Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s arguments, see Remarks, filed 8-4-2021, with respect to the claim objections and the 35 USC 112 and 101 (non-statutory) rejections have been fully considered and are persuasive in light of the new amendments. The objection and rejections are withdrawn.
Applicant’s arguments with respect to the claim rejections under 35 USC 103 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Specifically, the arguments are directed to the amended part of the claims, and a new rejection with a new secondary reference is applied; therefore the arguments are moot in light of the new amendments.

Claim Objections
Claim 10 is objected to because of the following informalities: “an apparatus, comprising: at least one processor; at least one memory including program code, wherein the at least one memory including the program code is configured with the at least one processor to cause the apparatus to;”. It is suggested to have a colon [ : ] instead of the semicolon after “cause the apparatus to” (the bold and underlined part). Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-15 are rejected under 35 U.S.C. 103 as being unpatentable over Tamersoy et al (US 10142357), hereafter Tam, in view of Buchanan et al (US 20150256431), hereafter Buch.
Claim 1: Tam teaches a method, comprising: protecting a computer system against remote exploitation attacks performed over a network to which the computer system is connected (C21L40-43: receive protection from one or more systems for endpoint security, wherein endpoint security is protection of endpoint systems from unauthorized and/or illegitimate use, access (C5L30: remote access behaviors) and/or control), comprising:
b) based on the identifying, reporting the identified network connection as a real or potential remote exploitation attack; (C14L54-56: security module reports the subsequent network connection as being malicious or suspicious to an administrator and (C5L19-46, Fig. 1) data set includes the volume of certain remote access behaviors (such as SSH, VNC, and/or FTP) based on (C10L9-13) determination module determining that the network connection is actually malicious based at least in part on the great deviation in behavior between the baseline and the time of network connection); and 
c) taking at least one action comprising at least one of terminating or modifying the identified network connection to mitigate against the real or potential remote exploitation attack. (C14L24-27: security module prevents and/or terminate the malicious network connection attempted at or around the same time as the detection of feature);
Tam teaches the concept but is not explicit about a) identifying a network connection which carries a traffic level in excess of a predefined threshold that is not associated with a preceding authentication allowed for the network connection originating from an end point of the network.
But the analogous art Buch teaches a) identifying a network connection which carries a traffic level in excess of a predefined threshold that is not associated with a preceding authentication allowed for the network connection originating from an end point of the network [018] the identity of the initiator is checked against a database to determine if the initiator is new. If the initiator is new, a corresponding record containing historical usage information does not yet exist in the database (i.e., no preceding authentication) and [024] the corresponding traffic flow is automatically categorized as untrusted (by virtue of the initiator being unknown), [043] Every new connection is compared to the [012] historical data and predefined thresholds... Connections that deviate from or exceed expected usage patterns are identified as untrusted or malicious).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Tam to include the idea of reporting network connection carrying excess traffic and not previous authentication as taught by Buch thus reducing computational load, while providing a deterrent by using smart inspection policies to screen for malicious activity ([053]).
Claim 8: Tam teaches a computer program embodied on a non-transitory memory, the computer program executed by at least one processor to perform operations, comprising (Figs. 1 & 2): protecting a computer system against remote exploitation attacks performed over a network to which the computer system is connected, comprising: b) based on the identifying, reporting the identified network connection as a real or potential remote exploitation attack; and c) taking at least one action comprising at least one of terminating or modifying the identified network connection to mitigate against the real or potential remote exploitation attack. (C21L40-43: receive protection from one or more systems for endpoint security wherein endpoint security is protection of endpoint systems from unauthorized and/or illegitimate use, access, (C5L30 remote access behaviors) and/or control; C14L54-56: security module reports the subsequent network connection as being malicious or suspicious to an administrator and (C5L19-46, Fig. 1) data set includes the volume of certain remote access behaviors (such as SSH, VNC, and/or FTP) based on (C10L9-13) determination module determining that the network connection is actually malicious based at least in part on the great deviation in behavior between the baseline and the time of network connection; C14L24-27: security module prevents and/or terminate the malicious network connection attempted at or around the same time as the detection of feature);
Tam teaches the concept but is not explicit about a) identifying a network connection which carries a traffic level in excess of a predefined threshold that is not associated with a preceding authentication allowed for the network connection originating from an end point of the network.
But the analogous art Buch teaches a) identifying a network connection which carries a traffic level in excess of a predefined threshold that is not associated with a preceding authentication allowed for the network connection originating from an end point of the network ([018] the identity of the initiator is checked against a database to determine if the initiator is new. If the initiator is new, a corresponding record containing historical usage information does not yet exist in the database (i.e., no preceding authentication) and [024] the corresponding traffic flow is automatically categorized as untrusted (by virtue of the initiator being unknown), [043] Every new connection is compared to the [012] historical data and predefined thresholds... Connections that deviate from or exceed expected usage patterns are identified as untrusted or malicious).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Tam to include the idea of reporting a network connection carrying excess traffic and not preceded by authentication as taught by Buch ([053]).
Claim 10: Tam teaches an apparatus, comprising: at least one processor; at least one memory including program code, wherein the at least one memory including the program code is configured with the at least one processor to cause the apparatus to (Figs. 1 & 2); protect a computer system against remote exploitation attacks performed over a network to which the computer system is connected, comprising: b) based on the identifying, reporting the identified network connection as a real or potential remote exploitation attack; and c) taking at least one action comprising at least one of terminating or modifying the identified network connection to mitigate against the real or potential remote exploitation attack. (C21L40-43: receive protection from one or more systems for endpoint security wherein endpoint security is protection of endpoint systems from unauthorized and/or illegitimate use, access, (C5L30 remote access behaviors) and/or control; C14L54-56: security module reports the subsequent network connection as being malicious or suspicious to an administrator and (C5L19-46, Fig. 1) data set includes the volume of certain remote access behaviors (such as SSH, VNC, and/or FTP) based on (C10L9-13) determination module determining that the network connection is actually malicious based at least in part on the great deviation in behavior between the baseline and the time of network connection; C14L24-27: security module prevents and/or terminate the malicious network connection attempted at or around the same time as the detection of feature);
Tam teaches the concept but is not explicit about a) identifying a network connection which carries a traffic level in excess of a predefined threshold that is not associated with a preceding authentication allowed for the network connection originating from an end point of the network.
But the analogous art Buch teaches a) identifying a network connection which carries a traffic level in excess of a predefined threshold that is not associated with a preceding authentication allowed for the network connection originating from an end point of the network [018] the identity of the initiator is checked against a database to determine if the initiator is new. If the initiator is new, a corresponding record containing historical usage information does not yet exist in the database (i.e., no preceding authentication) and [024] the corresponding traffic flow is automatically categorized as untrusted (by virtue of the initiator being unknown), [043] Every new connection is compared to the [012] historical data and predefined thresholds... Connections that deviate from or exceed expected usage patterns are identified as untrusted or malicious).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Tam to include the idea of reporting network connection carrying excess traffic and not previous authentication as taught by Buch thus reducing computational load, while providing a deterrent by using smart inspection policies to screen for malicious activity ([053]).
Claim 2: the combination of Tam and Buch teaches the method according to claim 1, wherein the computer system is a system utilizing a Windows® operating system. (Tam: col. 15 lines 58-60: operating system includes MICROSOFT WINDOWS, WINDOWS MOBILE etc).
Claim 3: the combination of Tam and Buch teaches the method according to claim 2, wherein said network connection is a connection associated with one of the following services: server (Tam: col. 19 lines 16-20: Network-Attached Storage (NAS) devices configured to communicate with servers using various protocols, such as Network File System (NFS), Server Message Block (SMB), or Common Internet File System (CIFS)).
Claim 4: the combination of Tam and Buch teaches the method according to claim 1, steps a), b) and c) all being carried out at the computer system. (Tam: col. 1 lines 40-42: monitoring computing activity within a network that includes a plurality of computing devices over a plurality of time periods).
Claim 5: the combination of Tam and Buch teaches the method according to claim 1, wherein said predetermined threshold is selected from a set of predefined thresholds associated with respective services and/or protocols facilitating network connections. (Tam: See Fig. 6: A list of thresholds for each filter that must be met before an incident is generated).
Claim 6: the combination of Tam and Buch teaches the method according to claim 1, wherein said authentication is an operating system level authentication. (Tam: col. 14 lines 51-53: the network connection to increased authentication and/or verification measures (three-factor authentication), (col. 20 lines 33-35) server programmed in this manner shares an operating system among multiple customers).
Claim 7: the combination of Tam and Buch teaches the method according to claim 1, wherein said authentication is an application level authentication. (Tam: col. 14 lines 51-53: the network connection to increased authentication and/or verification measures (three-factor authentication), (col. 20 lines 33-35) server programmed in this manner shares an application among multiple customers).
Claim 9: the combination of Tam and Buch teaches the computer program according to claim 8 and being configured as a third party application to be run under the control of an operating system of the computer system. (Tam: col. 20 lines 22-23: systems shall be provided through a remote desktop environment or any other cloud-based computing environment).
Claim 11: the combination of Tam and Buch teaches the apparatus according to claim 10, the apparatus being part of said computer system. (Tam: col. 1 lines 40-42: monitoring computing activity within a network that includes a plurality of computing devices over a plurality of time periods).
Claim 12: the combination of Tam and Buch teaches the apparatus according to claim 10, wherein the computer system is a system utilising a Windows® operating system. (Tam: col. 15 lines 58-60: operating system includes MICROSOFT WINDOWS, WINDOWS MOBILE etc).
Claim 13: the combination of Tam and Buch teaches the apparatus according to claim 12, wherein said network connection is a connection associated with one of the following services: server message block (SMB), remote desktop protocol (RDP), and remote procedure call (RPC). (Tam: col. 19 lines 16-20: Network-Attached Storage (NAS) devices configured to communicate with servers using various protocols, such as Network File System (NFS), Server Message Block (SMB), or Common Internet File System (CIFS)).
Claim 14: the combination of Tam and Buch teaches the method according to claim 1, wherein taking at least one action comprising terminating or modifying the identified network connection comprises modifying firewall rules to limit connections with the identified network connection. (Tam: C22L8-11: restricted platforms that restrict modifications to system level configurations and that limit the ability of third party software to inspect the behavior of other applications, controls to restrict the installation of applications).
Claim 15: the combination of Tam and Buch teaches the method according to claim 1, wherein taking at least one action comprising terminating or modifying the identified network connection comprises disabling network adapters to isolate machines exploited by the identified network connection. (Tam: C22L8-11: restricted platforms that restrict modifications to system level configurations and that limit the ability of third party software to inspect the behavior of other applications, controls to restrict the installation of applications).
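The claimed method as the examiner reads it across claims 1, 5 and 14 (step a: a connection carrying traffic above a predefined, per-service threshold from an end point with no preceding authentication; step b: report it; step c: terminate or modify it, e.g. by a firewall rule), as an added Python model written for this page. It is not code from the application, from Tam, or from Buch. The threshold values, service names, addresses, authentication log and connection records are constructed, and the terminate/firewall actions are returned as strings rather than applied to a system.

```python
"""Model of claimed steps a)-c): threshold-based detection of unauthenticated
connections, reporting, and a mitigating action. Example code for this page only."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Claim 5: predefined thresholds keyed by service/protocol (bytes per connection).
# Values are constructed for illustration; a real deployment would tune them.
THRESHOLDS: Dict[str, int] = {"SMB": 5_000_000, "RDP": 2_000_000, "RPC": 1_000_000}
DEFAULT_THRESHOLD = 1_000_000  # assumed fallback for services not listed above


@dataclass(frozen=True)
class Connection:
    conn_id: str
    src: str         # originating end point of the network
    service: str     # SMB / RDP / RPC
    bytes_sent: int  # traffic level carried by the connection


@dataclass
class Verdict:
    conn_id: str
    reported: bool                 # step b): reported as a real or potential attack
    reason: str
    actions: List[str] = field(default_factory=list)  # step c): mitigating actions


# The "preceding authentication" record: (end point, service) pairs for which an
# OS- or application-level login was observed before the connection (claims 6/7).
AuthLog = Set[Tuple[str, str]]


def preceded_by_authentication(conn: Connection, auth_log: AuthLog) -> bool:
    """Step a) precondition: was this end point authenticated for this service?"""
    return (conn.src, conn.service) in auth_log


def classify(conn: Connection, auth_log: AuthLog,
             thresholds: Dict[str, int] = THRESHOLDS) -> Verdict:
    """Apply steps a)-c) to one connection and return the decision taken."""
    limit = thresholds.get(conn.service, DEFAULT_THRESHOLD)
    if conn.bytes_sent <= limit:
        return Verdict(conn.conn_id, False, "traffic within threshold")
    if preceded_by_authentication(conn, auth_log):
        # Excess traffic alone is not the claimed trigger; authentication clears it.
        return Verdict(conn.conn_id, False, "excess traffic but preceded by authentication")
    # Step a) satisfied: over threshold and no preceding authentication.
    verdict = Verdict(
        conn.conn_id, True,
        f"{conn.bytes_sent} bytes over {conn.service} limit {limit} "
        f"from {conn.src} without preceding authentication")
    # Step c): terminate the connection and modify firewall rules (claim 14).
    verdict.actions = [
        f"terminate {conn.conn_id}",
        f"firewall: block {conn.src} -> {conn.service}",
    ]
    return verdict


def run(connections: List[Connection], auth_log: AuthLog) -> List[Verdict]:
    return [classify(c, auth_log) for c in connections]


def reported_ids(verdicts: List[Verdict]) -> List[str]:
    """Connection ids that would be reported to an administrator (step b)."""
    return [v.conn_id for v in verdicts if v.reported]


# Constructed sample data: one authenticated bulk SMB session, one unauthenticated
# bulk SMB session, a small RDP session, and an authenticated bulk RDP session.
AUTH_LOG: AuthLog = {("10.0.0.5", "SMB"), ("10.0.0.7", "RDP")}
CONNECTIONS = [
    Connection("c1", "10.0.0.5", "SMB", 8_000_000),
    Connection("c2", "10.0.0.9", "SMB", 8_000_000),
    Connection("c3", "10.0.0.9", "RDP", 100_000),
    Connection("c4", "10.0.0.7", "RDP", 3_000_000),
]

if __name__ == "__main__":
    for v in run(CONNECTIONS, AUTH_LOG):
        print(v.conn_id, "REPORT" if v.reported else "ok", "-", v.reason, v.actions)
```

Only c2 is reported: it exceeds the SMB threshold and its end point has no preceding authentication record, so the model both reports it and returns the terminate and firewall-rule actions; c1 and c4 carry the same or more traffic but are cleared by the authentication log, and c3 never crosses the threshold.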

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867. The examiner can normally be reached M-F: 8:30am-5pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on 5712727624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and 

/BADRINARAYANAN /Examiner, Art Unit 2496.