DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.

Response to Arguments
Applicant’s arguments, see Remarks, filed 10/26/2021, with respect to the rejection of claims 1 and 13 under 35 U.S.C. § 103(a) have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn. 

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Cheryl Figlin (Reg. 39,562) on 12/16/2021.
Claim 13 is amended as follows:

13. (Currently Amended) An apparatus comprising: 
a network probe, which is configured to monitor request-response transactions exchanged in a computer network without having the request-response transactions pass through the network probe; 
hardware processor, which is connected to the network probe and configured to execute software to: 
evaluate at least one feature of the monitored request-response transactions over request-response transactions known to be associated with first malicious software and request-response transactions known to be not associated with the first malicious software by estimating an aggregated statistical property of the at least one feature over the request-response transactions in the subsets over each of a plurality of different time periods; and 
based on the evaluation of the at least one feature, filter from the monitored request-response transactions at least one request-response transaction having the at least one feature indicating a presence of second malicious software in the request-response transaction, 
wherein the filtered at least one request-response transaction is one of the request-response transactions exchanged between one or more clients and a given host and between one or more hosts and a given client, 
wherein the at least one feature comprises a characteristic of one or more underlying protocols used for transmitting the at least one request-response transaction, and further wherein the processor is further configured to execute software to extract the at least one request-response transaction and to identify whether the request-response transaction is exchanged with the second malicious software that runs in the given client.

----------------------------------END OF EXAMINER’S AMENDMENT--------------------------------

Allowable Subject Matter
Claims 1, 3-5, 7-13, 15-17, and 19-23 are allowed. 
The following is an examiner’s statement of reasons for allowance:
This communication warrants no examiner's reason for allowance, as applicant's reply makes evident the reason for allowance, satisfying the record as a whole as required by rule 37 CFR 1.104 (e). In this case, the substance of applicant's remarks in the Amendment/Remarks (pgs. 9-11) filed on 10/26/2021 points out the reason the claims are patentable over the prior art of record. Thus, the reason for allowance is in all probability evident from the record and no statement for examiner's reason for allowance is necessary (see MPEP 1302.14).
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Refer to PTO-892, Notice of References Cited for a listing of analogous art.
Mahaffey et al. (US 20160099963 A1) teaches aggregating behavioral data and performing statistical analysis on the aggregated data ([0368]).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEXANDER R LAPIAN whose telephone number is (571)272-7552. The examiner can normally be reached M-F 9:30-6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 571-272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

ALEXANDER R. LAPIAN
Examiner

/ALEXANDER R LAPIAN/Examiner, Art Unit 2437   

/MATTHEW SMITHERS/Primary Examiner, Art Unit 2437