DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to communication filed on 12/28/2021.
Status of claims in the instant application:
Claims 1-6, 8-13 and 15-20 are pending.
Claim 7 and 14 remain canceled.
Claims 1-6 have been amended.
No new claim has been added.
Priority
This application is a “CON of 15/476,212 filed on 03/31/2017 now PAT 10440037”.
Response to Arguments
Applicant’s arguments, see pages 9-10 of the remarks filed on 12/28/2021 with respect to the rejection of claims under 35 USC 101, have been fully considered in view of the amended claims, and they are persuasive. Therefore, the rejection of claims under 35 USC 101 has been withdrawn.
Allowable Subject Matter
Claims 1-6, 8-13 and 15-20 are allowed, but they are renumbered as claims 1-18.
The following is the examiner's statement of reasons for allowance: The following prior art references were found during examination of applicant’s amended claim set filed on 12/28/2021 in response to the office action mailed on 10/28/2021. They do not explicitly 
US-PGPUB 20160359881, Yadav et al.: Yadav discloses an approach for detecting anomalous flows in a network using header field entropy. This can be useful in detecting anomalous or malicious traffic that may attempt to "hide" or inject itself into legitimate flows. A malicious endpoint might attempt to send a control message in underutilized header fields or might try to inject illegitimate data into a legitimate flow. These illegitimate flows will likely demonstrate header field entropy that is higher than that of legitimate flows. Detecting anomalous flows using header field entropy can help detect malicious endpoints.
The system/method described by Yadav can detect a first and a second plurality of flows, determine entropies associated with header fields of the two sets of flows, and compare the entropies of the flows to determine anomalous flows associated with endpoint devices/nodes.
US-PGPUB 20080184367, McMillan et al.: McMillan discloses systems and methods for performing malware detection by determining suspicious data based on data entropy. The method includes acquiring a block of data, calculating an entropy value for the block of data, comparing the entropy value to a threshold value, and recording the block of data as suspicious when the entropy value exceeds the threshold value. An administrator may then investigate suspicious data.
Methods and systems consistent with embodiments of the invention review arbitrary blocks of data from a computer system and identify that data's entropic characteristics to reach conclusions about how suspicious or interesting the data may 
US-PGPUB 20160127406, Smith et al.: Smith’s disclosure relates to identifying requests that may be tied to a DDOS attack. For example, the primary identifiers (e.g., a source address) of requests for a network resource (e.g., an entire website or a particular element of the website) can be tracked. In one embodiment, a statistical analysis of how often a particular source address (or other primary identifier) normally makes a request can be used to identify source addresses that make substantially more requests. A normal amount can correspond to an average number of requests that a source address makes. According to some embodiments, a system can use statistical analysis methods on various request data in web server logs to identify potential attacks and send data concerning potential attacks to an HBA system for further analysis.
US-PGPUB 20140298461, Hohndel et al.: Hohndel’s disclosure relates to detecting malware. The embodiments are configured to receive an entropy rate of a potentially affected system. The embodiments are further configured to compare the 
US-PGPUB 20090276852, Alderson et al.: Alderson discloses a method, system, and computer program product for identifying a worm attack on a computer network. The method includes setting a predetermined time period for monitoring non-packet event(s). A log entry associated with the non-packet event(s) is received and stored. The one or more received log entries identify a first source of a worm infection threat, first destination(s) of the worm infection threat, first timestamp(s) of the worm infection threat, and a non-packet event type of the worm infection threat. A counter is configured for recording, within the predetermined time period, a number of infection attempts of the same event type by the first destination(s) of the worm infection threat to second destination(s) of the worm infection threat. In response to determining that the number of infection attempts satisfies a defined infection attempt threshold value, an alert confirming the worm attack on the computer network is communicated.
US-PGPUB 20130104230, Tang et al.: Tang discloses systems and methods for detecting a denial of service attack. These may include receiving a plurality of web log traces from one of a plurality of web servers; extracting a first set of features from the plurality of web log traces; applying a first machine learning technique to the first set of features; producing a first plurality of user classifications for communication to the web server; extracting a second set of features from the plurality of web log traces; applying a second machine learning technique to the second set of features; producing a second plurality of user classifications for communication to the web server; communicating the first plurality of user classifications to the web server based at least on the plurality of web log traces; and communicating the second plurality of user classifications to the web server based at least on the plurality of web log traces.
US-PGPUB 20120117254, Ehrlich et al.: Ehrlich discloses methods for providing alerts in a network. Some methods include collecting network traffic data corresponding to multiple subsets of network addresses during a predefined time interval. A suspect subset of the subsets of network addresses that corresponds to anomalous network activity may be identified based on the network traffic data and using at least one of multiple anomaly detection metrics. A source network address within the suspect subset of network addresses that corresponds to the anomalous network activity is identified. An alert corresponding to the source network address may be generated.
US-PGPUB 20160350165, LeMond et al.: LeMond discloses techniques for detecting anomalous accounts. An example method includes receiving, via a processor, a list of monitored machines and event logs including logons for the list of monitored 
However, none of the prior art of record, alone or in combination, discloses all the limitations of the amended independent claims 1, 8 and 15; specifically, the references do not disclose “determine a second entropy value for the first monitored device based on numbers of unique event identifiers included in corresponding groups of log entries obtained for respective ones of a plurality of monitored devices including the first monitored device, the groups of log entries associated with the first time window, the numbers of unique event identifiers on which the second entropy value is based to include the first number of unique event identifiers included in the first group of log entries obtained for the first monitored device; determine whether the first monitored device is compromised based on the first entropy value and the second entropy value; and quarantine the first monitored device in response to a determination that the first monitored device is compromised”.
Therefore, the independent claims are allowable over the prior art. The dependent claims, being definite, further limiting, and fully enabled by the specification, are also allowed by virtue of their dependence on the independent claims.
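A worked illustration of the allowed limitation, added here as example code that is not taken from the application or from any cited reference. It assumes the first entropy value is the entropy of the event-ID distribution within the device's own log entries (the office action does not define it), computes the second entropy value over the per-device counts of unique event identifiers for the window, and uses constructed sample logs, thresholds and a decision rule.

```python
import math
from collections import Counter

# Constructed event logs for one time window, keyed by monitored device.
# Event IDs are illustrative only; the sample is not taken from a real host.
WINDOW_LOGS = {
    "ws-01": [4624, 4624, 4624, 4672, 4624],
    "ws-02": [4624, 4634, 4624, 4634],
    "ws-03": [4624, 4688, 4698, 4720, 4728, 1102, 7045, 4697],
}

def shannon_entropy(counts):
    """Shannon entropy in bits of a frequency distribution given as counts."""
    total = sum(counts)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)

def first_entropy(event_ids):
    """Assumed first entropy value: entropy of the event-ID distribution
    inside a single device's group of log entries for the window."""
    return shannon_entropy(Counter(event_ids).values())

def unique_counts(window_logs):
    """Number of unique event identifiers per device in the window."""
    return {dev: len(set(ids)) for dev, ids in window_logs.items()}

def second_entropy(window_logs):
    """Second entropy value: entropy over the per-device unique-ID counts,
    taken across all monitored devices (the first device's count included)."""
    return shannon_entropy(unique_counts(window_logs).values())

def is_compromised(h1, h2, first_threshold=2.0, second_threshold=1.5):
    """Assumed decision rule: the device's own log diversity is high while
    the fleet-wide count distribution is skewed (low entropy), i.e. one
    device contributes a disproportionate share of distinct event IDs."""
    return h1 > first_threshold and h2 < second_threshold

def evaluate_device(window_logs, device, quarantined):
    """Score one device for the window and quarantine it if flagged."""
    h1 = first_entropy(window_logs[device])
    h2 = second_entropy(window_logs)
    compromised = is_compromised(h1, h2)
    if compromised:
        quarantined.add(device)  # simulated isolation of the device
    return {"device": device, "h1": h1, "h2": h2, "compromised": compromised}

if __name__ == "__main__":
    isolated = set()
    for dev in WINDOW_LOGS:
        print(evaluate_device(WINDOW_LOGS, dev, isolated))
    print("quarantined:", sorted(isolated))
```

With these inputs the cross-device entropy drops from 1.585 bits (three devices with equal unique counts) to about 1.252 bits because ws-03 alone contributes eight distinct event IDs, and only ws-03 is quarantined.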
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED whose telephone number is (571)272-0364. The examiner can normally be reached 9AM-5PM EST, M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
/MAHABUB S AHMED/Examiner, Art Unit 2434
/KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434