DETAILED ACTION

Currently pending claims are 1 – 20.

Claim Objection

Claims 8 and 15 are objected to because of the following informalities (and Examiner respectfully requests correction as follows): “one or more processors” should be replaced with “one or more hardware processors (or processor devices)” – Examiner notes this is because a computer processor could be a software processor (e.g. a Microsoft WORD processor). Appropriate correction(s) is (are) required. // “A computer processor” may include the “software processor” (e.g. a word processor) //

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 8 and 15 are rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant) regards as the invention, because the claim language, such as (i) notifying a NetFlow of the first log including the metadata versus (ii) providing the first log by the NetFlow of the network device, is considered to be unclear and ambiguous in its meaning regarding what exactly is the attribute of the NetFlow by itself, and as such the precise metes and bounds of the claim, as alleged, cannot be determined. See MPEP § 2173.05(b). Any other claims not addressed are rejected by virtue of their dependency and should also be corrected.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  


Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1 – 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Holeman et al. (U.S. Patent 2018/0191766). 

As per claims 1, 8 and 15, Holeman teaches a computer-implemented method comprising: 
receiving, at a network device, a first set of rules from a security controller of an enterprise network, the first set of rules being different from a second set of rules provided to a firewall by the security controller (Holeman: Para [0087] / Para [0086], Para [0018], Para [0082] / [0084] and Para [0071] – [0073]: (a) different network control points, such as a network analyzer device and a firewall, perform control actions differently based on received different policies (i.e. a set of rules) from an enterprise that first defines the security policies – for example, at least, based on (b) the efficiency of network bandwidth consumed to reduce the amount of what is being monitored and reported such that the control points may take different actions more globally (about a Firewall area) or locally (about a computer system) depending on what is being monitored as well as the security risk-assessment and the necessitated adjustments and mitigated resolutions); 
implementing, at the network device, the first set of rules received from the security controller (see above); 
generating, at the network device, a first log including metadata based on the first set of rules, the first log being generated on a per flow basis (Holeman: see above & Figure 5 / E-502 & E-106 and Para [0025]: a network flow such as a sequence of packets being transmitted or received within a network or a sequence of packets that share certain network characteristics (e.g. same source and destination IP addresses, etc.)); 
notifying, at the network device, a NetFlow of the first log including the metadata of the first set of rules (Holeman: see above & Para [0084] / [0082]: a log report of network flow metadata versus full packet capture can also be defined by the policy rules); and 
providing, from the network device, the first log to a cloud-log store by the NetFlow of the network device, the cloud-log store receiving the first log from the network device and a second log from the firewall (Holeman: see above & Para [0026] / [0030] / [0021]: each of the network flow data logs is collected and sent to a network management entity for analysis, which can be a cloud-based device including a cloud-log store of memory in a virtualized networks / systems).  

As per claims 2, 9 and 16, Holeman teaches the first set of rules is routed from security controller and through a network controller to the network device (Holeman: see above & Para [0018], Para [0082] / [0084], Para [0071] – [0073] and Para [0087] / Para [0086]: (a) different network control points, such as a network analyzer device and a firewall, perform control actions differently based on received different policies (i.e. a set of rules) – (b) the respective security rules can be defined by the enterprise (Para [0018]) and routed to the corresponding network device (e.g. network management (flow analyzer) entity) and the router / firewall respectively, and (c) for example, at least, based on the efficiency of network bandwidth consumed to reduce the amount of what is being monitored and reported such that the control points may take different actions more globally (about a Firewall area) or locally (about a computer system) depending on what is being monitored as well as the security risk-assessment and the necessitated adjustments).  

As per claims 3, 10 and 17, Holeman teaches the first set of rules of the network device and the second set of rules of the firewall divide network traffic to offload the firewall, drop network traffic to a closest source, or increase scale (Holeman: see above & Para [0087] / Para [0086], Para [0018], Para [0082] / [0084] and Para [0072]: at least, based on the efficiency of network bandwidth consumed to reduce the amount of what is being monitored and reported such that the control points may take different actions more globally (about a Firewall area) or locally (about a computer system) depending on what is being monitored as well as the security risk-assessment and the necessitated adjustments).  

As per claims 4, 11 and 18, Holeman teaches wherein the implementing of the first set of rules occurs at a security access control list stage of the network device (Holeman: see above & Para [0018] / [0071] – [0073]: a security access control entity (including at least network flow collector / analyzer (network flow device)) that performs collecting, monitoring, analyzing, identifying, determining the security mitigation solution and generating security alerts constitutes a security access control list stage of the corresponding network device).  

As per claims 5, 12 and 19, Holeman teaches wherein the security access control list stage notifies the NetFlow of the first log (Holeman: see above & Para [0062] – [0066], Para [0018] / [0071] – [0073]).  

As per claims 6 and 13, Holeman teaches supplementing, by the NetFlow, the first log to include a marker that indicates a dropped flow (Holeman: see above & Para [0063]: supplementing based on a configurable holding time designated as an indication (i.e. a marker) associated with a dropped flow (i.e. loss of network connection)).  

As per claims 7 and 14, Holeman teaches the supplemented first log further includes at least one of flow telemetry, volume, or duration of a flow of network traffic (Holeman: see above & Para [0084]: includes at least a time period (duration), size (volume), etc.).  

As per claim 20, the claim contains limitations similar to claims 6 and 7 and thus is rejected with the same rationale.





Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788. The examiner can normally be reached Monday - Friday 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



---------------------------------------------------
                  /Longbit Chai/
           Longbit Chai E.E. Ph.D.
    Primary Examiner, Art Unit 2431
                   No. #2333 – 2021
---------------------------------------------------