Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 09/14/2021 has been entered.

Status of Claims
Claims 1, 3-6, 11 and 13-16 have been amended.  Claims 1-20 are pending and have been considered below.

Priority
Application 16,666,092, filed 10/28/2019, is a continuation of application 14,927,580, filed 10/30/2015, now U.S. Patent No. 10,476,893, which had 2 RCE-type filings therein.

Drawings
The drawings filed on 10/28/2019 are accepted.
Specification
The specification filed on 10/28/2019 is accepted.

Response to Arguments
Applicant’s arguments with respect to newly amended claims have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10,476,893. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the 10,476,893 patent contain all the limitations of the pending claims, together with further limitations.
Application 16,666,092 (pending claims):

1. A method comprising:
establishing, by a device, a plurality of anomaly detection profiles, each of the plurality of anomaly detection profiles identifying an anomaly and one or more detection features for the anomaly;
selecting, by the device, from a plurality of anomaly detection profiles, an anomaly detection profile to apply to the network traffic of the application based at least on application characteristics of the application identified using network traffic of the application traversing the device;
setting, by the device for the anomaly detection profile, one or more threshold values for each of the one or more detection features based at least on a range of values identified via the network traffic of the application that is non-anomalous;
detecting, by the device, an anomaly in the network traffic of the application responsive to comparing values of one or more detection features identified in the network traffic of the application to the one or more threshold values set for the anomaly detection profiles; and
claim 2
blocking, by the device responsive to detecting the anomaly, at least a portion of the network traffic of the application.

7. The method of claim 1, further comprising identifying the application characteristics that correspond to the one or more detection features used to detect at least one of a denial of service attack, web scraping, a brute force attempt at determining login credentials associated with the application or anomalous packet payloads.

11. A system comprising:
a device comprising one or more processors, coupled to memory and configured to:
establish a plurality of anomaly detection profiles, each of the plurality of anomaly detection profiles identifying an anomaly and one or more detection features for the anomaly;
identify application characteristics of an application using network traffic of the application traversing the device;
select, from a plurality of anomaly detection profiles, an anomaly detection profile to apply to the network traffic of the application based at least on application characteristics of an application identified using network traffic of the application traversing the device;
set, for the anomaly detection profile, one or more threshold values for each of the one or more detection features based at least on a range of values identified via the network traffic of the application that is non-anomalous;
detect an anomaly in the network traffic of the application responsive to comparing values of one or more detection features identified in the network traffic of the application to one or more threshold values; and
claim 12
block, responsive to detecting the anomaly, at least a portion of the network traffic of the application.

12. The system of claim 11, wherein the device is further configured to communicate, responsive to detecting the anomaly, an alert regarding the detected anomaly.

17. The system of claim 11, wherein the device is further configured to identify the application characteristics that correspond to the one or more detection features used to detect at least one of a denial of service attack, web scraping, a brute force attempt at determining login credentials associated with the application or anomalous packet payloads.

U.S. Patent No. 10,476,893 (reference claims):

identifying, by the device, using the network traffic corresponding to the application, application characteristics of the application to select an anomaly detection profile;
selecting, by the device, from a plurality of anomaly detection profiles, the anomaly detection profile corresponding to the application based on the identified application characteristics, the anomaly detection profile identifying an anomaly and including a set of a plurality of detection features for the anomaly, one or more predetermined threshold values of the plurality of detection features used to detect anomalous traffic and an explanation corresponding to the anomaly for exceeding the one or more predetermined threshold value of each detection feature of the plurality of detection features, the anomaly detection profile generated by receiving the network traffic from a log of network traffic previously received by the device; determining, for the anomaly detection profile, a range of values associated with non-anomalous network traffic; and
setting the threshold values of the detection features of the anomaly detection profile based on the range of values associated with non-anomalous network traffic for the plurality of detection features;
determining, by the device, via the network traffic, one or more feature values of the set
detecting the anomaly in the network traffic responsive to comparing the feature values and the predetermined threshold values of the plurality of detection features;
generating, by the device, an alert responsive to detecting the anomaly; and
blocking, by the device, a connection to the server from a client that transmitted at least a portion of the network traffic, responsive to determining that the network traffic is anomalous.

3. The method of claim 1, wherein identifying the application characteristics of the application includes identifying application characteristics that correspond to detection features used to detect at least one of a) a denial of service attack; b) web scraping; c) a brute force attempt at determining correct login credentials associated with the application; or d) anomalous packet payloads.

9. A system for detecting anomalous network traffic, comprising:
a device intermediary to a plurality of clients and a plurality of servers, the device configured to receive network traffic corresponding to an application executed by a server of the plurality of servers;
identify, using the network traffic corresponding to the application, application characteristics of the application to select an anomaly detection profile;
select, from a plurality of anomaly detection profiles, the anomaly detection profile corresponding to the application based on the identified application characteristics, the anomaly detection profile identifying an anomaly and including a set of a plurality of detection features for the anomaly, one or more predetermined threshold values of the plurality of detection features used to detect anomalous traffic and a corresponding explanation for exceeding the one or more predetermined threshold value of each detection feature of the plurality of detection features, the anomaly detection profile generated by receiving the network traffic from a log of network traffic previously received by the device;
determining, for the anomaly detection profile, a range of values associated with non-anomalous network traffic; and
setting the threshold values of the detection features of the anomaly detection profile based on the range of values associated with non-anomalous network traffic for the plurality of detection features;
determine, via the network traffic, one or more feature values of the set of the plurality of detection features of the selected anomaly detection profile;
detect the anomaly in the network traffic responsive to comparing the feature values and the predetermined threshold values of the detection features,
block a connection to the server from a client that transmitted at least a portion of the network traffic, responsive to determining that the network traffic is anomalous.

11. The system of claim 9, wherein the device is further configured to identify the application characteristics of the application by identifying application characteristics that correspond to detection features used to detect at least one of a) a denial of service attack; b) web scraping; c) a brute force attempt at determining correct login credentials associated with the application; or d) anomalous packet payloads.
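The claimed workflow in both columns is the same procedure: establish profiles that name an anomaly and its detection features, identify the application's characteristics from its traffic, select the profile(s) that apply, set each feature's threshold from the range observed in non-anomalous traffic, compare feature values from live traffic against those thresholds, then alert and block the offending client. The following Python sketch is an added illustration written for this page; it is not code from either patent or from any of the cited references. Every name in it (Profile, client_features, identify_characteristics, select_profiles, set_thresholds, detect, respond, run), the traffic records, the three profiles, the characteristic labels and the threshold rule (upper end of the non-anomalous range with a tolerance margin) are constructed assumptions. It goes slightly beyond the claim text in that it selects every profile whose required characteristics the application exhibits, rather than exactly one.

```python
"""Added illustration of anomaly-detection profiles with thresholds set from
non-anomalous traffic. All data and names are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# A traffic record as the intermediary device might log it (constructed):
# (client_ip, method, path, status, payload_len)
Record = Tuple[str, str, str, int, int]

# Constructed non-anomalous traffic of the application, used to learn ranges.
BASELINE: List[Record] = [
    ("10.0.0.1", "GET", "/", 200, 0), ("10.0.0.1", "GET", "/about", 200, 0),
    ("10.0.0.1", "POST", "/login", 200, 120), ("10.0.0.1", "GET", "/app", 200, 0),
    ("10.0.0.2", "GET", "/", 200, 0), ("10.0.0.2", "POST", "/login", 401, 118),
    ("10.0.0.2", "POST", "/login", 200, 120), ("10.0.0.2", "GET", "/app", 200, 0),
    ("10.0.0.2", "GET", "/app", 200, 0), ("10.0.0.3", "GET", "/", 200, 0),
    ("10.0.0.3", "POST", "/upload", 200, 512), ("10.0.0.3", "GET", "/app", 200, 0),
]

# Constructed live window: one benign client, one client hammering /login with
# failed attempts, one client sending an oversized upload.
WINDOW: List[Record] = (
    [("10.0.0.1", "GET", "/app", 200, 0), ("10.0.0.1", "GET", "/", 200, 0)]
    + [("198.51.100.7", "POST", "/login", 401, 118)] * 6
    + [("203.0.113.9", "POST", "/upload", 200, 4096)]
)


@dataclass
class Profile:
    """An anomaly detection profile: the anomaly it identifies, its detection
    features, the application characteristics it applies to, and an explanation
    per feature for why exceeding the threshold indicates the anomaly."""
    anomaly: str
    features: Tuple[str, ...]
    requires: FrozenSet[str]
    explanations: Dict[str, str]
    thresholds: Dict[str, float] = field(default_factory=dict)


PROFILES = [
    Profile("brute_force", ("failed_logins",), frozenset({"login_endpoint"}),
            {"failed_logins": "failed logins per client above the non-anomalous range"}),
    Profile("denial_of_service", ("requests",), frozenset(),
            {"requests": "requests per client above the non-anomalous range"}),
    Profile("anomalous_payload", ("max_payload",), frozenset({"upload_endpoint"}),
            {"max_payload": "payload length above the non-anomalous range"}),
]


def client_features(records: List[Record]) -> Dict[str, Dict[str, float]]:
    """Detection feature values per client for one window of traffic."""
    feats = defaultdict(lambda: {"requests": 0, "failed_logins": 0, "max_payload": 0})
    for ip, method, path, status, size in records:
        f = feats[ip]
        f["requests"] += 1
        if method == "POST" and path == "/login" and status == 401:
            f["failed_logins"] += 1
        f["max_payload"] = max(f["max_payload"], size)
    return dict(feats)


def identify_characteristics(records: List[Record]) -> FrozenSet[str]:
    """Application characteristics inferred from the traffic traversing the device."""
    chars = {"http"}
    paths = {r[2] for r in records}
    if "/login" in paths:
        chars.add("login_endpoint")
    if "/upload" in paths:
        chars.add("upload_endpoint")
    return frozenset(chars)


def select_profiles(profiles: List[Profile], chars: FrozenSet[str]) -> List[Profile]:
    """Select every profile whose required characteristics the application has."""
    return [p for p in profiles if p.requires <= chars]


def set_thresholds(profile: Profile, baseline: List[Record], tolerance: float = 2.0):
    """Set each feature's threshold from the range seen in non-anomalous traffic:
    the constructed rule places it above the observed maximum by a tolerance."""
    per_client = client_features(baseline).values()
    for name in profile.features:
        hi = max(f[name] for f in per_client)
        profile.thresholds[name] = max(hi * tolerance, hi + 1)
    return profile.thresholds


def detect(profiles: List[Profile], window: List[Record]) -> List[dict]:
    """Compare live feature values against each selected profile's thresholds."""
    findings = []
    for ip, f in client_features(window).items():
        for p in profiles:
            for name in p.features:
                if f[name] > p.thresholds[name]:
                    findings.append({"anomaly": p.anomaly, "client": ip, "feature": name,
                                     "value": f[name], "threshold": p.thresholds[name],
                                     "explanation": p.explanations[name]})
    return findings


def respond(findings: List[dict]) -> Tuple[List[str], List[str]]:
    """Generate an alert per finding and the list of clients to block."""
    alerts = [f"ALERT {x['anomaly']}: client {x['client']} {x['feature']}={x['value']} "
              f"> {x['threshold']} ({x['explanation']})" for x in findings]
    return alerts, sorted({x["client"] for x in findings})


def run(baseline: List[Record] = BASELINE, window: List[Record] = WINDOW):
    selected = select_profiles(PROFILES, identify_characteristics(baseline))
    for p in selected:
        set_thresholds(p, baseline)
    return respond(detect(selected, window))


if __name__ == "__main__":
    alerts, blocked = run()
    print("\n".join(alerts))
    print("blocked:", blocked)
```

With the constructed data the baseline yields per-client thresholds of 10 requests, 2 failed logins and a 1024-byte payload; the live window then produces a brute_force finding for 198.51.100.7 and an anomalous_payload finding for 203.0.113.9, and only those two clients are blocked.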



Claims 1-6, 8-16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Overcash U.S. 2009/0100518 A1 in view of Shimoni et al U.S. 2010/0192201 A1.
Claims 1 and 11: Overcash teaches a method and a system comprising: 
a device comprising one or more processors, coupled to memory and configured to (par.238-239)
(par.37-44, behavior-based security model, a tailored application security profile is created that defines appropriate application behavior. Because a unique security profile is needed for every Web application. Instead, it would be beneficial to create security profiles automatically for each application, dynamically generate, and automatically maintain, application profiles tailored to each Web application);
identifying, by the device, application characteristics of an application using network traffic of the application traversing the device (par.57 , Fig.3a, a user will access a Web application with web traffic using SSL encryption. A SSL decryption module 306 can passively decrypt the traffic to allow visibility into any embedded threats in the web traffic. The web traffic then flows to a collaborative detection module 308 where the traffic is analyzed in the context of appropriate application behavior compared to the applications security profile);
 	selecting, by the device, from the plurality of anomaly detection profiles,  an anomaly detection profile to apply to the network traffic of the application based at least on the application characteristics of an application identified (par.57-60,  the web traffic then flows to a collaborative detection module 308 where the traffic is analyzed in the context of appropriate application behavior compared to the applications security profile, If an anomaly is discovered, it is passed to one or more of the multiple threat-detection engines included within the collaborative detection module 308. The results from the collaborative detection module 308 are communicated to an Advanced Correlation Engine (ACE) 310 where it is determined the threat context and to reduce false positives);
setting, by the device for the anomaly detection profile, one or more values for each of the one or more detection features based at least on a range of values identified via the network traffic of the application that is non-anomalous (par. 58-62, The correlation engine examines all of the reference events generated by the detection engines. This can be viewed as combining positive (behavior engine/adaption) and negative security models (signature database) with other specific aspects to web application taken into account (session, protocol). As an example consider a typical SQL Injection; at least one if not two behavioral violations will be detected (invalid characters and length range exceeded) and several signature hits will occur (SQL Injection (Single quote and equals) and SQL Injection (SELECT Statement). Any one of these events on their own will typically be a false positive, but when correlated together, they may provide a high likelihood of an actual attack);
Shimoni et al in a similar field of endeavor teaches
(par.54, 56, 132-133, Fig.4, The traffic is analyzed by a behavior analysis engine 370 in the context of appropriate application behavior compared to the applications' security profile. If an anomaly is discovered the traffic is passed to one or more of the multiple threat-detection engines included within the collaborative detection module 308. The multiple threat-detection engines work synergistically to deliver comprehensive Web application protection that spans a broad range of potentially vulnerable areas. By working together the multiple threat-detection engines are able to uncover threats by analyzing them in the context of the acceptable application behavior, known Web attack vectors and other targeted Web application reconnaissance); and
blocking, by the device responsive to detecting the anomaly, at least a portion of the network traffic of the application (par.135, 138, the requests exceeding the threshold may be blocked and/or another responsive action may be performed. For example, a user can be logged out of the system, an alert can be generated for an administrator, subsequent requests from the user or from the user's IP address can be blocked, and/or other actions may be performed in response to the threshold being exceeded).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Overcash with the additional features of Shimoni et al in order to provide the ability to protect Web applications from security breaches, as suggested by Shimoni et al, par. 6.
Claims 2 and 12: the combination teaches 
 	communicating, by the device responsive to detecting the anomaly, an alert regarding the detected anomaly (Overcash, par. 55, 59, 61, 90). 
Claims 3 and 13: the combination teaches
 wherein each of the plurality of anomaly detection profiles identifies the one or more threshold values to use for comparing the values of the one or more detection features (Shimoni et al, par. 107, 118, 120, 132-135). 
The same motivation to modify Overcash in view of Shimoni et al applied to claims 1 and 11 above applies here.
Claims 4 and 14: the combination teaches  
wherein the one or more threshold values are specific to the application (Shimoni et al, par. 107, 118, 120, 132-135). 
The same motivation to modify Overcash in view of Shimoni et al applied to claims 1 and 11 above applies here.
Claims 5 and 15: the combination teaches 
establishing values for the one or more threshold values by using an anomaly detection model (Shimoni et al, par. 107, 118, 120, 132-135).
The same motivation to modify Overcash in view of Shimoni et al applied to claims 1 and 11 above applies here.
Claims 6 and 16: the combination teaches
 monitoring, by the anomaly detection model, network traffic corresponding to the application to establish the values for the one or more threshold values (Shimoni et al, par. 107, 118, 120, 132-135).
The same motivation to modify Overcash in view of Shimoni et al applied to claims 5 and 15 above applies here.
Claims 8 and 18: the combination teaches  
identifying the application characteristics from a log of network traffic received by the device (Shimoni et al, par. 84, 88). 
The same motivation to modify Overcash in view of Shimoni et al applied to claims 1 and 11 above applies here.
Claims 9 and 19: the combination teaches 
further comprising monitoring, by the device, network traffic of the application to identify the values of the one or more detection features (Shimoni et al, par. 91, 107-112).
The same motivation to modify Overcash in view of Shimoni et al applied to claims 1 and 11 above applies here.
Claims 10 and 20: the combination teaches
 wherein the device is intermediary to a plurality of clients and the application (Overcash, Figs.1 &3A). 
Claims 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Overcash U.S. 2009/0100518 A1 in view of Shimoni et al U.S. 2010/0192201 A1 in further view of Roundy et al U.S. 9,275,226 B1.
Claims 7 and 17: the combination teaches
further comprising identifying the application characteristics that correspond to the one or more detection features used to detect at least one of a denial of service attack, a brute force attempt at determining login credentials associated with the application or anomalous packet payloads (Overcash, par. 49, 95, 117, 121; Shimoni et al, par. 107, 11, 116, 130);
Roundy et al in the same field of endeavor teaches
identifying the application characteristics that correspond to the one or more detection features used to detect at least one of web scraping (col.4, lines 21-25).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Overcash with the additional features of Roundy et al in order to provide the ability to determine whether the identified website includes a malicious software attack designed to selectively attack visitors to the website, as suggested by Roundy et al, abstract.
The following prior art is cited to further show the state of the art at the time of Applicants' invention with respect to anomalous application profiles.
Jang et al U.S. 2009/0313699 A1 teaches an apparatus and method for preventing an anomaly of an application program are provided. More particularly, an apparatus and method for preventing an anomaly of an application program that detect and stop an anomaly on the basis of a behavior profile for an application program are provided.
Overcash et al U.S. 2008/0034424 A1 teaches a system and method for protection of Web based applications are described. An agent is included in a web server such that traffic is routed through the agent. A security module is also in
Gadde et al U.S. 2006/0037077 A1 teaches an intrusion detection system and method for a computer network that includes a processor and one or more programs that run on the processor for application inspection of data packets traversing the computer network. The one or more programs also obtain attribute information from the packets specific to a particular application and compare the attribute information against a knowledge database that provides a baseline of normal network behavior. The processor raises an alarm whenever the attribute information exceeds a predetermined range of deviation from the baseline of normal network behavior.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571)270-1685.  The examiner can normally be reached on 6:30-3:00.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, SHEWAYE GELAGAY, can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

Tuesday, September 28, 2021

/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436