DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 05/21/2020 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Response to Arguments
Applicant’s arguments filed on August 24, 2021 have been considered and are persuasive.   
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over Wang et al. (Pub. No. US 2015/0033336), hereinafter Wang, in view of Dods (Pub. No. US 2019/0007436).

		Claim 1. 	Wang discloses a method for a computer system to perform dynamic event processing for network diagnosis, wherein the method comprises: 
		monitoring a runtime flow of multiple packets that originate from, or destined for, a virtualized computing instance supported by the computer system to detect a set of multiple events associated with the runtime flow (Parag. [0006], Parag. [0009-0011], Parag. [0031], and Fig. 1; (The art teaches methods and systems for improved attack context data logging. In one embodiment, additional context is provided for an attack by logging either a predetermined or configurable number or predetermined or configurable timeframe of packets));
		performing a first stage of event processing by matching the set of multiple events to a set of multiple signatures that includes: (a) a first signature associated with a first mapping rule that is fully satisfied by the set of multiple events; and (b) a second signature associated with a second mapping rule (Parag. [0043], Parag. [0054], and Fig. 5; (The art teaches that traffic packets containing one or more legitimate and attack packets are received, wherein the packets are either sent or received by an internal network. The received packets are scanned by applying one or more attack detection algorithms. In one embodiment, the attack detection algorithms include one or more of (i) a set of intrusion detection signatures (i.e., first signature), (ii) a set of malware detection signatures (i.e., second signature) and (iii) a set of network security policy rules. The art teaches that the intrusion prevention module can be configured to scan one or more traffic packets based on characteristics of such packets and rules (i.e., to be satisfied) defined in the intrusion prevention module)); 
		performing a second stage of event processing by comparing predefined characteristic information specified by the first signature against runtime characteristic information associated with the runtime flow, wherein the second signature is disregarded during the second stage of event processing (Parag. [0009], Parag. [0015], Parag. [0033], Parag. [0043], Parag. [0054]; (The art teaches that other major functions performed by an IDS (intrusion detection system) can include monitoring and analyzing user and system activities, assessing the integrity of critical system or data files, recognizing activity patterns reflecting known attacks, responding automatically to detected activity, and reporting results of the detection process, in which a log can be created relating to perceived attack packets to facilitate analysis and prevention of future intrusions, attacks and/or false positives. The intrusion prevention module can also be configured to place packets into one or more buffers of the buffering module based on session, timestamp, or initial characteristic information of the packets, wherein, for instance, the intrusion prevention module can be configured to send packets to the buffering module only for sessions of interest or for sessions in which potential attacks are anticipated. The art teaches that the intrusion prevention module can be configured to scan one or more traffic packets based on characteristics of such packets and rules defined in the intrusion prevention module. Based on the scanning, a packet may be determined to be an attack packet. i.e., only the intrusion signature under the intrusion detection system is used to analyze the characteristics, and not the malware signature)); and 
		in response to diagnosing an issue associated with the runtime flow based on the second stage of event processing, performing one or more remediation actions (Parag. [0015]; (The art teaches that the intrusion prevention module can also be configured to correct Cyclic Redundancy Check (CRC) errors, unfragment packet streams, prevent TCP sequencing issues, clean up unwanted transport and network layer options, among other such functionalities)).
		Wang doesn’t explicitly disclose that the second signature (i.e., malware detection signatures) associated with a second mapping rule that is partially satisfied by the set of multiple events.
		However, Dods discloses that the second signature (i.e., malware detection signatures) associated with a second mapping rule that is partially satisfied by the set of multiple events (Parag. [0059]; (The art teaches that a security platform may analyze signature sequences in the data of the secondary file and compare the signature sequence in the secondary file to signature sequences of malware in a signature database or other malware database. In such implementations, the security platform may detect malware in the secondary file when the signature sequences match or satisfy a match threshold (e.g., based on a percentage of values of the signatures that match or do not match))).
		It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Wang to incorporate the teaching of Dods. This would be convenient for detecting malware in order to secure the network.

Claim 2. 	Wang in view of Dods discloses the method of claim 1,   
Wang further discloses wherein performing the first stage of event processing comprises: matching the set of multiple events to the first mapping rule to determine whether a first compound event has occurred, wherein the first mapping rule specifies the first compound event as a logical combination of at least two events (Parag. [0011], Parag. [0043], Parag. [0054], and Fig. 5; (The art teaches that traffic packets containing one or more legitimate and attack packets are received, wherein the packets are either sent or received by an internal network. The received packets are scanned by applying one or more attack detection algorithms. In one embodiment, the attack detection algorithms include one or more of (i) a set of intrusion detection signatures (i.e., first signature), (ii) a set of malware detection signatures (i.e., second signature) and (iii) a set of network security policy rules. The art teaches that the intrusion prevention module can be configured to scan one or more traffic packets based on characteristics of such packets and rules (i.e., to be satisfied) defined in the intrusion prevention module. Signatures can also be configured to use stateful protocol analysis based detection techniques, which look for deviations of protocol states by comparing observed events with "predetermined profiles of generally accepted definitions of benign activity")).  

Claim 3. 	Wang in view of Dods discloses the method of claim 2,  
Wang further discloses wherein performing the first stage of event processing comprises: in response to determination that the first compound event has occurred, determining that the first mapping rule is fully satisfied by the set of the multiple events (Parag. [0011], Parag. [0043], Parag. [0054], and Fig. 5; (The art teaches that traffic packets containing one or more legitimate and attack packets are received, wherein the packets are either sent or received by an internal network. The received packets are scanned by applying one or more attack detection algorithms. In one embodiment, the attack detection algorithms include one or more of (i) a set of intrusion detection signatures (i.e., first signature), (ii) a set of malware detection signatures (i.e., second signature) and (iii) a set of network security policy rules. The art teaches that the intrusion prevention module can be configured to scan one or more traffic packets based on characteristics of such packets and rules (i.e., to be satisfied) defined in the intrusion prevention module)).

Claim 4. 	Wang in view of Dods discloses the method of claim 3,    
Wang further discloses wherein performing the second stage of event processing comprises: comparing the predefined characteristic information associated with the first compound event against the characteristic information associated with the runtime flow (Parag. [0009], Parag. [0015], Parag. [0033], Parag. [0043], Parag. [0054]; (The art teaches that other major functions performed by an IDS (intrusion detection system) can include monitoring and analyzing user and system activities, assessing the integrity of critical system or data files, recognizing activity patterns reflecting known attacks, responding automatically to detected activity, and reporting results of the detection process, in which a log can be created relating to perceived attack packets to facilitate analysis and prevention of future intrusions, attacks and/or false positives. The intrusion prevention module can also be configured to place packets into one or more buffers of the buffering module based on session, timestamp, or initial characteristic information of the packets, wherein, for instance, the intrusion prevention module can be configured to send packets to the buffering module only for sessions of interest or for sessions in which potential attacks are anticipated. The art teaches that the intrusion prevention module can be configured to scan one or more traffic packets based on characteristics of such packets and rules defined in the intrusion prevention module. Based on the scanning, a packet may be determined to be an attack packet. i.e., only the intrusion signature under the intrusion detection system is used to analyze the characteristics, and not the malware signature)).



Claim 5. 	Wang in view of Dods discloses the method of claim 3,  
		
		Wang further discloses wherein performing the first stage of event processing comprises: identifying the predefined characteristic information that is specified by the first signature and includes at least one of the following: medium access control (MAC) information, network layer information, transport layer information and application layer information (Parag. [0015] and Parag. [0036]; (The art teaches that an attack packet, can include a packet that has a spoofed address, indicates malicious activity, contains information about malicious activity, or has any other undesired characteristic as defined by network security policy, for example. It should be appreciated that terms such as blocking packets and suspending packets are to be interpreted widely as the enforcement of a defensive rule that is defined by the system based on the feedback it receives from IDS. Such feedback can include, for example, discarding, logging, or rate limiting traffic from a particular source address or set of source addresses (i.e. MAC address); discarding, logging, or rate limiting traffic to a particular destination address or set of destination addresses; discarding, logging, or rate limiting UDP traffic from the Internet 110 to a particular subnet or set of subnets; discarding, logging, or rate limiting UDP traffic from the Internet 110 to a subnet with a particular UDP destination port or set of UDP destination ports; and so forth)).  
		 
Claim 6. 	Wang in view of Dods discloses the method of claim 1,  
Wang doesn’t explicitly disclose wherein performing the first stage of event processing comprises: matching the set of multiple events to the second mapping rule to determine whether a second compound event has occurred, wherein the second mapping rule specifies the second compound event as a logical combination of at least two events. 
		However, Dods discloses matching the set of multiple events to the second mapping rule to determine whether a second compound event has occurred, wherein the second mapping rule specifies the second compound event as a logical combination of at least two events (Parag. [0059]; (The art teaches that a security platform may analyze signature sequences in the data of the secondary file and compare the signature sequence in the secondary file to signature sequences of malware in a signature database or other malware database. In such implementations, the security platform may detect malware in the secondary file when the signature sequences match or satisfy a match threshold (e.g., based on a percentage of values of the signatures that match or do not match))).
		It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Wang to incorporate the teaching of Dods. This would be convenient for detecting malware in order to secure the network.

Claim 7. 	Wang in view of Dods discloses the method of claim 6, 
Wang doesn’t explicitly disclose wherein the method further comprises: in response to determination that the second compound event has not occurred or partially occurred, determining that the second mapping rule is not fully satisfied.   
		However, Dods discloses in response to determination that the second compound event has not occurred or partially occurred, determining that the second mapping rule is not fully satisfied (Parag. [0059]; (The art teaches that a security platform may analyze signature sequences in the data of the secondary file and compare the signature sequence in the secondary file to signature sequences of malware in a signature database or other malware database. In such implementations, the security platform may detect malware in the secondary file when the signature sequences match or satisfy a match threshold (e.g., based on a percentage of values of the signatures that match or do not match). i.e., malware is detected using a signature that satisfies a match threshold (i.e., a partially satisfied rule))).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Wang to incorporate the teaching of Dods. This would be convenient for detecting malware in order to secure the network.
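The two-stage scheme recited in claims 1-7 (stage one: match the detected events against each signature's mapping rule, a logical combination of atomic events, and classify the rule as fully or partially satisfied; stage two: compare only the fully satisfied signatures' predefined characteristic information against the runtime characteristics of the flow, disregarding the partially satisfied ones; then remediate) is illustrated below in working code. This is an added example written for this page; it is not the applicant's implementation and not code from Wang or Dods. The signature names, event names, flow attributes, the layer-to-attribute mapping and the remediation actions are all constructed for illustration.

```python
"""Added illustration of two-stage event processing over a monitored flow.

Stage one classifies each signature's mapping rule (a logical combination of
atomic events) as fully satisfied, partially satisfied or not satisfied.
Stage two compares the predefined characteristics of fully satisfied
signatures only against the flow's runtime characteristics; partially
satisfied signatures are disregarded.  All values below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """Runtime characteristic information of a monitored packet flow."""
    src_mac: str          # medium access control layer
    dst_ip: str           # network layer
    dst_port: int         # transport layer
    app_proto: str        # application layer
    events: frozenset     # atomic events detected while monitoring the flow


@dataclass
class Signature:
    """A signature with its mapping rule and predefined characteristics."""
    name: str
    all_of: tuple = ()    # conjunction: every listed event must have occurred
    any_of: tuple = ()    # disjunction: at least one listed event must occur
    # predefined characteristic information keyed by layer; used in stage two
    characteristics: dict = field(default_factory=dict)
    remediation: str = "log"


# Which Flow attribute carries each layer's runtime characteristic (assumed).
LAYER_FIELD = {"mac": "src_mac", "network": "dst_ip",
               "transport": "dst_port", "application": "app_proto"}


def evaluate_rule(sig: Signature, events: frozenset) -> str:
    """Classify the mapping rule as 'full', 'partial' or 'none'.

    'partial' is the threshold-style outcome: some but not all components
    of the compound event were observed in the flow.
    """
    conj_hits = [e in events for e in sig.all_of]
    disj_hits = [e in events for e in sig.any_of]
    conj_ok = all(conj_hits)                  # vacuously true with no conjuncts
    disj_ok = not sig.any_of or any(disj_hits)
    if conj_ok and disj_ok:
        return "full"
    if any(conj_hits) or any(disj_hits):
        return "partial"
    return "none"


def first_stage(signatures, events):
    """Stage one: match the event set against every signature's rule."""
    return {sig.name: evaluate_rule(sig, events) for sig in signatures}


def second_stage(signatures, status, flow):
    """Stage two: for fully satisfied signatures only, compare predefined
    characteristic information against the flow's runtime characteristics."""
    diagnosed = []
    for sig in signatures:
        if status[sig.name] != "full":        # partial/none are disregarded
            continue
        if all(getattr(flow, LAYER_FIELD[layer]) == expected
               for layer, expected in sig.characteristics.items()):
            diagnosed.append(sig.name)
    return diagnosed


def diagnose(flow, signatures):
    """Run both stages and select remediation actions for diagnosed issues."""
    status = first_stage(signatures, flow.events)
    diagnosed = second_stage(signatures, status, flow)
    by_name = {sig.name: sig for sig in signatures}
    actions = [(name, by_name[name].remediation) for name in diagnosed]
    return {"stage_one": status, "diagnosed": diagnosed, "actions": actions}


# Constructed sample signatures (names, events and actions are hypothetical).
SIGNATURES = [
    Signature("lateral-smb-probe", all_of=("syn_burst", "smb_negotiate"),
              characteristics={"transport": 445, "application": "smb"},
              remediation="quarantine_vm"),
    Signature("c2-beacon", all_of=("dns_txt_query", "periodic_post", "known_c2_ip"),
              characteristics={"application": "http"}, remediation="block_egress"),
    Signature("ssh-scan", any_of=("syn_burst", "rst_burst"),
              characteristics={"transport": 22}, remediation="rate_limit"),
]

# Constructed sample flow: a guest VM probing SMB on a neighbouring host.
SAMPLE_FLOW = Flow(src_mac="52:54:00:12:34:56", dst_ip="10.0.0.8",
                   dst_port=445, app_proto="smb",
                   events=frozenset({"syn_burst", "smb_negotiate", "dns_txt_query"}))

if __name__ == "__main__":
    print(diagnose(SAMPLE_FLOW, SIGNATURES))
```

On the sample flow, stage one marks "lateral-smb-probe" and "ssh-scan" as fully satisfied and "c2-beacon" as partially satisfied (one of three conjuncts observed). Stage two disregards the partial match, drops "ssh-scan" because its transport-layer characteristic (port 22) does not match the flow, and diagnoses "lateral-smb-probe", whose remediation action is then selected. The separation matters for false-positive control: a rule that is only partially satisfied never reaches the characteristic comparison, and a fully satisfied rule still has to agree with the flow's layer-specific characteristics before any remediation fires.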

Claim 8. 	Wang discloses a non-transitory computer-readable storage medium that includes a set of instructions which, in response to execution by a processor of a computer system, cause the processor to perform dynamic event processing for network diagnosis (Parag. [0060-0062]), wherein the method comprises: 
monitoring a runtime flow of multiple packets that originate from, or destined for, a virtualized computing instance supported by the computer system to detect a set of multiple events associated with the runtime flow (Parag. [0006], Parag. [0009-0011], Parag. [0031], and Fig. 1; (The art teaches methods and systems for improved attack context data logging. In one embodiment, additional context is provided for an attack by logging either a predetermined or configurable number or predetermined or configurable timeframe of packets));
performing a first stage of event processing by matching the set of multiple events to a set of multiple signatures that includes:(a) a first signature associated with a first mapping rule that is fully satisfied by the set of multiple events; and (b) a second signature associated with a second mapping rule (Parag. [0043], Parag. [0054], and Fig. 5; (The art teaches that traffic packets containing one or more legitimate and attack packets are received, wherein the packets are either sent or received by an internal network. The received packets are scanned by applying one or more attack detection algorithms. In one embodiment, the attack detection algorithms include one or more of (i) a set of intrusion detection signatures (i.e., first signature), (ii) a set of malware detection signatures (i.e., second signature) and (iii) a set of network security policy rules. The art teaches that the intrusion prevention module can be configured to scan one or more traffic packets based on characteristics of such packets and rules (i.e., to be satisfied) defined in the intrusion prevention module)); 
performing a second stage of event processing by comparing predefined characteristic information specified by the first signature against runtime characteristic information associated with the runtime flow, wherein the second signature is disregarded during the second stage of event processing (Parag. [0009], Parag. [0015], Parag. [0033], Parag. [0043], Parag. [0054]; (The art teaches that other major functions performed by an IDS (intrusion detection system) can include monitoring and analyzing user and system activities, assessing the integrity of critical system or data files, recognizing activity patterns reflecting known attacks, responding automatically to detected activity, and reporting results of the detection process, in which a log can be created relating to perceived attack packets to facilitate analysis and prevention of future intrusions, attacks and/or false positives. The intrusion prevention module can also be configured to place packets into one or more buffers of the buffering module based on session, timestamp, or initial characteristic information of the packets, wherein, for instance, the intrusion prevention module can be configured to send packets to the buffering module only for sessions of interest or for sessions in which potential attacks are anticipated. The art teaches that the intrusion prevention module can be configured to scan one or more traffic packets based on characteristics of such packets and rules defined in the intrusion prevention module. Based on the scanning, a packet may be determined to be an attack packet. i.e., only the intrusion signature under the intrusion detection system is used to analyze the characteristics, and not the malware signature)); and 
		in response to diagnosing an issue associated with the runtime flow based on the second stage of event processing, performing one or more remediation actions (Parag. [0015]; (The art teaches that the intrusion prevention module can also be configured to correct Cyclic Redundancy Check (CRC) errors, unfragment packet streams, prevent TCP sequencing issues, clean up unwanted transport and network layer options, among other such functionalities)).
		Wang doesn’t explicitly disclose that the second signature (i.e., malware detection signatures) associated with a second mapping rule that is partially satisfied by the set of multiple events.
		However, Dods discloses that the second signature (i.e., malware detection signatures) associated with a second mapping rule that is partially satisfied by the set of multiple events (Parag. [0059]; (The art teaches that a security platform may analyze signature sequences in the data of the secondary file and compare the signature sequence in the secondary file to signature sequences of malware in a signature database or other malware database. In such implementations, the security platform may detect malware in the secondary file when the signature sequences match or satisfy a match threshold (e.g., based on a percentage of values of the signatures that match or do not match))).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Wang to incorporate the teaching of Dods. This would be convenient for detecting malware in order to secure the network.

Claim 9 is taught by Wang in view of Dods as described for claim 2.

Claim 10 is taught by Wang in view of Dods as described for claim 3.  

Claim 11 is taught by Wang in view of Dods as described for claim 4.  

Claim 12 is taught by Wang in view of Dods as described for claim 5.  

Claim 13 is taught by Wang in view of Dods as described for claim 6.  

Claim 14 is taught by Wang in view of Dods as described for claim 7.   

Claim 15. 	Wang discloses a computer system, comprising: a processor; and a non-transitory computer-readable medium having stored thereon instructions that, when executed by the processor (Parag. [0060-0062]), cause the processor to perform the following: 
monitor a runtime flow of multiple packets that originate from, or destined for, a virtualized computing instance supported by the computer system to detect a set of multiple events associated with the runtime flow (Parag. [0006], Parag. [0009-0011], Parag. [0031], and Fig. 1; (The art teaches methods and systems for improved attack context data logging. In one embodiment, additional context is provided for an attack by logging either a predetermined or configurable number or predetermined or configurable timeframe of packets));
perform a first stage of event processing by matching the set of multiple events to a set of multiple signatures that includes:(a) a first signature associated with a first mapping rule that is fully satisfied by the set of multiple events; and (b) a second signature associated with a second mapping rule (Parag. [0043], Parag. [0054], and Fig. 5; (The art teaches that traffic packets containing one or more legitimate and attack packets are received, wherein the packets are either sent or received by an internal network. The received packets are scanned by applying one or more attack detection algorithms. In one embodiment, the attack detection algorithms include one or more of (i) a set of intrusion detection signatures (i.e., first signature), (ii) a set of malware detection signatures (i.e., second signature) and (iii) a set of network security policy rules. The art teaches that the intrusion prevention module can be configured to scan one or more traffic packets based on characteristics of such packets and rules (i.e., to be satisfied) defined in the intrusion prevention module)); 
perform a second stage of event processing by comparing predefined characteristic information specified by the first signature against runtime characteristic information associated with the runtime flow, wherein the second signature is disregarded during the second stage of event processing (Parag. [0009], Parag. [0015], Parag. [0033], Parag. [0043], Parag. [0054]; (The art teaches that other major functions performed by an IDS (intrusion detection system) can include monitoring and analyzing user and system activities, assessing the integrity of critical system or data files, recognizing activity patterns reflecting known attacks, responding automatically to detected activity, and reporting results of the detection process, in which a log can be created relating to perceived attack packets to facilitate analysis and prevention of future intrusions, attacks and/or false positives. The intrusion prevention module can also be configured to place packets into one or more buffers of the buffering module based on session, timestamp, or initial characteristic information of the packets, wherein, for instance, the intrusion prevention module can be configured to send packets to the buffering module only for sessions of interest or for sessions in which potential attacks are anticipated. The art teaches that the intrusion prevention module can be configured to scan one or more traffic packets based on characteristics of such packets and rules defined in the intrusion prevention module. Based on the scanning, a packet may be determined to be an attack packet. i.e., only the intrusion signature under the intrusion detection system is used to analyze the characteristics, and not the malware signature)); and 
in response to diagnosing an issue associated with the runtime flow based on the second stage of event processing, perform one or more remediation actions (Parag. [0015]; (The art teaches that the intrusion prevention module can also be configured to correct Cyclic Redundancy Check (CRC) errors, unfragment packet streams, prevent TCP sequencing issues, clean up unwanted transport and network layer options, among other such functionalities)). 
		Wang doesn’t explicitly disclose that the second signature (i.e., malware detection signatures) associated with a second mapping rule that is partially satisfied by the set of multiple events. 
		However, Dods discloses that the second signature (i.e., malware detection signatures) associated with a second mapping rule that is partially satisfied by the set of multiple events (Parag. [0059]; (The art teaches that a security platform may analyze signature sequences in the data of the secondary file and compare the signature sequence in the secondary file to signature sequences of malware in a signature database or other malware database. In such implementations, the security platform may detect malware in the secondary file when the signature sequences match or satisfy a match threshold (e.g., based on a percentage of values of the signatures that match or do not match))).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Wang to incorporate the teaching of Dods. This would be convenient for detecting malware in order to secure the network.

Claim 16 is taught by Wang in view of Dods as described for claim 2.
  
Claim 17 is taught by Wang in view of Dods as described for claim 3.
  
Claim 18 is taught by Wang in view of Dods as described for claim 4.   

Claim 19 is taught by Wang in view of Dods as described for claim 5.   

Claim 20 is taught by Wang in view of Dods as described for claim 6.   

Claim 21 is taught by Wang in view of Dods as described for claim 7. 

Conclusion
		The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Revivo et al. (US 2021/0312037) – Related art in the area of detecting whether a software container is malicious, (Abstract, An example method for a software container includes instantiating the following in a sandbox of a computing device: an operating system, a Berkeley Packet Filter (BPF) virtual machine within a kernel of the operating system, and a software container. The kernel monitors runtime behavior events of the software container, with the monitoring at least partially performed by the BPF virtual machine. Based on the monitoring, a respective risk score is assigned to each of the runtime behavior events that is potentially malicious, with each risk score indicating a likelihood that a corresponding behavior event is malicious). 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDELBASST TALIOUA whose telephone number is (571)272-4061.  The examiner can normally be reached on Monday-Thursday 7:30 am - 5:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Trost can be reached on 571-272-7872.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/A.T./Examiner, Art Unit 2442
/WILLIAM G TROST IV/Supervisory Patent Examiner, Art Unit 2442