DETAILED ACTION

Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 11/29/2021 has been entered.

Claims 1-7, 10-16, and 19-20 are pending.

Response to Arguments
The arguments/remarks filed by the applicant on 10/27/2021 have been fully considered and are responded to below.

Applicant's arguments regarding the 35 USC § 103 rejection of amended independent claims 1, 10, and 19 have been fully considered but they are not persuasive. Applicant submits that ‘the cited references do not teach or suggest the claim elements "adding or deleting one or more alert modules to or from a set of alert modules according to a predetermined schedule or as decided by a machine learning system, wherein each of the alert modules in the set is configured to analyze a different subset of the attribute data about the connection for an anomaly," as recited in amended claim 1’ (p. 6, ¶3). Applicant states that ‘these modules are not used to analyze "different subsets of [] attribute data" about a single connection. For example, email traffic and VPN communication traffic will occur over different connections, so that the "email" module and the "VPN" module are never analyzing attributes about the same connection. More sophisticated modules such as "DHCP" modules and "IDS" monitors are typically monitoring network activity that is not limited to a single connection. Finally, although Demopoulos describes using "firewalls" for "connection monitoring," it does not state that firewall implements different alert modules to "analyze [] different subset[s] of the attribute data about [a] connection," as recited’ (p. 7, ¶1). In response to applicant's arguments, the examiner respectfully disagrees. As shown in Fig. 4 of Demopoulos, packets from "a single connection" can be analyzed by "IDS analysis", "firewall analysis", and "VPN analysis or web content analysis or e-mail analysis", and each monitor module may independently perform one or more different monitoring and security functions. Figs. 5-9 illustrate the detailed flows for a packet from the connection going through these analysis modules. A similar rationale applies to claims 10 and 19 (Arguments, pp. 7-8).

Applicant’s arguments, ‘the above claim language is amended to remove the "satisfaction of one or more criteria" for adding or removing the alert modules. The Schepis reference does not teach or suggest adding or removing "alert modules" according to "a predetermined schedule or as decided by a machine learning system," as recited.’ (p. 7, ¶2, filed 10/27/2021), with respect to the amended claims overcoming the cited prior art references in the rejection of claims 1, 10 and 19 under 35 USC § 103, have been fully considered and are persuasive. Therefore, the rejection has been withdrawn; however, upon further search and consideration, new grounds of rejection, necessitated by amendment, are made in view of the newly cited prior art Seigel. Please refer to the "Claim Rejections - 35 USC § 103" section below for the detailed analysis.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6, 10-13, 15, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Demopoulos (US 20050193429 A1) in view of Seigel (US 20170031741 A1).

Regarding claim 1, Demopoulos teaches a method of analyzing and reporting anomalous internet traffic data, comprising: 
performing, by a processor ([0056] processor) configured to implement a virtual security appliance ([0056] networked appliances): Here Demopoulos summarizes in the [Abstract] that “The monitoring system includes a security appliance and one or more security and monitoring technologies. The security appliance and the security and monitoring technologies may be implemented as separate and distinct modules or combined into a single security appliance.”
accepting a request for a connection to the virtual security appliance; ([0044] analyzing a data packet received from a communication network by the monitoring module.) Here the connection request is disclosed by “packet received”.
collecting attribute data about the connection, wherein the attribute data includes date of the connection, a number of bytes associated with the connection, source IP address, or content of data sent through the connection; ([0044] The data packet includes information identifying the packet's source (e.g., a source IP address) and the packet's destination.)
wherein each of the alert modules in the set is configured to analyze a different subset of the attribute data about the connection for an anomaly; ([0043, 0065] The integrated security system includes a plurality of monitoring modules for screening a plurality of different types of communications, such as e-mail messages, VPN communications, and web page traffic. The integrated monitoring system 200 includes a plurality of monitor modules 202, 204, 206, 208, 210. Each monitor module 202 may independently perform one or more different monitoring and security functions.) Here Demopoulos shows in Fig. 4 that packets from "a single connection" can be analyzed by "IDS analysis", "firewall analysis", and "VPN analysis or web content analysis or e-mail analysis", and each monitor module may independently perform one or more different monitoring and security functions. Figs. 5-9 illustrate the detailed flows for a packet from the connection going through these analysis modules.
applying the set of alert modules to at least some of the attribute data about the connection to identify an incident for reporting; and ([0043] The integrated security system includes a plurality of monitoring modules for screening a plurality of different types of communications, such as e-mail messages, VPN communications, and web page traffic. Based on event data generated by the monitoring modules upon determination of a potential threat, new rules are automatically developed by the integrated security system and implemented using one or more of the monitoring modules.)
automatically generating an alert concerning the identified incident. ([0071] The IDP may include an internal set of rules for use in evaluating and blocking messages in real time. Upon detection of a threat, the IDP system may report an alert, a threat ID and description, a timestamp, and the source and destination IP addresses of the message. Additional event data may also be reported depending on 
Demopoulos teaches new rule being added to the set of rules used by the monitoring module (¶44), but does not explicitly teach adding or deleting one or more alert modules to or from a set of alert modules according to a predetermined schedule or as decided by a machine learning system. This aspect of the claim is identified as a difference.
However, Seigel in an analogous art explicitly teaches adding or deleting one or more alert modules to or from a set of alert modules according to a predetermined schedule or as decided by a machine learning system. ([0004, 0015] Systems and techniques for managing alert profiles, including creating the alert profiles and deactivating the alert profiles, are described. Alert profiles may be temporary because after an alert profile has been created, the systems and techniques described herein may monitor event logs to determine whether the alert profile is relevant, and the alert profile may be deactivated (or deleted) when the alert profile is no longer relevant. The alert profile may be created by a human or created by a classifier (e.g., trained using machine learning) performing an analysis of gathered event logs in an enterprise or other large computing system. An alert profile may thus be temporary and may expire after a predetermined amount of time, or a classifier (e.g., trained using machine learning) may be used to determine when the alert profile is no longer relevant. For example, alert profiles may be automatically created based on anomalous event logs and set to expire after a predetermined period of time that is determined based on an analysis of previous incidents or based on a set of predefined options.)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “integrated data traffic monitoring system” concept of Demopoulos with the “creating/deactivating alert profiles” approach of Seigel. One of ordinary skill in the art would have been motivated to perform such a modification to improve security as well as use less computing resources and network bandwidth by periodically determining that active alerts are (Seigel [0017, 0060]).
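As an added illustration that is not part of this Office action or of any cited reference, the following Python sketch models the claim 1 elements discussed above: a set of alert modules, each inspecting only its own subset of a connection's attribute data (date, bytes, source IP, content), with modules deleted according to a predetermined expiry schedule or on the decision of a stand-in relevance classifier passed in as a callback. All module names, thresholds, the clock `T0` and the sample values are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

T0 = datetime(2021, 11, 29, 9, 0)      # constructed clock for the demo
KNOWN_BAD_SOURCES = {"192.0.2.77"}     # constructed; 192.0.2.0/24 is a documentation range

@dataclass
class AlertModule:
    name: str
    fields: tuple                            # subset of the attribute data it inspects
    check: Callable[[dict], Optional[str]]   # returns incident text or None
    expires_at: Optional[datetime] = None    # predetermined removal schedule, if any

class AlertModuleSet:
    def __init__(self) -> None:
        self.modules: Dict[str, AlertModule] = {}
    def add(self, m: AlertModule) -> None:
        self.modules[m.name] = m
    def prune(self, now: datetime, still_relevant=None) -> List[str]:
        """Delete modules whose schedule has expired, or that the (hypothetical)
        classifier passed as still_relevant rejects; return the deleted names."""
        gone = [n for n, m in self.modules.items()
                if (m.expires_at is not None and now >= m.expires_at)
                or (still_relevant is not None and not still_relevant(m))]
        self.modules = {n: m for n, m in self.modules.items() if n not in gone}
        return gone
    def apply(self, conn: dict, now: datetime) -> List[dict]:
        """Enforce the schedule, then run every module over only its own subset of
        the connection's attribute data, emitting one alert per identified incident."""
        self.prune(now)
        alerts = []
        for m in self.modules.values():
            incident = m.check({f: conn[f] for f in m.fields if f in conn})
            if incident:
                alerts.append({"module": m.name, "incident": incident,
                               "src_ip": conn.get("src_ip"), "time": now.isoformat()})
        return alerts

def build_default_set(now: datetime) -> AlertModuleSet:
    s = AlertModuleSet()
    s.add(AlertModule("bytes", ("bytes",), lambda d:
          f"large transfer: {d['bytes']} bytes" if d["bytes"] > 10_000_000 else None))
    s.add(AlertModule("source", ("src_ip",), lambda d:
          f"known bad source {d['src_ip']}" if d["src_ip"] in KNOWN_BAD_SOURCES else None))
    s.add(AlertModule("content", ("content",), lambda d:   # temporary module, expires in 24 h
          "test signature seen" if "CONSTRUCTED-SIGNATURE" in str(d["content"]) else None,
          expires_at=now + timedelta(hours=24)))
    return s

def run_demo():
    s = build_default_set(T0)   # constructed connection record follows
    conn = {"date": T0.date().isoformat(), "bytes": 25_000_000,
            "src_ip": "192.0.2.77", "content": "GET /index CONSTRUCTED-SIGNATURE"}
    first = s.apply(conn, T0)                                    # all three modules fire
    removed = s.prune(T0 + timedelta(hours=25), lambda m: m.name != "source")
    return first, removed, s.apply(conn, T0 + timedelta(hours=25))   # only "bytes" remains
```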

Regarding claim 2, Demopoulos in view of Seigel teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein identifying the incident for reporting comprises identifying at least one anomalous connection attribute in the attribute data. ([Demopoulos 0044, 0070] analyzing a data packet received from a communication network by the monitoring module using a predetermined set of rules. The data packet includes information identifying the packet's source (e.g., a source IP address) and the packet's destination. For example, a stateful firewall monitor module that remembers the context of connections and continuously updates this state information in dynamic connection tables, may use one or more IP tables to identify known sources of threats and automatically block traffic from those IP addresses in the IP tables.)

Regarding claim 3, Demopoulos in view of Seigel teaches all the features with respect to claim 1, as outlined above. The combination further teaches supplying the alert to a user using a user interface. ([Demopoulos 0064] an alerting module 218 that transmits security alerts (such as to system administrators and users).) It would be obvious that these security alerts are transmitted using a user interface.

Regarding claim 4, Demopoulos in view of Seigel teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein the alert concerning the identified incident includes the time at which the incident occurred. ([Demopoulos 0071] Upon detection of a threat, the IDP system may report an alert, a threat ID and description, a timestamp, and the source and 

Regarding claim 6, Demopoulos in view of Seigel teaches all the features with respect to claim 1, as outlined above. The combination further teaches formatting, using the processor, the attribute data into at least one of a plot, a table, or a chart. ([Demopoulos 0070] a stateful firewall monitor module that remembers the context of connections and continuously updates this state information in dynamic connection tables, may use one or more IP tables to identify known sources of threats and automatically block traffic from those IP addresses in the IP tables.) Here the IP address corresponds to the claimed “attribute data”.

Regarding claims 10 and 19, the scope of the claims is similar to that of claim 1. Accordingly, the claims are rejected using a similar rationale.

Regarding claim 11, the scope of the claim is similar to that of claim 2. Accordingly, the claim is rejected using a similar rationale.

Regarding claims 12 and 20, the scope of the claims is similar to that of claim 3. Accordingly, the claims are rejected using a similar rationale.

Regarding claim 13, the scope of the claim is similar to that of claim 4. Accordingly, the claim is rejected using a similar rationale.

Regarding claim 15, the scope of the claim is similar to that of claim 6. Accordingly, the claim is rejected using a similar rationale.

Claims 5 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Demopoulos (US 20050193429 A1) in view of Seigel (US 20170031741 A1) and Baradaran (US 20170126709 A1).

Regarding claim 5, Demopoulos in view of Seigel teaches all the features with respect to claim 1, as outlined above. But the combination does not teach wherein the alert module is automatically applied at fixed time intervals. This aspect of the claim is identified as a difference.
However, Baradaran in an analogous art explicitly teaches wherein the alert module is automatically applied at fixed time intervals. ([0080] In some embodiments, the monitoring agent 197 monitors, measures and collects data on a predetermined frequency.) The “predetermined frequency” corresponds to the claim limitation “automatically applied at fixed time intervals”.
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “integrated data traffic monitoring system” concept of Demopoulos with the “anomaly detection” approach of Baradaran. One of ordinary skill in the art would have been motivated to perform such a modification to provide effective and flexible techniques for detecting anomalous traffic.

Regarding claim 14, the scope of the claim is similar to that of claim 5. Accordingly, the claim is rejected using a similar rationale.

Claims 7 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Demopoulos (US 20050193429 A1) in view of Seigel (US 20170031741 A1) and Martin (US 20180004948 A1).

Regarding claim 7, Demopoulos in view of Seigel teaches all the features with respect to claim 1, as outlined above. But the combination does not teach filtering the collected attribute data and discarding standard attribute data using the processor. This aspect of the claim is identified as a difference.
However, Martin in an analogous art explicitly teaches filtering the collected attribute data and discarding standard attribute data using the processor. ([0038] The system can also discard various signals from the set in order to find a best-match with a particular cyber attack pattern in the attack database, thereby confirming a relationship between a subset of these signals and a possible cyber attack and refuting a relationship between this subset of signals and other signals in the set.) Here Martin discloses discarding irrelevant signals and keeping pertinent signals to find a particular cyber-attack pattern, which is analogous to the claim limitation “filtering collected attribute data and discarding standard attribute data”.
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “integrated data traffic monitoring system” concept of Demopoulos with the “predicting and characterizing cyber-attacks” approach of Martin. One of ordinary skill in the art would have been motivated to perform such a modification because discarding irrelevant signals and keeping pertinent signals can reduce the noise from unnecessary data to facilitate the identification of a particular cyber-attack pattern (Martin [0038]).

Regarding claim 16, the scope of the claim is similar to that of claim 7. Accordingly, the claim is rejected using a similar rationale.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20170223046 A1, "Multiphase threat analysis and correlation engine", by Singh, teaches that a network device may include analytic engines that run in a predetermined order. An analytic engine can analyze incident data of a certain data type, and can produce a result indicating whether a piece of data is associated with the attack. The network device may produce a report of the attack, which may include correlating the results from the analytic engines. The network device can further modify the predetermined order, add a new analytic engine to the predetermined order, or remove an analytic engine from the predetermined order. Modifying, removing, or adding can be based on updated threat intelligence. Generally, each analysis engine 1940 may apply one or more of heuristic algorithms, probabilistic algorithms, machine learning algorithms, and/or pattern matching algorithms, in addition to emulators, to detect whether data (e.g., files, email, network packets, etc.) from the analysis database 1930 is malicious. Each analysis engine 1940 may further include sub-modules and plugins, which are also able to apply heuristic, probabilistic, machine learning, and/or pattern matching algorithms, as well as emulators, to determine whether some data is malicious.
US 20180004940 A1, "Method and apparatus for generating dynamic security module", by Ha, teaches generating a dynamic security module which is allocated to a user terminal so that code configured to be executed on the user terminal for security varies with execution.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAN YANG whose telephone number is (408)918-7638. The examiner can normally be reached on Monday to Friday, 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin, can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-

/HAN YANG/Examiner, Art Unit 2493