Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
The following is a Non-Final Office Action in response to applicant’s filing on 07/31/2019.
Claims 1-20 are pending.

Specification
The disclosure is objected to because of the following informalities:
In Para. [0036] it states “chasses” and it should be “Chassis”.
In Para. [0032], the reference number 526, does not exist in Fig. 4.
In Para. [0032], the reference number 524 is used for “Instructions” in Fig. 4, however the reference number 524 should be used for “a tangible computer-readable storage medium”.
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.




 Claim 7 recites the limitation “the operations” in line 1.  There is insufficient antecedent basis for this limitation in the claim, since it is unclear which operations the term is referring to. For examination purposes the limitation “the operations” will be treated as “analyzing historical data of logs”. The examiner suggests to clarify the difference between “the operations” to rectify the issue. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-2, 4, 7, 9-10, 12, 15, 17-18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Wang et al. (US 2020/0304381 A1) in view of Papaxenopoulos et al. (US 2018 / 0336356 A1).

In regards to claim 1, Wang discloses a method comprising: obtaining a machine learning model (Wang, Fig. 7 and Para. 0049, Training module 335 may run supervised learning 405 to obtain a benchmark pattern model (e.g., trained model 410), note the benchmark pattern model which can interpret as obtaining a machine learning model from supervised learning 405);
715)), wherein the log of data traffic comprises information associated with a first application (Wang, Para. 0040, Traffic pattern recognition function 320 may apply pattern recognition to identify a pattern (e.g. a particular combination of data speed, latency, and jitter for each direction) in the filtered data that may be attributed, for example, to a particular application); 
analyzing the log of data traffic using the machine learning model (Wang, Para. 0061, traffic evaluation function 322 may compare a relevant benchmark from trained model 410 to the actual network data to determine how much the live network traffic for the application has been impacted by the network); 
determining, based on the analysis used the machine learning model (Wang, Para. 0062, If there is not a match in the benchmark pattern model (block 730—No), process 700 may include analyzing the network data with a learning function (block 745)), whether to alter security rules for the first application (Wang, Para. 0065, PCF 814 may support policies to control network behavior, provide policy rules to control plane functions (not shown), access subscription information relevant to policy decisions, perform policy decisions, and/or perform other types of processes associated with policy enforcement); and 
Wang fails to disclose based on the determination to alter the security rules for the first application, sending instructions to alter the security rules for the first application. However, Papaxenopoulos teaches based on the determination to alter the security rules for the first application (Papaxenopoulos, Fig. 4, Para. 0048, the security generator can generate security path rules 416 utilizing a rules repository (e.g., 215B) provided by the static analysis application), sending instructions to alter the security rules for the first application (Papaxenopoulos, Para. 0048, Fig. 4, Item 426, Those security patch rules that are verified 422 can then be provided for further processing 426 along with source code changes, descriptions of the security patches).  
Wang and Papaxenopoulos are both considered to be analogous to the claimed invention because they are in the same field of analyzing the log of data traffic of an application in the cloud network. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filling 

In regards to claim 2, the combination of Wang in view of Papaxenopoulos teaches the method of claim 1, wherein the log of data traffic comprises error information or throughput information associated with the first application (Wang, Para. 0039, Coarse filter 314 may filter out unnecessary raw data, such as data unrelated to data speeds, throughput, frame size, packet size, latency, jitter, etc. Coarse filter 314 may pass the remaining).  

In regards to claim 4, the combination of Wang in view of Papaxenopoulos teaches the method of claim 1, wherein the security rules are altered in an application programming interface of the first application (Papaxenopoulos, Para. 0014, The remediation process can include security rules created from one or more application programming interfaces (API) accessible by the security application).  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filling date of the claimed invention to have modified Wang to incorporate the teachings of Papaxenopoulos to include wherein the security rules are altered in an application programming interface of the first application (Papaxenopoulos, Para. 0014). Doing so would aid to auto-remediating security vulnerabilities in source code, and more specifically pertains to utilizing pre-existing security controls for auto-remediating security vulnerabilities in source code (Papaxenopoulos, Para. 0002).

In regards to claim 7, the combination of Wang in view of Papaxenopoulos teaches the method of claim 1, the operations further comprising: analyzing historical data of logs for the first application 328 may use output from intelligent analysis function 318 as well as historical data from benchmark performance database 330); and based on the analyzing, updating the machine learning model to a new machine learning model (Wang, Para.0058, process 700 may include training a benchmark pattern model from historical training data (block 705), and storing a local copy of the benchmark pattern model).  

In regards to claim 9, Wang discloses an apparatus comprising:
 a processor (Wang, Fig. 2, Item 210); and 
a memory coupled with the processor, the memory storing executable instructions that when executed by the processor cause the processor to effectuate operations comprising (Wang, Fig. 2, Item 215): 
obtaining a machine learning model (Wang, Fig. 7 and Para. 0049, Training module 335 may run supervised learning 405 to obtain a benchmark pattern model (e.g., trained model 410), note the benchmark pattern model which can interpret as obtaining a machine learning model from supervised learning 405); 
obtaining a log of data traffic (Wang, Fig. 7 and Para. 0059, collecting live network traffic data from a local network (block 715)), wherein the log of data traffic comprises information associated with a first application; (Wang, Para. 0040, Traffic pattern recognition function 320 may apply pattern recognition to identify a pattern (e.g. a particular combination of data speed, latency, and jitter for each direction) in the filtered data that may be attributed, for example, to a particular application); 
analyzing the log of data traffic using the machine learning model (Wang, Para. 0061, traffic evaluation function 322 may compare a relevant benchmark from trained model 410 to the actual network data to determine how much the live network traffic for the application has been impacted by the network); 
determining, based on the analysis used the machine learning model (Wang, Para. 0062, If there is not a match in the benchmark pattern model (block 730—No), process 700 may include analyzing the 745)), whether to alter security rules for the first application (Wang, Para. 0065, PCF 814 may support policies to control network behavior, provide policy rules to control plane functions (not shown), access subscription information relevant to policy decisions, perform policy decisions, and/or perform other types of processes associated with policy enforcement); and 
Wang fails to disclose based on the determination to alter the security rules for the first application, sending instructions to alter the security rules for the first application. However, Papaxenopoulos teaches based on the determination to alter the security rules for the first application (Papaxenopoulos, Fig. 4, Para. 0048, the security generator can generate security path rules 416 utilizing a rules repository (e.g., 215B) provided by the static analysis application), sending instructions to alter the security rules for the first application (Papaxenopoulos, Para. 0048, Fig. 4, Item 426, Those security patch rules that are verified 422 can then be provided for further processing 426 along with source code changes, descriptions of the security patches).  
Wang and Papaxenopoulos are both considered to be analogous to the claimed invention because they are in the same field of analyzing the log of data traffic of an application in the cloud network. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filling date of the claimed invention to have modified Wang to incorporate the teachings of Papaxenopoulos to include based on the determination to alter the security rules for the first application (Papaxenopoulos, Fig. 4, Para. 0048), sending instructions to alter the security rules for the first application (Papaxenopoulos, Para. 0048, Fig. 4, Item 426). Doing so would aid to auto-remediating security vulnerabilities in source code, and more specifically pertains to utilizing pre-existing security controls for auto-remediating security vulnerabilities in source code (Papaxenopoulos, Para. 0002).

In regards to claim 10, the combination of Wang in view of Papaxenopoulos teaches the apparatus of claim 9, wherein the log of data traffic comprises error information or throughput information associated with the first application (Wang, Para. 0039, Coarse filter 314 may filter out 314 may pass the remaining).   

In regards to claim 12, the combination of Wang in view of Papaxenopoulos teaches the apparatus of claim 9, wherein the security rules are altered in an application programming interface of the first application Papaxenopoulos, Para. 0014, The remediation process can include security rules created from one or more application programming interfaces (API) accessible by the security application).  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filling date of the claimed invention to have modified Wang to incorporate the teachings of Papaxenopoulos to include wherein the security rules are altered in an application programming interface of the first application (Papaxenopoulos, Para. 0014). Doing so would aid to auto-remediating security vulnerabilities in source code, and more specifically pertains to utilizing pre-existing security controls for auto-remediating security vulnerabilities in source code (Papaxenopoulos, Para. 0002).

In regards to claim 15, the combination of Wang in view of Papaxenopoulos teaches the apparatus of claim 9, the operations further comprising: analyzing historical data of logs for the first application(Wang, Para, 0043 Artificial intelligence (AI) prediction function 328 may use output from intelligent analysis function 318 as well as historical data from benchmark performance database 330); and based on the analyzing, updating the machine learning model to a new machine learning model (Wang, Para.0058, process 700 may include training a benchmark pattern model from historical training data (block 705), and storing a local copy of the benchmark pattern model).  

In regards to claim 17, Wang discloses a computer readable storage medium storing computer executable instructions that when executed by a computing device cause said computing device to effectuate operations comprising:
335 may run supervised learning 405 to obtain a benchmark pattern model (e.g., trained model 410), note the benchmark pattern model which can interpret as obtaining a machine learning model from supervised learning 405); 
obtaining a log of data traffic (Wang, Fig. 7 and Para. 0059, collecting live network traffic data from a local network (block 715)), wherein the log of data traffic comprises information associated with a first application (Wang, Para. 0040, Traffic pattern recognition function 320 may apply pattern recognition to identify a pattern (e.g. a particular combination of data speed, latency, and jitter for each direction) in the filtered data that may be attributed, for example, to a particular application);
 analyzing the log of data traffic using the machine learning model (Wang, Para. 0061, traffic evaluation function 322 may compare a relevant benchmark from trained model 410 to the actual network data to determine how much the live network traffic for the application has been impacted by the network);
 determining, based on the analysis used the machine learning model (Wang, Para. 0062, If there is not a match in the benchmark pattern model (block 730—No), process 700 may include analyzing the network data with a learning function (block 745)), whether to alter security rules for the first application (Wang, Para. 0065, PCF 814 may support policies to control network behavior, provide policy rules to control plane functions (not shown), access subscription information relevant to policy decisions, perform policy decisions, and/or perform other types of processes associated with policy enforcement); and 
Wang fails to disclose based on the determination to alter the security rules for the first application, sending instructions to alter the security rules for the first application. However, Papaxenopoulos teaches based on the determination to alter the security rules for the first application (Papaxenopoulos, Fig. 4, Para. 0048, the security generator can generate security path rules 416 utilizing a rules repository (e.g., 215B) provided by the static analysis application), sending instructions to alter the security rules for the first application (Papaxenopoulos, Para. 0048, Fig. 4, Item 426, Those security patch 422 can then be provided for further processing 426 along with source code changes, descriptions of the security patches).
Wang and Papaxenopoulos are both considered to be analogous to the claimed invention because they are in the same field of analyzing the log of data traffic of an application in the cloud network. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filling date of the claimed invention to have modified Wang to incorporate the teachings of Papaxenopoulos to include based on the determination to alter the security rules for the first application (Papaxenopoulos, Fig. 4, Para. 0048), sending instructions to alter the security rules for the first application (Papaxenopoulos, Para. 0048, Fig. 4). Doing so would aid to auto-remediating security vulnerabilities in source code, and more specifically pertains to utilizing pre-existing security controls for auto-remediating security vulnerabilities in source code (Papaxenopoulos, Para. 0002).

In regards to claim 18, the combination of Wang in view of Papaxenopoulos teaches the computer readable storage medium of claim 17, wherein the log of data traffic comprises error information or throughput information associated with the first application (Wang, Para. 0039, Coarse filter 314 may filter out unnecessary raw data, such as data unrelated to data speeds, throughput, frame size, packet size, latency, jitter, etc. Coarse filter 314 may pass the remaining).   

In regards to claim 20, the combination of Wang in view of Papaxenopoulos teaches the computer readable storage medium of claim 17, wherein the security rules are altered in an application programming interface of the first application (Papaxenopoulos, Para. 0014, The remediation process can include security rules created from one or more application programming interfaces (API) accessible by the security application).  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filling date of the claimed invention to have modified Wang to incorporate the teachings of Papaxenopoulos to include wherein the security rules are altered in an application programming interface of the first application (Papaxenopoulos, Para. 0014). Doing so would aid to auto-.

Claims 3, 5-6, 8, 11, 13-14, 16 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Wang et al. (US 2020/0304381 A1) in view of Papaxenopoulos et al. (US 2018 / 0336356 A1), and further in view of Cooper et al.  (US 2014/0115578 A1).
In regards to claim 3, Wang in view of Papaxenopoulos fails to teach the method of claim 1, wherein the log of data traffic comprises type of data traffic during a period that flows to the first application from a second application. However, Cooper teaches wherein the log of data traffic comprises type of data traffic during a period that flows to the first application from a second application (Cooper, Fig. 0013 and Para. 0127, A packet of a network flow is sent at 1301 to guest VM 1330-2, but is intercepted by intercept code module 1390 in vSwitch 1322). Wang, Papaxenopoulos, and Cooper are all considered to be analogous to the claimed invention because they are in the same field of analyzing the log of data traffic of an application in the cloud network. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filling date of the claimed invention to have modified Wang in view of Papaxenopoulos to incorporate the teaching of Cooper to include wherein the log of data traffic comprises type of data traffic during a period that flows to the first application from a second application (Cooper, Fig. 0013 and Para. 0127). Doing so would aid to enable customers to buy only the resources it uses or wants, and can provide flexibility and speed in responding to changes in a customer's network resource requirements. Virtual machines, however, are likely to become more popular targets for malicious attacks, as the use of virtualized cloud infrastructures continues to grow. While cloud virtualization provides many advantages, it can also present unique security challenges, as the nature of the virtualized infrastructure is to enable quick deployment of new resources (Cooper, Para.0004).
374 can use VMM security policies database 376 to update VM security policies database 386 with security policies for guest VMs 330).  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filling date of the claimed invention to have modified Wang in view of Papaxenopoulos to incorporate the teaching of Cooper to include wherein the security rules are altered in a virtual machine associated with the first application (Cooper, Para. 0063). Doing so would aid to provide security in a virtual cloud infrastructure. More specifically, virtual security system 160 of communication system 100 includes a distribution layer at a front-end, network stream level, that routes packets of network traffic to back-end security processes (Cooper, Para.00034).
In regards to claim 6, the combination of Wang and Papaxenopoulos further in view of Cooper teaches the method of claim 1, wherein the security rules are altered in a firewall located between the first application and a second application (Cooper, 0073, VSA 440-1 may forward the packet to VSA 440-3 using the same source route mechanism 495. VSA 440-3 is a firewall that applies firewall policy to the packet). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filling date of the claimed invention to have modified Wang in view of Papaxenopoulos to incorporate the teaching of Cooper to include wherein the security rules are altered in a firewall located between the first application and a second application (Cooper, 0073). Doing so would aid to any number and type of VSAs could be configured in a virtual server to provide various security inspections on network traffic from virtual machines (Cooper, Para.0097).
In regards to claim 8, the combination of Wang and Papaxenopoulos further in view of Cooper teaches the method of claim 1, wherein the security rule comprises denying traffic from a second application (Cooper, Para. 0093, sending alerts to a system administrator or other authorized user, and blocking new packets from the same source guest virtual machine). Therefore, it would have been 
In regards to claim 11, the combination of Wang and Papaxenopoulos further in view of Cooper teaches the apparatus of claim 9, wherein the log of data traffic comprises type of data traffic during a period that flows to the first application from a second application.  However, Cooper teaches wherein the log of data traffic comprises type of data traffic during a period that flows to the first application from a second application (Cooper, Fig. 0013 and Para. 0127, A packet of a network flow is sent at 1301 to guest VM 1330-2, but is intercepted by intercept code module 1390 in vSwitch 1322). Wang, Papaxenopoulos, and Cooper are all considered to be analogous to the claimed invention because they are in the same field of analyzing the log of data traffic of an application in the cloud network. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filling date of the claimed invention to have modified Wang in view of Papaxenopoulos to incorporate the teaching of Cooper to include wherein the log of data traffic comprises type of data traffic during a period that flows to the first application from a second application (Cooper, Fig. 0013 and Para. 0127). Doing so would aid to enable customers to buy only the resources it uses or wants, and can provide flexibility and speed in responding to changes in a customer's network resource requirements. Virtual machines, however, are likely to become more popular targets for malicious attacks, as the use of virtualized cloud infrastructures continues to grow. While cloud virtualization provides many advantages, it can also present unique security challenges, as the 
In regards to claim 13, the combination of Wang and Papaxenopoulos further in view of Cooper teaches the apparatus of claim 9, wherein the security rules are altered in a virtual machine associated with the first application (Cooper, Para. 0063, policy module 374 can use VMM security policies database 376 to update VM security policies database 386 with security policies for guest VMs 330).  Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filling date of the claimed invention to have modified Wang in view of Papaxenopoulos to incorporate the teaching of Cooper to include wherein the security rules are altered in a virtual machine associated with the first application (Cooper, Para. 0063). Doing so would aid to provide security in a virtual cloud infrastructure. More specifically, virtual security system 160 of communication system 100 includes a distribution layer at a front-end, network stream level, that routes packets of network traffic to back-end security processes (Cooper, Para.00034).
In regards to claim 14, the combination of Wang and Papaxenopoulos further in view of Cooper teaches the apparatus of claim 9, wherein the security rules are altered in a firewall located between the first application and a second application (Cooper, 0073, VSA 440-1 may forward the packet to VSA 440-3 using the same source route mechanism 495. VSA 440-3 is a firewall that applies firewall policy to the packet). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filling date of the claimed invention to have modified Wang in view of Papaxenopoulos to incorporate the teaching of Cooper to include wherein the security rules are altered in a firewall located between the first application and a second application (Cooper, 0073). Doing so would aid to any number and type of VSAs could be configured in a virtual server to provide various security inspections on network traffic from virtual machines (Cooper, Para.0097).


In regards to claim 19, the combination of Wang and Papaxenopoulos further in view of Cooper teaches the computer readable storage medium of claim 17, wherein the log of data traffic comprises type of data traffic during a period that flows to the first application from a second application (Cooper, Fig. 0013 and Para. 0127, A packet of a network flow is sent at 1301 to guest VM 1330-2, but is intercepted by intercept code module 1390 in vSwitch 1322). Wang, Papaxenopoulos, and Cooper are all considered to be analogous to the claimed invention because they are in the same field of analyzing the log of data traffic of an application in the cloud network. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filling date of the claimed invention to have modified Wang in view of Papaxenopoulos to incorporate the teaching of Cooper to include wherein the log of data traffic comprises type of data traffic during a period that flows to the first application from a second application (Cooper, Fig. 0013 and Para. 0127). Doing so would aid to enable customers to buy only the resources it uses or wants, and can provide flexibility and speed in responding to changes in a customer's network resource requirements. Virtual machines, however, are likely to become more popular targets for .

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure. Becker et al. (US 2015/0128279 A1) teaches to determine whether the application qualifies for security testing based on at least the calculated total exposure score; and initiating the presentation of the qualified application to the user to implement security testing.       
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GITA FARAMARZI whose telephone number is (571) 272-0248. The examiner can normally be reached 9:30 AM- 6:30 PM EST.                                                                                                                                                                        Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 
/G.F./                                                                                                                                                 Examiner, Art Unit 4132
/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496