DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office action is in response to the amendments filed on 10/21/2021. 
Claims 31-60 are currently pending in this application. Claims 31-39, 42-50 and 52-59 have been amended.
No new IDS has been filed.

Response to Amendment
The previous objections to the drawings (e.g., figures 15, 16, 17A, 17B) have been withdrawn in response to the applicant’s submission of the replacement sheets of the drawings.

Regarding the 112(b) rejections, the applicant, in page 12 of the remarks, have argued that “…rejected independent claims 31, 44 and 53 for … applicant has amended the claims to address the rejections …”, however, the amendment does not overcome all rejections and causes new rejections. See the 112(b) rejections section below for detail.
The previous 112(b) rejections to the claims 32, 45 and 54 have been withdrawn in response to the applicant’s amendments/remarks.
Regarding the 112(b) rejections, the applicant, in page 12 of the remarks, have also argued that “… rejected claims 33-37, 46-48 and 55-57 … claim 32 recites the symmetry metric, the responsive metric, and the efficiency metric. Each of the claims 33-37 depend upon claim 32 and further define and limit a particular metric recited in claim 32 … Claim 45 recites the symmetric metric, the responsive metric, and the efficiency metric … Claim 54 recites the symmetric metric, the responsive metric, and the efficiency metric …”.
Examiner respectfully disagrees with the arguments.
As the applicant noticed (also explained during the previous interview), the claim 32 (and the claims 46 and 54) only two (NOT ALL) types of metrics. Each of the claims 33-37 (and 46-48, 55-57) depend upon claim 32 (or 45, 54) and further define limit a particular metric, which is not recited in the claim 32 (or 45, 54). Therefore, the rejections are maintained. See the 112(b) rejections section below for detail.
The applicant, in pages 13-14 of the remarks, have further argued that “…rejected claims 33, 46, and 55 … 34, 36, 47, 48, 56 and 57 … 37 … 38, 49, 58 … 39, 50 and 59 … 42 … 43 and 52 for … applicant has amended the claims to address the rejections …”, however, the amendments do not overcome all rejections (although some of them are overcome) and causes new rejections. See the 112(b) rejections section below for detail.

The previous double patenting rejections have been withdrawn in response to the applicants’ filing terminal disclaimers, which were approved on 10/21/2021.

Thus, the applicants’ arguments are not persuasive. Please see amended rejections below for amended claims. This action is final.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a)  IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claims 33, 46 and 55 are rejected under 35 U.S.C. 112(a) as failing to comply with the written description requirements (new matter issue).

Claims contain subject matter, for example, “… the symmetry metric is based on a number of bytes … and a number of bytes … network connection during a particular time duration”, which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, at the time the application was filed, had possession of the claimed invention.
The specification describes “… this symmetry metric indicates the ratio of bytes transmitted in one direction via the connection versus the total number of bytes exchanged via the connection … the number of bytes transmitted in the opposite direction via the connection …” – see par. [0208]; “… the total number of bytes transmitted via the connection (in both directions), times 100, minus 50 …” – see par. [0209]; however, these paragraphs do not describe the claimed/amended limitations, “… the symmetry metric is based on a number of bytes … and a number of bytes … network connection during a particular time duration”.

The following is a quotation of 35 U.S.C. 112(b):
(B)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. 

Claims 31-60 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.

Claims 31, 44 and 53 recite:
“… classifying, based on the first set of network metrics, the first network connection as corresponding to a first network connection profile included in a plurality of network connection profiles, wherein each network connection profile included in the plurality of network connection profiles …”, however, it is not clear whether “each network connection profile” is the same as “a first network connection profile” or not because they both are included in the same plurality of network connection profiles – note: for examining purpose they are interpreted as different profiles;
“… each network connection profile included in the plurality of network connection profiles specifies a plurality of network metrics that characterize a network connection corresponding to the network connection profile ..”, however, it is not clear (1) whether “a plurality of network metrics” are specified by all of the plurality of network connection profiles or not because each network connection profile of the plurality of network connection profiles specifies a same plurality of network metrics; (2) “the network connection profile” has an antecedent basis 
“… wherein the first set of network metrics corresponds to a first plurality of network metrics …”, however, it is not clear how these two different terms (e.g., the first set of network metrics and the first plurality of network metrics) are different (e.g., using different terms but the same meaning).
Claims 32-43, 45-52 and 54-60 depend from the claim 31, 44 or 53, and analyzed and rejected accordingly.

Claims 33-37, 46-48 and 55-57 recite one of the metrics (e.g., the symmetry metric, the responsiveness metric or the efficiency metric), which is not actually claimed in their dependent claim (e.g., the claim 32, 45 or 54) – note: the claims 32, 45 and 54 do not claim one of the metric. It is not clear how the claims are further limiting the base limitation, which is not claimed before.
Claims 33, 46, and 55 recite “… the symmetric metric is based on a number of bytes transmitted … and a number of bytes transmitted … during a particular time duration”, however, it is not clear how to define the symmetric metric from transmitted bytes – or omitting necessary steps/components which cause the claimed limitation unclear.
Claims 34, 36, 47, 48, 56 and 57 recite “… the responsiveness/efficiency metric is associated with one or more computing devices exchanging data via the network connection …”, however, it is not clear how to define responsiveness/efficiency metrics, any metric associating with the one or more computing devices can be defined as responsiveness/efficiency metrics or not (e.g., omitting necessary steps/components which cause the claimed limitation unclear).
Claims 39, 50 and 59 recite “… metric comprise different network metrics”, however, it is not clear how a singular metric comprises a plurality of metrics.
Claim 42 recites “… detecting the potential security threat comprises determining that each network metric included in the first set of network metrics has deviated from each corresponding network metric included in the first plurality of network metrics …”, however, it is not clear how to define the corresponding network metric if they are deviated (depart from each other).
 Claims 43 and 52 recite “… detecting the potential security threat comprises … metric included in the first set of network metrics has deviated from at least one corresponding network metric specified in the first plurality of network metrics …”, however, it is not clear how to define the corresponding network metric if they are deviated (depart from each other).

Examiner’s Note Regarding Prior-art Rejections
As explained in the 112(b) rejections stated above, the current limitations are in a condition of lack of clarity and/or capability (e.g., the enablement issues) for a prior-art examination. However, a potential concept of the application can be found in:
Merza et al. (US 2013/0326620 A1) discloses a method and system for determining a metric value for each event in a set of events that characterizes a computational communication or object. The metric value could include a length of a URL or agent string in the event. A subset criterion is generated, such that metric values within the subset are relatively separated from a population’s center. Clients can use their knowledge system operations and observance of value frequencies and underlying events to identify anomalous metric values and potential security threats. A data aggregator identifies which value is to be extracted from the retrieved events. The extracted value is processed to determine the value for the metric to determine a length or number of bytes of the extracted value or to determine whether the extracted value matches a comparison value - see figs. 4, 5; abstract and paras. [0005], and [0048] of Merza.
Smith et al. (US 2011/0099500 A1) teaches a method to determine a displayable sub range of events from among event records in a stored repository of network event data. A time slider and a loaded event indicator area are graphically displayed over the event graph. The approach can be applied to records of normal network events, network security events, time sequenced log data relating to flows of traffic, status, messages, syslog data, notifications, and other packet, flow, logs maintained for audit purposes or other log records – see fig. 1; abstract, paras. [0032] and [0039] of Smith.

 Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAUNG T LWIN whose telephone number is (571)270-7845. The examiner can normally be reached Monday - Friday 10:00 am - 6:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-





/MAUNG T LWIN/Primary Examiner, Art Unit 2495