Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendments
The amended claims 1-5, 7-12 and 14-19 were considered under 35 USC 112, 101 and 103 for patentability over the closest and analogous prior arts Gong et al (US 20160065601), hereafter Gong, and Saxe (US 10635813), hereafter Sax. Applicant's arguments have been fully considered and are persuasive. Claims 6, 13 and 20 are cancelled.

Allowable Subject Matter
1.	Amended claims 1-5, 7-12 and 14-19 are allowed in light of applicant’s arguments, approved examiner’s proposed amendments and in light of prior art(s) made of record. 

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  Authorization for this examiner’s amendment was given in an interview with Samir Bhavsar (attorney) for filed amended claims:
(Currently Amended) An information security system comprising:
    a network comprising a plurality of data resources configured to store data;
    an emulated network comprising copies of the plurality of data resources; and
    a hardware processor configured to:
        monitor data transmissions within the network;
        detect a first attack by a malicious software element, wherein the first attack attempts to transmit a first portion of data from a data resource in the network to a device located outside of the network;
        detect a second attack by the malicious software element within a predetermined time interval from the first attack, wherein:
            the second attack reduces a data transfer file size that does not exceed a predefined data transfer limit during an exfiltration attempt to transmit a second portion of data from the data resource in the network to the device located outside of the network; and
            the second portion of data from the data resource has a smaller file size than the first portion of data from the data resource;
        transfer the malicious software element from the network to the emulated network in response to detecting the second attack;
        generate an attack log comprising behavior characteristics for attacks performed by the malicious software element in the emulated network, wherein the behavior characteristics identify:
            data resources affected by the software element and file sizes for data transmission attempts by the malicious software element; and
            an attack type indicating a technique used by the malicious software element; and
        train a machine learning model based on behavior characteristics from the attack log, wherein the machine learning model is configured to:
            receive behavior characteristics of the malicious software element; and
            output a threat response indicating an action to perform on the malicious software element based at least in part on the behavior characteristics of the malicious software element.
 
8. (Currently Amended) A threat detection method, comprising: monitoring,reduces a data transfer file size that does not exceed a predefined data transfer limit during an exfiltration attempt and file sizes for data transmission attempts by the malicious software element; and an attack type indicating a technique used by the malicious software element; and training, , wherein the machine learning model is configured to: receive behavior characteristics of the malicious software element; and output a threat response indicating an action to perform on the malicious software element based at least in part on the behavior characteristics of the malicious software element.
15. (Currently Amended) A computer program comprising executable instructions stored in a non-transitory computer readable medium that when executed by a processor causes the processor to: monitor data transmissions within a network; detect a first attack by a malicious software element, wherein the first attack attempts to transmit a first portion of data from a data resource in the network to a device located outside of the network; detect a second attack by the malicious software element within a predetermined time interval from the first attack, wherein: the second attack reduces a data transfer file size to attempt wherein the machine learning model is configured to: receive behavior characteristics of the malicious software element; and output a threat response indicating an action to perform on the malicious software element based at least in part on the behavior characteristics of the malicious software element.
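The detection step that the allowed claims turn on is the pairing of an over-limit exfiltration attempt with a smaller, under-limit retry from the same element within a set interval. The following Python is an added illustration of that rule over constructed transfer telemetry; it is not code from the application or from the cited references, and the limit, interval, process names, resource paths and destination addresses are all assumed sample values.

```python
from dataclasses import dataclass

# Policy values are constructed for this example; the office action names the
# concepts (predefined data transfer limit, predetermined time interval) but no numbers.
DATA_TRANSFER_LIMIT = 10_000  # bytes; outbound transfers above this are blocked
TIME_INTERVAL = 300           # seconds; links a retry to the attempt it follows


@dataclass(frozen=True)
class TransferAttempt:
    ts: int         # epoch seconds
    element: str    # software element that initiated the transfer
    resource: str   # data resource inside the network
    dest: str       # destination host
    external: bool  # True when dest lies outside the network
    size: int       # bytes the element tried to send


def detect_size_reduced_retry(attempts, limit=DATA_TRANSFER_LIMIT, interval=TIME_INTERVAL):
    """Return attack-log entries for elements that, within `interval` of an over-limit
    exfiltration attempt, retry the same resource with a smaller, under-limit file."""
    over_limit = {}   # (element, resource, dest) -> most recent over-limit attempt
    attack_log = []
    for a in sorted(attempts, key=lambda x: x.ts):
        if not a.external:
            continue  # east-west traffic is out of scope for this rule
        key = (a.element, a.resource, a.dest)
        if a.size > limit:
            over_limit[key] = a  # blocked first attack: remember it as the baseline
            continue
        first = over_limit.get(key)
        if first is None or a.ts - first.ts > interval or a.size >= first.size:
            continue
        attack_log.append({
            "element": a.element,
            "resources": [a.resource],
            "file_sizes": [first.size, a.size],
            "attack_type": "size-reduced exfiltration retry",
            "seconds_after_first": a.ts - first.ts,
            "response": "transfer element to emulated network",
        })
        del over_limit[key]  # one alert per blocked attempt
    return attack_log


# Constructed sample telemetry (not real network data).
SAMPLE = [
    TransferAttempt(1000, "svc_updater.exe", "fileshare/finance", "203.0.113.7", True, 50_000),
    TransferAttempt(1090, "svc_updater.exe", "fileshare/finance", "203.0.113.7", True, 8_000),
    TransferAttempt(1100, "backup_agent", "db/customers", "10.0.0.5", False, 900_000),
    TransferAttempt(2000, "browser.exe", "fileshare/hr", "198.51.100.3", True, 20_000),
    TransferAttempt(2500, "browser.exe", "fileshare/hr", "198.51.100.3", True, 9_000),
]
```

Only the svc_updater.exe pair is flagged with the defaults: the browser.exe retry is smaller and under the limit but arrives 500 seconds after the blocked attempt, outside the 300-second interval.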

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
As to the independent claim 1, the prior art of reference Gong teaches:
    [0015] monitor simultaneously north-south traffic and east-west traffic;
    [0015] analyze traffic via first order indicator of compromise ([014] by a malicious software or malware) extraction and correlate and detect threats, if the threat is an external attack, if the threat is the lateral movement of an infiltration, [31] includes lateral movement and data exfiltration incident alerts;
    [0015] analyze traffic via second order indicator of compromise ([014] by a malicious software or malware and [031] multiple events of the same type happen within a short period of time to the same target device) extraction and correlate and detect threats, if the threat is an external attack, if the threat is the lateral movement of an infiltration, [31] includes lateral movement and data exfiltration incident alerts;
    [0035] transmit the network data to security server in response to detecting indicators of compromise and [0055] emulation module analyzes suspicious data for untrusted behavior (malware or distributed attacks);
    [0059] behavior of the suspicious data as well as the behavior of the emulation environment is monitored and logged to track the suspicious data's operations;
    [0038, 56] identifies any of a network device, an application that are compromised, and to identify a user, such as a rogue user, on an end-user device initiating suspicious activities on the network.

Further, a second prior art of record, Sax, teaches at C2L29-31 that the number of fragments in the second set of fragments is less than the number of fragments in the first set of fragments.

None of the prior arts of record, by themselves or in any combination, would have anticipated or rendered obvious the claimed invention of the present application at or before the time it was filed. The prior arts of record fail to teach: an information security system that includes an information security engine configured to monitor data transmissions within a network and to detect a first attack by a malicious software element and a second attack by the malicious software element within a predetermined time interval from the first attack, where the second attack reduces the file size to less than the allowable limit. The information security engine is configured to identify the behavior characteristics: data resources affected by the software element and file sizes for data transmission attempts by the malicious software element.

Therefore, independent claim 1 and its corresponding dependent claims are allowed in light of applicant's arguments, approved examiner's amendments and prior arts of record. The same amendments and reasoning are applicable to independent claims 8 and 15 mutatis mutandis. Claims 6, 13 and 20 are cancelled.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/BADRINARAYANAN /Examiner, Art Unit 2496.