Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The following is an expanded discussion/commentary attached to the instant PTOL-413FP Pre-Interview Communication form.
Claim Objections
Claims 2, 9 and 15 are objected to because of the following informalities:
Claims 2, 9 and 15 recite “a relationship between the metadata the instructions”. It appears that this should be “a relationship between the metadata and the instructions”.
Appropriate correction is required.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 14-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
The following rejection finds basis in the most recently issued guidance published in the Federal Register on 7 January 2019 entitled “2019 Revised Patent Subject Matter Eligibility Guidance”, available at <https://www.federalregister.gov/documents/2019/01/07/2018-28282/2019-revised-patent-subject-matter-eligibility-guidance>. The 2019 Revised Patent Subject Matter Eligibility Guidance applies the subject matter eligibility test as described within recently revised MPEP § 2106, revision 08.2017, namely, the “Alice/Mayo test” or “Mayo test” as laid out by the Supreme Court as a framework for determining claimed subject matter eligibility. See Alice Corp. Pty. Ltd. v. CLS Bank Int'l, 573 U.S. _, 134 S. Ct. at 2355, 110 USPQ2d at 1981 (citing Mayo, 566 U.S. 66, 101 USPQ2d 1961). The 2019 Revised Patent Subject Matter Eligibility Guidance supersedes all versions of the USPTO's “Eligibility Quick Reference Sheet Identifying Abstract Ideas” (first issued in July 2015 and updated most recently in July 2018). The following rejection also finds basis in recently revised MPEP § 2106, revision 08.2017 and applies the subject matter eligibility test as described within, namely, the “Alice/Mayo test” or “Mayo test” as laid out by the Supreme Court as a framework for determining claimed subject matter eligibility. See Alice Corp. Pty. Ltd. v. CLS Bank Int'l, 573 U.S. _, 134 S. Ct. at 2355, 110 USPQ2d at 1981 (citing Mayo, 566 U.S. 66, 101 USPQ2d 1961).
MPEP § 2106.03 states:
“As described in MPEP § 2106, subsection III, Step 1 of the eligibility analysis asks: Is the claim to a process, machine, manufacture or composition of matter? Like the other steps in the eligibility analysis, evaluation of this step should be made after determining what applicant has invented by reviewing the entire application disclosure and construing the claims in accordance with their broadest reasonable interpretation (BRI)…A claim whose BRI covers both statutory and non-statutory embodiments embraces subject matter that is not eligible for patent protection and therefore is directed to non-statutory subject matter. Such claims fail the first step (Step 1: NO) and should be rejected under 35 U.S.C. 101, for at least this reason… For example, the BRI of machine readable media can encompass non-statutory transitory forms of signal transmission, such as a propagating electrical or electromagnetic signal per se. See In re Nuijten, 500 F.3d 1346, 84 USPQ2d 1495 (Fed. Cir. 2007). When the BRI encompasses transitory forms of signal transmission, a rejection under 35 U.S.C. 101 as failing to claim statutory subject matter would be appropriate. Thus, a claim to a computer readable medium that can be a compact disc or a carrier wave covers a non-statutory embodiment and therefore should be rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.”
Claims 14-20 recite “A non-volatile computer-readable device”.
However, the specification is silent with respect to what “non-volatile” is or is defined to be. Absent such a definition within the disclosure, the “non-volatile computer-readable device” may be broadly interpreted in terms of its plain meaning to be any type of computer readable medium. See MPEP § 2111.01. Consistent therewith, the “non-volatile computer-readable device” may encompass non-statutory transitory forms of computer readable media.
Since MPEP § 2106.03 expressly instructs that “a claim to a computer readable medium that can be a compact disc or a carrier wave covers a non-statutory embodiment and therefore should be rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter”, claims 14-20 are rejected under 35 U.S.C. § 101 as being directed to non-statutory subject matter. (STEP 1: NO)
MPEP § 2106.03 also instructs that “it is a best practice for the examiner to point out the BRI and recommend an amendment, if possible, that would narrow the claim to those embodiments that fall within a statutory category.” In light of the disclosure, it is suggested that the claim be amended to recite “a non-transitory computer-readable medium”, especially given that such would be consistent with paragraph 0079 of the specification.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):



The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 1-20 recite “the packet capture management system”. There is insufficient antecedent basis for this limitation in the claims.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-3, 8-10, and 14-16 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by US 20170214718 to Couterier et al. (“Couterier”).


storing (“ingesting”; paragraph 0045) a first network packet capture file (“index” of “packets” stored in “capture files”; paragraph 0045) (consider also paragraph 0055 regarding “flow records”) in a primary storage (“first repository”; see also the “storage device” of Figure 3, element 320), wherein a retention policy specifies an amount of time that traffic captured by the packet capture management system should be stored and includes a time-to-live (TTL) (“predetermined age”) of the first network packet capture file, wherein the first network packet capture file stores a captured data flow between a source and a destination (“endpoints”) exchanging network packets; (consider paragraph 0044, “A first repository is used to store network traffic by the packet capture utility according to a first filtering policy. For example, the first filtering policy in a first embodiment can be that all of the packets received by or transmitted by a network system which is being monitored by the security apparatus would be stored in the first repository.”) (consider further paragraph 0068, “the packets in the first repository are reviewed so that aged packets can be deleted in first repository, step 817. This step can be performed once the first repository is full, e.g., using a FIFO policy, or at a predetermined time interval, disposing of packets once they have reached a predetermined age in the repository.”)
receiving an instruction, from a first network monitoring device that monitors or analyzes the traffic, identifying the first network packet capture file as being of interest to a network administrator (“forensically interesting traffic” resulting from an “incident” or “event” or is “suspicious”); (consider paragraph 0042 wherein an “administrator” can “allow the administrator 
in response to the instruction, moving the first network packet capture file from the primary storage to a secondary storage; and in response to the moving, changing the TTL to specify that the first network packet capture file remains in the secondary storage after the first network packet is scheduled for deletion in the primary storage. (consider paragraph 0046, “An Archiver process 411 scans the indexes created on ingestion, and copies forensically interesting packets to a secondary storage…The collection of filtering policies characterize packets which the security application has identified over the course of monitoring the network…The security application 409 can specify the length of interest, i.e. how long the filtering policies should be in place and how long packets should be retained in the second repository, in addition to the packet characteristics of interesting packets. For example, the filtering policies may have retention parameters like “packets like this are interesting for a deterministic period”, “packets like this are interesting forever”, or “packets like this are interesting for until termination is expressly indicated”…Packets stored in secondary storage 417 can be ‘tagged’ according to the particular filtering policy which caused them to be retained as well as their retention parameter. In the absence of a requested retention parameter, default retention parameters can be used, both for how long a given filtering policy will be in effect as well as how long packets should be retained in the second repository.”)
Regarding claim 15, Couterier taught the non-volatile computer-readable device of claim 14, wherein the method steps further comprise: storing metadata corresponding to the first 
analyzing, using a machine learning model, historical data of instructions received from the first network monitoring device, wherein the analysis includes analyzing a relationship between the metadata the instructions. (consider further paragraph 0049, “SIEM technology provides a real-time analysis of security alerts generated by network hardware and applications. SIEM products are sold as software, appliances or managed services, and are also used to log security data and generate reports for compliance purposes. The security application could be a network intrusion prevention application or appliance such as the IBM Security Network Protection XGS or Cisco Intrusion Prevention System products. Network intrusion prevention applications perform one or more processes such as SSL/TLS inspection, application control and IP reputation analysis to detect possible security threat. In addition to known signatures of known exploits, network intrusion prevention applications provide behavior based methods of detecting new, undiscovered security threats.”) (consider further paragraph 0050, “The security application can send the second filter in a workload message, based upon a security event to the retrieve all packets from the packet capture appliance associated with the security event. The association between the security event and the packets to be retrieved is made by providing a BPF (Berkley Packet Filter) filter that matches the timeframe, IP address, MAC, Port addressing, or VLAN, associated with the event. Once the Archiver 411 receives the request, the filtering policy is added to the collection of policies which comprise the second filtering policy. In 
Regarding claim 16, Couterier taught the non-volatile computer-readable device of claim 15, wherein the method steps further comprise: storing a second network packet capture file in the primary storage (again, consider the “index” of “packets” stored in “capture files” within paragraph 0045 and also paragraph 0055 regarding “flow records”); and flagging (“tagging”) the second network packet capture file as a packet file of interest based on the machine learning model analysis. (again, consider paragraph 0044, “A first repository is used to store network traffic by the packet capture utility according to a first filtering policy. For example, the first filtering policy in a first embodiment can be that all of the packets received by or transmitted by a network system which is being monitored by the security apparatus would be stored in the first repository.”) (again, consider paragraph 0045, “The collection of filtering policies characterize packets which the security application has identified over the course of monitoring the 
Claims 1-3 and 8-10 recite a method and system that contain substantially the same limitations as recited in claims 14-16 respectively and are also rejected under 35 USC § 102(a)(1) as being anticipated by the same teachings of Couterier.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 4, 11, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Couterier in view of US 20170279817 to Campbell et al. (“Campbell”).

deleting the second network packet capture file from the primary storage based on an amount of storage provisioned for the primary storage. (consider further paragraph 0068, “the packets in the first repository are reviewed so that aged packets can be deleted in first repository, step 817. This step can be performed once the first repository is full, e.g., using a FIFO policy, or at a predetermined time interval, disposing of packets once they have reached a predetermined age in the repository.”) (consider also paragraph 0043, “As mentioned above, a 64 Terabyte repository may only provide a few days of forensic visibility at 10 Gbit speeds. When the repository is filled, stored packets are removed for newer packets on a first-in-first-out (FIFO) basis. The prior art solutions present a user with two unattractive alternatives: a) the user can supply a reasonable amount of storage, e.g., 64 Terabytes, but only receive a small window of visibility of any forensically interesting data; or b) the user can purchase massive amounts of storage for longer term visibility.”)
Couterier may be interpreted as not expressly teaching deleting the second network packet capture file from the primary storage based also on a change in a network traffic rate.
However, in an analogous art relating to using first and second repositories to store network packet capture files (consider paragraph 0006), Campbell teaches that network packet capture files can be deleted from a primary storage (“short-term storage pool”) based on a change in a network traffic rate (consider paragraph 0022, “[T]he storage constraint includes a timeout condition, in which the stream tracking engine 106 stops storing copied packets after the 
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to combine the teachings of these references such that their combination includes every element as claimed. One skilled in the art could have combined the teachings by known methods such as integration of software routines with no changes to the operation of either reference such that, in combination, each element merely performs the same function as it does separately. Additionally, the Examiner finds that the references’ analogous disclosure regarding deletion of network packet capture files within repositories based on various criteria further demonstrates that a combination of their features would have been known and obvious. Therefore, such a combination of the teachings of the references would have yielded nothing more than predictable results to one of ordinary skill in the art.
Claims 4 and 11 recite a method and system that contain substantially the same limitations as recited in claim 17 and are also rejected under 35 USC § 103 as being unpatentable over the same combined teachings of Couterier and Campbell and the same rationale supporting the conclusion of obviousness.
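The retention scheme mapped against claims 14-16 above (a primary tier whose retention policy carries a TTL, an instruction from a network monitoring device that moves a capture file of interest to secondary storage and changes its TTL so the file outlives its scheduled deletion in primary storage) and the capacity-driven first-in-first-out deletion discussed for claim 17 can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the application, from Couterier or from Campbell, and the class and function names, the constructed clock, the TTL values, the endpoint addresses and the capacity figure are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CaptureFile:
    """One network packet capture file plus the retention metadata kept with it."""
    name: str
    source: str              # endpoints of the captured flow (constructed sample values)
    destination: str
    size_bytes: int
    stored_at: float         # time the file entered its current tier (constructed clock, seconds)
    ttl: float               # seconds the file should remain in that tier
    tags: List[str] = field(default_factory=list)

    def expires_at(self) -> float:
        return self.stored_at + self.ttl


class PacketCaptureManager:
    """Two-tier store (assumed design): a capacity-bounded primary tier with a default TTL,
    and a secondary tier holding files a monitoring device flagged as of interest."""

    def __init__(self, default_ttl: float, interest_ttl: float, primary_capacity_bytes: int):
        self.default_ttl = default_ttl                  # retention-policy TTL for the primary tier
        self.interest_ttl = interest_ttl                # default retention for flagged files
        self.primary_capacity_bytes = primary_capacity_bytes
        self.primary: Dict[str, CaptureFile] = {}       # dict order == ingestion order, i.e. FIFO
        self.secondary: Dict[str, CaptureFile] = {}

    def primary_usage(self) -> int:
        return sum(f.size_bytes for f in self.primary.values())

    def ingest(self, name: str, source: str, destination: str, size_bytes: int, now: float) -> List[str]:
        """Store a new capture file in primary storage; returns the names evicted to make room."""
        self.primary[name] = CaptureFile(name, source, destination, size_bytes, now, self.default_ttl)
        return self._evict_over_capacity()

    def _evict_over_capacity(self) -> List[str]:
        """Delete the oldest files first (FIFO) until the primary tier fits its provisioned size."""
        evicted: List[str] = []
        while self.primary and self.primary_usage() > self.primary_capacity_bytes:
            oldest = next(iter(self.primary))
            del self.primary[oldest]
            evicted.append(oldest)
        return evicted

    def mark_of_interest(self, name: str, reason: str, now: float,
                         retain_for: Optional[float] = None) -> Optional[CaptureFile]:
        """Instruction from a monitoring device: move the file to secondary storage and change
        its TTL so that it remains after its scheduled deletion in primary storage.
        retain_for=float('inf') models 'interesting forever'."""
        f = self.primary.pop(name, None)
        if f is None:
            return None                       # already evicted or never stored: nothing to move
        scheduled_primary_deletion = f.expires_at()
        new_expiry = now + (self.interest_ttl if retain_for is None else retain_for)
        # The point of the move is that the file outlives the primary-tier deadline.
        if new_expiry <= scheduled_primary_deletion:
            new_expiry = scheduled_primary_deletion + self.interest_ttl
        f.stored_at = now
        f.ttl = new_expiry - now
        f.tags.append(reason)                 # record which policy caused the retention
        self.secondary[name] = f
        return f

    def expire(self, now: float) -> List[str]:
        """Time-based deletion in both tiers; returns the names removed."""
        removed: List[str] = []
        for tier in (self.primary, self.secondary):
            for n in [n for n, f in tier.items() if f.expires_at() <= now]:
                del tier[n]
                removed.append(n)
        return removed


def run_scenario() -> dict:
    """Constructed walk-through: three files, one flagged by a monitoring device, then time passes."""
    mgr = PacketCaptureManager(default_ttl=3600.0, interest_ttl=30 * 24 * 3600.0,
                               primary_capacity_bytes=2_500)
    t0 = 1_000.0
    mgr.ingest("cap-001.pcap", "10.0.0.5", "203.0.113.9", 1_000, t0)
    mgr.ingest("cap-002.pcap", "10.0.0.7", "198.51.100.4", 1_000, t0 + 60)
    # The monitoring device flags cap-001 while it is still in primary storage.
    flagged = mgr.mark_of_interest("cap-001.pcap", "ids:suspicious-outbound", now=t0 + 120)
    # A third file pushes the tier over its provisioned 2,500 bytes, so FIFO eviction fires.
    evicted = mgr.ingest("cap-003.pcap", "10.0.0.9", "192.0.2.33", 2_000, t0 + 180)
    # Two hours later the one-hour primary TTL has elapsed for everything ingested so far.
    expired = mgr.expire(t0 + 2 * 3600)
    return {
        "flagged_expires_at": flagged.expires_at() if flagged else None,
        "flagged_tags": list(flagged.tags) if flagged else [],
        "evicted_by_capacity": evicted,
        "expired_by_ttl": expired,
        "secondary": sorted(mgr.secondary),
        "primary": sorted(mgr.primary),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

In the scenario the flagged file survives both the capacity eviction (it has already left the primary tier) and the later TTL sweep, while the two unflagged files are removed by capacity and by age respectively; the guard in `mark_of_interest` is what guarantees the changed TTL always lands after the primary-tier deletion time, even when a caller asks for a short retention.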
Allowable Subject Matter
Claims 5-7, 12-13, and 18-20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The cited prior art teaches moving network packet capture files from a first repository to another repository based on such being of interest to a network administrator and other related technologies.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to George C Neurauter, Jr. whose telephone number is (571)272-3918. The examiner can normally be reached Mon.-Fri. 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon Hwang, can be reached on 571-272-4036. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/George C Neurauter, Jr./Primary Examiner, Art Unit 2447