Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on October 20, 2021 has been entered.
 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 4, 6-7, 10-15, 17 and 19-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Hadden et al. – hereinafter Hadden (US 2016/0072836) in view of Scherman et al. – hereinafter Scherman (US 10,581,915)

As per claim 1, Hadden discloses a method, comprising: 
receiving data from nodes of a private network at an external service that is external to the private network; ([0032]; The network cloud 26 can be a private network; [0053]; In step 406, 
analyzing the received data at the external service: and ([0056] In step 412, the ACME IM 102 detects creation of the incident object 121 and optionally creation of IAs 120 associated with the incident, and parses their contents to identify any included data resources (e.g. IP addresses and the md5 hash for the downloaded file) within the incident object 121, and creates IAs 120 for the data resources identified within the incident object 121… Then, in step 414, the ACME IM 102-1 issues queries to first level TIS(s) 20 configured in the TIS configuration repository 128, to determine whether the IAs 120 (e.g. md5 hash for downloaded file and/or IP addresses of downloaded packets) for the incident object 121 are identified as known threats. Fig. 4: items 412, 414)
automatically generating an output from the external service in response to analyzing the data that is communicated to at least one or more nodes of the private network and that facilitates modifying routing by the at least one or more nodes of the private network. ([0061]; According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the enterprise network 131; The config API 39 receives the message and forwards the message to the router 34 for execution on the router 34 in step 432. Fig. 5; items 430, 432)
Hadden fails to disclose wherein the received data includes information defining communication session but not packet payload information. Scherman discloses wherein data includes information defining communication session but not packet payload information. (Col 2 lines 27-39;  Data related to IP flows are collected from one or more logs from active servers 

It would have been obvious for the teachings of Hadden to be modified before the effective filing date so that the incident data that is sent to the ACME only contains the IP flow session data and not the data in the payload which relate to the device or log data as taught by Scherman.  It would have been beneficial to transmit only the IP flow data to the ACME to improve the security of the network while preserving the privacy of its legitimate users. (Col 2 lines 40-49)

As per claim 4, Hadden / Scherman disclose the method of claim 1.  Hadden discloses wherein the data comprises flow data. ([0053];ACME Company's corporate network 70 detects data associated with a significant increase in download activity for a specific file, and sends data associated with the incident in messages to the ACME IM 102-1.)
As per claim 6, Hadden / Scherman disclose the method of claim 1.  Hadden discloses wherein the nodes of the private network comprise edge or border nodes of the private network. ([0032]; The enterprise network 131 of each organization includes a number of devices. These include computing devices, database systems, and data networking devices such as routers 34 firewalls 36 and configuration servers 63, in examples)

As per claim 7, Hadden / Scherman disclose the method of claim 1.  Hadden discloses wherein the nodes of the private network comprise one or more of routers, switches, and cloud 

As per claim 10, Hadden / Scherman disclose the method of claim 1.  Hadden discloses wherein the external service facilitates defending the private network from threats and attacks.  ([0055], [0061]-[0062]; Fig. 4: items 414, 416; Fig. 5: items 428, 430, 432, 434)

As per claim 11, Hadden / Scherman disclose the method of claim 1.  Hadden discloses further comprising tagging the data at the external service. ([0045]; The IM 102 parses the incident object 121, identifies IP address 1.1.1.1 as a data resource, and creates an IA 120 for the identified IP address data resource (e.g. 1.1.1.1) and saves the IA 120 to the incident database 122.)

As per claim 12, Hadden / Scherman disclose the method of claim 1.  Hadden discloses further comprising storing the data at the external service. ([0045]; The IM 102 parses the incident object 121, identifies IP address 1.1.1.1 as a data resource, and creates an IA 120 for the identified IP address data resource (e.g. 1.1.1.1) and saves the IA 120 to the incident database 122.)

As per claim 13, Hadden / Scherman disclose the method of claim 1.  Hadden discloses wherein analyzing the received data at the external service comprises detecting a network performance or security event. ([0056]; Fig. 4: item 414)

As per claim 14, Hadden / Scherman disclose the method of claim 1.  Hadden discloses wherein the output is generated by a rules engine of the external service that is configured to 

As per claim 15, Hadden / Scherman disclose the method of claim 1.  Hadden discloses wherein the output comprises a routing filter or block list. ([0061]; According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the enterprise network 131.)

As per claim 17, Hadden / Scherman disclose the method of claim 1.  Hadden discloses wherein the output is communicated to the at least one or more nodes of the private network via an application programming interface (API) associated with the external service. ([0061]; According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the enterprise network 131.)

As per cams 19-20, please see the discussion under claim 1 as similar logic applies.

Claims 2 and 5 are rejected under 35 U.S.C. 103 as being unpatentable over Hadden (US 2016/0072836) / Scherman  (US 10,581,915) further in view of Doron et al. – hereinafter Doron (US 2019/0182291) – provisional 62/597215.


It would have been obvious for the teachings of Hadden / Scherman to be modified before the effective filing date of the invention so that the IP flow session data that is sent to the ACME is sent a data stream as taught by Doron.  The motivation would have been to allow for uniform processing of comparable data from different sources. (Doron, provisional 62/597215; [0039])

As per claim 5, Hadden / Scherman discloses the method of claim 1.  The combined teaching of Hadden / Scherman fail to disclose wherein the data comprises log data. Doron discloses wherein the data comprises log data. (provisional 62/597215; [0056] Batch processing includes processing high volumes of data including groups of data each collected over a period of time.)
It would have been obvious for the teachings of Hadden / Scherman to be modified before the effective filing date of the invention so that the IP flow session data that is sent to the ACME is sent as a batched data which is logged or collected over a period of time as taught by Doron.  The motivation would have been to allow for uniform processing of comparable data from different sources. (Doron, provisional 62/597215; [0039])

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Hadden (US 2016/0072836) / Scherman (US 10,581,915)  further in view of Stub et al. – hereinafter Strub (US 9,794,272).


	It would have been obvious for the teachings of Hadden / Scherman to be modified before the effective filing date of the invention so that the IP flow session data that is sent to the ACME as sampled data because this would have allowed the ACME system to make sure that the data traffic is not indicative of a malicious threat and reduce the internal memory and processing cycles at the router to monitor, collect and export the required amount of data at the ISP router to make that determination of the threat. (Strub, Col 2 lines 16-28)

Claims 8-9 are rejected under 35 U.S.C. 103 as being unpatentable over Hadden (US 2016/0072836) / Scherman (US 10,581,915)  further in view of Nat Smith, An overview of Fortinet’s Integrated NOC_SOC Solutions, April 16, 2018, Business and Technology, Pages 1-8. – hereinafter Smith.

As per claim 8, Hadden / Scherman disclose the method of claim 1.  Hadden discloses wherein the external service provides security operations for the private network. ([0061]; According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the 
Smith discloses providing network operation. (Page 3: Fortinet’s new NOC-SOC solution combines the latest capabilities of FortiManager, FortiAnalyzer, and FortiSIEM solutions, coalescing the operational context of the NOC – such as appliance status, network performance, and application availability – with the security insights of the SOC - which identifies and remediates such things as breaches, data exfiltration, and compromised hosts.) 
	It would have been obvious before the effective filing date of the invention for the teachings of Hadden / Scherman to be modified so that the security network operation center is integrated in a combined NOC/ SOC as taught by Smith to provide the network operation for the private network.  The motivation would have been to shorten the time necessary to understand and scope the problem and prioritize the right response, mitigate resource constraints, adapt to network changes and automatically respond to events at digital speeds. (Smith, Page 4)

As per claim 9, Hadden / Scherman discloses the method of claim 1.  Smith wherein the external service facilitates managing and optimizing the private network. ([0061; According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the enterprise network 131.)

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Hadden (US 2016/0072836) / Scherman (US 10,581,915) further in view of Marck et al. – hereinafter Marck (US 2018/0054458)

As per claim 16, Hadden / Scherman disclose the method of claim 1.   The combined teachings of Hadden / Scherman fail to disclose wherein the output is communicated to the at least one or more nodes of the private network via Border Gateway Protocol (BGP) or FlowSpec.  Marck discloses wherein the output is communicated to the at least one or more nodes of the private network via Border Gateway Protocol (BGP).  ([0045]; BGP speaker 460 provides network response 356 to routing network 305 to modify the routing operations of the routing network to minimize or eliminate the threat posed by the identified DDoS attack.)
It would have been obvious before the effective filing date of the invention for the teachings of Hadden / Scherman to be modified so that the output of the incident management data is communicated via a Border gateway protocol as taught by Marck.  The combination of teachings would have result in the benefits of protecting the private network from malicious traffic.  

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Hadden (US 2016/0072836) / Scherman (US 10,581,915) in view of Phillips (US 2018/0026944).

As per claim 18, Hadden discloses the method of claim 1.  The combined teachings of Hadden / Scherman fail to disclose further comprising Phillips discloses providing a portal to the external service that is accessible to an operator of the private network. ([0037]; The virtualization layer 210 provides an abstraction layer from which the virtual entities may be provided, including but not limited to: virtual servers 211, virtual storage 212, virtual networks 213 (e.g., including virtual private networks), virtual machines 214, and virtual clients 215.The user portal 223 can provide users and administrators access to the cloud service provider network 102 via an application program interface (API), website, dashboard, etc., provided by the service provider network 102.)
.

Response to Arguments
Applicant’s arguments with respect to claims 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Conclusion
The prior art made of record and not relied upon is considered pertinent toapplicant's disclosure.  See PTO-892 form.
Any inquiry concerning this communication or earlier communications from theexaminer should be directed to Chirag R Patel whose telephone number is (571)272-7966. The examiner can normally be reached on Monday to Friday from 8:00AM to 4:30PM. If attempts to reach the examiner by telephone are unsuccessful, theexaminer's supervisor, Glenton Burgess, can be reached on 571-272-3949. The fax phone number for the organization where this application or proceedingis assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status informationfor published applications may be obtained from either Private PAIR or PublicPAIR. Status information for unpublished applications is available throughPrivate PAIR only. For more information about the PAIR system, see

/Chirag R Patel/
Primary Examiner, Art Unit 2454