DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-20 are pending.

Priority
Acknowledgement is made of applicant's claim for priority based on application 15/171,763 (now Patent No. 10505828) filed on 06/02/16 and application 62/171,899 filed on 06/05/15.

Claim Objections
Claim 4 is objected to because of the following informalities:  
“a first amount of the traffic” in line 2 of claim 4 should read “a first amount of traffic”.
“a second amount of the traffic” in line 3 of claim 4 should read “a second amount of traffic”.
“unauthorized activity” in line 5 of claim 4 should read “the unauthorized activity”.
Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1, 7-11, 14-15, 17-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.  Claim 1 recites comparing characteristics of the data to determine a difference in the characteristics and, based on the difference, determining a state of at least one of the plurality of capturing agents.
 The limitation of comparing characteristics of the data to determine a difference in the characteristics as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind. For example, “comparing” in the context of this claim encompasses the user comparing characteristics of the data to identify any difference.  
The limitation of based on the difference, determining a state of at least one of the plurality of capturing agents as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind. For example, “determining” in the context of this claim encompasses the user finding out the state of one of at least one of the capturing agents based on the difference. 
If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application because the claim does not recite additional elements that integrate the judicial exception into a practical application. 
Claim 1 recites the additional elements of receiving, from a plurality of capturing agents deployed in a plurality of devices, data generated based on traffic at the plurality of devices and 
However, these additional elements are recited at a high level of generality and amount to mere data gathering (i.e. general means of collecting data for use in the comparison step), which is a form of insignificant extra-solution activity.  The plurality of capturing agents and the plurality of devices are recited at a high-level of generality and are generic computers or computer components such that they amount to no more than mere instructions to apply the exception using a generic computer. Mere instructions to apply an exception using a generic computer cannot provide an inventive concept.  Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. 
Considering the claim as a whole, looking at the elements individually and in an ordered combination, does not integrate the abstract idea into a practical application using the considerations set forth above.
The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception.  As discussed above with respect to integration of the abstract idea into a practical application, the additional elements are recited at a high level of generality and amount to mere data gathering (i.e. general means of collecting data for use in the comparison step), which is a form of insignificant extra-solution activity, the plurality of capturing agents and the plurality of devices are recited at a high-level of generality and are generic computers or computer components such that they amount to no more than mere instructions to apply the exception using a generic computer. Mere instructions to apply an exception using a generic computer cannot provide an inventive concept.  Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. 
There are no well-understood, routine, and conventional additional elements recited in the claim.
Thus, the claimed elements, either individually, or in the ordered combination do not add significantly more to the abstract idea.
Dependent claims 7-11 and 14 further clarify the concept recited in claim 1 however this clarification still falls under the concept recited in claim 1 and does not amount to significantly more than the judicial exception.  Dependent claims 7-11 and 14 are rejected for at least the reason stated above with respect to claim 1.
Claim 15 although not using the exact claim language, contains similar elements as recited in claim 1 and is also rejected for similar reasons.  Claim 15 recites the additional elements of “one or more processors” and “one or more computer-readable storage devices having stored therein instructions which, when executed by the one or more processors, cause the one or more processors to perform operations”.  However, these additional elements are recited at a high level of generality and are generic computer components such that they amount to no more than mere instructions to apply the exception using a generic computer. Mere instructions to apply an exception using a generic computer cannot provide an inventive concept.  Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. 
Dependent claims 17-19 further clarify the concept recited in claim 15 however this clarification still falls under the concept recited in claim 15 and does not amount to significantly more than the judicial exception.  Dependent claims 18-19 are rejected for at least the reason stated above with respect to claim 15.
Claim 20 although not using the exact claim language, contains similar elements as recited in claim 1 and is also rejected for similar reasons.  Claim 20 recites the additional elements of “computer-readable storage device storing instructions which, when executed by a processor, cause the processor to perform operations”.  However, these additional elements are recited at a high level of generality and are generic computer components such that they amount to no more than mere instructions to apply the exception using a generic computer. Mere instructions to apply an exception using a generic computer cannot provide an inventive concept.  Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. 

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10505828. Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-20 of U.S. Patent No. 10505828 include the limitations recited in claims 1-20 of the instant application.

Instant application 16704559 | Patent No. 10505828
1 | 1
2-14 | 2-14
15 | 15
16-19 | 16-19
20 | 20


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
 (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 9, 15, and 20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Zatko (US 20160191469).

Claim 1, Zatko discloses A method (e.g. fig. 11, ¶201) comprising: 
receiving, from a plurality of capturing agents deployed in a plurality of devices, data generated based on traffic at the plurality of devices; (e.g. fig. 11, ¶174, 184: the trusted device 130 communicates one or more event log entries from the secure storage 136 to a user 101 via the secure interface 137…The host device 110 then provides the event log entries to the user 101, such as via a user interface associated with the host device 110. The user 101 then receives the event log entries.  Note that the term traffic covers any type of message(s) or signal(s) transmitted or received)
comparing characteristics of the data to determine a difference in the characteristics; and based on the difference, determining a state of at least one of the plurality of capturing agents, (e.g. ¶185: the user 101 may optionally verify the authenticity of one or more log events that the user 101 receives via the host interface 132. For example, even though the isolated processor 135 may provide the log event entries to the read file 134 from the append-only log event entries stored in the secure storage 136, a compromised host device 110 may attempt to misrepresent the log event entries received from the read file 134. To detect or identify such misrepresentations, an authorized user 101 can compare one or more event log entries received via the read file 134 of the host interface 132 to one or more event log entries received via the secure interface 137. Because the secure interface 137 is inaccessible to the host device 110, any discrepancies identified based on the comparison provide an indication that the host device 110 is compromised. For example, if one or more log entry events are present on a log file received via the secure interface but are missing from a log file received via the host interface 132, the authorized user 101 may determine that the host device 110 is compromised based on the missing log event entries. Any other deletions, additions, or alterations of the log file received via the host interface 132—as compared to the log file received from the secure interface 137 may similarly provide an indication that the host device 110 is compromised)
wherein, the data is generated based on observed data, statistics, and/or metadata about one or more packets, flows, communications, processes, events, and/or activities at the plurality of devices. (e.g. ¶43, 101, 162-164, 166-168, 170: every time the host device transmits a request to a write file of the trusted device, the isolated processor of the trusted device determines log data for the write-file entry. The processor then records an event log entry for the write-file entry in the secure storage of the trusted device…the trusted device 130 establishes event log entries based on information received from the host device 110…the write-file entries may relate to or include system events that the operating system of the host device 110 may otherwise log. For example, the event logs may relate to or contain information about device changes, device drivers, system changes, system operations, or other information pertaining to the host computing system 110…the event logs may include application (program) events, with the events being classified as an error, a warning, or other information, depending on the severity of the event. An event log for an error, for example, may include a loss of data. Other event logs may relate to or include security-related events, including successful or failed audits or security breaches. Other event logs may relate to or include setup events or system events. 
Still other event logs may include forwarded events, such as events forwarded from other devices associated with the host device 110…the host device 110 creates the log events when a user 101 logs on to the host device 110, when a program or application on the host device 110 encounters an error, or when the host device 110 detects a threat or intrusion… the host device 110 may provide a request or command to the write file 133 of the trusted computing device 130 related to the user's financial information, such as a request for a money transfer or withdrawal, as described herein. The write file 133 receives the request as a write-file entry. The trusted computing device 130 then records the received write-file entry as an event log…the trusted computing device determines log data associated with the write-file entry. That is, the trusted computing device 130, such as via the isolated environment processor 135 of the isolated environment, retrieves the write file entry from the write file 133. The isolated processor then determines information associated the write-file entry, such as the date of the event associated with the write file entry, the time of the event associated with the write-file entry, or any other information associated with the write-file entry...the trusted computing device 130 establishes an event log entry based on determined log data. That is, after the trusted computing device 130 determines log data associated with the write-file entry, the isolated environment processor 135 creates an event log entry using the determined log data.)

Claim 9, Zatko discloses The method of claim 1, wherein the plurality of capturing agents includes at least one of a process, a kernel module, or a software driver. (e.g. figs. 1-2, ¶51, 53, 63)

Claim 15, this claim is rejected for similar reasons as in claim 1.

Claim 20, this claim is rejected for similar reasons as in claim 1.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 10-14 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Zatko (US 20160191469) in view of Vaughn (US 20160183093).

Claim 10, Zatko discloses The method of claim 1, (see above) and does not appear to explicitly disclose but Vaughn discloses in response to the determining the state, marking traffic or packets.  (e.g. ¶27)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Vaughn into the invention of Zatko for the purpose of preventing a compromised wireless sensor node from compromising other wireless sensor nodes (Vaughn, ¶27).

Claim 11, Zatko discloses The method of claim 1, (see above) and does not appear to explicitly disclose but Vaughn discloses in response to the determining the state: aggregating or summarizing the data; or reducing an amount of the data.  (e.g. ¶27)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Vaughn into the invention of Zatko for the purpose of preventing a compromised wireless sensor node from compromising other wireless sensor nodes (Vaughn, ¶27).

Claim 12, Zatko discloses The method of claim 1, (see above) and does not appear to explicitly disclose but Vaughn discloses in response to the determining the state, increasing a time interval for receiving subsequent data from the plurality of capturing agents to reduce an amount of further data received during the state.  (e.g. ¶27) 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Vaughn into the invention of Zatko for the purpose of preventing a compromised wireless sensor node from compromising other wireless sensor nodes (Vaughn, ¶27).

Claim 13, Zatko discloses The method of claim 1, wherein, the data is received via a collector device, (e.g. ¶170, 185) and does not appear to explicitly disclose but Vaughn discloses in response to the determining the state: dropping, by the collector device, the data; or preventing, by the collector device, access by other devices to the data.  (e.g. ¶27)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Vaughn into the invention of Zatko for the purpose of preventing a compromised wireless sensor node from compromising other wireless sensor nodes (Vaughn, ¶27).

Claim 14, Zatko discloses The method of claim 1, (see above) and does not appear to explicitly disclose but Vaughn discloses determining that at least one other capturing agent is in the state based on a topology of an associated network and a placement in the associated network of at least one of the plurality of capturing agents.  (e.g. ¶23-25, 35)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Vaughn into the invention of Zatko for the purpose of preventing a compromised wireless sensor node from compromising other wireless sensor nodes (Vaughn, ¶27).

Claim 18, this claim is rejected for similar reasons as in claims 10 or 13.

Claim 19, this claim is rejected for similar reasons as in claims 11 or 12.


Claims 1, 9, 15, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Shen (US 9582669) in view of Paxton (US 9686233).

Claim 1, Shen discloses A method (e.g. fig. 7, col. 8, ll. 35-44) comprising: 
receiving, from a plurality of capturing agents deployed in a plurality of devices, data generated; (e.g. fig. 7, col. 8, ll. 45-54, col. 9, ll. 43-50: As illustrated in FIG. 7, at step 702, one or more of the systems described herein may receive data that indicates at least one attribute of an automobile and that was conveyed via an automobile-network message that was purportedly broadcast over an automobile network of the automobile. The systems described herein may receive data that indicates an attribute of an automobile and that was conveyed via an automobile-network message that was purportedly broadcast over an automobile network of the automobile in a variety of ways…At step 704, one or more of the systems described herein may receive additional data that indicates the same attribute indicated by the data received at step 702 and that was not conveyed via any automobile-network message that was broadcast over the same automobile network associated with the data received at step 702. The systems described herein may receive such data in a variety of ways)
comparing characteristics of the data to determine a difference in the characteristics; and (e.g. fig. 7, col. 9, ll. 26-43, col. 10, ll. 10-52, col. 11, ll. 2-39: As used herein, the term “automobile-network message” generally refers to any communication that conveys a state (e.g., a current or past value) of any attribute of an automobile and that is transmitted over an automobile network. In some examples, automobile-network messages may be broadcast over an automobile network by various components (e.g., ECUs, sensors, and/or actuators) that are connected to the automobile network. The phrase “attribute of an automobile” generally refers to any measurable characteristic of an automobile or one of its component parts and/or any measurable characteristic of a driver's driving behaviors. An attribute of an automobile may be considered conveyed by an automobile-network message if the attribute can be derived from data contained within the automobile-network message. Examples of automobile attributes include, without limitation, speed, acceleration, deceleration, turning angle, pedal position, steering wheel position, and g-forces.  At step 706, one or more of the systems described herein may detect a discrepancy between the data received at step 702 and the additional data received at step 704. The systems described herein may perform step 706 in a variety of ways…by (1) determining that a state of an attribute of an automobile indicated by the data received at step 702 does not match a state of the attribute indicated by the additional data received at step 704 and (2) determining that the data received at step 702 and the additional data received at step 704 indicate that the states occurred at the same time.
For example, detecting module 106 may detect a discrepancy between the data received at step 702 and the additional data received at step 704 by determining that a speed conveyed by the data received at step 702 does not match a speed conveyed by the additional data received at step 704, wherein the data received at step 702 and the additional data received at step 704 indicate that the two speeds occurred at the same time)
based on the difference, determining a state of at least one of the plurality of capturing agents. (e.g. col. 2, ll. 47-55, col. 10, ll. 34-39, col. 11, ll. 2-9: the step of detecting the discrepancy between the data and the additional data may include determining that the discrepancy is indicative of the source device having malfunctioned. In other embodiments, the step of detecting the discrepancy between the data and the additional data may include determining that the discrepancy is indicative of the source device having broadcast the automobile-network message as part of an attack on the automobile network)
Although Shen discloses receiving, from a plurality of capturing agents deployed in a plurality of devices, data generated (see above), Shen does not appear to explicitly disclose but Paxton discloses data generated based on traffic at the plurality of devices and wherein, the data is generated based on observed data, statistics, and/or metadata about one or more packets, flows, communications, processes, events, and/or activities at the plurality of devices. (e.g. col. 2, ll. 34-56: a computer implemented method is described for calculating a first hash for each of a plurality of packet application layer payloads at a first server before a boundary, and storing a first hash data record from the calculated first hash of the plurality of packet application layer payloads on a device with access to the first server, or at the first server. A second hash can be calculated for each of the plurality of packet application layer payloads at a second server after the boundary, and a second hash data record from the calculated second hash of the plurality of packet application layer payloads can be stored on a device with access to the second server, or at the second server. Individual packet application layer payloads can then be matched based on the first hash data record and the second hash data record, which can be processed via a first-in-first-out queue based on recorded timestamps. The plurality of packets, each containing a packet application layer payload, can be transmitted from a client to a server, or from a server to a client, and the boundary can be between the client and the server. The first hash data record and second hash data record can include a hash value, an IP address, and a timestamp for the first and second hash for each of a plurality of packet application layer payloads.)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Paxton into the invention of Shen for the purpose of providing an ability to identify the true source of packet transmission and providing a way to quickly identify nodes that are infected with malicious content which can allow the network administrator to better identify the scope of the malicious content (Paxton, col. 6, ll. 8-15).

Claim 9, Shen-Paxton discloses The method of claim 1, wherein the plurality of capturing agents includes at least one of a process, a kernel module, or a software driver. (e.g. Shen, e.g. fig. 7, col. 2, ll. 44-47, col. 8, ll. 54-col. 9, ll. 2, col. 9, ll. 30-33, 51-col. 10, ll. 9 or Paxton, e.g. col. 2, ll. 34-56)

Claim 15, this claim is rejected for similar reasons as in claim 1.

Claim 20, this claim is rejected for similar reasons as in claim 1.

Claims 10-14 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Shen (US 9582669) in view of Paxton (US 9686233) and further in view of Vaughn (US 20160183093).

Claim 10, Shen-Paxton discloses The method of claim 1, (see above) and does not appear to explicitly disclose but Vaughn discloses in response to the determining the state, marking traffic or packets.  (e.g. ¶27)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Vaughn into the invention of Shen-Paxton for the purpose of preventing a compromised wireless sensor node from compromising other wireless sensor nodes (Vaughn, ¶27).

Claim 11, Shen-Paxton discloses The method of claim 1, (see above) and does not appear to explicitly disclose but Vaughn discloses in response to the determining the state: aggregating or summarizing the data; or reducing an amount of the data.  (e.g. ¶27)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Vaughn into the invention of Shen-Paxton for the purpose of preventing a compromised wireless sensor node from compromising other wireless sensor nodes (Vaughn, ¶27).

Claim 12, Shen-Paxton discloses The method of claim 1, (see above) and does not appear to explicitly disclose but Vaughn discloses in response to the determining the state, increasing a time interval for receiving subsequent data from the plurality of capturing agents to reduce an amount of further data received during the state.  (e.g. ¶27) 
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Vaughn into the invention of Shen-Paxton for the purpose of preventing a compromised wireless sensor node from compromising other wireless sensor nodes (Vaughn, ¶27).

Claim 13, Shen-Paxton discloses The method of claim 1, wherein, the data is received via a collector device, (Shen, e.g. fig. 7, col. 8, ll. 45-54, col. 9, ll. 43-50) and does not appear to explicitly disclose but Vaughn discloses in response to the determining the state: dropping, by the collector device, the data; or preventing, by the collector device, access by other devices to the data.  (e.g. ¶27)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Vaughn into the invention of Shen-Paxton for the purpose of preventing a compromised wireless sensor node from compromising other wireless sensor nodes (Vaughn, ¶27).

Claim 14, Shen-Paxton discloses The method of claim 1, (see above) and does not appear to explicitly disclose but Vaughn discloses determining that at least one other capturing agent is in the state based on a topology of an associated network and a placement in the associated network of at least one of the plurality of capturing agents.  (e.g. ¶23-25, 35)
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Vaughn into the invention of Shen-Paxton for the purpose of preventing a compromised wireless sensor node from compromising other wireless sensor nodes (Vaughn, ¶27).

Claim 18, this claim is rejected for similar reasons as in claims 10 or 13.

Claim 19, this claim is rejected for similar reasons as in claims 11 or 12.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

US 20040137908 discloses a terminal receives, from a plurality of access points, service reports containing various attributes of the plurality of access points and selects the best access point based on comparing the attributes in the service reports.

US 20080282347 discloses using the reported traffic information received from each of the NIDS server 51 and email server 42, determining aspects, elements, or attributes (characteristics) of the reported traffic information such as computing devices receiving or sending the traffic, the type of traffic, the amount of traffic, the time when the traffic was detected and the nature of the traffic (e.g. an unusually large volume of email being sent by desktop 11 or a large number of files was sent between the desktop 11 and other computing devices on network 90 within a very short time frame) for comparison to identify discrepancies and determining that one of the NIDS server 51 and email server 42 is compromised (e.g. infected)  (e.g. ¶39, 43, 49).


Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRONG NGUYEN whose telephone number is (571)270-7312.  The examiner can normally be reached on Monday through Thursday 9:00 AM - 5:00 PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436