DETAILED ACTION


		Continued Examination Under 37 CFR 1.114

1. 	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 7/15/2020 has been entered.

Remarks
2.	 Pending claims for consideration are claims 1-5, 7-16, 18-20, and 23-24. Applicant has amended claims 1, 12, and 20. Claims 6, 17, and 21-22 have been cancelled.
Response to Arguments

3. 	Applicant's arguments filed 3/19/2021 have been fully considered, but they are not persuasive.
	In the remarks applicant argues in substance:
That – Mualem does not teach a system that processes “access request authentication traffic and notifies a designated user that the first portion is indicative of said attack prior to allowing access to the protected computer resource” as recited in claims 1, 12, and 20.
In response to applicant’s argument – It is the combination of Mualem in view of Zakas that teaches the claimed language, not Mualem or Zakas alone. Mualem, under its broadest reasonable interpretation in light of the specification, teaches “access request authentication traffic and notifies a designated user that the first portion is indicative of said attack prior to allowing access to the protected computer resource” as recited in claims 1, 12, and 20. Mualem teaches one mode of configuration in which the threat detection system is placed between router 420 and firewall 430 to detect and respond to DoS attacks, port scans, and other externally initiated attacks. As shown, threat detection system 100 protects the target network's main Internet connection from attack [Col.20/lines 60-67]. Additionally, an access request authentication is illustrated in figure 1/item S70, in which an action request for access is either accepted or rejected.



Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


4.	Claims 1, 7-9, 12, 18, 20, and 23-24 are rejected under 35 U.S.C. 103 as being unpatentable over Patent No.: US 7,463,590 B2 to Mualem et al. (hereafter referenced as Mualem) in view of Pub. No.: US 2006/0026669 A1 to Zakas.
Regarding claim 1, Mualem discloses “An attack detection and response system comprising: at least one processor”, i.e. a processor comprised within the threat detection system (threat detection system [Fig.3]); “and at least one memory device which stores a plurality of instructions to cause the at least one processor to receive, at a firewall of a protected computer resource, access request authentication traffic passing between an external network and a protected computer resource” (in one mode of configuration the threat detection system is placed between router 420 and firewall 430 to detect and respond to DoS attacks, port scans, and other externally initiated attacks. As shown, threat detection system 100 protects the target network's main Internet connection from attack [Col.20/lines 60-67]; an access request authentication is illustrated in figure 1/S70, in which an action request is either accepted or rejected); “analyze, at the protected computer resource, a first portion of the authentication traffic from the external network to determine whether the first portion is indicative of an attack on the protected computer resource” (a Windows GINA client or a UNIX PAM module is installed on workstation hosts from which users will access the network [Col.13/lines 51-57]; this client/module software interfaces with the relevant standard logon procedure to the threat analysis module [Fig.3/item 170]; also see threat signature detection module [Fig.1/item S45]); “and responsive to determining that the first portion is indicative of an attack on the protected computer resource, notify a designated user that the first portion is indicative of said attack prior to allowing access to the protected computer resource” (alerts are used to report the threat to the user interface via the threat management system [Fig.1/item S74], and a reject/block packet action is sent [Fig.1/item S76]; see also [Col.14/lines 46-50]).
Mualem does not explicitly disclose “wherein analyzing authentication traffic includes comparing the authentication traffic to a security policy.”
However, Zakas in an analogous art discloses “wherein analyzing authentication traffic includes comparing the authentication traffic to a security policy” (the traffic sensor receives network traffic and analyzes traffic packets at the traffic sensors, Zakas [Fig.5], via policy compliance, Zakas [par.0038]; see also updating directory rules based on a watch list from past analyzed network traffic patterns, Zakas [Fig.8/item 810]).

Regarding claim 7 in view of claim 1, the references combined disclose “wherein the plurality of instructions cause the at least one processor, while performing (c), to: perform at least one action selected from the group consisting of: preventing a second portion of the authentication traffic from reaching the protected computer resource” (a second portion adapted for comparing the packet data to a predetermined set of threat signatures, Mualem [Col.2/lines 26-34]); “issuing an alert” (a rule number, which is used to report an alert, Mualem [Col.7/line 19]); “modifying the second portion of the authentication traffic” (a second portion adapted for comparing the packet data to a predetermined set of threat signatures, Mualem [Col.2/lines 26-34]); “and reconfiguring network equipment or privileges” (set action based on reconfiguration, Mualem [Fig.1/item S70]).
Regarding claim 8 in view of claim 1, the references combined disclose “wherein the plurality of instructions further cause the at least one processor to: determine whether the first portion of the authentication traffic originates from an unrecognized (the interceptor, Mualem [Fig.10], sends information regarding packet traffic for analysis to the NMD, Mualem [Fig.10]).
Regarding claim 9 in view of claim 1, the references combined disclose “wherein the plurality of instructions further cause the at least one processor to operate with at least one network interface device to enforce the security policy” (The permission detection module enforces the security model by filtering unauthorized packets from the network or by blocking switch ports Mualem [Col.12/lines 64-67]).
Regarding claim 12, Mualem discloses “a method comprising: receiving at a firewall of a protected computer resource” (in one mode of configuration the threat detection system is placed between router 420 and firewall 430 to detect and respond to DoS attacks, port scans, and other externally initiated attacks. As shown, threat detection system 100 protects the target network's main Internet connection from attack [Col.20/lines 60-67]), “access request authentication traffic passing between an external network and the protected computer resource” (in one mode of configuration the threat detection system is placed between router 420 and firewall 430 to detect and respond to DoS attacks, port scans, and other externally initiated attacks. As shown, threat detection system 100 protects the target network's main Internet connection from attack [Col.20/lines 60-67]; an access request authentication is illustrated in figure 1/S70, in which an action request is either accepted or rejected); “at least one network interface device” (network interface portion [Fig.3/item 120]); “analyzing at the protected computer resource a first portion of the authentication traffic from the external network to determine whether  , i.e. network traffic passes through the network interface portion (item 120) and enters the memory portion ([Fig.3/item 160]; also see [Col.16/lines 22-24]); “and responsive to determining that the first portion is indicative of an attack on the protected computer resource, notifying a designated user that the first portion is indicative of said attack prior to allowing access to the protected computer resource” (alerts are used to report the threat to the user interface via the threat management system [Fig.1/item S74], and a reject/block packet action is sent [Fig.1/item S76]; see also [Col.14/lines 46-50]).
Mualem does not explicitly disclose “wherein analyzing authentication traffic includes comparing the authentication traffic to a security policy.”
However, Zakas in an analogous art discloses “wherein analyzing authentication traffic includes comparing the authentication traffic to a security policy” (the traffic sensor receives network traffic and analyzes traffic packets at the traffic sensors, Zakas [Fig.5], via policy compliance, Zakas [par.0038]; see also updating directory rules based on a watch list from past analyzed network traffic patterns, Zakas [Fig.8/item 810]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mualem’s system for threat detection and response with Zakas’s traffic sensors, which receive network traffic and analyze it for policy compliance. One of ordinary skill in the art would have been motivated to combine because Mualem's system for threat detection comprises a threat 
Regarding claim 18, in view of claim 12, the references combined disclose “wherein further comprises: performing at least one action selected from the group consisting of: preventing a second portion of the authentication traffic from reaching the protected computer resource” (a second portion adapted for comparing the packet data to a predetermined set of threat signatures, Mualem [Col.2/lines 26-34]); “issuing an alert” (a rule number, which is used to report an alert, Mualem [Col.7/line 19]); “modifying the second portion of the authentication traffic; and reconfiguring network equipment or privileges” (set action based on reconfiguration, Mualem [Fig.1/item S70]).
Regarding claim 20, Mualem discloses “a computer-readable non-transitory storage medium storing executable instructions for attack detection and response” (threat detection system [Fig.3]), “which when executed by a computer system, cause the computer system to: receive, at a firewall of a protected computer resource, access request authentication traffic passing between an external network and the protected computer resource” (in one mode of configuration the threat detection system is placed between router 420 and firewall 430 to detect and respond to DoS attacks, port scans, and other externally initiated attacks. As shown, threat detection system 100 protects the target network's main Internet connection from attack [Col.20/lines 60-67]; an access request authentication is illustrated in figure 1/S70, in which an action request is either accepted or rejected); “analyze, at the  i.e. network traffic passes through the network interface portion (item 120) and enters the memory portion ([Fig.3/item 160]; also see [Col.16/lines 22-24]); “and responsive to determining that the first portion is indicative of an attack on the protected computer resource, notify a designated user that the first portion is indicative of said attack prior to allowing access to the protected computer resource” (alerts are used to report the threat to the user interface via the threat management system [Fig.1/item S74], and a reject/block packet action is sent [Fig.1/item S76]; see also [Col.14/lines 46-50]).
Mualem does not explicitly disclose “wherein analyzing the authentication traffic includes comparing the authentication traffic to a security policy.”
However, Zakas in an analogous art discloses “wherein analyzing the authentication traffic includes comparing the authentication traffic to a security policy” (the traffic sensor receives network traffic and analyzes traffic packets at the traffic sensors, Zakas [Fig.5], via policy compliance, Zakas [par.0038]; see also updating directory rules based on a watch list from past analyzed network traffic patterns, Zakas [Fig.8/item 810]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mualem’s system for threat detection and response with Zakas’s traffic sensors, which receive network traffic and analyze it for policy compliance. One of ordinary skill in the art would have been motivated to combine because Mualem's system for threat detection comprises a threat 
Regarding claim 23 in view of claim 1, the references combined disclose “wherein the security policy is updated based on at least one of external network details, past analyzed external network weaknesses, and past analyzed external network patterns of activity” (each analyzer has an analysis thread for each threat detection system, and a main thread to propagate updated attacks via its attack handler. The attack handler feeds into an RMI communication mechanism to propagate attack information to the report portion 248 of the threat management system 200, Mualem [Col.18/lines 18-23]).
Regarding claim 24 in view of claim 12, the references combined disclose “wherein the security policy is updated based on at least one of external network details, past analyzed external network weaknesses, and past analyzed external network patterns of activity” (each analyzer has an analysis thread for each threat detection system, and a main thread to propagate updated attacks via its attack handler. The attack handler feeds into an RMI communication mechanism to propagate attack information to the report portion 248 of the threat management system 200, Mualem [Col.18/lines 18-23]).

5.	Claims 2-5, 10-11, 13-16 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Patent No.: US 7,463,590 B2 to Mualem et al (hereafter referenced .
Regarding claim 2 in view of claim 1, neither Mualem nor Zakas explicitly discloses “wherein the plurality of instructions cause the at least one processor, while performing to: integrate a set of rules to create a consolidated alert for presentation; designate a system administrator as the designated user; and present the consolidated alert for presentation to the designated user.”
However, Porras in an analogous art discloses “wherein the plurality of instructions cause the at least one processor, while performing to: integrate a set of rules to create a consolidated alert for presentation” (a set of rules is integrated via monitoring that collects event reports from different monitors and correlates activity to identify attacks causing disturbances in more than one network entity, causing entities to be alerted, Porras [Col.2/lines 64-67]); “designate a system administrator as the designated user; and present the consolidated alert for presentation to the designated user” (in addition to domain surveillance, domain monitors 16a-16c can reconfigure system parameters, interface with other monitors beyond a domain, and report threats against a domain 12a-12c to administrators, Porras [Col.4/lines 12-16]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mualem’s threat detection and response and Zakas’s traffic sensors with Porras’s network surveillance system, which allows for a system administrator as a designated user, in order to provide additional security as suggested by Porras. One of ordinary skill in the art would be 
Regarding claim 3 in view of claim 1, neither Mualem nor Zakas explicitly disclose “wherein the plurality of instructions further cause the at least one processor to: present, to the designated user, an administrator interface to enable the designated user to affect future analysis of first portion of a future received network traffic to determine whether the first portion is indicative of an attack on the protected computer resource.”
However, Porras in an analogous art discloses “wherein the plurality of instructions further cause the at least one processor to: present, to the designated user, an administrator interface” (administrator interface subscribing services are added to the resolver interface, Porras [Col.9/lines 9-13]) “to enable the designated user to affect future analysis of first portion of a future received network traffic to determine whether the first portion is indicative of an attack on the protected computer resource” (i.e. the resolver operates as the interface between administrator and monitor for the purpose of allowing the administrator to monitor and submit configuration requests based on monitoring, Porras [Col.9/lines 9-17]; also see the countermeasure unit resolver, Porras [Fig.2/item 20]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mualem’s threat detection and response and Zakas’s traffic sensors with Porras’s network surveillance system, which allows for a system administrator as a designated user, in order to provide additional security as suggested by Porras. One of ordinary skill in the art would be 
Regarding claim 4 in view of claim 3, the references combined disclose “wherein affecting a future analysis of the first portion of future received network traffic comprises altering a collection of algorithms configured to determine whether the first portion is indicative of an attack on the protected computer resource” (potential threats are analyzed and stored in a threat library for future analysis of received network traffic as new threats are identified, Mualem [Col.6/lines 56-61]).
Regarding claim 5 in view of claim 2, the references combined disclose “wherein the plurality of instructions cause the at least one processor, while performing, to: determine whether the first portion indicative of an attack represents an exception” (threat analysis [Fig.3/item 170] analyzes the attack to determine if there is an exception, Mualem [Col.14/lines 42-44]); “and responsive to determining that the first portion indicative of an attack represents an exception, refrain from integrating the set of rules to create the consolidated alert for presentation” (actions/exceptions may include, in step S72, sending an alert to the network management system in step S74, rejecting the packet and altering it out of the traffic stream in step S76, or rejecting the packet and blocking the port through which the offending packet traveled in step S78, Mualem [Col.14/lines 45-50]).
Regarding claim 10 in view of claim 1, neither Mualem nor Zakas explicitly disclose “wherein the plurality of instructions further cause at least one processor to 
However, Porras discloses “wherein the plurality of instructions further cause the at least one processor to operate with the at least one network interface device to receive the security policy from a third party resource” (through the interface specification, third party modules 28, 30 can communicate with monitors for analysis and processing, Porras [Col.9/lines 21-24]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mualem’s threat detection and response and Zakas’s traffic sensors with Porras’s network surveillance system, which allows for a system administrator as a designated user, in order to provide additional security as suggested by Porras. One of ordinary skill in the art would be motivated to perform this modification in order to provide monitoring for a systems administrator, additional security, and data integrity.
Regarding claim 11 in view of claim 1, Mualem does not explicitly disclose “wherein the plurality of instructions cause the at least one processor, while performing to: integrate a set of rules to create a consolidated alert for presentation; designate a third party management system as the designated user; and present the consolidated alert for presentation to the designated user via an application programming interface.”
However, Porras in an analogous art discloses “wherein the plurality of instructions cause the at least one processor, while performing to: integrate a set of rules to create a (a set of rules is integrated via monitoring that collects event reports from different monitors and correlates activity to identify attacks causing disturbances in more than one network entity, causing entities to be alerted, Porras [Col.2/lines 64-67]); “designate a third party management system as the designated user; and present the consolidated alert for presentation to the designated user” (in addition to domain surveillance, domain monitors 16a-16c can reconfigure system parameters, interface with other monitors beyond a domain, and report threats against a domain 12a-12c to third party administrators, Porras [Col.4/lines 12-16]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mualem’s threat detection and response with Porras’s network surveillance system, which allows for a system administrator as a designated user, in order to provide additional security as suggested by Porras. One of ordinary skill in the art would be motivated to perform this modification in order to provide monitoring for a systems administrator, additional security, and data integrity.
Regarding claim 13 in view of claim 12, neither Mualem nor Zakas explicitly disclose “wherein further comprises: integrating a set of rules to create a consolidated alert for presentation; designating a system administrator as the designated user; and presenting the consolidated alert for presentation to the designated user.”
However, Porras in an analogous art discloses “wherein the plurality of instructions cause the at least one processor, while performing to: integrate a set of rules to create a (a set of rules is integrated via monitoring that collects event reports from different monitors and correlates activity to identify attacks causing disturbances in more than one network entity, causing entities to be alerted, Porras [Col.2/lines 64-67]); “designate a system administrator as the designated user; and present the consolidated alert for presentation to the designated user” (in addition to domain surveillance, domain monitors 16a-16c can reconfigure system parameters, interface with other monitors beyond a domain, and report threats against a domain 12a-12c to administrators, Porras [Col.4/lines 12-16]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mualem’s threat detection and response and Zakas’s traffic sensors with Porras’s network surveillance system, which allows for a system administrator as a designated user, in order to provide additional security as suggested by Porras. One of ordinary skill in the art would be motivated to perform this modification in order to provide monitoring for a systems administrator, additional security, and data integrity.
Regarding claim 14, in view of claim 12, neither Mualem nor Zakas explicitly discloses “further comprising: presenting, to the designated user, an administrator interface to enable the designated user to affect a future analysis of the first portion of a received network traffic to determine whether the first portion is indicative of an attack on the protected computer resource.”
However, Porras in an analogous art discloses “further comprising: presenting, to the designated user, an administrator interface” (administrator interface subscribing services are added to the resolver interface, Porras [Col.9/lines 9-13]) “to enable the designated user to affect a future analysis of the first portion of a received network traffic to determine whether the first portion is indicative of an attack on the protected computer resource” (i.e. the resolver operates as the interface between administrator and monitor for the purpose of allowing the administrator to monitor and submit configuration requests based on monitoring, Porras [Col.9/lines 9-17]; also see the countermeasure unit resolver, Porras [Fig.2/item 20]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mualem’s threat detection and response and Zakas’s traffic sensors with Porras’s network surveillance system, which allows for a system administrator as a designated user, in order to provide additional security as suggested by Porras. One of ordinary skill in the art would be motivated to perform this modification in order to provide monitoring for a systems administrator, additional security, and data integrity.
Regarding claim 15, in view of claim 14, the references combined disclose “wherein affecting a future analysis of the first portion of future received network traffic comprises altering a collection of algorithms configured to determine whether the first portion is indicative of an attack on the protected computer resource” (potential threats are analyzed and stored in a threat library for future analysis of received network traffic as new threats are identified, Mualem [Col.6/lines 56-61]).
Regarding claim 16, in view of claim 13, the references combined disclose “wherein further comprises: determining whether the first portion indicative of an  (threat analysis [Fig.3/item 170] analyzes the attack to determine if there is an exception, Mualem [Col.14/lines 42-44]); “and responsive to determining that the first portion indicative of an attack represents an exception, refraining from integrating the set of rules to create the consolidated alert for presentation” (actions/exceptions may include, in step S72, sending an alert to the network management system in step S74, rejecting the packet and altering it out of the traffic stream in step S76, or rejecting the packet and blocking the port through which the offending packet traveled in step S78, Mualem [Col.14/lines 45-50]).
Regarding claim 19 in view of claim 12, neither Mualem nor Zakas explicitly discloses “wherein further comprises: integrating a set of rules to create a consolidated alert for presentation; designating a third party management system as the designated user; and presenting the consolidated alert for presentation to the designated user via an application programming interface.”
However, Porras in an analogous art discloses “wherein the plurality of instructions cause the at least one processor, while performing to: integrate a set of rules to create a consolidated alert for presentation” (a set of rules is integrated via monitoring that collects event reports from different monitors and correlates activity to identify attacks causing disturbances in more than one network entity, causing entities to be alerted, Porras [Col.2/lines 64-67]); “designate a third party management system as the designated user; and present the consolidated alert for presentation to the designated user” (in addition to domain surveillance, domain monitors 16a-16c can reconfigure system parameters, interface with other monitors beyond a domain, and report threats against a domain 12a-12c to third party administrators, Porras [Col.4/lines 12-16]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Mualem’s threat detection and response and Zakas’s traffic sensors with Porras’s network surveillance system, which allows for a system administrator as a designated user, in order to provide additional security as suggested by Porras. One of ordinary skill in the art would be motivated to perform this modification in order to provide monitoring for a systems administrator, additional security, and data integrity.

Conclusion


Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL D ANDERSON whose telephone number is (571)270-5159. The examiner can normally be reached Mon-Fri 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHAEL D ANDERSON/Examiner, Art Unit 2433

/BRANDON S HOFFMAN/Primary Examiner, Art Unit 2433