DETAILED ACTION
The present application is being examined under the pre-AIA first to invent provisions.
This action is in response to the application and the preliminary amendment filed on 06/26/2020. This application is a continuation (CON) of patents US 10,785,191, 9,800,548 and 8,839,417.
Claims 19-38 are currently pending in this application. Claims 1-18 were cancelled. Claims 19-38 are new.

Information Disclosure Statement
The information disclosure statements (IDSs) submitted on 07/16/2020 and 08/17/2020 were filed. The submissions are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Examiner’s Note
Applicant is advised to include information from figs. 5-7, with the related text of the disclosure, to place the application in better condition for allowance.

Specification
The abstract of the disclosure is objected to because the abstract states “… for serving he service …”.  
Correction is required.  See MPEP § 608.01(b).

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(B)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. 

Claims 19-38 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.

Claims 19, 26 and 33 recite:
“… the normal communication associated with a service that exists within a network associated with the traffic filter, the anomalous communication having an anomaly”, however, it is not clear whether a plurality of communications can be both the normal communication and the anomalous communication (being ambiguous) because a communication having an anomaly can be associated with the service that exists within the network associated with the traffic filter;
“… receiving a plurality of network communications from a traffic filter … determining which network communication … is the anomalous communication … generating a rule … the rule to filter the anomalous communication from the normal communication …”, however, it is not clear (1) whether the traffic filter provides a plurality (all) of network communications instead of filtered traffic; (2) whether the rule to filter is used in the traffic filter or not; (3) whether “the rule to filter the anomalous communication” is generated after the anomalous 
Claims 20-25, 27-32 and 34-38 depend from the claim 19, 26 or 33, and are analyzed and rejected accordingly.

Claims 20, 27 and 34 recite “… the anomalous communication is associated with a service that does not exist within the network associated with the traffic filter”, however, it is not clear (1) how the anomalous communication of the plurality of network communications received from the traffic filter (see the claim 19, for example) is not associated with the traffic filter; (2) whether any communication associated with the service is the anomalous communication or not.
Claims 21, 28 and 35 recite “… wherein the generating generates a rule using a specific trait of the anomalous communication, the specific trait not including a detected anomaly of the anomalous communication”, however, it is not clear (1) whether “a rule” is the same as “a rule” of the claim 19 (26, 33) or not; (2) whether “the specific trait” is not related to the anomaly or not.
Claims 23, 30 and 37 recite “… determining (the anomalous communication – see claim 19, for example) determines if any communication … includes a malicious payload … to generate a rule based on …”, however, it is not clear (1) whether any communication including the malicious payload and also associated with the traffic filter is determined as the anomalous communication or not; (2) whether “a rule” is the same 
Claims 24, 31 and 38 recite “… an impact of the generated rule … adjusting the generated rule impact to form an adjusted rule … the determined impact”, however, it is not clear (1) whether “the generated rule” is the same as “a rule” of the claim 19 (26, 33) or not (note: suggested to use “the rule” if it is the same, but to use “a second/generated rule” if they are different); (2) whether adjusting the impact (e.g., the generated rule impact) forms the rule (e.g., the adjusted rule) or not; (3) whether “the determined impact” is the same as “an impact” included before or not (note: suggested to use the same term if they are the same).
Claims 25 and 32 recite “… routing the anomalous communication to a predetermined component within the network associated with the traffic filter … to be handled by a service that does not exist within the network associated with the traffic filter”, however, it is not clear (1) whether “a service” is the same as “a service” of the claim 19 (or 26) or not (suggested to use “a second service” if it is not the same); (2) whether the limitations following “to be” are actually limiting or not (e.g., intended use).

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of pre-AIA 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed in the United States before the invention by the applicant for patent or (2) a patent granted on an application for patent by another filed in the United States before the invention by the applicant for patent, except that an international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this subsection of an 


Claims 19-38 are rejected under pre-AIA 35 U.S.C. 102(e) as being anticipated by Porras et al. (US 7,594,260 B2).
As per claim 19, Porras teaches a non-transitory processor-readable medium comprising code representing instructions to cause a processor to perform a method [fig. 6; col. 2, lines 35-45 of Porras] comprising:
receiving a plurality of network communications from a traffic filter, the plurality of network communications including a normal communication and an anomalous communication, the normal communication associated with a service that exists within a network associated with the traffic filter, the anomalous communication having an anomaly
determining which network communication from the plurality of network communications is the anomalous communication [fig. 2; col. 2, lines 52-63; col. 5, lines 41-56 of Porras teach determining which network communication from the plurality of network communications (e.g., event streams/records communications) is the anomalous communication (e.g., accessing anomaly of events)]; and
generating a rule associated with the plurality of network communications, the rule to filter the anomalous communication from the normal communication, the rule at least partially based on an analysis of the plurality of network communications [fig. 2; col. 5, lines 41-67; col. 6; col. 7, lines 1-5 of Porras teach generating a rule (e.g., exceeding the threshold, measure of traffic volume, intensity measures, etc.) associated with the plurality of network communications (e.g., event streams/records communications), the rule to filter the anomalous communication from the normal communication, the rule at least partially based on an analysis (e.g., analysis of the profile engine or signature engine) of the plurality of network communications].

As per claim 20, Porras teaches the processor-readable medium of claim 19. 
Porras further teaches wherein the anomalous communication is associated with a service that does not exist within the network associated with the traffic filter [figs. 2, 3; col. 5, lines 1-10, 41-56; col. 7, lines 36-39 of Porras teach the anomalous communication is associated with a service that does not exist within the network associated with the traffic filter (e.g., the service of the engine that does not 

As per claim 21, Porras teaches the processor-readable medium of claim 19. 
Porras further teaches wherein the generating generates a rule using a specific trait of the anomalous communication, the specific trait not including a detected anomaly of the anomalous communication [col. 7, lines 6-16; col. 8, lines 53-63 of Porras teach the generating generates a rule (e.g., increase or decrease the scope of the analysis, enable or disable additional signature rules, etc.) using a specific trait of the anomalous communication, the specific trait not including a detected anomaly (e.g., not requiring knowledge of the data being analyzed) of the anomalous communication (e.g., the communication of short-term profile detected abnormal behavior) – see also rejections to the claim 19].

As per claim 22, Porras teaches the processor-readable medium of claim 19. 
Porras further teaches comparing the normal communication with the anomalous communication [col. 2, lines 35-63; col. 6, lines 54-64 of Porras teach comparing the normal communication (e.g., communication of the long-term profile) with the anomalous communication (e.g., the communication of short-term profile detected abnormal behavior)].

As per claim 23
Porras further teaches wherein the determining determines if any communication from the plurality of network communications includes a malicious payload, the generating to generate a rule based on an anomaly associated with the malicious payload [col. 6, lines 24-28; col. 7, lines 55-66; col. 8, lines 38-44; col. 13, lines 48-61 of Porras teach the determining determines if any communication from the plurality of network communications includes a malicious payload, the generating to generate a rule (e.g., defining indication of the malicious data) based on an anomaly associated with the malicious payload – see also rejections to the claim 19].

As per claim 24, Porras teaches the processor-readable medium of claim 19. 
Porras further teaches:
determining an impact of the generated rule on the network associated with the traffic filter [col. 7, lines 6-16; col. 8, lines 38-53 of Porras teach determining an impact of the generated rule (e.g., anomalous activity reports produced by the analysis engines of monitors) on the network associated with the traffic filter (e.g., from other monitor or third party module)]; and
adjusting the generated rule impact to form an adjusted rule at least partially based on the determined impact [fig. 5; col. 8, lines 53-61 of Porras teach adjusting the generated rule impact to form an adjusted rule (e.g., the increase or decrease the scope of analyses, enable or disable additional signature rules) at least partially based on the determined impact].

As per claim 25, Porras teaches the processor-readable medium of claim 19. 
Porras further teaches routing the anomalous communication to a predetermined component within the network associated with the traffic filter, responsive to a determination that the anomalous communication is to be handled by a service that does not exist within the network associated with the traffic filter [figs. 1, 3; col. 4, lines 8-24; col. 5, lines 1-9; col. 8, lines 29-63 of Porras teach routing (or disseminating) the anomalous communication to a predetermined component (e.g., a component of the other monitor or a domain monitor) within the network associated with the traffic filter, responsive to a determination that the anomalous communication is to be handled by a service (e.g., the analysis by the local/service monitor) that does not exist within the network associated with the traffic filter (e.g., the other monitor or third party module)].

Claims 26-32 are method claims that correspond to the medium claims 19-25, and are analyzed and rejected accordingly.
Claims 33-38 are apparatus claims that correspond to the medium claims 19-24, and are analyzed and rejected accordingly. See fig. 6 of Porras for the components of the apparatus.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAUNG T LWIN whose telephone number is (571)270-7845.  The examiner can normally be reached on Monday - Friday 10:00 am - 6:00 pm.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MAUNG T LWIN/Primary Examiner, Art Unit 2495