) 814, wherein the server 814 performs a role for connecting monitoring between peers in the network as disclosed at para 0075 and Fig. 10; and para 0009 - The Connection Update message includes a connection identifier as well as an identifier for the network attachment point to which the peer has moved).
Guo does not explicitly disclose

generating, on a per-application network connection basis, a unique connection identifier.

wherein at least one of user information and application information is incorporated in the unique connection identifier, and wherein different unique connection identifiers are generated for each connection that the network computer device makes using a network application.

monitoring and detection of abnormal behavior for at least one of users and network applications, wherein abnormal behavior of a user is detected based on the user information incorporated in the unique connection identifier, and wherein abnormal behavior of a network application is detected based on the application information incorporated in the unique connection identifier.

Lampert teaches:

generating, on a per-application network connection basis, a unique connection identifier (Para 0029 and Fig. 1 – Web connections 115 may be  

wherein at least one of user information and application information is incorporated in the unique connection identifier (Para 0038 – information regarding the web connection may be the web application being connected to and the credentials that are tied to the web connection), and wherein different unique connection identifiers are generated for each connection that the network computer device makes using a network application (Para 0029 and Fig. 1 – Fig. 1 states that the system 100 include a plurality of web connection 115(s), wherein each web connection 115 is a unique connection established by a user to a web application 120.  Web connections 115 may be facilitated by any application that has the capabilities of connecting to the web application 120 using the network).

Guo and Lampert are analogous art because they are from a similar field of endeavor in the connection monitoring techniques. Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Guo to include the teachings of Lampert. The motivation for doing so is to facilitate cross-web connection communication between web connections and a web application (Lampert, Para 0004).

Belakhdar teaches:

monitoring and detection of abnormal behavior for at least one of users and network applications, wherein abnormal behavior of a user is detected based on the user information incorporated in the unique connection identifier, and wherein abnormal behavior of the network application is detected based on the application information incorporated in the unique connection identifier (Para 0021 - The authentication packets may comprise fields identifying the connection and the user, as well as a field identifying the application. The identification of both the user and the application is particularly useful for modelling the behavior of the individual users in a network and detecting anomalies in individual behavior. The authentication packets may further comprise a process identification field and an application binary checksum field to verify binary integrity of the packet in order to detect abnormal behavior of a network application).

Guo and Belakhdar are analogous art because they are from a similar field of endeavor in the connection monitoring techniques. Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed 

Regarding claim 2, the method of claim 1 above,
Guo teaches

wherein the new network connection is a new inbound connection or a new outbound connection (Para 0051 - connectivity module 602 may intercept each outgoing network protocol unit in an outbound data stream and each incoming network protocol unit in an inbound data stream for determining the connection information).


Regarding claim 3, the method of claim 1 above,
Guo teaches
wherein the connection details comprise a source Internet Protocol (IP) address and port number and a destination IP address and port number (Para 0049 and 0057 - the connection information is ordering as including the IP address and port number of the local peer, the IP address and port number of the remote peer).

Regarding claim 4, the method of claim 3 above,
Guo teaches
wherein the predetermined ordering orders the connection details numerically (Para 0049 - the IP address and port number of connected peers are numerically as IPv4 or IPv6 address numbers; and ports are 16 bit port numbers).

Regarding claim 5, the method of claim 1 above,
Guo teaches
wherein the host-specific connection information comprises one or more of: a host identifier; a user identifier; login information;  applications currently running on the network computer device; an application associated with the new network connection;  a process associated with the new network connection; and Internet Protocol Flow Information Export (IPFIX) data (para 0009 - The Connection Update message includes a connection identifier as well as an identifier for the network attachment point to which the peer has moved; and para 0061 - connection specification information that peer B sending in current 

Regarding claim 6, the method of claim 1 above,
Guo teaches
receiving at the server for peer connection monitoring from the network computer device the unique connection identifier and host-specific connection information (Fig. 11 – The VC SNS receives a connection update message CU 812 from peer B when the peer B having a new connection with peer A. The CU message includes connection identifier information and other information for identifying a connection between two peer A-B as stated at claim 1 above).
receiving at the server for peer connection the unique connection identifier and second host-specific connection information monitoring from a second network computer device (Fig. 11 – The VC SNS also receives a connection update message CU 1104 from peer A when the peer A having a new connection with peer B. The CU message includes connection identifier information and other information for identifying a connection between two peer A-B as stated at claim 1 above).
storing the received host-specific connection information and the second host - specific connection information in association with the unique connection identifier (Para 0075 and Fig. 10 – the VC SNS stores received information from both peers A and B at Subscription Database 1008 for monitoring the connection between the peers).

Regarding claim 7, the method of claim 6 above,
Guo teaches
Receiving, at the server, additional host-specific connection information associated with respective additional unique connection identifiers for each end point of a plurality of additional network connections (Para 0050 - a local peer may participate in multiple communication connections. Each communication connection may be associated with a port number. So, the VC SNS may receive additional connection information from end point of a plurality of additional network connections).

Regarding claim 8, the method of claim 7 above,
Guo teaches
processing the stored host-specific connection information stored in association with connection information for the plurality of additional network connections to identify normal network connection peer behavior (Para 0074 and Fig. 11 - publish module 1010 receives and parses publish messages 1012 from peers and submits parsed network attachment change events 1014 to a match module 1016. The match module 1016 searches the subscription database 1008 for subscriptions matching each network attachment point change event 1014 and submits the compared results for determining whether a particular connection is identified as an unchanged connection, i.e. a normal connection, when the compassion results are “matching”).

Regarding claim 9,
Guo teaches a network computer device (Fig. 8 – peer B) comprising: a processing unit capable of executing instructions; and a memory storing instructions, which when executed by the processing unit configure the network computer device to:
identify connection details of a new network connection (Para 0060 and Fig. 8 – peer B identifies a new connection with peer A because the peer B has moved to a new place in the network) comprising network identifiers of end points of the new network connection (Para 0060 and Fig. 8 – IP addresses and ports of both peers A and B, end points, of the new connection are determined).
arrange the connection details according to a predetermined ordering (Para 0057 - the connection information is ordering as a 5-tuple including the IP address and port number of the local peer, the IP address and port number of the remote peer, and the upper layer protocol type; and Para 0061 - Peer B updates its local LCT table. For example, after moving to new IP address, peer B updates its table 604 with ordering new connection details: IP3, port3, IP1, port1, TCP).
generate […] a unique connection identifier from the ordered connection details (Para 0047 - Each entry in the local connection translation table 604 associates an original connection specification with a current connection specification. A connection specification includes one or more connection parameters and may uniquely identify a connection between peers; and Para 0061 - Peer B updates its local LCT table. For example, after moving to new IP address IP3, peer B creates a new connection specification in its table that may uniquely identify a connection between peers A and B such as “current connection specification: IP3, port3, IP1, port1, TCP”).
transmit from the network computer device, the unique connection identifier and host-specific connection information associated with the new network connection to a server for peer connection monitoring (Para 0065 - Peer B sends a Connection Update message 812 to a virtual connectivity subscribe-notify service (VC SNS) 814, wherein the server 814 performs a role for connecting monitoring between peers in the network as disclosed at para 0075 and Fig. 10; 
Guo does not explicitly disclose

generating, on a per-application network connection basis, a unique connection identifier.

wherein at least one of user information and application information is incorporated in the unique connection identifier, and wherein different unique connection identifiers are generated for each connection that the network computer device makes using a network application.

monitoring and detection of abnormal behavior for at least one of users and network applications, wherein abnormal behavior of a user is detected based on the user information incorporated in the unique connection identifier, and wherein abnormal behavior of the network application is detected based on the application information incorporated in the unique connection identifier.

Lampert teaches:

generating, on a per-application network connection basis, a unique connection identifier (Para 0029 and Fig. 1 – Web connections 115 may be facilitated by any application that has the capabilities of connecting to the web application 120 using the network; and Fig. 1 states that the system 100 include a plurality of web connection 115(s), wherein each web connection 115 is a unique connection established by a user to a web application 120) 

wherein at least one of user information and application information is incorporated in the unique connection identifier (Para 0038 – information regarding the web connection may be the web application being connected to and the credentials that are tied to the web connection), and wherein different unique connection identifiers are generated for each connection that the network computer device makes using a network application (Para 0029 and Fig. 1 – Fig. 1 states that the system 100 include a plurality of web connection 115(s), wherein each web connection 115 is a unique connection established by a user to a web application 120.  Web connections 115 may be facilitated by any application that has the capabilities of connecting to the web application 120 using the network).

Guo and Lampert are analogous art because they are from a similar field of endeavor in the connection monitoring techniques. Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Guo to include the teachings of Lampert. The 

Belakhdar teaches:

monitoring and detection of abnormal behavior for at least one of users and network applications, wherein abnormal behavior of a user is detected based on the user information incorporated in the unique connection identifier, and wherein abnormal behavior of the network application is detected based on the application information incorporated in the unique connection identifier (Para 0021 - The authentication packets may comprise fields identifying the connection and the user, as well as a field identifying the application. The identification of both the user and the application is particularly useful for modelling the behavior of the individual users in a network and detecting anomalies in individual behavior. The authentication packets may further comprise a process identification field and an application binary checksum field to verify binary integrity of the packet in order to detect abnormal behavior of a network application).

Guo and Belakhdar are analogous art because they are from a similar field of endeavor in the connection monitoring techniques. Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Guo to include the teachings of Belakhdar. The motivation for doing so is to detect anomalous behavior in a computer network.


Regarding claim 10, 

Claim 10 is analyzed and interpreted as a network computer device of claim 2.

Regarding claim 11, 

Claim 11 is analyzed and interpreted as a network computer device of claim 3.

Regarding claim 12, 

Claim 12 is analyzed and interpreted as a network computer device of claim 4.

Regarding claim 13, 

Claim 13 is analyzed and interpreted as a network computer device of claim 5.


Regarding claim 14,
Guo teaches a system for use in identifying network peer connections comprising: 

a plurality of network computer devices coupled to a communication network (Fig. 8 – peer B), each network computer device comprising: a processing unit capable of executing instructions; and a memory storing instructions, which when executed by the processing unit of the network computer device, configure the network computer device to:
identify connection details of a new network connection (Para 0060 and Fig. 8 – peer B identifies a new connection with peer A because the peer B has moved to a new place in the network) comprising network identifiers of end points of the new network connection (Para 0060 and Fig. 8 – IP addresses and ports of both peers A and B, end points, of the new connection are determined).
arrange the connection details according to a predetermined ordering (Para 0057 - the connection information is ordering as a 5-tuple including the IP address and port number of the local peer, the IP address and port number of the remote peer, and the upper layer protocol type; and Para 0061 - Peer B updates its local LCT table. For example, after moving to new IP address, peer B updates its table 604 with ordering new connection details: IP3, port3, IP1, port1, TCP).
generate […] a unique connection identifier from the ordered connection details (Para 0047 - Each entry in the local connection translation table 604 associates an original connection specification with a current connection specification. A connection specification includes one or more connection parameters and may uniquely identify a connection between peers; and Para 0061 - Peer B updates its local LCT table. For example, after moving to new IP address IP3, peer B creates a new connection specification in its table that may uniquely identify a connection between peers A and B such as “current connection specification: IP3, port3, IP1, port1, TCP”).
transmit from the network computer device, the unique connection identifier and host-specific connection information associated with the new network connection to a server for peer connection monitoring and (Para 0065 - Peer B sends a Connection Update message 812 to a virtual connectivity subscribe-notify service (VC SNS) 814, wherein the server 814 performs a role for connecting monitoring between peers in the network as disclosed at para 0075 and Fig. 10; and para 0009 - The Connection Update message includes a connection identifier as well as an identifier for the network attachment point to which the peer has moved).
the server for peer connection monitoring (Fig. 11 - a virtual connectivity subscribe-notify service (VC SNS) 814) comprising: a processing unit capable of executing instructions; and a memory storing instructions, which when executed by the processing unit of the server, configure the server to:
receive respective connection identifiers and associated host-specific connection information from the plurality of network computer devices (Fig. 11 – The VC SNS receives a connection update messages CUs 812 and 1104 from peers B and A. The CU message includes connection identifier information and other information for identifying a connection between two peer A-B as stated at claim 1 above; and para 0009 - The Connection Update message includes a connection identifier as well as an identifier for the network attachment point to which the peer has moved).
store the received connection identifiers and associated host-specific connection information (Para 0075 and Fig. 10 – the VC SNS stores received information from both peers A and B at Subscription Database 1008 for monitoring the connection between the peers).
Guo does not explicitly disclose

generating, on a per-application network connection basis, a unique connection identifier.

wherein at least one of user information and application information is incorporated in the unique connection identifier, and wherein different unique connection identifiers are generated for each connection that the network computer device makes using a network application.

monitoring and detection of abnormal behavior for at least one of users and network applications, wherein abnormal behavior of a user is detected based on the user information incorporated in the unique connection identifier, and wherein abnormal behavior of the network application is detected based on the application information incorporated in the unique connection identifier.

Lampert teaches:

generating, on a per-application network connection basis, a unique connection identifier (Para 0029 and Fig. 1 – Web connections 115 may be facilitated by any application that has the capabilities of connecting to the web application 120 using the network; and Fig. 1 states that the system 100 include a plurality of web connection 115(s), wherein each web connection 115 is a unique connection established by a user to a web application 120) 

wherein at least one of user information and application information is incorporated in the unique connection identifier (Para 0038 – information regarding the web connection may be the web application being connected to and the credentials that are tied to the web connection), and wherein different unique connection identifiers are generated for each connection that the network computer device makes using a network application (Para 0029 and Fig. 1 – Fig. 1 states that the system 100 include a plurality of web connection 115(s), 

Guo and Lampert are analogous art because they are from a similar field of endeavor in the connection monitoring techniques. Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Guo to include the teachings of Lampert. The motivation for doing so is to facilitate cross-web connection communication between web connections and a web application (Lampert, Para 0004).

Belakhdar teaches:

monitoring and detection of abnormal behavior for at least one of users and network applications, wherein abnormal behavior of a user is detected based on the user information incorporated in the unique connection identifier, and wherein abnormal behavior of the network application is detected based on the application information incorporated in the unique connection identifier (Para 0021 - The authentication packets may comprise fields identifying the connection and the user, as well as a field identifying the application. The identification of both the user and the application is particularly useful for modelling the behavior of the individual users in a network and detecting anomalies in individual behavior. The authentication packets may further comprise a process identification field and an application binary checksum field to verify binary integrity of the packet in order to detect abnormal behavior of a network application).

Guo and Belakhdar are analogous art because they are from a similar field of endeavor in the connection monitoring techniques. Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Guo to include the teachings of Belakhdar. The motivation for doing so is to detect anomalous behavior in a computer network.

Regarding claim 15, 

Claim 15 is analyzed and interpreted as a system of claim 7.

Regarding claim 16, 

Claim 16 is analyzed and interpreted as a system of claim 8.

Regarding claim 17, 

Claim 17 is analyzed and interpreted as a system of claim 5.

Regarding claim 18, the system of claim 14 above,
Guo teaches

generate a hash with the host-specific connection information and provide the hash to the server, wherein the hash is generated from the ordered connection details such that the hash matches another hash generated at an opposite end of the new network connection (Para 0061 and Fig. 8 - the Connection Update message 808 includes information referencing the original connection, wherein may be a cryptographic hash of the original connection specification; and Para 0065 - Peer B 806 also sends a Connection Update message 812 to a server 814; and Para 0075 - The match module 1016 compares the received information (for example, the hash of original connection specification) with hash information that previous received for determining whether a particular connection is identified as an unchanged connection).


Regarding claim 19, the system of claim 18 above,
Guo teaches

configure the server to compare the hash with a plurality of other hashes for purposes of matching the hash with the another hash generated at the opposite end of the new network connection (Para 0075 and Fig. 11 - publish module 1010 receives and parses the Connection Update message from peers and submits parsed network attachment change events 1014 to a match module 1016. The match module 1016 compares the received information (for example, the hash of original connection specification) with hash information that previous received for determining whether a particular connection is identified as an unchanged connection)


Regarding claim 20, the method of claim 1 above,
Guo does not explicitly disclose

wherein host-specific connection information comprises an ordered listing of at least two of the following: an event category, an event code, an IP address, a timestamp, a process instance ID, a user ID, a user type, an application name, and an application path.

Lampert teaches
wherein host-specific connection information comprises an ordered listing of at least two of the following: an event category, an event code, an IP address, a timestamp, a process instance ID, a user ID, a user type, an application name, and an application path (Fig. 4 – Fig. 4 states that the user information “Credentials” and application information “Web App” are included in each wed connection identifier to generate information of a network connection).- 29 -DOCS 123144-014UT1/2670836.1

Guo and Lampert are analogous art because they are from a similar field of endeavor in the connection monitoring techniques. Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Guo to include the teachings of Belakhdar. The motivation for doing so is to facilitate cross-web connection communication between web connections and a web application.
















Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DA T. TON whose telephone number is (571)272-9956.  The examiner can normally be reached on Mon-Fri (9am-5pm).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Oscar A. Louie can be reached on 571-270-1684.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.





/DA T TON/Acting Patent Examiner of Art Unit 2445                                                                                                                                                                                                        
/YOUNES NAJI/Primary Examiner, Art Unit 2445