DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. Claims 1-19 are pending and examined below. This action is in response to the claims filed 1/13/22.

Response to Amendment
Applicant’s arguments regarding the 35 U.S.C. § 103 rejections (see Applicant Remarks, 35 U.S.C. § 103, filed on 1/13/22) have been fully considered and are not found persuasive.

Applicant’s arguments, pages 7-8, regarding the teachings of Strub covering the increase in data volume in response to the security breach assert that the increase in volume is not caused by a first command to a second portion of data collected. This portion of the claim is disclosed within the combination as a whole rather than explicitly within Strub alone, and is instead disclosed by Hunt as recited below ([0215] discusses the remote server initiating (first command) a deep dive investigation and a node uploading local context data (second portion) related to the event of interest (second rules)). In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).

the collected data itself is not altered; however, the written and cited portion of Strub ¶58 discloses that the flow is altered, not that the data itself is altered. The claim stating that it send[s] a higher volume of the collected data itself is describing an altered flow of data and therefore further affirms the analogousness of the rejection and cited art.

Applicant’s arguments, page 10, regarding the teaching of Strub increasing a collection of data versus the claimed increase in data selected and sent, again argue against the reference alone and not the combination as written. This portion of the claim element is again addressed by Hunt as written below: ([0206] mentions returning (sending) the identified (selected) subset (portion) of the event information to the remote server) and ([0215] discusses the remote server initiating (first command) a deep dive investigation and a node uploading local context data (second portion) related to the event of interest (second rules)).

Further remarks, pages 11-13, simply rely upon previous arguments applied to other claims. Therefore, based upon the arguments above, all rejections are maintained and the rejections are reiterated below.

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 2-7, 11-14, 16, 17, and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Musuvathi (US20180367550) in view of Hunt (US20180013768) and Strub et al. (US20070153689).

Regarding claim 1, Musuvathi discloses a method of probing and responding to a security breach in a computer network, the method comprising (Musuvathi: [0002] describes a system that monitors data traffic patterns and determines illegitimate data traffic that is associated with a cyber-attack.): 
defining a model to output a probability that a security breach has occurred based on an input and to generate commands (Musuvathi: [0047] discusses remedial action (command) that can be taken in response to detection of cyber-attack based on probability output computed by a model based on data instance (first portion) provided as input to the model.);
inputting the selected first portion into the model to obtain an output probability that a security breach has occurred (Musuvathi: [0047] discusses detection of cyber-attack based on probability output computed by a model based on data instance (first portion) provided as input to the model.); 

(c) generating a second command with the model to cause a change in settings at one or more of the first nodes (Musuvathi: [0115] states remedial action (second command) comprises blocking (change in settings) an Internet Protocol (IP) address of a host or a source of the illegitimate data traffic.).
Musuvathi does not disclose:
defining first rules and second rules;
collecting data at a plurality of first nodes according to the first rules, said first nodes forming a first computer network;
storing the collected data at one or more of the plurality of first nodes or at a dedicated storage location on the first computer network;
selecting a first portion of the collected data according to the first rules;
sending the selected first portion from the first nodes to a second node, said second node forming part of a second computer network; and
(b) generating a first command with the model to cause a second portion of the collected data to be selected and sent from the first nodes to the second node according to the second rules, wherein the second portion of the collected data comprises a portion of the collected data different than the first portion of collected data.
Hunt discloses:
defining first rules and second rules (Hunt: [0208] discusses defining one or more (first and second) filtering criteria (rules).);
storing the collected data at one or more of the plurality of first nodes or at a dedicated storage location on the first computer network (Hunt: [0208] discloses that the event information is provided to the local database; therefore, the collected information is stored in the local database.);
selecting a first portion of the collected data according to the first rules (Hunt: [0206] a node identifies (selecting) a subset (first portion) of event information and [0208] discusses filtering criteria (first rules).);
sending the selected first portion from the first nodes to a second node, said second node forming part of a second computer network (Hunt: [0206] mentions returning (sending) the identified (selected) subset (portion) of the event information to the remote server); and
(b) generating a first command with the model to cause a second portion of the collected data to be selected and sent from the first nodes to the second node according to the second rules, wherein (Hunt: [0215] discusses the remote server initiating (first command) a deep dive investigation and a node uploading local context data (second portion) related to the event of interest (second rules).)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Musuvathi with the teachings of 
Musuvathi in view of Hunt does not explicitly disclose a dynamic increase in volume of data in response to the security breach; however, Strub discloses a method of monitoring malicious traffic in communications networks including the second rules are dynamically created in response to the detected security breach to at least select and send a higher volume of the collected data based on the detected security breach (Strub: [0058] discusses increasing the sampling rate in response to a detected attack, corresponding to the recited dynamic rules in response to a breach where the rules include sending a higher volume of the collected data), and wherein the collected data itself is not altered (Strub: [0058] discloses sampling packets, which does not discuss altering or changing the data).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Musuvathi in view of Hunt with the teachings of Strub, in order to focus on traffic which relates to a particular suspected or detected threat (Strub: Abstract).

Regarding claim 17, the claim is rejected under same rationale as applied to claim 1 above.

Regarding claim 2, Hunt discloses, sending of the selected first and second portions is performed at first predetermined time intervals (Hunt: [0205] - [0206] states that subsets of 

Regarding claim 3, Hunt discloses, if the output probability meets predetermined criteria (Hunt: [0073] states detection of IOC (criteria) indicates high probability of compromise), generating a third command with the model to cause the length of time between each of the first predetermined time intervals to be changed (Hunt: [0205] states remote server periodically deploys the integrity reporting request (third command) at predetermined schedule.  Therefore, time intervals can be changed.).

Regarding claim 4, Hunt discloses, changing that comprises decreasing the length of time between each of the first predetermined time intervals (Hunt: [0205] states that the intervals are predetermined.  So, time intervals can be increased or decreased.).

Regarding claim 5, Hunt discloses, a method wherein said inputting is performed at the first nodes (Hunt: [0206] states requested information is received (inputting) by the remote server (first nodes)); and said first, second, and third commands are generated by the model at the first node (Hunt: [0205] states remote server (model and first node) periodically deploys the integrity reporting request. Since request (command) is deployed periodically, first, second, and third requests (commands) occur over time.).

Regarding claim 6, Hunt discloses, a method wherein said inputting is performed at the second node (Hunt: [0206] states requested information is received (inputting) by the remote server (first nodes)); and said first and third commands are generated by the model at the second node (Hunt: [0205] states remote server (model and first node) periodically deploys the integrity reporting request. Since the request (command) is deployed periodically, first, second, and third requests (commands) occur over time.).

Regarding claim 7, Musuvathi discloses defining a model comprises training a neural network using a training data set (Musuvathi: [0029] states number of processing nodes (neural network) provides training data subsets locally, and in further generates a global model as mentioned in [0033].); 
and said defining first and second rules is performed by the trained neural network (Musuvathi: [0105] states that a set of global model parameters (first and second rules) are generated).

Regarding claim 11, Hunt discloses a method comprising defining third rules; and if the output probability meets predetermined criteria (Hunt: [0073] states detection of IOC (criteria) indicates high probability of compromise): generating a fourth command with the model to cause a third portion of the collected data to be selected according to the third rules and sent from the first nodes to the second node (Hunt: [0209] discusses integrity reporting request (fourth command) and the integrity reporting criterion can include two or more filtering criteria (third rules).); and


Regarding claim 12, Musuvathi discloses a method wherein the first, second and third portions comprise one or more selected from the list of: program or file hashes, files stored at the first nodes, logs of network traffic, logs of network connections (Musuvathi: [0046] states features of data instance (portions) comprise a number of sources or hosts identifiable via IP addresses that attempt to establish a connection in a defined period of time.), process logs, binaries or files carved from memory, and logs from monitoring actions executed by programs running at the first nodes.

Regarding claim 13, Musuvathi discloses a method wherein said training data set is compiled from said logs from monitoring actions executed by programs running at the first node and said training is determined to be complete when a predetermined error rate threshold has been met or when the model has been trained on a predetermined amount of training data (Musuvathi: [0058] states training data subset includes data instances of a feature set (logs) and a label indicating whether received data traffic comprises a known cyber-attack. [0045] mentions training data subset that includes quantities (amount) of training data instances (Fig. 3) to complete a training for a model.).

Regarding claim 14, Hunt discloses, a method comprising storing the collected data at one or more of the first nodes, or at a dedicated storage location on the first computer network (Hunt: [0202] states event information is stored locally in the local database of the respective node.).

Regarding claim 16, Musuvathi discloses a method wherein said change in settings comprises one or more of the list of: preventing one or more of the first nodes from being switched off; switching on a firewall at one or more of the first nodes (Musuvathi: [0115] states remedial action (second command) comprises blocking (change in settings) an Internet Protocol (IP) address of a host or a source of the illegitimate data traffic.); warning a user of one or more of the first nodes that signs of a security breach have been detected; and/or sending a software update to one or more of the first nodes.

Regarding claim 18, Musuvathi discloses a computer program product comprising a non-transitory computer storage medium having computer code stored thereon which, when executed on a computer system, causes the network security system to perform operations according to claim 17 (Musuvathi: [0138] states that all of the methods and processes described may be embodied in, and fully automated via, software code modules executed by one or more general purpose computers or processors).

Regarding claim 19, Hunt discloses the second portion of the collected data comprises a portion of the collected data different than the first portion of collected data (Hunt: [0206] 

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Musuvathi (US20180367550) in view of Hunt (US20180013768) and Strub et al. (US20070153689) as applied to the parent claim above, and further in view of Wright (US20180063190).

Regarding claim 8, Musuvathi in view of Hunt and Strub discloses the invention as in the parent claim above.
Musuvathi in view of Hunt and Strub does not disclose, a method wherein said defining a model comprises defining exact or heuristic rules.
Wright discloses, a method wherein said defining a model comprises defining exact or heuristic rules (Wright: [0056] states models possessing heuristic properties.).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Musuvathi and Hunt with the teachings of Wright, in order to provide methods for identifying phishing websites and hindering associated activity.

Claims 9 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Musuvathi (US20180367550) in view of Hunt (US20180013768) and Strub et al. (US20070153689) as applied to the parent claim above, and further in view of Lam (US20200028874).

Regarding claim 9, Musuvathi in view of Hunt and Strub discloses the invention as in the parent claim above.
Musuvathi in view of Hunt and Strub does not disclose, a method wherein said defining a model comprises defining a fuzzy logic based model.
Lam discloses, a method wherein said defining a model comprises defining a fuzzy logic based model (Lam: [0055] discusses fuzzy logic models.).
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Musuvathi in view of Hunt and Strub with the teachings of Lam, in order to provide methods for responding to cyberattacks using counter intelligence bot technology as taught by Lam.

Claims 9 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Musuvathi (US20180367550) in view of Hunt (US20180013768) and Strub et al. (US20070153689) as applied to the parent claim above, and further in view of Howard (US20180288126).

Regarding claim 10, Musuvathi in view of Hunt and Strub discloses the invention as in the parent claim above.
Musuvathi in view of Hunt and Strub does not disclose, a method wherein said defining a model comprises defining a statistical inference based model.

It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Musuvathi in view of Hunt and Strub with the teachings of Howard, in order to provide methods for detection of intentional and non-intentional anomalies on dedicated IP surveillance networks as taught by Howard.

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Musuvathi (US20180367550) in view of Hunt (US20180013768) and Strub et al. (US20070153689) as applied to the parent claim above, and further in view of Tanzer (US20070255818).

Regarding claim 15, Musuvathi in view of Hunt and Strub discloses the invention as in the parent claim above.
Musuvathi in view of Hunt and Strub does not disclose, a method comprising generating a command with the model to cause the remainder of the collected data which does not form part of the first, the second or the third portion to be sent from the first nodes to the second node.
Tanzer discloses, a method comprising generating a command with the model to cause the remainder of the collected data which does not form part of the first, the second or the third portion to be sent from the first nodes to the second node (Tanzer: [0069] states remaining capture data is transmitted to the collecting server.).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Matthew J Reda whose telephone number is (408)918-7573.  The examiner can normally be reached on Monday - Friday 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hunter Lonsberry can be reached on (571) 272-7298.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/M.J.R./ Examiner, Art Unit 3665
/HUNTER B LONSBERRY/ Supervisory Patent Examiner, Art Unit 3665