DETAILED ACTION
This non-final action is in response to the RCE filed on 07/13/2021.
Claims 1-20 are pending and presented for examination.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 07/13/2021 has been entered.
 
Response to Arguments
Applicant’s arguments filed on 07/13/2021 with respect to claims 1-20 have been considered but they are not persuasive. During patent examination, the pending claims must be “given their broadest reasonable interpretation consistent with the specification.” The Federal Circuit’s en banc decision in Phillips v. AWH Corp., 415 F.3d 1303, 75 USPQ2d 1321 (Fed. Cir. 2005) expressly recognized that the USPTO employs the “broadest reasonable interpretation” standard.

Regarding the 103 rejections, applicant argues that the references do not teach that the script interpreter is arranged to receive network events of the stream of network events directly from the event engine and separately receive the generated host events from the event parser; see pages 10-12 of the Remarks.

In response, examiner respectfully disagrees, because Paxson explicitly discloses that the script interpreter receives the events from the event engine: as illustrated in figure 1 on page 4, the script interpreter receives the events directly from the event engine.

Therefore, the combination of references does in fact teach that the script interpreter is arranged to receive network events of the stream of network events directly from the event engine and separately receive the generated host events from the event parser.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
 (f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 


This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f), because the claim limitations use a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  
Such claim limitations are: “an event parser configured to classify, apply, extract, generate, and expose” as in claim 1.
Such claim limitations are also: “a transport module configured to collect” and “a script configured to establish, receive, extract, assign, construct, and provide” as in claim 7.
Because these claim limitations are being interpreted under 35 U.S.C. 112(f), they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
The original specification at ¶0063 discloses that 
“In one embodiment, the transport module(s) 211 may include a lightweight component (e.g., Winlogbeat) located on the hosts 201, and remaining component(s) located on the network traffic analysis hosts and/or the intermediary devices (for scaling)”. 

The original specification at ¶0057 discloses that 


The original specification at ¶0103-¶0105 discloses that 
“The disclosed examples are often described herein with reference to an implementation in which an on-demand database service environment is implemented in a database system having an application server providing a front end for an on-demand database service capable of supporting multiple tenants. 

It should also be understood that some of the disclosed implementations can be embodied in the form of various types of hardware, software, firmware, or combinations thereof, including in the form of control logic, and using such hardware or software in a modular or integrated manner. Other ways or methods are possible using hardware and a combination of hardware and software. Additionally, any of the software components or functions described in this application can be implemented as software code to be executed by one or more processors using any suitable computer language such as, for example, Java, C++ or Perl using, for example, existing or object-oriented techniques. The software code can be stored as a computer- or processor-executable instructions or commands on a physical non-transitory computer-readable medium. Examples of suitable media include random access memory (RAM), read only memory (ROM), magnetic media such as a hard-drive or a floppy disk, or an optical medium such as a compact disk (CD) or DVD (digital versatile disk), flash memory, and the like, or any combination of such storage or transmission devices. 

Computer-readable media encoded with the software/program code may be packaged with a compatible device or provided separately from other devices (for example, via Internet download). Any such computer-readable medium may reside on or within a single computing device or an entire computer system, and may be among other computer-readable media within a system or network. A computer system, or other computing device, may include a monitor, printer, or other suitable display for providing any of the results mentioned herein to a user.”

Although the original specification discloses that the embodiments may include hardware, software, firmware, or a combination thereof, claim 7, reciting a system comprising one or more processors, a module, and a script, may all be considered as just software. Thus, examiner recommends adding more hardware structure, such as a memory coupled to the processors for storing instructions to be executed by the processors.
If applicant does not intend to have these limitations interpreted under 35 U.S.C. 112(f), applicant may:  (1) amend the claim limitations to avoid them being interpreted under 35 U.S.C. 112(f), (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitations recite sufficient structure to perform the claimed function so as to avoid them being interpreted under 35 U.S.C. 112(f).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-2 are rejected under 35 U.S.C. 103 as being unpatentable over Levi et al. (20160164893) in view of “Bro: a system for detecting network intruders in real-time” by Paxson in view of Lui et al. (20070083813). 

Regarding claim 1, Levi teaches a network traffic analysis system including a network based logging host, the system comprising: 
a processing system; and a memory device coupled to the processing system and including instructions stored thereon that, in response to execution by the processing system, are operable to perform operations including [Levi ¶0047-¶0048: a processing system coupled to a memory device including instructions stored thereon for execution by the processing system]: 
collecting, using a log transport module, one or more messages including one or more host event logs from the one or more remote hosts, respectively [Levi ¶0013, ¶0033, and ¶0037: the event management system collects messages (event data) including event logs from event data sources]; and 
inputting the collected messages into an event parser, the event parser to generate normalized host events consumable by the network logging host from the collected messages [Levi ¶0013-¶0014, ¶0018, and ¶0033: the collected messages are received at the event manager of the event management system and are generated into events stored at the event logs], 

apply a rule of a plurality of predetermined rules to each event of the host event logs based on the classified event types to select content from the message [Levi ¶0009, ¶0024-¶0026, and ¶0030: rules are applied to events to determine (select) certain functions to perform]; and 
extract the selected content and generate an event based on the extracted content and the corresponding rule [Levi ¶0010, ¶0012, ¶0019, and ¶0021: the event management system may determine (extract) context for the event and generate (correlate) events with similar event data]; and 
exposing the generated host events [Levi ¶0018-¶0019, ¶0023, ¶0032, and ¶0045: the context is appended to the events and the events are transmitted to the user, e.g., the user is notified of the contexts].
However, Levi does not explicitly teach wherein the network based logging platform is layered into: an event engine to reduce network traffic into a stream of network events; and a script interpreter to interpret the stream of network events; and exposing the one or more generated host events to the script interpreter, wherein the script interpreter is arranged to: receive network events of the stream of network events directly from the event engine; and separately receive the generated host events from the event parser.
Paxson teaches wherein the network based logging platform is layered into: an event engine to reduce network traffic into a stream of network events; and a script interpreter to interpret the stream of network events [Paxson page 1 abstract, page 3 section 2, and pages 5-6 sections 2.2-2.3: the system (platform) is divided (layered) into an event engine for reducing traffic into events and a script interpreter for interpreting the events]; and 
wherein the script interpreter is arranged to: receive network events of the stream of network events directly from the event engine [Paxson page 1 abstract, page 3 section 2, page 6 section 2.3, and figure 1: the script interpreter receives the events from the event engine; as illustrated in figure 1 on page 4, the script interpreter receives the events directly from the event engine]. 

A person of ordinary skill in the art would have been motivated to make such modification because it provides a structure that reflects the need to conserve processing as much as possible in order to meet the goals of monitoring high-speed, large volume traffic flows without dropping packets, as explained in Paxson at page 2, section 2 (Structure of the system).
However, Levi-Paxson does not explicitly teach exposing the one or more generated host events to the script interpreter and wherein the script interpreter is arranged to separately receive the generated host events from the event parser.
Lui teaches exposing the one or more generated host events to the script interpreter [Lui ¶0099, ¶0120, ¶0142, and ¶0199: the generated/constructed events are exposed (provided, outputted, or transmitted) to the script interpreter for further processing or analysis], 
wherein the script interpreter is arranged to separately receive the generated host events from the event parser [Lui ¶0113, ¶0117, ¶0161, and ¶0285-¶0286: the generated/constructed events are separated from other events].
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Levi-Paxson with the teachings of Lui in order to incorporate exposing the one or more generated host events to the script interpreter, wherein the script interpreter is arranged to separately receive the generated host events from the event parser.
A person of ordinary skill in the art would have been motivated to make such modification because it provides a technique that analyzes a structured operator expression that will detect all similar structures at present and into the future, wherein collected data can be integrated with the system’s other sources to provide multi-dimensional views of the user’s interaction with the host application, thereby 
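The event parser arrangement recited in claim 1 (classify each host event log by type, apply a rule selected by that type, extract the selected content, generate a normalized host event, and expose it to the script interpreter), illustrated in Python as an added example. This is not the applicant's code nor code from Levi, Paxson or Lui; the Winlogbeat-style record layout (winlog.provider_name, winlog.event_id, winlog.event_data, host.name) and the Sysmon field names are assumptions, and the input messages are constructed.

```python
"""Added example of a rule-driven host event parser.  Classifies each message by
(provider, event_id), applies the rule registered for that type, extracts the
selected content, generates a normalized event, and exposes it as a JSON line.
Record layout follows the Winlogbeat/Sysmon shape as an assumption."""
import json
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample input (not real captures): two Sysmon records, one
# Security-log record no rule covers, and one malformed line.
SAMPLE_MESSAGES = [
    json.dumps({"@timestamp": "2021-07-13T10:00:00.000Z", "host": {"name": "ws01"},
                "winlog": {"provider_name": "Microsoft-Windows-Sysmon", "event_id": 1,
                           "event_data": {"ProcessId": "4412",
                                          "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
                                          "CommandLine": "update.exe /silent",
                                          "Hashes": "SHA256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08,"
                                                    "MD5=D41D8CD98F00B204E9800998ECF8427E"}}}),
    json.dumps({"@timestamp": "2021-07-13T10:00:02.000Z", "host": {"name": "ws01"},
                "winlog": {"provider_name": "Microsoft-Windows-Sysmon", "event_id": 3,
                           "event_data": {"ProcessId": "4412",
                                          "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
                                          "Protocol": "tcp", "SourceIp": "10.0.0.5", "SourcePort": "51234",
                                          "DestinationIp": "203.0.113.7", "DestinationPort": "443"}}}),
    json.dumps({"@timestamp": "2021-07-13T10:00:03.000Z", "host": {"name": "ws01"},
                "winlog": {"provider_name": "Microsoft-Windows-Security-Auditing", "event_id": 4624,
                           "event_data": {"LogonType": "3"}}}),
    "{not json",
]


def _parse_hashes(field: str) -> Dict[str, str]:
    """Sysmon writes 'SHA256=...,MD5=...'; split it into {algorithm: lowercase hex}."""
    hashes = {}
    for part in field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            hashes[algo.strip().lower()] = value.strip().lower()
    return hashes


def _process_create(d: dict) -> dict:
    return {"pid": int(d["ProcessId"]), "image": d.get("Image", ""),
            "command_line": d.get("CommandLine", ""),
            "hashes": _parse_hashes(d.get("Hashes", ""))}


def _network_connect(d: dict) -> dict:
    return {"pid": int(d["ProcessId"]), "image": d.get("Image", ""),
            "proto": d.get("Protocol", "").lower(),
            "src_ip": d["SourceIp"], "src_port": int(d["SourcePort"]),
            "dst_ip": d["DestinationIp"], "dst_port": int(d["DestinationPort"])}


# Predetermined rules keyed by classified event type: (provider, event_id) ->
# (normalized event type, content extractor).  Unlisted types are dropped.
RULES: Dict[Tuple[str, int], Tuple[str, Callable[[dict], dict]]] = {
    ("Microsoft-Windows-Sysmon", 1): ("process_create", _process_create),
    ("Microsoft-Windows-Sysmon", 3): ("network_connect", _network_connect),
}


def classify(record: dict) -> Tuple[str, int]:
    """Event type is the (provider, event_id) pair carried in the record."""
    winlog = record["winlog"]
    return (winlog.get("provider_name", ""), int(winlog["event_id"]))


def parse_message(message: str) -> Optional[dict]:
    """Classify, apply the matching rule, extract content and generate one
    normalized host event.  Malformed or unclassified messages yield None
    rather than raising, so one bad line cannot stop the collector."""
    try:
        record = json.loads(message)
        rule = RULES.get(classify(record))
        if rule is None:
            return None
        event_type, extract = rule
        content = extract(record["winlog"]["event_data"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    return {"event_type": event_type, "host": record.get("host", {}).get("name", ""),
            "ts": record.get("@timestamp", ""), **content}


def generate_events(messages: Iterable[str]) -> List[dict]:
    return [ev for ev in map(parse_message, messages) if ev is not None]


def expose(messages: Iterable[str]) -> List[str]:
    """Expose generated events to the script interpreter as JSON lines."""
    return [json.dumps(ev, sort_keys=True) for ev in generate_events(messages)]


if __name__ == "__main__":
    for line in expose(SAMPLE_MESSAGES):
        print(line)
```

Each rule is a pure extractor for one classified type, so adding a new event type is a one-line table entry rather than a change to the parsing loop; events no rule covers are dropped rather than forwarded half-normalized, and the hash field is split once here so downstream scripts never re-parse Sysmon's `ALGO=hex,ALGO=hex` string.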

Regarding claim 2, Levi-Paxson-Lui teaches the network traffic analysis system of claim 1. 
Levi further teaches wherein a consumer module is configured to extend at least one of the generated host events with one or more additional values to attribute a network process identified using network traffic analysis to a host process indicated by the generated host event [Levi ¶0010, ¶0021, and ¶0045: the context is appended to the events and the events are transmitted to the user, e.g., the user is notified of the contexts wherein the context is appended to the event including an identification of the meaning, topic, or subtopic of the event].
Lui further teaches wherein a consumer module associated with the script interpreter is configured to extend at least one of the generated events [Lui ¶0109-¶0110, ¶0120, ¶0134, and ¶0142: the generated/constructed event may be extended by the script interpreter]. The same rationale applies as in claim 1.

Claims 3-4 are rejected under 35 U.S.C. 103 as being unpatentable over Levi in view of Paxson in view of Lui in view of “HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting” by Husak et al.

Regarding claim 3, Levi-Paxson-Lui teaches the network traffic analysis system of claim 2. 
However, Levi-Paxson-Lui does not explicitly teach wherein at least one of the one or more additional values comprises an SSL (secure socket layer) client fingerprint. 
Husak teaches wherein at least one of the one or more additional values comprises an SSL (secure socket layer) client fingerprint [Husak pages 5-6, sections 4.2-4.3: the values comprise an SSL client fingerprint].



A person of ordinary skill in the art would have been motivated to make such modification because it provides a technique that includes SSL client fingerprinting, as explained at pages 5-6, sections 4.2-4.3 of Husak.

Regarding claim 4, Levi-Paxson-Lui-Husak teaches the network traffic analysis system of claim 3. 
Husak further teaches wherein the SSL client fingerprint is generated by a client fingerprinting system comprising a database and a client fingerprinting module [Husak pages 5-6, sections 4.2-4.3: a client fingerprinting system with a database and a module].

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Levi in view of Paxson in view of Lui in view of Zhang et al. (20140379946).

Regarding claim 5, Levi-Paxson-Lui teaches the network traffic analysis system of claim 1. 
However, Levi-Paxson-Lui does not explicitly teach wherein an operating system of the network based logging host is different than one or more operating systems of the one or more remote hosts, respectively.
Zhang teaches wherein an operating system of the network based logging host is different than one or more operating systems of the one or more remote hosts, respectively [Zhang ¶0027, ¶0034, and ¶0048: the input device and client device have different operating systems].
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Levi-Paxson-Lui with the teachings of Zhang in order to incorporate wherein an operating system of the network based logging host is different than one or more operating systems of the one or more remote hosts, respectively.

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Levi in view of Paxson in view of Lui in view of Bhattacharya et al. (20070043703).

Regarding claim 6, Levi-Paxson-Lui teaches the network traffic analysis system of claim 1. 
Levi further teaches wherein a consumer module is configured to: identify a network event based on network traffic analysis [Levi ¶0013, ¶0033, and ¶0037: the event management system collects messages (event data) including event logs from event data sources].
Lui further teaches wherein a consumer module associated with the script interpreter is configured to: identify a network event based on network traffic analysis [Lui ¶0097, ¶0099, and ¶0288: the script interpreter is able to identify events based on traffic analysis]. The same rationale applies as in claim 1.
However, Levi-Paxson-Lui does not explicitly teach use a process identifier (PID) of the identified network event to lookup a network connection from a network connection table; use the network connection to lookup a hash indicative of a host process associated with one of the one or more remote hosts from a hash table; and log out a file including information about the identified network event and the hash.
Bhattacharya teaches use a process identified (PID) of the identified network event to lookup a network connection from a network connection table [Bhattacharya ¶0050: a session ID is used for looking up information (connection data) regarding the event]; 
use the network connection to lookup a hash indicative of a host process associated with one of the one or more remote hosts from a hash table [Bhattacharya ¶0051 and ¶0058: a hash map is determined to include the events]; and 
log out a file including information about the identified network event and the hash [Bhattacharya ¶0023, ¶0034, and ¶0038: the network event is saved in the event log file with any related information].

A person of ordinary skill in the art would have been motivated to make such modification because it provides intrusion detection sensors to detect security-related events, as explained in ¶0003 of Bhattacharya.

Claims 7, 10, 16, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang et al. (20140379946) in view of “Bro: a system for detecting network intruders in real-time” by Paxson in view of Lui et al. (20070083813). 

Regarding claim 7, Zhang teaches a network traffic analysis system including a network based logging platform comprising one or more processors [Zhang ¶0062, ¶0064, and ¶0067: the system includes one or more processors], the network traffic analysis system comprising: 
a transport module configured to collect one or more messages over a network, the one or more messages including one or more host event logs from the one or more remote hosts, respectively [Zhang ¶0027, ¶0053, and ¶0056: the system receives messages wherein the messages includes events from remote devices]; and
the network traffic analysis system further comprises: a script configured to establish a communication link with the one or more processors [Zhang ¶0027, ¶0037, and ¶0053: communication is provided via a communication link]; 
the script configured to receive data from the transport module in a predetermined format, the data based on the one or more host event logs [Zhang ¶0027, ¶0030, ¶0037, ¶0039, and ¶0042: the collected data is received in a first format, wherein the collected data is based on the events and the first format may be a Linux-based format]; 

the script configured to construct one or more events using the variables and expose the one or more constructed events by transmitting the one or more constructed events over the communication link [Zhang ¶0027, ¶0030, ¶0032, ¶0045, and ¶0059: events are generated in a different and/or a second format using the related variables/terms and are provided (exposed/outputted/transmitted) over the communication link to the client for further processing].
However, Zhang does not explicitly teach wherein the network based logging platform is layered into: an event engine to reduce network traffic into a stream of network events; and a script interpreter to interpret the stream of network events; and expose the one or more constructed host events to the script interpreter, wherein the script interpreter is arranged to: receive network events of the stream of network events directly from the event engine; and separately receive the generated host events from the event parser.
Paxson teaches wherein the network based logging platform is layered into: an event engine to reduce network traffic into a stream of network events; and a script interpreter to interpret the stream of network events [Paxson page 1 abstract, page 3 section 2, and pages 5-6 sections 2.2-2.3: the system (platform) is divided (layered) into an event engine for reducing traffic into events and a script interpreter for interpreting the events]; and
wherein the script interpreter is arranged to: receive network events of the stream of network events directly from the event engine [Paxson page 1 abstract, page 3 section 2, page 6 section 2.3, and figure 1: the script interpreter receives the events from the event engine; as illustrated in figure 1 on page 4, the script interpreter receives the events directly from the event engine]. 


A person of ordinary skill in the art would have been motivated to make such modification because it provides a structure that reflects the need to conserve processing as much as possible in order to meet the goals of monitoring high-speed, large volume traffic flows without dropping packets, as explained in Paxson at page 2, section 2 (Structure of the system).
However, Zhang-Paxson does not explicitly teach expose the one or more constructed host events to the script interpreter, wherein the script interpreter is arranged to separately receive the generated host events from the event parser.
Lui teaches expose the one or more constructed host events to the script interpreter [Lui ¶0099, ¶0120, ¶0142, and ¶0199: the generated/constructed events are exposed (provided, outputted, or transmitted) to the script interpreter for further processing or analysis], 
wherein the script interpreter is arranged to separately receive the generated host events from the event parser [Lui ¶0113, ¶0117, ¶0161, and ¶0285-¶0286: the generated/constructed events are separated from other events].
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Zhang-Paxson with the teachings of Lui in order to incorporate exposing the one or more constructed host events to the script interpreter, wherein the script interpreter is arranged to separately receive the generated host events from the event parser.
A person of ordinary skill in the art would have been motivated to make such modification because it provides a technique that analyzes a structured operator expression that will detect all similar structures at present and into the future, wherein collected data can be integrated with the system’s other sources to provide multi-dimensional views of the user’s interaction with the host application, thereby 

Regarding claim 16, this claim does not teach or further define over the limitations in claim 7. Therefore, claim 16 is rejected for the same reasons as set forth in claim 7. 

Regarding claim 10, Zhang-Paxson-Lui teaches the network traffic analysis system of claim 7. 
Zhang further teaches wherein the host event logs originate from a first operating system of the one or more remote hosts, and wherein a second operating system of the network based logging platform is different than the first operating system [Zhang ¶0027, ¶0034, and ¶0048: events originate from a first OS of a device and the second OS is different from the first OS].

Regarding claim 20, Zhang-Paxson-Lui teaches the method of claim 16. 
Zhang further teaches wherein an operating system of the network based logging host is different than one or more operating systems of the one or more remote hosts, respectively [Zhang ¶0027, ¶0034, and ¶0048: the input device and client device have different operating systems].

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Zhang in view of Paxson in view of Lui in view of Gao et al. (20150156077).

Regarding claim 8, Zhang-Paxson-Lui teaches the network traffic analysis system of claim 7. 
However, Zhang-Paxson-Lui does not explicitly teach wherein the script comprises Python code.
Gao teaches wherein the script comprises Python code [Gao ¶0047 and ¶0060: the script is Python code].
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Zhang-Paxson-Lui with the teachings of Gao in order to incorporate wherein the script comprises Python code.

Claims 9 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang in view of Paxson in view of Lui in view of Kieviet et al. (20170063653).

Regarding claim 9, Zhang-Paxson-Lui teaches the network traffic analysis system of claim 7. 
However, Zhang-Paxson-Lui does not explicitly teach wherein the predetermined format comprises JSON (JavaScript Object Notation).
Kieviet teaches wherein the predetermined format comprises JSON (JavaScript Object Notation) [Kieviet ¶0047 and ¶0060: the format is JSON].
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Zhang-Paxson-Lui with the teachings of Kieviet in order to incorporate wherein the predetermined format comprises JSON (JavaScript Object Notation).
A person of ordinary skill in the art would have been motivated to make such modification because it allows for a JSON object, which can be formed from two data structures, as explained in ¶0047 of Kieviet.

Regarding claim 17, this claim does not teach or further define over the limitations in claim 9. Therefore, claim 17 is rejected for the same reasons as set forth in claim 9. 

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Zhang in view of Paxson in view of Lui in view of Christensen et al. (8688823).



Regarding claim 11, Zhang-Paxson-Lui teaches the network traffic analysis system of claim 7. 
However, Zhang-Paxson-Lui does not explicitly teach wherein the network based logging platform comprises a Linux host and the one or more remote hosts comprise one or more Windows hosts.
Christensen teaches wherein the network based logging platform comprises a Linux host and the one or more remote hosts comprise one or more Windows hosts [Christensen column 2, line 65 to column 3, line 28: the platform may be a Linux host and the remote hosts may be Windows hosts].
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Zhang-Paxson-Lui with the teachings of Christensen in order to incorporate wherein the network based logging platform comprises a Linux host and the one or more remote hosts comprise one or more Windows hosts.
A person of ordinary skill in the art would have been motivated to make such modification because it allows components and processes to be implemented on either a Linux or a Windows host, as explained at column 2, line 65 to column 3, line 28 of Christensen.

Claims 12-13 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang in view of Paxson in view of Lui in view of Bhattacharya et al. (20070043703).

Regarding claim 12, Zhang-Paxson-Lui teaches the network traffic analysis system of claim 7. 
However, Zhang-Paxson-Lui does not explicitly teach wherein the network traffic analysis system further comprises one or more additional scripts to correlate network based logging metadata originating from the network based logging platform with host based logging metadata.
Bhattacharya teaches wherein the network traffic analysis system further comprises one or more additional scripts to correlate network based logging metadata originating from the network based logging platform with host based logging metadata [Bhattacharya ¶0027-¶0034: network events and associated data are correlated with similar network events based on event attributes].
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Zhang-Paxson-Lui with the teachings of Bhattacharya in order to incorporate wherein the network traffic analysis system further 
A person of ordinary skill in the art would have been motivated to make such modification because it provides intrusion detection sensors to detect security-related events, as explained in ¶0003 of Bhattacharya.

Regarding claim 13, Zhang-Paxson-Lui teaches the network traffic analysis system of claim 12.
However, Zhang-Paxson-Lui does not explicitly teach wherein the one or more processors are configured to generate a first table to track process create events associated with the one or more host event logs, to generate a second table to track network connection events associated with the one or more host event logs; wherein an additional script of the one or more additional scripts is configured to, in response to identification of a network connection event based on inspecting network traffic of a link: lookup a PID (process identifier) for the network connection event by using the second table; lookup a hash value for the PID using the first table; and create a log file indicative of network based logging and host based logging using the hash value and information of a corresponding host event of the one or more constructed host events.
Bhattacharya teaches wherein the one or more processors are configured to generate a first table to track process create events associated with the one or more host event logs [Bhattacharya ¶0018, ¶0021, ¶0027, and ¶0040: a table is generated which monitors events];
to generate a second table to track network connection events associated with the one or more host event logs [Bhattacharya ¶0018, ¶0021, ¶0027, and ¶0040: a table is generated for monitoring event connections and/or communications];
wherein an additional script of the one or more additional scripts is configured to, in response to identification of a network connection event based on inspecting network traffic of a link: lookup a PID (process identifier) for the network connection event by using the second table [Bhattacharya ¶0050: a session ID is used for looking up information (connection data) regarding the event]; 
lookup a hash value for the PID using the first table [Bhattacharya ¶0051 and ¶0058: a hash map is determined to include the events]; and 

Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Zhang-Paxson-Lui with the teachings of Bhattacharya in order to incorporate wherein the one or more processors are configured to generate a first table to track process create events associated with the one or more host event logs, to generate a second table to track network connection events associated with the one or more host event logs; wherein an additional script of the one or more additional scripts is configured to, in response to identification of a network connection event based on inspecting network traffic of a link: lookup a PID (process identifier) for the network connection event by using the second table; lookup a hash value for the PID using the first table; and create a log file indicative of network based logging and host based logging using the hash value and information of a corresponding host event of the one or more constructed host events.
A person of ordinary skill in the art would have been motivated to make such modification because it provides intrusion detection sensors to detect security-related events as explained in ¶0003 of Bhattacharya.
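As an added illustration of the two-table lookup recited in claim 17 (network connection table to obtain a PID, process create table to obtain the image hash, combined record written to a log file), the following Python code is not part of this office action and is not code from any cited reference. The host event log, its field names and the sample entries are constructed assumptions; the second connection shows the failure mode where the host side knows the PID but never logged a matching process create event.

```python
import json
from dataclasses import dataclass, field

# Constructed sample host event log. The event shapes (process_create /
# network_connect with these field names) are assumptions for this
# illustration, not the format of any reference cited in the office action.
HOST_EVENT_LOG = [
    {"type": "process_create", "pid": 4312, "image": r"C:\tools\agent.exe",
     "sha256": "aa" * 32, "ts": "2021-07-13T10:00:01Z"},
    {"type": "process_create", "pid": 5120, "image": r"C:\Windows\System32\curl.exe",
     "sha256": "bb" * 32, "ts": "2021-07-13T10:00:05Z"},
    {"type": "network_connect", "pid": 5120, "src_ip": "10.0.0.7", "src_port": 49822,
     "dst_ip": "203.0.113.9", "dst_port": 443, "ts": "2021-07-13T10:00:06Z"},
    # A connection whose process create event was never logged (for example a
    # process started before host logging began): PID is known, hash is not.
    {"type": "network_connect", "pid": 9999, "src_ip": "10.0.0.7", "src_port": 49823,
     "dst_ip": "203.0.113.10", "dst_port": 80, "ts": "2021-07-13T10:00:07Z"},
]


@dataclass
class CorrelationTables:
    # First table: PID -> process create event (carries the image hash).
    process_by_pid: dict = field(default_factory=dict)
    # Second table: (src_ip, src_port, dst_ip, dst_port) -> PID that opened it.
    pid_by_conn: dict = field(default_factory=dict)


def build_tables(host_events):
    """Populate both lookup tables from a stream of host event log entries."""
    tables = CorrelationTables()
    for ev in host_events:
        if ev["type"] == "process_create":
            tables.process_by_pid[ev["pid"]] = ev
        elif ev["type"] == "network_connect":
            key = (ev["src_ip"], ev["src_port"], ev["dst_ip"], ev["dst_port"])
            tables.pid_by_conn[key] = ev["pid"]
    return tables


def correlate_connection(conn, tables):
    """conn is a 4-tuple observed by inspecting traffic on the link.

    Step 1: look up the PID via the network connection table.
    Step 2: look up the process hash for that PID via the process table.
    Returns None when the connection is unknown to the host side; otherwise a
    combined record whose 'correlation' field says how far the lookup got.
    """
    pid = tables.pid_by_conn.get(conn)
    if pid is None:
        return None
    proc = tables.process_by_pid.get(pid)
    src_ip, src_port, dst_ip, dst_port = conn
    return {
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
        "pid": pid,
        "image": proc["image"] if proc else None,
        "sha256": proc["sha256"] if proc else None,
        "correlation": "full" if proc else "pid_only",
    }


def write_combined_log(connections, tables):
    """Return the JSON lines that would be appended to the combined log file."""
    lines = []
    for conn in connections:
        record = correlate_connection(conn, tables)
        if record is not None:
            lines.append(json.dumps(record, sort_keys=True))
    return lines


if __name__ == "__main__":
    t = build_tables(HOST_EVENT_LOG)
    for line in write_combined_log(list(t.pid_by_conn), t):
        print(line)
```

The sample keys the second table on the 4-tuple alone; in a deployed sensor the key would also need to carry a time window, because ephemeral source ports are reused and a stale entry would attribute a later connection to the wrong process.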

Regarding claim 18, Zhang-Paxson-Lui teaches the method of claim 16.
However, Zhang-Paxson-Lui does not explicitly teach further comprising logging out the one or more constructed host events to a file using the first network logging host following receipt over the communication link.
Bhattacharya teaches further comprising logging out the one or more constructed events to a file using the first network logging host following receipt over the communication link [Bhattacharya ¶0023, ¶0034, and ¶0038: the network event is saved in the event log file with any related information].

A person of ordinary skill in the art would have been motivated to make such modification because it provides intrusion detection sensors to detect security-related events as explained in ¶0003 of Bhattacharya.

Regarding claim 19, Zhang-Paxson-Lui teaches the method of claim 16.
However, Zhang-Paxson-Lui does not explicitly teach further comprising: attempting to correlate a network event identified based on network traffic analysis of a link coupled to a database system with the one or more constructed host events; in response to a correlation of the network event with a host event of the one or more constructed host events, logging out information of the network event and information of the host event of the one or more constructed host events to a file using the first network logging host.
Bhattacharya teaches attempting to correlate a network event identified based on network traffic analysis of a link coupled to a database system with the one or more constructed events [Bhattacharya ¶0027-¶0034: network events and associated data are correlated with similar network events based on event attributes];
in response to a correlation of the network event with an event of the one or more constructed events, logging out information of the network event and information of the event of the one or more constructed events to a file using the first network logging host [Bhattacharya ¶0023, ¶0034, and ¶0038: the network event is saved in the event log file with any related information].
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Zhang-Paxson-Lui with the teachings of Bhattacharya in order to incorporate attempting to correlate a network event identified based on network traffic analysis of a link coupled to a database system with the one or more constructed events; in response to a correlation of the network event with an event of the one or more constructed 
A person of ordinary skill in the art would have been motivated to make such modification because it provides intrusion detection sensors to detect security-related events as explained in ¶0003 of Bhattacharya.

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Zhang in view of Paxson in view of Lui in view of Wiegand et al. (20070055752).

Regarding claim 14, Zhang-Paxson-Lui teaches the network traffic analysis system of claim 7.
However, Zhang-Paxson-Lui does not explicitly teach wherein the additional script is further to insert a JA3 or an X.509 certificate into the file.
Wiegand teaches wherein the additional script is further to insert a JA3 or an X.509 certificate into the file [Wiegand ¶0042: inserting x.509 certificates].
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Zhang-Paxson-Lui with the teachings of Wiegand in order to incorporate wherein the additional script is further to insert a JA3 or an X.509 certificate into the file.
A person of ordinary skill in the art would have been motivated to make such modification because it allows for inserting X.509 certificates as explained in ¶0042 of Wiegand.

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Zhang in view of Paxson in view of Lui in view of “HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting” by Husak et al.

Regarding claim 15, Zhang-Paxson-Lui teaches the network traffic analysis system of claim 7.

Husak teaches further comprising an SSL (secure socket layer) client fingerprint system including a fingerprinting database to store SSL client fingerprints generated inspecting network traffic on a link coupled to a database system [Husak pages 5-6, sections 4.2-4.3: storing fingerprints from network traffic].
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Zhang-Paxson-Lui with the teachings of Husak in order to incorporate further comprising an SSL (secure socket layer) client fingerprint system including a fingerprinting database to store SSL client fingerprints generated inspecting network traffic on a link coupled to a database system.
A person of ordinary skill in the art would have been motivated to make such modification because it provides a technique that includes SSL client fingerprinting as explained in pages 5-6, sections 4.2-4.3 of Husak.
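As an added illustration covering both the JA3 / X.509 insertion of claim 14 and the SSL client fingerprinting database of claim 15, the following Python code is not part of this office action and is not code from Wiegand, Husak or any other cited reference. It computes a JA3 fingerprint from already-parsed ClientHello fields using the published JA3 string layout (version, ciphers, extensions, curves, point formats, MD5), filters GREASE values so the hash is stable across connections, keeps a small in-memory fingerprint database, and builds a log record that also carries the SHA-256 of a server certificate. The ClientHello values, the client labels and the certificate bytes are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class ClientHello:
    """Fields of a TLS ClientHello that JA3 fingerprints (already parsed)."""
    version: int          # e.g. 771 == 0x0303, the TLS 1.2 version field
    ciphers: list         # cipher suite codes in offered order
    extensions: list      # extension type codes in order
    curves: list          # supported_groups values
    point_formats: list   # ec_point_formats values


def is_grease(v):
    # GREASE values (RFC 8701) look like 0x0a0a, 0x1a1a, ..., 0xfafa and are
    # randomised per connection, so they must be dropped or the hash is unstable.
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)


def ja3_string(hello):
    """Build the JA3 string: version,ciphers,extensions,curves,point_formats."""
    def join(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([
        str(hello.version),
        join(hello.ciphers),
        join(hello.extensions),
        join(hello.curves),
        join(hello.point_formats),
    ])


def ja3_hash(hello):
    """JA3 fingerprint: MD5 of the JA3 string (MD5 is an identifier here, not an integrity check)."""
    return hashlib.md5(ja3_string(hello).encode("ascii")).hexdigest()


@dataclass
class FingerprintDB:
    """Fingerprinting database: JA3 hash -> client label, filled from observed traffic."""
    labels: dict = field(default_factory=dict)

    def add(self, hello, label):
        self.labels[ja3_hash(hello)] = label

    def lookup(self, hello):
        return self.labels.get(ja3_hash(hello))


def tls_log_record(hello, db, server_cert_der=None):
    """Log entry carrying the JA3 value and, when available, the SHA-256
    fingerprint of the server's X.509 certificate (DER bytes)."""
    record = {
        "ja3": ja3_hash(hello),
        "ja3_string": ja3_string(hello),
        "client_label": db.lookup(hello),
    }
    if server_cert_der is not None:
        record["x509_sha256"] = hashlib.sha256(server_cert_der).hexdigest()
    return record


# Constructed sample ClientHello (includes GREASE values that must be filtered).
SAMPLE_HELLO = ClientHello(
    version=771,
    ciphers=[0x1a1a, 4865, 4866, 49195],
    extensions=[0x2a2a, 0, 10, 11, 13],
    curves=[0x3a3a, 29, 23],
    point_formats=[0],
)
# A second client: the same suites in a different order yield a different JA3.
OTHER_HELLO = ClientHello(771, [49195, 4866, 4865], [0, 10, 11, 13], [23, 29], [0])
# Placeholder bytes standing in for DER-encoded certificate data (constructed, not a real cert).
SAMPLE_CERT_DER = b"\x30\x82\x00\x10CONSTRUCTED-PLACEHOLDER-CERT"

if __name__ == "__main__":
    db = FingerprintDB()
    db.add(SAMPLE_HELLO, "constructed-client-A")
    print(tls_log_record(SAMPLE_HELLO, db, SAMPLE_CERT_DER))
    print(tls_log_record(OTHER_HELLO, db))
```

Because JA3 hashes the offered order of suites and extensions, two clients with the same capabilities but different ordering produce different fingerprints, which is what makes the database useful for client identification and also why a label lookup should be treated as evidence rather than proof of a particular client.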

Additional References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Dade; US 20170005886 A1: Monitoring Wireless Access Point Events.

Jain; US 20140136690 A1: Evaluating Electronic Network Devices In View of Cost and Service Level Considerations.

Hurst; US 20160105814 A1: Methods, Apparatuses, and Systems for Network Analysis.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CLIFTON HOUSTON whose telephone number is (571)270-0616.  The examiner can normally be reached on Monday through Friday from 8:00 am until 5:00 pm eastern time.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamal Divecha can be reached on (571)272-5863.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. 
Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/CLIFTON HOUSTON/             Examiner, Art Unit 2453        


/KAMAL B DIVECHA/             Supervisory Patent Examiner, Art Unit 2453