DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is in response to communication filed 05/11/2021. Claims 1, 2, 4, 9, 10, 11, 16 and 17 are amended, claims 8, 15 and 20 are canceled and claims 21-23 have been newly added. Claims 1-7, 9-14, 16-19 and 21-23 are pending.

EXAMINER’S AMENDMENT
An Examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to Applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this Examiner’s Amendment was given in a telephone interview with Mr. Lawrence A. Baratta (59,553) on 09/08/2021. 

Amendments to the Claims:
This listing of claims will replace all prior versions and listings of the claims in the application.
Listing of Claims:

1. (Currently Amended) A non-transitory computer-readable storage medium having computer readable code stored thereon for programming a processor, in a node of a cloud-based security system, to perform steps of:
obtaining a plurality of rules each defined via a rule syntax that includes a rule header and rule options, wherein each rule header is used to for a rule database lookup, and each rule options is used to specify details about [[the]] an associated rule;
monitoring data associated with a user of the cloud-based security system, wherein the node does not buffer the data during the monitoring, and wherein the monitoring includes maintaining a stream state across packet boundaries of the data;
analyzing the data with the plurality of rules; [[and]]
performing one or more security functions on the data based on triggering of a rule of the plurality of rules unless the rule is an experimental rule, wherein the cloud-based security system utilizes the plurality of rules to implement one or more of a firewall and an intrusion prevention system; and
monitoring the data associated with triggering any of experimental rules and processing the data associated with the triggering any of the experimental rules to develop new rules.

2. (Canceled)

3. (Currently Amended) The non-transitory computer-readable storage medium of claim [[2]] 1, wherein the experimental rules are written in a manner that includes false positives, and the processing is to reduce the false positives.

4. (Previously Presented) The non-transitory computer-readable storage medium of claim 1, wherein the plurality of rules include a match of a pattern, signature, syntax, or expression.

5. (Canceled)

6. (Original) The non-transitory computer-readable storage medium of claim 1, wherein the steps further include
subsequent to a first match of the rule of the plurality of rules, stopping the analyzing and performing the one or more security functions.

7. (Original) The non-transitory computer-readable storage medium of claim 1, wherein one or more rules of the plurality of rules include a fast pattern.

8. (Canceled)

9. (Currently Amended) A node in a cloud-based security system, comprising:
a processor and memory storing instructions that, when executed, cause the processor to
obtain a plurality of rules each defined via a rule syntax that includes a rule header and rule options, wherein each rule header is used to for a rule database lookup, and each rule options is used to specify details about [[the]] an associated rule;
monitor data associated with a user of the cloud-based security system, wherein the node does not buffer the data during the monitoring, and wherein the instructions that, when executed, further cause the processor to maintain a stream state across packet boundaries of the data;
analyze the data with the plurality of rules; [[and]]
perform one or more security functions on the data based on triggering of a rule of the plurality of rules unless the rule is an experimental rule, wherein the cloud-based security system utilizes the plurality of rules to implement one or more of a firewall and an intrusion prevention system; and
monitor the data associated with triggering any of experimental rules and process the data associated with the triggering any of the experimental rules to develop new rules.

10. (Canceled)

11. (Previously Presented) The node of claim 9, wherein the plurality of rules include a match of a pattern, signature, syntax, or expression.

12. (Canceled)

13. (Original) The node of claim 9, wherein the instructions that, when executed, further cause the processor to
subsequent to a first match of the rule of the plurality of rules, stopping the analyzing and performing the one or more security functions.

14. (Original) The node of claim 9, wherein one or more rules of the plurality of rules include a fast pattern.

15. (Canceled)

16. (Currently Amended) A method implemented in a node in a cloud-based security system, the method comprising:
obtaining a plurality of rules each defined via a rule syntax that includes a rule header and rule options, wherein each rule header is used to for a rule database lookup, and each rule options is used to specify details about [[the]] an associated rule;
monitoring data associated with a user of the cloud-based security system, wherein the node does not buffer the data during the monitoring, and the monitoring includes maintaining a stream state across packet boundaries of the data;
analyzing the data with the plurality of rules; [[and]]
performing one or more security functions on the data based on triggering of a rule of the plurality of rules unless the rule is an experimental rule, wherein the cloud-based security system utilizes the plurality of rules to implement one or more of a firewall and an intrusion prevention system; and
monitoring the data associated with triggering any of experimental rules and processing the data associated with the triggering any of the experimental rules to develop new rules.

17. (Canceled)

18. (Canceled)

19. (Original) The method of claim 16, further comprising
subsequent to a first match of the rule of the plurality of rules, stopping the analyzing and performing the one or more security functions.

20. (Canceled)

21. (Currently Amended) The non-transitory computer-readable storage medium of claim [[2]] 1, wherein a new rule is converted from an experimental rule to [[a]] the new rule based on monitoring a number of false positives over time.

22. (Previously Presented) The non-transitory computer-readable storage medium of claim 1, wherein the plurality of rules are compliant to a Snort format.

23. (Previously Presented) The non-transitory computer-readable storage medium of claim 1, wherein the data is not buffered during the monitoring and the analyzing utilizes a graph to determine rule matching across different packets.
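As an added illustration of the mechanism the claims describe, and not code from the application, the applicant or any cited reference, the following Python sketch parses Snort-like rules into a header that keys the rule database and options that describe the rule (claims 1 and 22), carries a per-flow KMP match state across packet boundaries so that no payload is buffered and the failure-link graph resolves a pattern split over several packets (claims 1 and 23), enforces an ordinary rule on its first match and then stops analysing that flow (claim 6), only records triggers of experimental rules, and promotes an experimental rule to an enforced one once a number of triggers has been reviewed with no false positives (claim 21). The `experimental` rule option, the `StreamEngine` class, the promotion thresholds, and the sample rules and flows are assumptions constructed for this example.

```python
"""Streaming rule inspection in the manner the claims describe (constructed example).

Header (action proto src sport -> dst dport) keys the rule database; options
(content, sid, msg) describe the rule.  Only an integer match state per flow and
rule survives between packets, never the payload.  The `experimental` option and
the promotion thresholds are assumptions, not part of any real rule language.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Rule:
    sid: int
    action: str        # header: security function applied on a match (alert/drop)
    proto: str
    dport: str
    content: bytes     # options: byte pattern the rule looks for
    experimental: bool
    fail: list = field(default_factory=list)   # KMP failure links (match graph)


def failure_links(pattern):
    """KMP failure function: lets matching resume mid-pattern across packets."""
    fail, k = [0] * len(pattern), 0
    for i in range(1, len(pattern)):
        while k and pattern[i] != pattern[k]:
            k = fail[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        fail[i] = k
    return fail


def parse_rule(text):
    """Parse 'action proto src sport -> dst dport (key:val; flag; ...)'."""
    header, _, options = text.partition("(")
    action, proto, _src, _sport, _arrow, _dst, dport = header.split()
    opts = {}
    for item in options.rstrip(")").split(";"):
        if item.strip():
            key, _, val = item.strip().partition(":")
            opts[key.strip()] = val.strip().strip('"')
    content = opts["content"].encode()
    return Rule(int(opts["sid"]), action, proto, dport, content,
                "experimental" in opts, failure_links(content))


class StreamEngine:
    def __init__(self, rule_texts, promote_after=3, max_false_positives=0):
        self.db = defaultdict(list)            # (proto, dport) header key -> rules
        self.by_sid = {}
        for r in map(parse_rule, rule_texts):
            self.db[(r.proto, r.dport)].append(r)
            self.by_sid[r.sid] = r
        self.state = defaultdict(int)          # (flow, sid) -> pattern bytes matched so far
        self.enforced = set()                  # flows where an ordinary rule already fired
        self.feedback_log = defaultdict(list)  # sid -> [was_false_positive, ...]
        self.promote_after, self.max_fp = promote_after, max_false_positives

    def inspect(self, flow, payload):
        """Feed one packet's payload for a flow; returns (outcome, sid) events."""
        if flow in self.enforced:              # stop analysing after the first enforced match
            return []
        proto, _, _, dport = flow
        events = []
        for rule in self.db[(proto, str(dport))]:
            k = self.state[(flow, rule.sid)]   # resume where the previous packet left off
            for byte in payload:
                while k and byte != rule.content[k]:
                    k = rule.fail[k - 1]
                if byte == rule.content[k]:
                    k += 1
                if k == len(rule.content):     # pattern completed, possibly across packets
                    k = 0
                    if rule.experimental:
                        events.append(("monitor", rule.sid))   # observed, not enforced
                    else:
                        events.append((rule.action, rule.sid))
                        self.enforced.add(flow)
                    break
            self.state[(flow, rule.sid)] = k
            if flow in self.enforced:
                break
        return events

    def feedback(self, sid, false_positive):
        """Record review of an experimental trigger; promote the rule once enough
        triggers have been reviewed with at most max_fp false positives."""
        rule, log = self.by_sid[sid], self.feedback_log[sid]
        log.append(false_positive)
        if rule.experimental and len(log) >= self.promote_after and sum(log) <= self.max_fp:
            rule.experimental = False          # now a regular rule that is enforced
            return True
        return False


RULES = [  # constructed sample rules in a Snort-like syntax
    'drop tcp any any -> any 80 (msg:"HTTP TRACE method"; content:"TRACE / HTTP"; sid:1;)',
    'alert tcp any any -> any 80 (msg:"curl user agent"; content:"curl/"; sid:2; experimental;)',
]


def demo():
    eng = StreamEngine(RULES)
    f1, f2, f3 = [("tcp", f"10.0.0.{i}", "10.0.0.9", 80) for i in (5, 6, 7)]  # constructed flows
    out = [eng.inspect(f1, b"TRA"),                                 # pattern starts here ...
           eng.inspect(f1, b"CE / HTTP/1.1\r\n"),                   # ... and completes: drop
           eng.inspect(f2, b"GET / HTTP/1.1\r\nUser-Agent: cu"),
           eng.inspect(f2, b"rl/8.0\r\n")]                          # experimental: monitor only
    promoted = [eng.feedback(2, False) for _ in range(3)]          # three reviewed, none false
    out.append(eng.inspect(f3, b"User-Agent: curl/8.0"))           # now enforced as a new rule
    return out, promoted
```

`demo()` returns the per-packet events for the three constructed flows followed by the promotion decisions: the first flow is dropped on its second packet even though the pattern began in the first, the experimental rule is only reported as monitored on the second flow, and after three reviewed triggers with no false positives the same pattern produces an enforced alert on the third flow.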

Remarks
After all amendments, claims 1, 3-4, 6-7, 9, 11, 13-14, 16, 19 and 21-23 remain pending; the claim objections to canceled claims 2, 10 and 17 are moot, and in view of the corrective amendments filed, the 112(b) rejections of claims 4 and 11 are withdrawn.


Allowable Subject Matter
The following is Examiner's statement of reasons for allowance: 
Per the 103 rejections of record, applicant's arguments with respect to independent claims 1, 9 and 16 (see Remarks, page 9, filed 05/11/2021) have been fully considered, and after all amendments, including the amendments entered above, the respective 103 rejections are withdrawn.
Similarly, the 101 (abstract idea) rejections of record are withdrawn after all amendments, including the amendments entered above.

The closest prior art reviewed is as follows:
Saavedra (US2019/0182213A1) discloses a firewall system that creates a stateful Deep Packet Inspection (DPI) engine for tracking sessions and flows, and packet tags to integrate with the existing stateful firewall of the system. The firewall system is configured to extend the depth of the inspection from one packet to multiple packets in a stream and can be modified to match even greater packet depth within a stream if needed.
Nellen (US2019/0141015A1) discloses a policy engine that updates the known false positives to include a threat associated with an alert, and inputs the plurality of attributes associated with the alert, together with an input indicating the alert is not associated with a threat, into the one or more machine learning algorithms. By doing so, the one or more machine learning algorithms are continuously trained, increasing in accuracy the more alerts are processed. The policy engine can update the global policy to include a rule indicating that the one or more attributes (in the alert) do not indicate a true threat.
Pereira (US10924503B1) discloses automatically analyzing network traffic, identifying false positives, determining patterns of malicious and/or non-malicious network traffic, and automatically implementing one or more remedial actions to address identified false positives, whereby, as a result of the improved functionality, alert fatigue may be reduced, signal-to-noise ratios of alerts may be improved, and malicious network traffic may be more accurately determined. Embodiments of the disclosure may improve computing efficiency and bandwidth by identifying false positives, thereby reducing the number of false alerts generated by threat or intrusion detection systems.

The closest prior art reviewed and made of record, alone or in combination, fails to disclose the claimed invention as a whole as recited in claim 1 and similarly recited in claims 9 and 16. Therefore, claims 1, 3-4, 6-7, 9, 11, 13-14, 16, 19 and 21-23 are allowed.

Conclusion
Any comments considered necessary by Applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.” 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533. The examiner can normally be reached on Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Kambiz Zand, can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AREZOO SHERKAT/Examiner, Art Unit 2434