DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
This office action is in reply to Applicant’s Response dated 08/02/2021. Claims 1-20 remain pending in the application.
	
Response to Arguments
The Applicant argues (see pages 7-8), with respect to claims 1, 13, and 17, that Lau and Worth do not teach or suggest, alone or in combination, each and every limitation of independent claims 1, 13, and 17, in particular the limitation "wherein the flow session comprises a source port, a source device, a destination device, a destination port, and a communication protocol;". The Applicant argues that nothing in Worth links the tables of Figs. 2A and 2B. They have separate purposes within Worth, and at no point are they combined or can be used to teach "wherein the flow session comprises a source port, a source device, a destination device, a destination port, and a communication protocol;" as required by the claims.
In response to the Applicant’s argument, the Examiner respectfully disagrees. The limitation in question above merely requires that the flow session comprises a source port, a source device, a destination device, a destination port, and a 

The Applicant argues (see page 8) that "the port priority table specifies, for each port, a priority ordered list of destination ports for the port, and the trigger source and condition table specifies destination ports from the priority ordered lists based on the port health status data." This is not the same as "generating a confidence score for each port on the list of common destination ports". A priority is not the same as a confidence score, as it is possible to have a low priority and a high confidence score and/or a high priority and a low confidence. The manner in which Lian uses "priority" does not read on the "confidence" of the referenced claim limitation.

While the Applicant’s specification discloses features that clarify the term “confidence score”, the Applicant is respectfully reminded that although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).

Claim Objections
Claims 4-8, 16 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 13 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Lau et al. (U.S. PGPub 2003/0033430) in view of Worth (U.S. PGPub 2013/0036469).

Regarding claims 1, 13 and 17, Lau teaches A computer-implemented method comprising, on a processor of a network flow monitor: (Lau, see figs. 1, 4 and 6; see 
observing a plurality of data packets as each data packet travels past a connection point; (Lau, see figs. 1, 4 and 6; see paragraph 0024 where flow monitors 150 and 160, which extract addresses of data packets in the network at measuring points 170 and 180…; see paragraph 0035 where flow monitor 160 identifies the destination addresses of data packets flowing through measuring point...)
identifying, from the plurality of data packets, a flow session, (Lau, see figs. 1, 4 and 6; see paragraph 0024 where flow monitors 150 and 160, which extract addresses of data packets in the network at measuring points 170 and 180…; see paragraph 0035 where flow monitor 160 identifies the destination addresses of data packets flowing through measuring point...)
gathering, from the plurality of data packets, directional metadata; (Lau, see figs. 1, 4 and 6; see paragraph 0024 where flow monitors 150 and 160, which extract addresses of data packets in the network at measuring points 170 and 180…; see paragraph 0035 where flow monitor 160 identifies the destination addresses of data packets flowing through measuring point...determine the origin of the data packets; see paragraph 0022 where determine the direction of the flow of data; see paragraph 0050 where determine the direction of data flow between measuring points 170 and 180)
determining, based on the plurality of data packets, a flow direction of the flow session; and (Lau, see figs. 1, 4 and 6; see paragraph 0036 where Flow identifier 
storing the flow session in a database. (Lau, see figs. 1, 4 and 6; see paragraphs 0027-0028 where flow database; see paragraph 0052 where stored in flow database…; see paragraph 0055 where flow database 280 identifies data packets flowing in a direction from source ISP 110 to destination ISP 130...)
However, Lau does not explicitly teach wherein the flow session comprises a source port, a source device, a destination device, a destination port, and a communication protocol;
comparing the source port and the destination port against a list of common destination ports;
Worth teaches wherein the flow session comprises a source port, a source device, a destination device, a destination port, and a communication protocol; (Worth, see Fig. 2A protocol TCP/UDP; see fig. 3; see paragraph 0026 where includes source ports ("src_port") 210-S, destination ports ("dst_port") 210-D, source addresses ("src_addr") 218-S, destination addresses ("dst_addr") 218-D, and a number of addresses associated with each port on the list ("# of hits") 220)
comparing the source port and the destination port against a list of common destination ports; (Worth, see figs. 2B and 3; see abstract where comparing source ports and destination ports in the flow sampled network traffic to a list of approved ports 
It would have been obvious to one of ordinary skill in the art, at the time the invention was filed, to combine Lau and Worth to provide the techniques of the flow session comprises a source port, a source device, a destination device, a destination port, and a communication protocol and comparing the source port and the destination port against a list of common destination ports of Worth in the system of Lau in order to allow for easier tracking and identification of activities or flow data (Worth, see paragraphs 0001 and 0010).

Claims 2-3, 11-12, 14-15 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Lau-Worth in view of Lian et al. (U.S. PGPub 2017/0026227).

Regarding claims 2, 14 and 18, Lau-Worth teaches further comprising: analyzing a set of previously observed flow sessions; (Lau, see figs. 1, 4 and 6; see paragraph 0048 where flow identifier program 360 may compare an identified destination address against other previously identified network addresses stored in network address table 390…)
However, Lau-Worth does not explicitly teach creating the list of common destination ports; and
generating a confidence score for each port on the list of common destination ports.

generating a confidence score for each port on the list of common destination ports. (Lian, see fig. 3; see paragraph 0044 where The system determines destination ports for incoming network traffic using the priority paths and a port priority table (506). The port priority table specifies, for each port, a priority ordered list of destination ports for the port, and the trigger source and condition table specifies destination ports from the priority ordered lists based on the port health status data...; see paragraph 0037 where ports 304a-d can be configured in a priority order (confidence score); see paragraph 0039 where the highest priority (confidence score) monitor ports 304a are in an active state, so that the monitor ports 304a are routing network traffic to the highest priority monitor ports 308a)
It would have been obvious to one of ordinary skill in the art, at the time the invention was filed, to combine Lau-Worth and Lian to provide the techniques of creating the list of common destination ports and generating a confidence score for each port on the list of common destination ports of Lian in the system of Lau-Worth in order to improve the system by allowing network traffic to be routed according to a priority or confidence score (Lian, see paragraph 0039).

Regarding claims 3, 15 and 19, Lau-Worth-Lian teaches wherein each port in the list of common destination ports is included in the set of previously observed flow sessions. (Worth, see fig. 3; see paragraph 0027 where added to the list in association with the previously included port…; see paragraph 0030 where add the particular port to the list of approved ports (e.g., when the network administrator approves of the previously suspicious network activity (flow session))...)
The motivation regarding the obviousness of claims 1, 13 and 17, with respect to the combination of Lau and Worth, also applies to claims 3, 15 and 19.

Regarding claim 11, Lau-Worth teaches all the features of claim 1. However, Lau-Worth does not explicitly teach further comprising: updating, in response to the storing the flow session, the confidence score for each port on the list of common destination ports.
Lian teaches further comprising: updating, in response to the storing the flow session, the confidence score for each port on the list of common destination ports. (Lian, see fig. 3; see paragraph 0044 where The system determines destination ports for incoming network traffic using the priority paths and a port priority table (506). The port priority table specifies, for each port, a priority ordered list of destination ports for the port, and the trigger source and condition table specifies destination ports from the priority ordered lists based on the port health status data...; see paragraph 0037 where ports 304a-d can be configured in a priority order (confidence score); see paragraph 0039 where the highest priority (confidence score) monitor ports 304a are in an active 
It would have been obvious to one of ordinary skill in the art, at the time the invention was filed, to combine Lau-Worth and Lian to provide the technique of updating, in response to the storing the flow session, the confidence score for each port on the list of common destination ports of Lian in the system of Lau-Worth in order to improve the system by allowing network traffic to be routed according to a priority or confidence score (Lian, see paragraph 0039).

Regarding claim 12, Lau-Worth teaches all the features of claim 1. However, Lau-Worth does not explicitly teach wherein the flow session is marked as state 1 in response to determining the flow direction based on the directional metadata.
Lian teaches wherein the flow session is marked as state 1 in response to determining the flow direction based on the directional metadata. (Lian, see fig. 3; see paragraph 0044 where The system determines destination ports for incoming network traffic using the priority paths and a port priority table (506). The port priority table specifies, for each port, a priority ordered list of destination ports for the port, and the trigger source and condition table specifies destination ports from the priority ordered lists based on the port health status data...; see paragraph 0037 where ports 304a-d can be configured in a priority order (confidence score); see paragraph 0039 where the highest priority (confidence score) monitor ports 304a are in an active state, so that the monitor ports 304a are routing network traffic to the highest priority monitor ports 308a)

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Lau-Worth in view of Chen et al. (U.S. PGPub 2010/0235522).

Regarding claim 9, Lau-Worth teaches wherein the protocol is transmission control protocol (TCP), and (Worth, see Fig. 2A protocol TCP/UDP; see fig. 3; see paragraph 0025 where illustrated as "TCP/UDP," …). The motivation regarding the obviousness of claim 1, with respect to the combination of Lau and Worth, also applies to claim 9.
However, Lau-Worth does not explicitly teach directional metadata includes a synchronization (SYN) data packet and an acknowledgement (ACK) data packet.
Chen teaches directional metadata includes a synchronization (SYN) data packet and an acknowledgement (ACK) data packet. (Chen, see fig. 6; see paragraph 0050 where copy the hardware session information (e.g., the destination port) to the session cache entry corresponding to the previously cached new session for the HTTP SYN packet; see paragraph 0039 where packets sent/received within the same HTTP 
It would have been obvious to one of ordinary skill in the art, at the time the invention was filed, to combine Lau-Worth and Chen to provide the technique of the directional metadata includes a synchronization (SYN) data packet and an acknowledgement (ACK) data packet of Chen in the system of Lau-Worth in order to improve response time (Chen, see paragraph 0017).

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Lau-Worth in view of Li et al. (U.S. PGPub 2008/0077705).

Regarding claim 10, Lau-Worth teaches all the features of claim 1. However, Lau-Worth does not explicitly teach wherein the directional metadata is based on the protocol.
Li teaches wherein the directional metadata is based on the protocol. (Li, see figs. 4A-4F; see paragraph 0047 where determining an individual packet's direction based on state information associated with the flow with which the subject packet is associated...recognize TCP SYN packets...recognizes a SYN packet (based on a SYN flag being set in the packet's header), the network device 201 can store the packet's associated L2-L4 information (such as source address/port, destination address/port, protocol, etc.) along with an indication that the packet is traveling...; see also paragraph 0049)

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG VANG whose telephone number is (571)270-7023. The examiner can normally be reached Monday - Friday 8:30 AM - 4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, NICHOLAS TAYLOR can be reached on (571) 272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MENG VANG/ Primary Examiner, Art Unit 2457