Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Continued Examination Under 37 CFR 1.114
1.       A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.   Applicant's submission filed on 1-31-2022 has been entered.

2.        Claims 1 - 37 are pending.  Claims 1, 22 - 37 have been amended.  Claims 1, 15, 16, 21 are independent.   File date is 5-31-2019.  

Allowed Claims
3.         Claim 1 is allowed.  Dependent Claims 2 - 14, 22 - 33, 35 - 37 are allowed based upon their dependence upon independent Claim 1.  

Claim Rejections - 35 USC § 102  
4.        The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless -


5.        Claims 15 - 21 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Ahmed et al. (US Patent No. 10,320,813).     	

Regarding Claims 15 and 16, Ahmed discloses a non-transitory computer readable medium comprising computer executable instructions which when executed by a computer cause the computer to perform a method comprising operations and an apparatus, comprising the operations of:
a)  with at least one processor in a network, obtaining information regarding network traffic flows, the obtained information comprising traffic pattern information and packet destination information; (Ahmed col 3, ll 21-36: threat detection and mitigation platform employing machine learning and machine models to understand and classify the behavior of network endpoints, behavior that is visible in the form of network traffic emitted from machine, instance, or endpoint; classify behavior of network endpoint; classification depends on patterns observed in traffic (i.e. number of packets sent/received, sizes of packets, etc.); col 32, ll 19-37: processors implementing an instruction set, memory configured to store instructions, program instructions executed and processing data in order to implement one or more desired functions (i.e. methods, techniques))    
b)  with the at least one processor in the network, generating a classification model based on the obtained traffic pattern information and packet destination information, the classification model comprising one or more classification rules for classifying network 
c)  with the at least one processor in the network, classifying the network traffic as anomalous or normal based on the generated classification model; (Ahmed col 3, ll 42-45: classify a communication as being malicious or “good” (normal); col 4, ll 47-55: security platform maintains a library of fingerprints of different types of network traffic, classifying the traffic and categorizing the traffic as being malicious or benign (i.e. normal)) and
d)  with the at least one processor in the network, initiating at least one mitigation action based on the network traffic being classified as anomalous. (Ahmed col 7, ll 28-34: classifying a computing resource instance as exhibiting either malicious behavior or good behavior; if behavior is classified as malicious, then method includes automatically performing an action to mitigate the detected security threat; if the behavior is not classified as malicious then no mitigation action is needed or taken)    

Furthermore for Claim 16, Ahmed discloses wherein a memory; and at least one processor, coupled to said memory, and operative to perform operations. (Ahmed col 32, ll 19-37: processors implementing an instruction set, memory configured to store instructions, program instructions executed and processing data in order to implement one or more desired functions (i.e. methods, techniques)) 

Regarding Claim 17, Ahmed discloses the apparatus of claim 16, the operations further comprising blocking or rate limiting anomalous network traffic in response to determining that the network traffic is anomalous. (Ahmed col 14, ll 2-5: configured to assess communication and initially classify it as malicious and if necessary initiate an action to block traffic (i.e. block network communication or “network traffic” if malicious traffic detected); col 11, ll 61-66: response to one type of event (i.e. detection of malicious traffic) is performing a “shut down instance” including a series of actions to throttle (i.e. rate limiting) or block network traffic and notify user)    

Regarding Claim 18, Ahmed discloses the apparatus of claim 16, the operations further comprising notifying a user in response to network traffic being classified as anomalous. (Ahmed col 7, ll 28-34: classifying a computing resource instance as exhibiting malicious behavior or good behavior; if behavior is classified as malicious, the method includes automatically performing an action to mitigate the detected security threat; if the behavior is not classified as malicious then no mitigation action is needed or taken) 

Regarding Claim 19, Ahmed discloses the apparatus of claim 16, further comprising soliciting a user to review and approve the mitigation action before the mitigation action is initiated. (Ahmed col 19, ll 31-43: the event and the corresponding action taken can be provided to a security platform console so that the event and response are made visible to a user (i.e. a reviewer); the reviewer may validate or override the response action that was taken automatically; if a determination is made that the behavior was not malicious or that the

Regarding Claim 20, Ahmed discloses the apparatus of claim 16, further comprising defining one or more mitigation rules. (Ahmed col 7, ll 28-34: classifying a computing resource instance as exhibiting malicious behavior or good behavior; if behavior is classified as malicious, the method includes automatically performing an action to mitigate the detected security threat; if the behavior is not classified as malicious then no mitigation action is needed or taken)    

Regarding Claim 21, Ahmed discloses a method for classifying network traffic, comprising the operations of:
a)  with at least one processor in a network, obtaining information regarding network traffic flows, the obtained information comprising traffic pattern information and packet destination information; (Ahmed col 3, ll 21-36: threat detection and mitigation platform employing machine learning and machine models to understand and classify the behavior of network endpoints, behavior that is visible in the form of network traffic emitted from machine, instance, or endpoint; classify behavior of network endpoint; classification depends on patterns observed in traffic (i.e. number of packets sent/received, sizes of packets, etc.); col 32, ll 19-37: processors implementing an instruction set, memory configured to store instructions, program instructions executed and processing data in order to implement one or more desired functions (i.e. methods, techniques))     

c)  with the at least one processor in the network, initiating at least one notification based on the classification of the network traffic. (Ahmed col 14, ll 2-5: configured to assess communication (i.e. network traffic) and initially classify network traffic as malicious and if necessary initiate an action to block traffic (i.e. block network communication or “network traffic” if malicious traffic is detected); col 11, ll 61-66: response to one type of event (i.e. detection of malicious traffic) is performing a “shut down instance” including a series of actions to throttle (i.e. rate limiting) or block network traffic and notify the user)     

Claim Rejections - 35 USC § 103  
6.        The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 34 is rejected under 35 U.S.C. 103 as being unpatentable over Ahmed in view of Narayanaswamy et al. (US PGPUB No. 2011/005,5921) and further in view of Xu et al. (US Patent No. 10,820,810).

Regarding Claim 34, Ahmed discloses the apparatus of claim 16, packet information used to generate the one or more classification rules of the classification model. (Ahmed col 3, ll 25-31: employ machine models to classify the behavior of network endpoints, behavior that is visible in the form of traffic (i.e. network traffic); classification depends on patterns observed in traffic (i.e. number of packets sent/received, sizes of packets, etc.))
Ahmed does not explicitly disclose packet destination information comprises an Internet Protocol (IP) address corresponding to an attempt by a given host to communicate with a computer in a given country corresponding to a location assigned to the IP address.
However, Narayanaswamy discloses wherein the packet destination information comprises an Internet Protocol (IP) address, the IP address corresponding to a first attempt by a given host to communicate with a computer. (Narayanaswamy ¶ 068, ll 14-15: attack detection module identifies the IP address of client performing transaction (i.e. host associated with IP address))    
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Ahmed for packet destination information comprises an Internet Protocol (IP) address corresponding to an attempt by a given host to communicate with as taught by Narayanaswamy.  One of ordinary skill in the art would have been motivated to employ the teachings of Narayanaswamy for the benefits achieved from a system that enables techniques protecting against distributed network attacks without disabling or throttling all access to a targeted service. (Narayanaswamy ¶ 008, ll 1-5)   

However, Xu discloses wherein a computer in a given country corresponding to a location assigned to the IP address. (Xu col 10, ll 59-64: provide control over traffic, block traffic that leaks a user’s location information; blocking traffic to servers outside a geographic area)   
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Ahmed-Narayanaswamy for a computer in a given country corresponding to a location assigned to the IP address as taught by Xu. One of ordinary skill in the art would have been motivated to employ the teachings of Xu for the benefits achieved from a system that enables protecting or blocking transfer of user location information such as geographic location. (Xu col 10, ll 59-64)

Response to Arguments
9.    Applicant’s arguments, see Arguments/Remarks Made in an Amendment, filed 1-31-2022, with respect to the rejection(s) of claim(s) 1 under Ahmed have been fully considered and are persuasive.  Therefore, the rejection for Claim 1 has been withdrawn.  Applicant's arguments for Claims 15, 16 and 21 have been fully considered, however upon further consideration of the prior art and the claimed limitation(s), they were not persuasive.

A.  Claim 1 is allowed.  Claims dependent on Claim 1 are allowed due to their dependence upon independent Claim 1. (Claims 2 - 14, 22 - 33, 35 - 37)



C.  Applicant argues on pages 10-12 of Remarks: The Office Action employs the same rationale employed in rejecting Claim 1 against Claims 15, 16, and 21. Thus, applicant submits that Claims 15, 16, and 21 are allowable in view of Ahmed for at least the reasons set forth above in support of Claim 1.

    The Examiner respectfully disagrees.  Applicant has amended Claim 1 and has not amended Claims 15, 16 and 21.  Claims 15, 16 and 21 do not utilize the same rationale as amended Claim 1.  Claim 1 is allowed.  Claims 15, 16 and 21 are not allowed. 

D.  Applicant argues on pages 25-27 of Remarks: Narayanaswamy does not, however, disclose or suggest that the packet destination information that comprises an Internet Protocol (IP) address corresponding to a first attempt by a given host to communicate with a computer in a given country (the given country corresponding to a location of a computer assigned to the IP address) is used to generate the one or more classification rules of the classification model.

    The Examiner respectfully disagrees. Dependent Claim 34 and its base independent Claim (Claim 16) do not disclose the following: “the packet destination information that comprises an Internet Protocol (IP) address corresponding to a first attempt by a given host to communicate with a computer in a given country (the given country corresponding to a location of a computer assigned to the IP address) is used to generate the one or more classification rules”.  The indicated claim language is only disclosed in amended Claim 1. 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kyung H Shin whose telephone number is (571)272-3920. The examiner can normally be reached M - F: 12pm - 8pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 571-272-6967. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KYUNG H SHIN/ 2-24-2022
Primary Examiner, Art Unit 2452