DETAILED ACTION
Notice of Pre-AIA or AIA Status
1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
2. Applicant's arguments filed on 09/24/2021 and the amendments to claims 23, 26, 30, 33, 37 and 40 are hereby acknowledged.

3. Applicant argues that the prior art of record does not disclose the newly amended features of independent claim 23, which recites in part: “determine an erroneous classification of, or an override of a classification decision that identifies, computing resource behavior; train, based on the features of interest and based on data used in the erroneous classification or override, a machine model to distinguish malicious behavior in network traffic.”

4. Examiner notes that the meaning of this limitation is unclear. For example, independent claim 23 recites in line 7, “determine an erroneous classification of, or an override of a classification ….”, but the claims recite no classification step preceding line 7, so it is not clear how an erroneous classification is determined [see the 112(b) rejection below].
Clarification is required.

Claim Rejections - 35 USC § 112
5. The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


6. Claims 23, 30 and 37 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being incomplete for omitting essential elements, such omission amounting to a gap between the elements. See MPEP § 2172.01.
The omitted element is as follows: claim 23, line 7 recites “determine an erroneous classification of, or an override of a classification ….”, but the claims recite no classification step preceding line 7, so it is not clear how an erroneous classification is determined.

A similar problem is found in the other independent claims, 30 and 37.

Appropriate correction is needed.

Double Patenting

7.    The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper time-wise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A non-statutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on non-statutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1)-706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based e-Terminal Disclaimer may be filled out completely online using web-screens. An e-Terminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about e-Terminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-l.jsp.

8. Claims 23, 26-27, 30, 33-34, 37 and 40-41 are rejected on the ground of non-statutory double patenting as being unpatentable over claims 1, 7, 10 and 18-19 of U.S. Patent No. 10,320,813. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the Patent contain every element of the claims of the instant application and as such anticipate the claims of the instant application.

"A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus)." ELI LILLY AND COMPANY v. BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001).

Claim Rejections - 35 USC § 103
9. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

10. Claims 23-24, 25-27, 29-31-34 and 36-40 and 41 are rejected under 35 U.S.C. 103 as being unpatentable over Korsunsky (US Pub. No. 2011/0214157) in view of Cruz Mota (US Pub. No. 2016/0028754).

11. Regarding claims 23, 30 and 37, Korsunsky teaches a system, a method and a non-transitory computer-readable media comprising: a plurality of compute nodes of a network comprising two or more compute nodes that host respective virtual computing resource instances, each compute node comprising at least one processor and a memory; and a security threat detection and mitigation platform to: analyze traffic patterns of network traffic to extract 

determine an erroneous classification of, or an override of a classification decision that identifies, computing resource behavior; and train based on data used in erroneous classification (Examiner Note: It is not clear how an erroneous classification is determined, as such these limitations are rejected under 112(b). Please see the 112(b) rejection above);

Korsunsky teaches all of the above claimed limitations, but does not expressly teach: classify, based on application of the trained machine model to the received network traffic, behavior of the computing resource instance with respect to a security threat of a particular type; and take action, in response to classification of the behavior as malicious with respect to the security threat, to mitigate the security threat.

Cruz Mota teaches receive network traffic from one of the computing resource instances; classify, based on application of the trained machine model to the received network traffic, behavior of the computing resource instance with respect to a security threat of a particular type (Para: 0033 teaches the machine learning process will act as an attack detection classifier that classifies network traffic or conditions into either an "attack" category or a "normal operation" category, based on the learned behavior of the network);


Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Korsunsky to include classifying, based on application of the trained machine model to the received network traffic, as taught by Di Pietro; such a setup would yield the predictable result of classifying network traffic patterns based on a set of rules and detecting potential network attacks.

12. Regarding claims 24, 31 and 38, Korsunsky teaches the system, the method and the non-transitory computer readable media wherein, to perform said analyze and said train, the security threat detection and mitigation platform is to perform said analyze and said train without knowledge of the content of packets in the network traffic (Para: 0020-0021 teaches analyzing the patterns in the data flow. Para: 0163-0164 teaches training on the network behavior of the data flow, which includes a connection time, an inter-connection time, a request time, a response time, and a count of the number of bytes in a connection of the packet header).



14. Regarding claims 26, 33 and 40, Cruz Mota teaches the system, the method and the non-transitory computer readable media, wherein the machine model is a new machine model (Cruz Mota: Para: 0042 teaches an attack mitigation mechanism allows traffic to be segregated based on whether the traffic is attack-related or normal traffic. E.g., once an attack has been detected using aggregated metrics for the entire set of traffic data, the set of traffic data will be clustered into various subsets and provided to one or more other attack detectors that have been specifically trained to analyze the clusters. Para: 0035 teaches Artificial Neural Networks (ANNs) are a type of machine learning technique. An ANN will be trained to identify deviations in the behavior of a network that could indicate the presence of a network attack (e.g., a change in packet losses, link delays, number of requests, etc.)).

15. Regarding claims 27, 34 and 41, Cruz Mota teaches the system, the method and the non-transitory computer readable media, wherein the security threat detection and mitigation platform is to create, based on data used in an erroneous classification of behavior, a white list feature or inference engine rule indicating that an instance of the corresponding erroneously-classified behavior is malicious unless a flag is set to indicate that an instance is permitted (Para: 0033 teaches learning machine process 248 will be an attack detection classifier that classifies network traffic or conditions into either an "attack" category or a "normal operation" category, based on learned behavior of the network. Fig. 7 and Para: 0095-0097 teaches the 

16. Regarding claims 29 and 36, Cruz Mota teaches the system and the method, wherein the security threat detection and mitigation platform is to create, via application of machine learning techniques, a hyperplane that separates (a) a cluster of instances exhibiting behavior that was previously being classified as malicious based on one traffic pattern from (b) all other clusters of instances and a particular instance that was previously in that cluster (Figs. 4-6, Para: 0061 and Para: 0091 teach that once trained, a cluster-based attack detector 410 will analyze the corresponding clusters to label each cluster as either "attack-related" or "normal traffic." In other words, one of attack detectors 410 will segregate the analyzed clusters into a set 412 of attack-related clusters (e.g., the clusters that signaled an attack) and a set 414 of normal traffic clusters (e.g., the clusters that were considered safe by attack detector 410). For example, assume that final classification 408 indicates that an HTTP Slow Loris type of attack has been detected using the aggregated set of traffic data. If cluster process 249 uses mean-shift clustering to divide the set of traffic data into clusters A-D, it may provide aggregated metrics for these clusters to an attack detector 410 that has been specifically configured to detect HTTP Slow Loris attacks. In response, attack detector 410 will analyze and label each cluster accordingly, to form sets 412-414 (e.g., clusters A-C contain normal traffic, but cluster D relates to an HTTP Slow Loris attack)).

17. Claims 28, 35 and 42 are rejected under 35 U.S.C. 103 as being unpatentable over Korsunsky (US Pub. No. 2011/0214157) in view of Cruz Mota (US Pub. No. 2016/0028754) as applied to claims 23, 30 and 37, and further in view of Schmidtler (US Pub. No. 2015/0033341).

18. Regarding claims 28, 35 and 42, Korsunsky in view of Cruz Mota teaches all of the above claimed limitations but does not expressly teach the system, the method and the non-transitory computer readable media, wherein the security threat detection and mitigation platform is to retrain, based on an override of a classification decision that identifies an observed pattern as not being associated with a malicious attack, the machine model to recognize a difference between malicious and benign traffic patterns.

Schmidtler teaches the security threat detection and mitigation platform is to retrain, based on an override of a classification decision that identifies an observed pattern as not being associated with a malicious attack, the machine model to recognize a difference between malicious and benign traffic patterns (Para: 0004 and Para: 0024-0026 teach that by creating trained models in the threat identification system, the threat identification system will automatically detect threats that have evolved and changed over time and that have never been observed by the threat identification system. In one example, feature vectors representing information associated with instances of data may be generated and sent to a classifier to determine a threat assessment score for the feature vectors. The threat assessment score may 

Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Korsunsky in view of Cruz Mota to include retraining, based on an override of a classification decision that identifies an observed pattern as not being associated with a malicious attack, as taught by Schmidtler; such a setup would determine the threat and protect the endpoint devices from the threat.


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  


Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEREENA T CATTUNGAL whose telephone number is (571)270-0506.  The examiner can normally be reached on Mon-Fri: 7:30 AM-5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-

/DEREENA T CATTUNGAL/Primary Examiner, Art Unit 2431