Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
1. This is in response to the arguments filed on 06/02/2021.
2. Claims 1-20 are pending in the application and 8-15 are withdrawn.
3. Claims 1-7 and 16-20 have been rejected.
Response to Arguments
6.	Applicant's arguments with respect to claims 1-7 and 16-20 have been considered but are moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the 

4.	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
5.	Claims 1-7, and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Chow et al hereafter Chow (US pat. App. Pub. 20110197278) and in view of Keir et al hereafter keir (US pat. App. Pub. 20040078384) and in further view of Schrader et al hereinafter Schrader (US pat. App. Pub. 20160149933).  
6.	As per claims 1, Chow discloses a system, comprising: one or more processors; and one or more memory devices that store instructions configured to be executed by the one or more processors to perform actions that: monitor network traffic flow through one or more ports of one or more entities in a network; detect a newly port on a first entity (paragraphs: 32-34, wherein it emphasizes that a device monitor that PDU data traffic on the port and detect the port at the first entity); determine whether the newly-opened port on the first entity is likely to be used for malicious activity based on a collaborative filtering model, the collaborative filtering model based on implicit datasets, the implicit datasets including usage patterns of the one or more ports of the one or more entities for non-malicious activity; and issue an alert when the newly-opened port 
Accordingly, it would been obvious to one of ordinary skill in the network security art before the effective filing date of the claimed invention to have incorporated keir and Schrader’s teachings of monitor network traffic flow through a plurality of open ports of a plurality of entities in a network with the teachings of Chow, for the purpose of effectively protecting the datasets from unauthorized intruders. 
7.	As per claim 2, Chow discloses the system, wherein the one or more memory devices store instructions that when executed by the one or more processors performs actions that: structure data from the network traffic flow into an entity-port model that reflects the usage of the plurality of open ports by the plurality of entities for non-malicious activity; perform single value decomposition with alternative least squares to decompose the entity-port model into a first matrix of entity factors and a second matrix 
8.	As per claim 3, Chow discloses the system, wherein the one or more memory devices store instructions that when executed by the one or more processors performs actions that: obtain the plurality of usage patterns from synchronize (SYN) and acknowledgement (ACK) settings in transmission control protocol (TCP) packets (paragraphs: 31, 48, 78)
9.	As per claim 4, Chow discloses the system, wherein the plurality of usage patterns are derived from Internet Protocol Flow Information Export (IPFIX) data (paragraphs:  34, 40). 
10.	As per claim 5, Chow discloses the system, wherein the one or more memory devices store instructions that when executed by the one or more processors performs actions that: update the entity-port model with additional data from the network traffic flow at periodic intervals (paragraphs: 27, 77). 
11.	As per claim 6, Chow discloses the system, wherein the one or more memory devices store instructions that when executed by the one or more processors performs actions that: raise an alert when the recommendation score is below a threshold (paragraphs: 89, 91). 
12.	As per claim 7, Chow discloses the system, wherein the one or more memory devices store instructions that when executed by the one or more processors performs actions that: prior to perform single value decomposition, transform an entity-port pair of the entity-port model into a preference and confidence pair (paragraphs: 47, 50). 

Accordingly, it would been obvious to one of ordinary skill in the network security art before the effective filing date of the claimed invention to have incorporated keir and Schrader’s teachings of monitor network traffic flow through a plurality of open ports of a plurality of entities of a network with the teachings of Chow, for the purpose of effectively protecting the datasets from unauthorized intruders. 
14.	As per claim 17, Chow discloses the device, wherein the at least one processor is further configured to: construct the collaborative filtering model using implicit datasets, 
15.	As per claim 18, Chow discloses the device, wherein the at least one processor is further configured to: generate an entity-port model having a value identifying a usage frequency of an open port for an entity; and apply singular value decomposition with alternating least squares to estimate a missing value for a port of an entity and generating a first matrix representing entity factors and a second matrix representing port factors (paragraphs: 31, 30, 45). 
16.	As per claim 19, Chow discloses the device, wherein the at least one processor is further configured to: generate a recommendation score for the first entity and the newly-opened port based on the first matrix and the second matrix (paragraphs: 40, 46, 90). 
17.	As per claim 20, Chow discloses the device, wherein the at least one processor is further configured to: when the recommendation score is below a threshold, raise the alert (paragraphs: 42, 71). 
Citation of References
18. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not been replied upon for this office action: 
McClintock et al (US pat. 9350748): discusses improving computer system security by detecting and responding to attacks on computer systems are described herein. A computer system monitors communications requests from external systems and, as a result of detecting one or more attacks on the computer system, the computer system 
Mcclura et al (US pat. App. Pub. 20070011319): elaborates that a comprehensive network vulnerability testing and reporting method and system. Specifically, the testing system features include a selected combination of: (1) a non-destructive identification of target computer operating system; (2) a multiple-tier port scanning method for determination of what network addresses are active and what ports are active at those addresses; (3) a comparison of collected information about the target network with a database of known vulnerabilities; (4) a vulnerability assessment of some vulnerabilities on identified ports of identified target computers; (5) an active assessment of vulnerabilities reusing data discovered from previously discovered target computers; (6) an application of a quantitative score to objectively and comparatively rank the security of the target network; and, (7) reduction of detailed results of the information collected into hierarchical, dynamic and graphical representations of the target network, target computers, and vulnerabilities found therein.  
Conclusion

19.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Mohammad W. Reza whose telephone number is 571-272-6590.  The examiner can normally be reached on M-F (9:00-5:00).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).