DETAILED ACTION
This non-final action is in response to application filed on 17 May 2019. Claims 1-20 are pending, with claims 1, 19 and 20 being independent. 

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 17 May 2019 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA 35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA 35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claim 6 is rejected under 35 U.S.C. 112(d) or pre-AIA 35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends. Although claim 6 depends from a previous claim, claim 6 fails to specify a further limitation of the subject matter of claim 1 because it is completely outside the scope of claim 1. In other words, claim 6 fails to narrow the scope of claim 1. Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-5, 7-8, 10 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Khatri et al. (US 2015/0156212, published Jun. 4, 2015) and Livingood et al. (NPL: rfc6561, published March 2012).
As per claim 1, Khatri discloses: 
obtaining threat information (Khatri abstract, receive a malicious packet marker), the threat information identifying one or more indicators of compromise (IOC) corresponding to suspected or known malicious network traffic (Khatri par. 19, a list of malicious packet markers, such as malicious IP addresses, malicious MAC addresses, suspected suspicious port accesses, tags that indicate the presence of malicious code, or the like);
generating a control list (CL) corresponding to the threat information (Khatri abstract, store the malicious packet marker to the memory), the CL describing rules for identifying network flows to be logged in a network log (Khatri abstract, determine that a packet matches the malicious packet marker, and store log information from the packet to the memory); 
obtaining the network log identifying the network flows (Khatri par. 19, log module 132 operates to receive information from NIC 150 regarding the network traffic flows, and records the information in logs 134 such that MC 180 can retrieve the information and provide it to management system 190).
Khatri does not explicitly disclose:
identifying a suspect network flow identified by both the threat information and the network log; 
identifying an address corresponding to the suspect network flow; 
correlating the address with a user identifier; and 
issuing a notification to a user associated with the user identifier, the notification indicating a suspected existence of a malicious bot.
Livingood teaches:
identifying a suspect network flow identified by both the threat information and the network log (Livingood pg. 11, An ISP may use Netflow [RFC3954] or other similar passive network monitoring to identify network anomalies that may be indicative of botnet attacks or bot communications. For example, an ISP may be able to identify compromised hosts by identifying traffic destined to IP addresses associated with the command and control of botnets);
identifying an address corresponding to the suspect network flow (Livingood pg. 11, an ISP may be able to identify compromised hosts; Livingood pg. 12, Once an ISP has detected a bot, or the strong likelihood of a bot, steps should be undertaken to inform the Internet user that they may have a bot-related problem… ISPs should maintain a record of the allocation of IP addresses to subscribers for a period long enough to allow any commonly used bot detection technology to be able to accurately link an infected IP address to a subscriber); 
correlating the address with a user identifier (Livingood pg. 12, ISPs should maintain a record of the allocation of IP addresses to subscribers for a period long enough to allow any commonly used bot detection technology to be able to accurately link an infected IP address to a subscriber); and 
issuing a notification to a user associated with the user identifier (Livingood pg. 12, Once an ISP has detected a bot, or the strong likelihood of a bot, steps should be undertaken to inform the Internet user that they may have a bot-related problem), the notification indicating a suspected existence of a malicious bot (Livingood pg. 12, Once an ISP has detected a bot, or the strong likelihood of a bot, steps should be undertaken to inform the Internet user that they may have a bot-related problem; Livingood pg. 14, Walled gardens are effective because it is possible to notify the user and simultaneously block all communication between the bot and the command and control channel).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Khatri with the teaching of Livingood 

As per claim 2, Khatri-Livingood discloses the method of claim 1. Khatri also discloses wherein the control list is an access control list (ACL) (Khatri abstract, store the malicious packet marker to the memory… determine that a packet matches the malicious packet marker, and store log information from the packet to the memory).

As per claim 3, Khatri-Livingood discloses the method of claim 1. Khatri does not explicitly disclose further comprising obtaining the threat information from a third-party threat intelligence provider.
Livingood teaches:
obtaining the threat information from a third-party threat intelligence provider (Livingood pg. 11, a well-known list of domains associated with malware. In many cases, such lists are distributed by or shared using third parties, such as threat data clearinghouses).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Khatri with the teaching of Livingood for obtaining the threat information from a third-party threat intelligence provider. One of 

As per claim 4, Khatri-Livingood discloses the method of claim 1. Khatri also discloses wherein the threat information comprises one or more of an address (Khatri par. 19, a list of malicious packet markers, such as malicious IP addresses, malicious MAC addresses, suspected suspicious port accesses, tags that indicate the presence of malicious code, or the like), a source or destination port, a protocol, a payload type, a payload size, contents of a payload, identification of a network traffic pattern, a match of the network traffic pattern with known threat signatures, headers or header metadata, a protocol type, a file analysis, frequency of beaconing, and a hash value.

As per claim 5, Khatri-Livingood discloses the method of claim 4. Khatri also discloses wherein the address is one of a destination IP address, a source IP address (Khatri claim 9, the malicious packet marker includes at least one of a source Internet Protocol (IP) address, a destination IP address, a port address, and a protocol), a command and control IP address, an IP address for a phishing website, a domain name, and a packet signature.

As per claim 7, Khatri-Livingood discloses the method of claim 1. Khatri does not explicitly disclose wherein the notification is issued via an email, postal mail, or an in-browser notification.
Livingood teaches:

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Khatri with the teaching of Livingood such that the notification is issued via an email, postal mail, or an in-browser notification. One of ordinary skill in the art would have been motivated because it offers the advantage of informing the user that they may have a bot-related problem.

As per claim 8, Khatri-Livingood discloses the method of claim 1. Khatri also discloses wherein the threat information is a blacklist of IP addresses known or suspected to correspond to malicious network traffic (Khatri par. 19, a list of malicious packet markers, such as malicious IP addresses, malicious MAC addresses, suspected suspicious port accesses, tags that indicate the presence of malicious code, or the like).

As per claim 10, Khatri-Livingood discloses the method of claim 1. Khatri-Livingood also discloses further comprising identifying one or more networked devices that are sending the suspect network flow and are potentially infected by the malicious bot (Livingood pg. 11, an ISP may be able to identify compromised hosts by identifying traffic destined to IP addresses associated with the command and control of botnets). The same rationale as in claim 1 applies.



Claim 20 is a system claim reciting similar subject matter to that recited in method claim 1, and is similarly rejected. Khatri-Livingood also discloses a system (Khatri Fig. 5, system 500) for botnet detection and mitigation (Livingood section 4: Detection of Bots and section 6: Remediation of Hosts Infected with a Bot) comprising: a memory; and at least one processor, coupled to said memory, and operative to perform operations (Khatri Fig. 5, system 500).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Khatri et al. (US 2015/0156212, published Jun. 4, 2015), Livingood et al. (NPL: rfc6561, published March 2012) and Ronen et al. (US 2003/0101357, published May 29, 2003).
As per claim 6, Khatri-Livingood discloses the method of claim 1. Khatri-Livingood does not explicitly disclose wherein metadata associated with the processed network traffic is logged in an incident and event reporting system by a cable-modem termination system.
Ronen teaches:
metadata associated with the processed network traffic is logged in an incident and event reporting system by a cable-modem termination system (Ronen pars. 145-146, A CMTS 910 generates records 916 based on traffic through cable access network 902… the incoming and outgoing byte count field from record 916).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Khatri with the teaching of Ronen such that metadata associated with the processed network traffic is logged in an incident and event reporting system by a cable-modem termination system. One of ordinary skill in the art would have been motivated because it offers the advantage of providing traffic information for further analysis.

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Khatri et al. (US 2015/0156212, published Jun. 4, 2015), Livingood et al. (NPL: rfc6561, published March 2012) and Turbin (US 2015/0074807, published Mar. 12, 2015).
As per claim 9, Khatri-Livingood discloses the method of claim 1. Khatri-Livingood does not explicitly disclose further comprising comparing the threat information and a white list, and removing addresses that are on the white list from the threat information.
Turbin teaches:
comparing the threat information and a white list, and removing addresses that are on the white list from the threat information (Turbin par. 10, comparing the IP 
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Khatri with the teaching of Turbin for comparing the threat information and a white list, and removing addresses that are on the white list from the threat information. One of ordinary skill in the art would have been motivated because it offers the advantage of improving the accuracy of the list.
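The following Python is an added illustration, not code from the application or from any of the cited references, of the method of claim 1 as mapped above (threat information with IOCs, a control list, a network log, address-to-subscriber correlation, and a notification) together with the white-list filtering of claim 9. Every feed entry, log line, address and allocation record is constructed; the NetFlow-like log format and the lease-based allocation table are assumptions chosen to show why the allocation record must cover the time of the flow.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

THREAT_INFO = ["203.0.113.10", "198.51.100.7", "192.0.2.44"]  # constructed IOC feed
WHITE_LIST = ["192.0.2.0/24"]                                   # constructed white list
NETWORK_LOG = """\
2019-05-17T10:00:01Z 10.0.0.5 203.0.113.10 443 tcp
2019-05-17T10:00:02Z 10.0.0.5 93.184.216.34 80 tcp
2019-05-17T10:00:05Z 10.0.0.9 198.51.100.7 6667 tcp
2019-05-17T10:00:09Z 10.0.0.9 192.0.2.44 53 udp
"""  # constructed log: timestamp, source, destination, destination port, protocol
ALLOCATIONS = [  # constructed: (subscriber, ip, lease start, lease end)
    ("sub-001", "10.0.0.5", "2019-05-17T00:00:00Z", "2019-05-18T00:00:00Z"),
    ("sub-002", "10.0.0.9", "2019-05-17T09:00:00Z", "2019-05-17T10:00:07Z"),
    ("sub-003", "10.0.0.9", "2019-05-17T10:00:07Z", "2019-05-18T00:00:00Z"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_control_list(threat_info, white_list):
    """Claim 9 step: drop any IOC inside a white-listed network, then use the
    remaining addresses as the control list (CL) that selects flows to log."""
    nets = [ip_network(n) for n in white_list]
    return {a for a in threat_info if not any(ip_address(a) in n for n in nets)}

@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str

def parse_log(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(parse_ts(ts), src, dst, int(dport), proto))
    return flows

def suspect_flows(flows, control_list):
    """A flow is suspect when it is identified by both the threat information
    (its destination is on the CL) and the network log (it was actually seen)."""
    return [f for f in flows if f.dst in control_list]

def subscriber_for(ip, ts, allocations):
    """Correlate an address with a user identifier via the allocation record
    valid at the time of the flow; with dynamic leases the timestamp matters."""
    for sub, alloc_ip, start, end in allocations:
        if alloc_ip == ip and parse_ts(start) <= ts < parse_ts(end):
            return sub
    return None

def notifications(threat_info, white_list, log_text, allocations):
    cl = build_control_list(threat_info, white_list)
    out = []
    for f in suspect_flows(parse_log(log_text), cl):
        sub = subscriber_for(f.src, f.ts, allocations)
        if sub is None:
            continue  # no record covers that time: cannot attribute, so do not notify
        out.append({"subscriber": sub, "host": f.src, "ioc": f.dst,
                    "message": "suspected malicious bot activity"})
    return out

if __name__ == "__main__":
    for n in notifications(THREAT_INFO, WHITE_LIST, NETWORK_LOG, ALLOCATIONS):
        print(n)
```

The flow to 192.0.2.44 is never flagged because the white list removed that IOC before the control list was built, and the second subscriber on 10.0.0.9 is not notified because the suspect flow predates that lease.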

Claims 11 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Khatri et al. (US 2015/0156212, published Jun. 4, 2015), Livingood et al. (NPL: rfc6561, published March 2012) and Mushtaq et al. (US 9,430,646, patented Aug. 30, 2016).
As per claim 11, Khatri-Livingood discloses the method of claim 1. Khatri also discloses further comprising identifying one or more corresponding indicators of compromise (Khatri abstract, determine that a packet matches the malicious packet marker). 
Khatri-Livingood does not explicitly disclose:
performing a deep packet inspection on the suspect network flow, and determining if the suspect network flow matches known threat detection signatures
Mushtaq teaches:
performing a deep packet inspection on network flow (Mushtaq Fig. 3A, perform deep packet inspection and analysis at 332), and determining if network flow matches 
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Khatri with the teaching of Mushtaq for performing a deep packet inspection on the suspect network flow, and determining if the suspect network flow matches known threat detection signatures. One of ordinary skill in the art would have been motivated because it offers the advantage of detecting malicious communications.

As per claim 17, Khatri-Livingood discloses the method of claim 1. Khatri-Livingood does not explicitly disclose further comprising rerouting a packet to a deep packet inspection device to determine if the packet is malicious.
Mushtaq teaches:
rerouting a packet to a deep packet inspection device to determine if the packet is malicious (Mushtaq Fig. 3A and 4:30-31, FIG. 3A is flow chart of a method for deep packet investigation).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Khatri with the teaching of Mushtaq for rerouting a packet to a deep packet inspection device to determine if the 

As per claim 18, Khatri-Livingood-Mushtaq discloses the method of claim 17. Khatri-Livingood-Mushtaq also discloses wherein the deep packet inspection device (Mushtaq Fig. 3A and 4:30-31, FIG. 3A is flow chart of a method for deep packet investigation) blocks the packet in response to determining that the packet is malicious (Livingood pg. 14, Walled gardens are effective because it is possible to notify the user and simultaneously block all communication between the bot and the command and control channel). The same rationale as in claims 1 and 17 applies.

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Khatri et al. (US 2015/0156212, published Jun. 4, 2015), Livingood et al. (NPL: rfc6561, published March 2012) and Barth et al. (US 9,100,206, patented Aug. 4, 2015).
As per claim 12, Khatri-Livingood discloses the method of claim 1. Khatri-Livingood does not explicitly disclose further comprising configuring a cable-modem termination system to block the suspect network flow corresponding to malicious network traffic or to reroute the suspect network flow to a deep packet inspection device.
Barth teaches:
configuring a cable-modem termination system to block the suspect network flow corresponding to malicious network traffic or to reroute network flow to a deep packet inspection device (Barth claim 7, applying the at least one subscriber-specific service to 
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Khatri with the teaching of Barth for configuring a cable-modem termination system to block the suspect network flow corresponding to malicious network traffic or to reroute network flow to a deep packet inspection device. One of ordinary skill in the art would have been motivated because it offers the advantage of analyzing packets in order to filter traffic.

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Khatri et al. (US 2015/0156212, published Jun. 4, 2015), Livingood et al. (NPL: rfc6561, published March 2012) and Doctor et al. (US 2014/0096251, published Apr. 3, 2014).
As per claim 13, Khatri-Livingood discloses the method of claim 1. Khatri-Livingood does not explicitly disclose further comprising removing the malicious bot by running anti-virus software, upgrading an operating system (OS) of a device, or both.
Doctor teaches: 
removing the malicious bot by running anti-virus software (Doctor par. 24, antivirus and anti-malware producers may use the published information to provide updates for their software to remove the malware utilized by a botnet), upgrading an operating system (OS) of a device, or both.
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Khatri with the teaching of Doctor.

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Khatri et al. (US 2015/0156212, published Jun. 4, 2015), Livingood et al. (NPL: rfc6561, published March 2012) and Bahl (US 2008/0189788, published Aug. 7, 2008).
As per claim 14, Khatri-Livingood discloses the method of claim 1. Khatri-Livingood does not explicitly disclose further comprising soliciting a user associated with a network device to review and approve a mitigation action before the mitigation action is initiated.
Bahl teaches:
soliciting a user associated with a network device to review and approve a mitigation action before the mitigation action is initiated (Bahl par. 67, the machine may inform the user of the new risk level and ask the user to confirm the triggering of specific mitigating actions).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Khatri with the teaching of Bahl for soliciting a user associated with a network device to review and approve a mitigation action before the mitigation action is initiated. One of ordinary skill in the art would have been motivated because it offers the advantage of allowing the user to decide whether to proceed with the mitigating action.

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Khatri et al. (US 2015/0156212, published Jun. 4, 2015), Livingood et al. (NPL: rfc6561, published March 2012) and Kallos et al. (US 2018/0375882, published Dec. 27, 2018).
As per claim 15, Khatri-Livingood discloses the method of claim 1. Khatri-Livingood does not explicitly disclose further comprising generating statistical data and metrics related to network traffic that is identified as malicious.
Kallos teaches:
generating statistical data and metrics related to network traffic that is identified as malicious (Kallos par. 7, Traditional malicious traffic detection mechanisms depend on techniques including network traffic interception and analysis or network connection summarization which can determine key characteristics of a network connection such as source and destination addresses, source and destination ports and a protocol).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Khatri with the teaching of Kallos for generating statistical data and metrics related to network traffic that is identified as malicious. One of ordinary skill in the art would have been motivated because it offers the advantage of providing characteristics of known malicious traffic.

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Khatri et al. (US 2015/0156212, published Jun. 4, 2015), Livingood et al. (NPL: rfc6561, published March 2012), Kallos et al. (US 2018/0375882, published Dec. 27, 2018) and Takahashi (US 2008/0244703, published Oct. 2, 2008).

Khatri-Livingood-Kallos does not explicitly disclose:
logging a time of an inspection.
Takahashi teaches:
logging a time of an inspection (Takahashi par. 92, stores the date and time in the inspection date and time 1604 when the inspection is executed).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Khatri with the teaching of Takahashi for logging a time of an inspection. One of ordinary skill in the art would have been motivated because it offers the advantage of providing a record of the inspection.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20190253504 A1; System And Method For Bot Detection

US 20170374084 A1; Botnet Detection System And Method
A system and method are provided for detecting a botnet in a network based on traffic flow, daisy chained mechanism and white-list generation mechanism.
US 20200021647 A1; Method Of P2P Botnet Detection Based On Netflow Sessions
The present invention relates to detecting peer-to-peer (P2P) botnets; more particularly, to an unsupervised algorithm of finding out a lot of flows having similar behaviors for marking out known or unknown botnets.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHANG DO whose telephone number is (571)270-7837. The examiner can normally be reached Monday-Friday 8:00 - 5:00 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SALEH NAJJAR can be reached on (571)272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KHANG DO/Primary Examiner, Art Unit 2492