Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The following is a Final Office action in response to communications received 09/3/2021. 

Information Disclosure Statement
The information disclosure statements (IDSs) submitted on 06/28/2021 and 10/20/2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Response to Amendment
Claims 1, 3, 19 and 20 have been amended. 
Claims 1-20 have been examined. 
Applicant’s arguments with respect to claim(s) 1, 19 and 20 regarding the new limitations: “wherein the data comprises sampled packet data that includes information defining communication sessions but not packet payload information” have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1-4, 6-9, 11-13 and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over prior art of record US 20160072836 to Hadden et al (hereinafter Hadden) and US 20200028866 to Kurakami (hereinafter Kurakami).
As per claims 1, 19 and 20, Hadden teaches:
A method, comprising: 
receiving data from nodes of a private network at a service external to the private network (Hadden: [0053] In step 406, a data security incident is detected, e.g., a data networking device such as a router 34 or firewall 36 in ACME Company's corporate network 70 detects data associated with a significant increase in download activity for a specific file, and sends data associated with the incident in messages to the ACME IM 102-1. [0054] According to step 408, the ACME IM 102-1 receives messages including information associated with the detected data security incident. [0030] FIG. 1 shows a cloud embodiment of one or more incident manager collaboration tool applications (IM) 102 within an incident management system 10. The IMs 102 are hosted within an application server 140. The application server 140 is included within a service network 132. [0031] IM(s) 102-1, 102-2, and 102-3 manage the incident response for enterprise networks 131 of exemplary organizations ACME Company, BigCorp, and CamCorp, respectively); 
analyzing the received data (Hadden: [0055]: the IM 102 automatically creates the incident object 121 in response to receiving the messages including the information associated with the detected data security incident. [0056] In step 412, the ACME IM 102 detects creation of the incident object 121 and optionally creation of IAs 120 associated with the incident, and parses their contents to identify any included data resources (e.g. IP addresses and the md5 hash for the downloaded file) within the incident object 121, and creates IAs 120 for the data resources identified within the incident object 121); 
detecting from analyzing the data a security event in the private network (Hadden: [0056]: Then, in step 414, the ACME IM 102-1 issues queries to first level TIS(s) 20 configured in the TIS configuration repository 128, to determine whether the IAs 120 (e.g. md5 hash for downloaded file and/or IP addresses of downloaded packets) for the incident object 121 are identified as known threats. [0057] According to step 416, if any known threats are identified, the method transitions to step 418. [0059] In step 420, the IM 102 executes a lookup of known threats (e.g. the IP addresses and/or hash for downloaded file data resources) against the Rules engine 178. If any rules 180 in the rules engine 178 have an IA type that matches the IA type of the known threats in step 422, the method transitions to step 424 and executes the matching rules); and 
automatically generating an output in response to detecting the security event that facilitates remediating the security event at least at one or more of the nodes of the private network, wherein a latency exists between the security event occurring on the private network and being remediated during which time an entity responsible for the security event has access to the private network before being blocked (Hadden: [0061]: According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the enterprise network 131. The config API 39 receives the message and forwards the message to the router 34 for execution on the router 34 in step 432. It is inherent that a latency exists between the security event occurring on the private network and reconfiguration (remediation) of the router to block the IP addresses).
Hadden teaches receiving incident objects from networking devices such as routers and firewalls that include IP addresses and md5 hash of the downloaded files but does not explicitly teach: wherein the data comprises sampled packet data that includes information defining communication sessions but not packet payload information. However, Kurakami teaches:
wherein the data comprises sampled packet data that includes information defining communication sessions but not packet payload information (Kurakami: [0022] In the IP network 1, traffic occurs when, for example, a terminal 41 in the user network 4 accesses the web server 3 through the router 2, and uses a service provided by the web server 3. Each of the routers 2 generates flow information including information about a transmission source IP address, a destination IP address, a protocol, a transmission-source port number, a destination port number, and the like, from a packet of the traffic received by an interface 20 to other devices (information defining communication sessions but not packet payload information). [0024] The respective routers 2 performs sampling of flow information of traffic received by the respective interfaces 20 provided therein at a predetermined sampling rate, to transmit to the monitoring device 10).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Kurakami in the invention of Hadden to include the above limitations. The motivation to do so would be to detect a traffic abnormality speedily and accurately by using flow information (Kurakami: [0010]).

As per claim 2, Hadden in view of Kurakami teaches:
The method of claim 1, wherein the data comprises a data stream (Hadden: [0053] In step 406, a data security incident is detected, e.g., a data networking device such as a router 34 or firewall 36 in ACME Company's corporate network 70 detects data associated with a significant increase in download activity for a specific file (data stream), and sends data associated with the incident in messages to the ACME IM 102-1).

As per claim 3, Hadden does not teach the limitations of claim 2. However, Kurakami teaches:
wherein data from different nodes comprises different sampling rates (Kurakami: [0034] The respective routers 2 performs sampling on traffic information received by the respective interfaces 20 at a predetermined sampling rate, and outputs to the monitoring device 10 as flow information. [0035] To the respective routers 2, a different sampling rate per interface 20 may be set).
The examiner provides the same rationale for combining prior arts Hadden and Kurakami as in claim 1 above.

As per claim 4, Hadden in view of Kurakami teaches:
The method of claim 1, wherein the data comprises flow data (Hadden: [0053] In step 406, a data security incident is detected, e.g., a data networking device such as a router 34 or firewall 36 in ACME Company's corporate network 70 detects data associated with a significant increase in download activity for a specific file (flow data), and sends data associated with the incident in messages to the ACME IM 102-1).

As per claim 6, Hadden in view of Kurakami teaches:
The method of claim 1, wherein the nodes of the private network comprise edge or border nodes of the private network (Hadden: [0053] In step 406, a data security incident is detected, e.g., a data networking device such as a router 34 or firewall 36 in ACME Company's corporate network 70 detects data associated with a significant increase in download activity for a specific file, and sends data associated with the incident in messages to the ACME IM 102-1. [0032] The enterprise network 131 of each organization includes a number of devices. These include computing devices, database systems, and data networking devices such as routers 34 firewalls 36 and configuration servers 63, in examples).

As per claim 7, Hadden in view of Kurakami teaches:
The method of claim 1, wherein the nodes of the private network comprise one or more of routers, switches, and cloud services (Hadden: [0053] In step 406, a data security incident is detected, e.g., a data networking device such as a router 34 or firewall 36 in ACME Company's corporate network 70 detects data associated with a significant increase in download activity for a specific file, and sends data associated with the incident in messages to the ACME IM 102-1. [0032] The enterprise network 131 of each organization includes a number of devices. These include computing devices, database systems, and data networking devices such as routers 34 firewalls 36 and configuration servers 63, in examples).

As per claim 8, Hadden in view of Kurakami teaches:
The method of claim 1, wherein the service provides security operations for the private network (Hadden: [0061]: According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the enterprise network 131. The config API 39 receives the message and forwards the message to the router 34 for execution on the router 34 in step 432).

As per claim 9, Hadden in view of Kurakami teaches:
The method of claim 1, wherein the service facilitates defending the private network from threats and attacks (Hadden: [0061]: According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the enterprise network 131. The config API 39 receives the message and forwards the message to the router 34 for execution on the router 34 in step 432).

As per claim 11, Hadden in view of Kurakami teaches:
The method of claim 1, wherein the service facilitates blocking only of Internet Protocol (IP) addresses associated with threats or attacks that are actually detected (Hadden: [0061]: According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the enterprise network 131. The config API 39 receives the message and forwards the message to the router 34 for execution on the router 34 in step 432).

As per claim 12, Hadden in view of Kurakami teaches:
The method of claim 1, wherein the output is generated by a rules engine of the service that is configured to map the detected security event to an action (Hadden: [002]: [0042] The rules engine 178 generates a list of tasks 192 for an IM 102 or IRT personnel 172 to execute in response to data security incidents. The tasks 192 include recommended actions that should be taken to provide an incident response to the data security incidents. Note that the rules engine 178 can also be programmed to automatically execute actions in response to incidents, such as instructing the firewall 36 to block access to certain IP addresses or suspicious protocol ports in response to a data security incident).

As per claim 13, Hadden in view of Kurakami teaches:
The method of claim 1, wherein the output comprises a routing filter or block list (Hadden: [0061]: According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the enterprise network 131. The config API 39 receives the message and forwards the message to the router 34 for execution on the router 34 in step 432).

As per claim 15, Hadden in view of Kurakami teaches:
The method of claim 1, wherein the output is communicated to the at least one or more nodes of the private network via an application programming interface (API) associated with the service (Hadden: [0061]: According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the enterprise network 131. The config API 39 receives the message and forwards the message to the router 34 for execution on the router 34 in step 432).

As per claim 16, Hadden in view of Kurakami teaches:
The method of claim 1, further comprising tagging the data (Hadden: [0044]: If the IA 120 already exists, the IM 102 can "link" or associate the existing IA 120 with the newly created incident object 121. The IM 102 can then annotate the existing IA 120 with information obtained from the newly created incident object 121).

As per claim 17, Hadden in view of Kurakami teaches:
The method of claim 1, further comprising storing the data (Hadden: [0036]: The IM 102 also includes an incident database 122 that stores incident objects 121 and incident artifacts (IAs) 120).

As per claim 18, Hadden in view of Kurakami teaches:
The method of claim 1, further comprising providing a portal to the service that is accessible to an operator of the private network (Hadden: [0034] Personnel typically associated with an Incident Response Team ("IRT") 172 access the IM 102 via the browser 150. The browser 150, in one example, presents a graphical user interface (GUI) application for managing and interacting with the IM 102. [0035] The members of the IRT 172 can also communicate with the IM 102 using web browsers 150 or stand-alone applications running on user devices such as tablet devices, where the application server 140 additionally functions as a web server. [0051] IRT personnel 172 within ACME Company's enterprise network 131 access the ACME (IM) 102 via a browser 150 running on the application server 140).

Claims 5 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Hadden in view of Kurakami as applied to claim 1 above, and further in view of prior art of record US 10084811 to Dinning et al (hereinafter Dinning).
As per claim 5, Hadden does not teach: wherein the data comprises log data. However, Dinning teaches: 
wherein the data comprises log data (Dinning: column 3, lines 55-67: The hub server may be configured to receive files from an automated tool, such as, for example, a vulnerability scanner monitoring an enterprise network, a log repository that stores logged events related to actions or the status of a given server).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Dinning in the invention of Hadden to include the above limitations. The motivation to do so would be to allow for most or all identified risk issues to be efficiently reviewed, and manually or automatically correlated with additional contextual metrics for manual or automated analysis, reporting, and/or downstream decision-making (Dinning: column 2, lines 1-6).

As per claim 10, Hadden does not teach: wherein the service comprises a distributed intrusion detection and prevention system. However, Dinning teaches:
wherein the service comprises a distributed intrusion detection and prevention system (Dinning: A security appliance 105 may be any computing device comprising a processor configured to execute various network and device security functions. Non-limiting examples of security appliances may include a firewall, an intrusion detection/prevention system etc.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Dinning in the invention of Hadden to include the above limitations. The motivation to do so would be to allow for most or all identified risk issues to be efficiently reviewed, and manually or automatically correlated with additional contextual metrics for manual or automated analysis, reporting, and/or downstream decision-making (Dinning: column 2, lines 1-6).

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Hadden in view of Kurakami as applied to claim 1 above, and further in view of prior art of record US 7873993 to Joel W. King (hereinafter King).
As per claim 14, Hadden does not teach: wherein the output is communicated to the at least one or more nodes of the private network via Border Gateway Protocol (BGP) or FlowSpec. However, King teaches:
wherein the output is communicated to the at least one or more nodes of the private network via Border Gateway Protocol (BGP) or FlowSpec (King: column 3, lines 8-20: the iBGP protocol configures remote office routers to block the return path to malicious websites with the use of split tunneling while allowing paths to third party resource websites. The iBGP protocol runs on the remote router, advertises routes from the enterprise iBGP router to the remote router and enables the head-end to effectively set up a policy at each remote router. Enterprise policies for blocking access to "blackholed" rogue website addresses are centrally administered).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of King in the invention of Hadden to include the above limitations. The motivation to do so would be to efficiently distribute a central policy to distributed egress points from the enterprise network rather than moving agent packet traffic to the head-end before egress to the Internet (King: column 2, lines 40-44).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
US 6894972 to Phaal: A network monitoring system and method for analyzing network traffic is provided. This network monitoring system and method employ flow monitoring to analyze the traffic flow inside a switching device. All message packets entering the switching device are filtered and then sampled. After message packets are sampled, the switching device generates reporting packets containing network information related to the sampled packets. These reporting packets are then transmitted to a monitor server for analysis. Generally, the monitor server is coupled to a number of the switching devices so that the overall performance of the network can be gathered and presented to the users.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHURI R. HERZOG
Primary Examiner
Art Unit 2438



/MADHURI R HERZOG/           Primary Examiner, Art Unit 2438