DETAILED ACTION
	Claims 1-20 are pending. This communication is in response to an application filed on April 10, 2020 which claims priority to 15/173489 filed on June 3, 2016 as Patent 10,623,283 which claims priority to a provisional filed on June 5, 2015.
	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

	Claim 1 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Step 2A, Prong 1: The claim(s) recite(s) an idea of detecting a plurality of traffic flows, then determining a plurality of entropies associated with the plurality of flows; determining an amount based on the plurality of flows; and determining whether an entropy of the plurality of entropies is greater or less than the amount, to be deemed anomalous or normal. Step 2B, Prong 2: This judicial exception is not integrated into a practical application because it is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, other than reciting “implemented a computer,” nothing in the claim element precludes the step from practically being performed in the mind. The claim encompasses the user (or using a generic computer) evaluating abnormal flow based on an entropy collected. Hence, it does not take the claim limitation out of the mental processes grouping. Thus, the claim 
	Claims 2-7 are rejected as being dependent on claim 1.
Regarding claims 8-20, the claims recite the computer program product and the system for detecting anomalous flows that carry out the method of claim 1. They are rejected for the same reasoning presented in the claim 1 rejection above.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 4, 8, 11, 15 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over NPL Jan-2013 - Entropy based Anomaly Detection System to Prevent DDoS Attacks in Cloud (hereinafter Navaz) in view of  NPL Feb 2015 - An Entropy-Based Network Anomaly Detection Method (hereinafter Berezinski). Both NPLs provided by Applicant 
 	Regarding claim 1, Navaz discloses detecting a plurality of flows; determining a plurality of entropies associated with the plurality of flows (page 45, sections 8.2 to 8.3 disclose analyzing the change in entropy between two traffic distributions); 
 	determining an amount based on the plurality of flows (page 46, right column, 3rd paragraph states “System administrator assigns a threshold (e.g. amount) value for packets.”); 
	determining whether an entropy of the plurality of entropies is greater than the amount; in response to the entropy of the plurality of entropies being greater than the amount, determining the associated flow of the plurality of flows is anomalous; and in response to the entropy of the plurality of entropies being less than or equal to the amount, determining the associated flow of the plurality of flows is normal (pages 45-46, Sections 8.2 to 8.4 disclose entropy-based traffic analysis in which a normalized entropy value H(x), based on the Shannon-Wiener index scheme, is obtained from collecting a sample of packet header fields. This value is compared to a threshold for anomaly. Note that in Navaz an anomaly is found if H(x) < Threshold, not if it is greater than the amount as claimed. However, Berezinski discloses an Anode architecture for analysis, also based on entropy, where a threshold can be represented such that values rα (xi) < 0 or rα (xi) > 1 are abnormal (Berezinski modifies Shannon’s scheme where entropy value is set to 1 from α (pages 2378-2380)). Therefore, it would have been obvious before the effective filing date of the claimed invention to modify Navaz with Berezinski to teach the claimed features. One would have done so to arrive at the claimed invention with a reasonable expectation of success using a known entropy analysis scheme such as Shannon’s). 
	Regarding claim 4, Navaz and Berezinski disclose wherein at least one of the plurality of entropies is associated with at least one of a plurality of header fields, the plurality of header fields have various entropy values, and the at least one of the plurality of header fields is a packet identification field of Internet Protocol version 4 standard (as presented in the claim 1 rejection, entropy analysis is obtained from data in a header field. Furthermore, Navaz discloses measuring the entropy of packets over nd paragraph).

	Regarding claims 8 and 15, the claims are rejected in view of claim 1.

	Regarding claims 11 and 18, the claims are rejected in view of claim 4.

Claims 3, 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Navaz in view of Berezinski and further in view of PG Pub 20130055373 (hereinafter Beacham)
	Regarding claim 2, Navaz discloses that the threshold value mainly depends on the false positive rate (page 46, last sentence of 3rd paragraph). Berezinski also discusses efficiency for false-positive rate using various schemes, and Shannon is the worst (page 2398). But neither Navaz nor Berezinski discloses providing a buffer when the amount is greater than a second entropy of the plurality of entropies. Beacham discloses that a threshold value can be adjusted (buffered) to improve false positives (Fig. 5 and related paragraph). Therefore, it would have been obvious before the effective filing date of the claimed invention to modify Navaz and Berezinski with Beacham to teach the claimed features. One would have done so to make the detection more efficient, with fewer false positives.

	Regarding claims 9 and 16, the claims are rejected in view of claim 2.

Claims 3, 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Navaz in view of Berezinski and further in view of PG Pub  20150256555 (hereinafter Choi)
	Regarding claim 3, neither Navaz nor Berezinski discloses wherein the plurality of flows includes a portion of flows detected via a first sensor installed on a first endpoint, the first endpoint is a destination for the portion of flows, the detecting of the plurality of flows includes detecting, via a second sensor associated with a second endpoint, the portion of flows, and the second endpoint is a source for the portion of flows. However, installing traffic data collectors at various devices is known. Choi discloses this feature (Fig. 3 and related paragraphs). Therefore, it would have been obvious before the effective filing date of the claimed invention to modify Navaz and Berezinski with Choi to teach the claimed features. One would have done so to benefit from the use of trace agents installed among computer machines (Choi, Summary section).

 	Regarding claims 10 and 17, the claims are rejected in view of claim 3.

	Claims 5-7, 12-14 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Navaz in view of Berezinski and further in view of PG Pub 20130198839 (hereinafter Wei)
	Regarding claim 5, Berezinski discloses entropy analyses for DDoS attacks applied to TCP SYN flood attack (page 2370, Kim et al. - NPL April-2004 - a flow-based method for abnormal network traffic detection. Presented at IEEE/IFIP Network  wherein at least one of the plurality of entropies includes associated with at least one of a plurality of header fields, the plurality of header fields have various entropy values, and the at least one of the plurality of header fields is a time to live field and/or a sequence identifier field. Wei discloses that detecting a SYN flooding attack can apply to any value in the header field, including time to live and sequence number fields, and further discusses analysis on the sequence number (par. [0058]-[0060]). Note that Wei does not use entropy scheme analyses, but Shannon entropy analysis is an algorithm that is based on a distribution of any value in the header field in the form of a probability distribution p(X = xi) of a discrete random variable X, as shown on page 2373 of Berezinski and pages 45-46 of Navaz. Therefore, it would have been obvious before the effective filing date of the claimed invention to modify Navaz and Berezinski with Choi to teach the claimed features. One would have done so as an obvious variation for entropy-based analysis using information obtained from the header field including the sequence number.
	
	Regarding claims 6-7, Wei further discloses determining an expected sequence identifier field wherein the determining of the plurality of entropies includes determining a difference between the expected sequence identifier field and a detected sequence identifier field (again, a flooding attack occurs when sequence numbers between packets appear out of sequence (not expected). Hence an entropy analysis on the distribution of sequence numbers in a plurality of flows would show whether an anomaly occurs or not). 
	
	Regarding claims 12-14, the claims correspond to the rejections of claims 5-7. Therefore, the claims are rejected in view of claims 5-7 respectively.

	Regarding claims 19-20, the claims are rejected in view of claims 5-7.
	
INQUIRY COMMUNICATION
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRI M TRAN whose telephone number is (571) 270-1994. The examiner can normally be reached Mon-Fri: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and 

/TRI M TRAN/Primary Examiner, Art Unit 2432