DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The amendment filed 10/21/2021 has been placed of record in the file.
Claims 1, 3, 8, 10, and 15 have been amended.
Claims 1-20 are pending.
The applicant’s arguments with respect to claims 1-20 have been considered but are moot in view of the following new grounds of rejection.
The IDS filed 10/21/2021 has been considered.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/21/2021 has been entered.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

10.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Aziz (U.S. Patent Application Publication Number 2008/0005782) in view of Burns et al. (U.S. Patent Application Publication Number 2010/0281539), hereinafter referred to as Burns.
Aziz disclosed techniques for capturing and analyzing network data.  In an analogous art, Burns disclosed techniques for monitoring characteristics of network sessions.  Both systems deal directly with the capture and analysis of network data.
Regarding claim 1, Aziz discloses a method to facilitate network security analysis and attack response, the method comprising: in a passive analysis system: receiving a copy of network traffic (paragraph 141, copy of network data); performing deep analysis on the copy of network traffic to identify malicious patterns of behavior over time (paragraph 157, analyze effects of network data, and paragraph 44, network activity that does not match orchestration pattern), wherein the deep analysis includes analyzing connection behavior of a client when interacting with at least one server to identify the malicious patterns of behavior (paragraph 143, determines source and destination devices, and paragraph 45, monitors network communication accesses, and paragraph 44, identifies anomalous behavior), wherein analyzing the connection behavior of the client comprises determining an order and manner in which the client retrieves content from the at least one server (paragraph 52, sequence of packets, and paragraph 45, type of communication); generating security data points based on the connection behavior of the client, wherein the security data points comprise fingerprints of behavior that describe the 
Aziz does not explicitly state determining whether or not the client sends multiple requests in a same connection.  However, monitoring network connections was well known in the art as evidenced by Burns.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Aziz by adding the ability for determining whether or not the client sends multiple requests in a same connection as provided by Burns (see paragraph 53, monitors traffic for number of requests for each connection).  One of ordinary skill in the art would have recognized the benefit that monitoring network connections in such a way would assist in the detection of software agents that implement application-layer attacks (see Burns, paragraph 6).
Regarding claim 2, the combination of Aziz and Burns discloses wherein the active inline security device blocks packets upon detection of at least one security event (Aziz, paragraph 131, filtering and/or blocking).
Regarding claim 3, the combination of Aziz and Burns discloses wherein analyzing the connection behavior of the client comprises analyzing frequency of requests sent from the client (Aziz, paragraph 78, detects number of network communications).
Regarding claim 4, the combination of Aziz and Burns discloses wherein performing the deep analysis on the copy of network traffic comprises analyzing the copy of the network traffic for protocol violations (Aziz, paragraph 46, checks that appropriate network protocol is used).
Regarding claim 5, the combination of Aziz and Burns discloses wherein providing the security data points to the active inline security device comprises asynchronously feeding the security data points to the active inline security device (Aziz, paragraph 137, distributes computer worm identifiers when identifiers become known).
Regarding claim 6, the combination of Aziz and Burns discloses wherein the security data points comprise at least one internet protocol address (Aziz, paragraph 131, uses source and destination IPs).
Regarding claim 7, the combination of Aziz and Burns discloses wherein the security data points comprise a regular expression (Aziz, paragraph 42, regular expression).
Regarding claim 8, Aziz discloses one or more computer-readable storage media having program instructions stored thereon to facilitate network security analysis and attack response, wherein the program instructions, when executed by a passive analysis system, direct the passive analysis system to at least: receive a copy of network traffic (paragraph 141, copy of network data); perform deep analysis on the copy of network traffic to identify malicious patterns of behavior over time (paragraph 157, analyze effects of network data, and paragraph 44, network activity that does not match orchestration pattern), wherein the deep analysis includes analyzing connection behavior of a client when interacting with at least one server to identify malicious 
Aziz does not explicitly state determining whether or not the client sends multiple requests in a same connection.  However, monitoring network connections was well known in the art as evidenced by Burns.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Aziz by adding the ability for determining whether or not the client sends multiple requests in a same connection as provided by Burns (see paragraph 53, monitors traffic for number of requests for each connection).  One of ordinary skill in the art 
Regarding claim 9, the combination of Aziz and Burns discloses wherein the active inline security device blocks packets upon detection of at least one security event (Aziz, paragraph 131, filtering and/or blocking).
Regarding claim 10, the combination of Aziz and Burns discloses wherein analyzing the connection behavior of the client comprises analyzing frequency of requests sent from the client (Aziz, paragraph 78, detects number of network communications).
Regarding claim 11, the combination of Aziz and Burns discloses wherein the program instructions direct the passive analysis system to perform the deep analysis on the copy of network traffic by directing the passive analysis system to analyze the copy of the network traffic for protocol violations (Aziz, paragraph 46, checks that appropriate network protocol is used).
Regarding claim 12, the combination of Aziz and Burns discloses wherein the program instructions direct the passive analysis system to provide the security data points to the active inline security device by directing the passive analysis system to asynchronously feed the security data points to the active inline security device (Aziz, paragraph 137, distributes computer worm identifiers when identifiers become known).
Regarding claim 13, the combination of Aziz and Burns discloses wherein the security data points comprise at least one internet protocol address (Aziz, paragraph 131, uses source and destination IPs).
Regarding claim 14, the combination of Aziz and Burns discloses wherein the security data points comprise a regular expression (Aziz, paragraph 42, regular expression).
Regarding claim 15, Aziz discloses a network security system comprising: a passive analysis system having a first communication interface and a first processor; and an active inline security device having a second communication interface and a second processor, and wherein the active inline security device is logically positioned between at least one client device and at least one server to intercept network traffic; the passive analysis system configured to: receive, via the first communication interface, a copy of network traffic between the at least one client device and the at least one server (paragraph 141, copy of network data); perform, using the first processor, deep analysis on the copy of network traffic to identify malicious patterns of behavior over time (paragraph 157, analyze effects of network data, and paragraph 44, network activity that does not match orchestration pattern), wherein the deep analysis includes analyzing connection behavior of the at least one client device when interacting with the at least one server to identify the malicious patterns of behavior (paragraph 143, determines source and destination devices, and paragraph 45, monitors network communication accesses, and paragraph 44, identifies anomalous behavior), wherein analyzing the connection behavior of the at least one client device comprises determining an order and manner in which the at least one client device retrieves content from the at least one server (paragraph 52, sequence of packets, and paragraph 45, type of communication); generate security data points based on the connection behavior of the at least one client device, wherein the security data points comprise fingerprints of behavior that describe the malicious patterns of behavior identified by the deep analysis (paragraph 105, determines identifier including signature or vector based on anomalous behavior, and paragraph 43, vector characterizes anomalous behavior); and transmit, via the first communication interface, the security data points to an active inline security device (paragraph 131, receive computer worm identifier); and the active inline security device configured to: receive, via the 
Aziz does not explicitly state determining whether or not the at least one client device sends multiple requests in a same connection.  However, monitoring network connections was well known in the art as evidenced by Burns.  Since the inventions encompass the same field of endeavor, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Aziz by adding the ability for determining whether or not the at least one client device sends multiple requests in a same connection as provided by Burns (see paragraph 53, monitors traffic for number of requests for each connection).  One of ordinary skill in the art would have recognized the benefit that monitoring network connections in such a way would assist in the detection of software agents that implement application-layer attacks (see Burns, paragraph 6).
Regarding claim 16, the combination of Aziz and Burns discloses wherein the active inline security device is further configured to block packets upon detection of at least one security event (Aziz, paragraph 131, filtering and/or blocking).
Regarding claim 17, the combination of Aziz and Burns discloses wherein analyzing the connection behavior of the at least one client device comprises analyzing frequency of requests 
Regarding claim 18, the combination of Aziz and Burns discloses wherein the passive analysis system configured to perform the deep analysis on the copy of network traffic comprises the passive analysis system configured to analyze the copy of the network traffic for protocol violations (Aziz, paragraph 46, checks that appropriate network protocol is used).
Regarding claim 19, the combination of Aziz and Burns discloses wherein the passive analysis system configured to provide the security data points to the active inline security device comprises the passive analysis system configured to asynchronously feed the security data points to the active inline security device (Aziz, paragraph 137, distributes computer worm identifiers when identifiers become known).
Regarding claim 20, the combination of Aziz and Burns discloses wherein the security data points comprise at least one internet protocol address (Aziz, paragraph 131, uses source and destination IPs).

Conclusion
11.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Victor Lesniewski whose telephone number is (571)272-2812. The examiner can normally be reached Monday thru Friday, 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Victor Lesniewski/Primary Examiner, Art Unit 2493