DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-8, 11-17 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Albero et al., (U.S. Patent Appl. Pub. # 2021/0110407).
Regarding claim 1, Albero disclose a method for detecting anomalous behavior of machines executing on a host computer, the method comprising: on the host computer: collecting and storing attributes relating to flows associated with a set of one or more machines executing on the host computer (Abstract, Fig. 1A-1B, Para 0021, 0022, 0029, a system for multi-source anomaly detection, one or more computing devices, a local user computing device, a remote user computing device); analyzing the stored attributes to detect an anomalous behavior with at least one particular flow associated with at least one machine executing on the host computer (Para 0032, include machine learning engine, and machine learning datasets may store instructions and/or data that cause or enable multi-source anomaly detection computing platform to receive attribute data, and analyze data, and analyze data to identify any anomalies in the data); storing an indication of the anomalous behavior, providing the stored attributes and anomalous-behavior 
Regarding claim 2, Albero disclose, wherein the stored attributes comprise contextual attributes different than layers 2, 3 and 4 flow header values, and the anomalous-behavior indication is provided as a contextual attribute of the particular flow (Para 0037).
Regarding claim 3, Albero disclose, wherein the contextual attributes comprise L7 flow header values (Para 0037).
Regarding claim 4, Albero disclose, wherein the contextual attributes comprise non-flow header value attributes (Para 0037).
Regarding claim 5, Albero disclose, wherein analyzing the stored attributes comprises analyzing collected contextual attributes to detect the anomalous behavior (Para 0032, 0033).
Regarding claim 6, Albero disclose, wherein collecting attributes comprises generating statistics regarding the flows, and analyzing the stored attributes further comprises analyzing the generated statistics to detect the anomalous behavior (Para 0032, 0033).
Regarding claim 7, Albero disclose, wherein the stored attributes further comprise statistics generated at the host computer regarding the flows, and analyzing the stored attributes comprises analyzing the generated statistics to detect the anomalous behavior (Para 0032, 0033). 
Regarding claim 8, Albero disclose, wherein detecting an anomalous behavior comprises determining that a value for a particular statistic attribute of the particular flow has deviated from a stored value for the statistic attribute (Para 0032, 0033, 0038, anomaly detection computing 
Regarding claim 11, Albero disclose, wherein analyzing the stored attributes comprises analyzing contextual attributes collected from a deep packet inspection agent to detect the anomalous behavior (Para 0038).
Regarding claim 12, Albero disclose, wherein detecting an anomalous behavior comprises detecting that a port associated with the particular flow does not match a port expected based on an application associated with the particular flow (Para 0038).
Regarding claim 13, Albero disclose, wherein storing the indication of the anomalous behavior comprises storing a contextual attribute associated with the particular flow that is a flag bit that indicates that an anomalous behavior has been detected (Para 0075, 0076).
Regarding claim 14, Albero disclose, wherein storing the indication of the anomalous behavior comprises storing a contextual attribute associated with the particular flow that is a value that indicates a particular type of anomalous behavior (Para 0076).
Regarding claim 15, Albero disclose, taking an action on the host computer based on the detected anomalous behavior (Para 0077).
Regarding claim 16, Albero disclose, making a recommendation based on the detected anomalous behavior (Para 0077, 0078).
Regarding claim 17, Albero disclose, wherein the recommendation is to generate a new firewall rule to block the flow in the future (Para 0081, 0082).
Allowable Subject Matter
Claims 9, 10, are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. U.S. Patent Appl. Pub. # 2020/0210260 to Prabhakar et al., relates to system, method, for identifying a data pattern change anomaly uses a distributing computing environment.
U.S. Patent Appl. Pub. # 2018/0183757 to Gunda et al., relates to identifying one or more multi-tier applications comprising a plurality of virtual machines, maintaining information about the one or more multi-tier application, the information indicates a security group for each virtual machine, also identify traffic flow between virtual machines.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NADEEM IQBAL whose telephone number is (571)272-3659. The examiner can normally be reached TW M-F 7:30AM-4:00 PM CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Matt Kim can be reached on 571-272-4182. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/NADEEM IQBAL/Primary Examiner, Art Unit 2114