DETAILED ACTION
This office action is in response to the application filed on 12/17/2019. Claims 1-20 are pending and are examined.	
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Objections
Claims 18-20 are objected to because of the following informalities:
 	Claims 18, 19 and 20 recite “The non-transitory computer readable medium of claim 15”, which should be “The non-transitory computer readable medium of claim 17”.
 Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was.


Claims 1, 3, 5, 9, 11, 13 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Sartran et al. (U.S Pub No. 2017/0279698 A1, referred to as Sartran), in view of Kumaran et al. (U.S Pub No. 2020/0313979 A1, referred to as Kumaran).
Regarding claims 1, 9 and 17, Sartran teaches:	
collecting, by a control system comprising a processor and memory, a set of network data communicated by a plurality of network nodes over a network during a time duration (Sartran: Fig. 4, Item 400; Fig. 5, Item 408; ¶ 0050, “A DLA (EN: control system) may be operable to monitor network conditions (e.g., router states, traffic flows, etc.), perform anomaly detection on the monitored data using one or more machine learning models, report detected anomalies to the SCA, and/or perform local mitigation actions”; ¶ 0059- ¶ 0061, “In some embodiments, DLA 400 may execute a Network Sensing Component (NSC) 416 that is a passive sensing construct used to collect a variety of traffic record inputs 426 from monitoring mechanisms deployed to the network nodes.”; Fig. 6A; ¶ 0095, “As shown in FIG. 6A, plot 600 illustrates a plot of the observed number of packets between two network hosts over the course of time.” (EN: during a time duration)); 
identifying, by the control system, one or more seasonalities from the set of network data (Sartran: ¶ 0004; ¶ 0067- ¶ 0073; Fig. 5; ¶ 0076- ¶ 0092, “FIG. 5 illustrates an example architecture for using seasonal network patterns (EN: one or more seasonalities) to detect network anomalies.”; Fig. 8; ¶ 0097- ¶ 0102, “FIG. 8 illustrates an example simplified procedure for detecting a network anomaly using seasonal network patterns”);
generating, by the control system, a temporal profile based on the one or more identified seasonalities (Sartran: ¶ 0071, “The techniques herein allow for the detection and analysis of patterns that are unusual in view of their seasonality and periodicity. In some aspects, a clustering process can assess network traffic to learn different traffic (EN: a temporal profile)”; ¶ 0083);
detecting, by the control system and based on the temporal profile, an anomalous behavior performed by one of the plurality of network nodes (Sartran: Fig. 5, Item 506; ¶ 0087- ¶ 0092; Fig. 6B; Fig 7A; Fig. 7B; ¶ 0094- ¶ 0096; Fig. 8, Step 825, “At step 825, as detailed above, the device may detect an anomaly by comparing the activity level for the new traffic data to the predicted seasonal activity. For example, if the predicted seasonality of the host's traffic activity is “low activity” and the new traffic data indicates “high activity,” the device may deem this behavior to be anomalous.”).
Sartran does not explicitly disclose, however Kumaran teaches:
identifying, by the control system and based on the temporal profile, a root cause for the anomalous behavior (Kumaran: Fig. 2, Item 248; ¶ 0033; Fig. 3, Item 304; ¶ 0042; ¶ 0082, “During execution, corrective measure module 308 may take any or all of the following steps: Receive as input the tunnels identified by seasonality detection module 302 as experiencing seasonal SLA violations. Collect the SLA behavior time series data for all tunnels between the same two endpoints. Compare the SLA behavior of the seasonal tunnel with the each of the alternate tunnels, finding the tunnel that has the most negatively correlated, SLA behavior.”; Fig. 9; ¶ 0093- ¶ 0097, “step 910, where, as described in greater detail above, the supervisory service may detect seasonal SLA violations by one or more tunnels in the SD-WAN using a machine learning-based regression model. Such a model may, for example, take as input a time series of SLA violations for the tunnel(s) and use features such as time-of-day and day-of-week, to (EN: temporal profile), etc.). At step 915, as detailed above, the supervisory service may identify a root cause of the seasonal SLA violations. In some embodiments, the service may do so in part by determining whether the root cause of the seasonal SLA violations is associated with an internal network connected to the one or more tunnels (EN: a root cause for the anomalous behavior)”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Sartran by Kumaran and have a system capable of identifying a root cause for an anomalous behavior of a network in order to initiate a corrective measure based on the determined root cause (Kumaran: ¶ 0096).

Regarding claim 9, Sartran further teaches:
A computing device comprising: a memory; and one or more processors operatively coupled to the memory, the one or more processors (Sartran: Fig. 2; ¶ 0032- ¶ 0035).

Regarding claim 17, Sartran further teaches:
A non-transitory computer readable medium storing program instructions for causing one or more processor (Sartran: Fig. 2; ¶ 0032- ¶ 0035).

Regarding claims 3 and 11, the combination of Sartran and Kumaran teaches all the features of claims 1 and 9, as outlined above.
Sartran teaches:
wherein the set of network data includes at least one of: a plurality of raw data packets over the network, respective source IP addresses of the plurality of raw data packets, respective destination IP addresses of the plurality of raw data packets, respective source TCP ports of the plurality of raw data packets, respective destination TCP ports of the plurality of raw data packets, respective source UDP ports of the plurality of raw data packets, respective destination UDP ports of the plurality of raw data packets, and respective data sizes of the plurality of raw data packets (Sartran: ¶ 0059- ¶ 0060, “traffic record inputs 426 may include Cisco™ Netflow records or other traffic information, application identification information from a Cisco™ Network Based Application Recognition (NBAR) process or another application-recognition mechanism, administrative information from an administrative reporting tool (ART), local network state information service sets, media metrics, raw packets (EN: a plurality of raw data packets over the network), or the like.”).

Regarding claims 5 and 13, the combination of Sartran and Kumaran teaches all the features of claims 1 and 9, as outlined above.
Sartran does not explicitly disclose, however Kumaran teaches:
wherein identifying a root cause for the anomalous behavior further comprises: determining, by the control system, a network flow associated with the anomalous behavior using highest magnitude interaction analysis; and identifying, by the control system, the network nodes associated with the network flow (Kumaran: Fig. 8, Step 915; ¶ 0094, “the service may do so in part by determining whether the root cause of (EN: network nodes associated with the network flow). For example, the service may attempt to see whether seasonal spikes in traffic in the internal network, packet drops, or other measurements in the internal network are correlated with the SLA violations. In another embodiment, the service may use a machine learning-based classifier to identify one or more traffic features of traffic in the internal network as associated with the SLA violations. In yet another embodiment, the service may perform deep packet inspection on traffic of the internal network sent via the one or more tunnels, to identify one or more applications associated with the traffic. (EN: highest magnitude interaction analysis)”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Sartran by Kumaran and have a system capable of identifying a root cause for an anomalous behavior of a network in order to initiate a corrective measure based on the determined root cause (Kumaran: ¶ 0096).

Allowable Subject Matter

Claims 2, 4, 6-8, 10, 12 and 14-16 would be allowable if they were rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claims 18-20 would be allowable should Applicant overcome the objection, set forth therein AND if they were rewritten in independent form including all of the limitations of the base claim and any intervening claims.

The following is an examiner’s statement of reasons for identifying allowable subject matter.	

The closest prior art made of record is Sartran et al. (U.S Pub No. 2017/0279698 A1, referred to as Sartran) and Kumaran et al. (U.S Pub No. 2020/0313979 A1, referred to as Kumaran).

Sartran discloses that a device in a network determines cluster assignments that assign traffic data regarding traffic in the network to activity level clusters based on one or more measures of traffic activity in the traffic data. The device uses the cluster assignments to predict seasonal activity for a particular subset of the traffic in the network. The device determines an activity level for new traffic data regarding the particular subset of traffic in the network. The device detects a network anomaly by comparing the activity level for the new traffic data to the predicted seasonal activity.

Kumaran discloses a supervisory service for a software-defined wide area network (SD-WAN) detects seasonal service level agreement (SLA) violations by one or more tunnels in the SD-WAN using a machine learning-based regression model. The service identifies a root cause of the seasonal SLA violations by determining whether 

However, regarding claim 2, the prior art of Sartran and Kumaran when taken in the context of the claim as a whole do not disclose nor suggest, “switching, by the control system, from a data collection mode to an anomaly detection mode in response to the generation of the temporal profile.”.

Regarding claim 10, the prior art of Sartran and Kumaran when taken in the context of the claim as a whole do not disclose nor suggest, “switch from a data collection mode to an anomaly detection mode in response to the generation of the temporal profile.”.

Regarding claim 4, the prior art of Sartran and Kumaran when taken in the context of the claim as a whole do not disclose nor suggest, “segmenting, by the control system, the time duration into a plurality of monitoring time periods; grouping, by the control system based on a plurality of timestamps of the set of network data, the set of 

Regarding claim 12, the prior art of Sartran and Kumaran when taken in the context of the claim as a whole do not disclose nor suggest, “segment the time duration into a plurality of monitoring time periods; group, based on a plurality of timestamps of the set of network data, the set of network data into respective subsets of the plurality of monitoring time periods; and determine the one or more seasonalities based on an occurrence rate associated with each of the subset of the monitoring time periods.”.

Regarding claim 6, the prior art of Sartran and Kumaran when taken in the context of the claim as a whole do not disclose nor suggest, “wherein detecting an anomalous behavior performed by one of the plurality of network nodes further comprises: collecting, by the control system, a second set of network data communicated by the plurality of network nodes over the network during a second time duration; identifying, by the control system, one or more detection mode seasonalities from the second set of network data; comparing, by the control system, the detection mode seasonalities with the temporal profile to calculate a confidence margin; and detecting, by the control system, an anomalous behavior based on the calculated confidence margin exceeding a predetermined threshold.”.

Regarding claims 14 and 18, the prior art of Sartran and Kumaran when taken in the context of the claim as a whole do not disclose nor suggest, “collect a second set of network data communicated by the plurality of network nodes over the network during a second time duration; identify one or more detection mode seasonalities from the second set of network data; compare the detection mode seasonalities with the temporal profile to calculate a confidence margin; and detect an anomalous behavior based on the calculated confidence margin exceeding a predetermined threshold.”.

Regarding claim 7, the prior art of Sartran and Kumaran when taken in the context of the claim as a whole do not disclose nor suggest, “identifying, by the control system, from the set of network data, a network communication between two network nodes, wherein at least one of the network nodes is on a list of known malicious network nodes; identifying, by the control system, one or more malicious seasonalities of the identified network communication; and generating, by the control system, a malicious temporal profile based on the one or more identified malicious seasonalities; comparing, by the control system, the one or more seasonalities to the malicious temporal profile to determine a malicious network communication with an unknown network node; and adding, by the control system, the unknown network node to the list of known malicious network nodes.”.

Regarding claims 15 and 19, the prior art of Sartran and Kumaran when taken in the context of the claim as a whole do not disclose nor suggest, “identify, from the set of network data, a network communication between two network nodes, wherein at least 

Regarding claim 8, the prior art of Sartran and Kumaran when taken in the context of the claim as a whole do not disclose nor suggest, “identifying, by the control system, from the set of network data, a network communication between two network nodes, wherein at least one of the network nodes is on a list of known trusted network nodes; identifying, by the control system, one or more trusted seasonalities of the identified network communication; generating, by the control system, a trusted temporal profile based on the one or more identified trusted seasonalities; comparing, by the control system, the one or more seasonalities to the trusted temporal profile to determine a trusted network communication with an unknown network node; and adding, by the control system, the unknown network node to the list of known trusted network nodes.”.

Regarding claims 16 and 20, the prior art of Sartran and Kumaran when taken in the context of the claim as a whole do not disclose nor suggest, “identify, from the set of network data, a network communication between two network nodes, wherein at least one of the network nodes is on a list of known trusted network nodes; identify one or 

Claims 2-8 depend on claim 1, claims 10-16 depend on claim 9 and claims 18-20 depend on claim 17, and are consequently identified as allowable.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:  See PTO-892.  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HASSAN SAADOUN whose telephone number is (571)272-8408. The examiner can normally be reached Mon-Fri 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






/HASSAN SAADOUN/Examiner, Art Unit 2435 

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435