DETAILED ACTION

Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The present office action is responsive to communications received on 3/7/2022. Claims 1-7, 10-16 and 19-20 are pending.

Response to Arguments
Applicant's arguments, filed 3/7/2022, together with the examiner's amendment, have been fully considered and are persuasive. All previous rejections have been withdrawn.

Examiner's Amendment
An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner's amendment was given by Mr. Sun on 4/13/2022. The examiner's amendment (amendment to claims 1, 10 and 19; cancellation of claims 7 and 16) is based on the claims submitted 3/7/2022. The rest of the claims remain the same.

In the Claims:

1. (Currently amended) A method, comprising:
performing, by a processor configured to implement a virtual security appliance: 
adding or deleting one or more alert modules to or from a set of alert modules according to a predetermined schedule or as decided by a machine learning system, wherein individual ones of the alert modules in the set are configured to analyze different subsets of attribute data about connections accepted by the virtual security appliance for one or more anomalies, wherein the one or more anomalies includes:
an IP port of a particular connection, 
a TCP flag of the particular connection, 
a handshake of the particular connection, 
a timing of the particular connection, 
a duration of the particular connection, or 
a termination of the particular connection;
accepting a request for a connection to the virtual security appliance;
collecting attribute data about the connection, wherein the attribute data includes date of the connection, a number of bytes associated with the connection, source IP address, or content of data sent through the connection; 
filtering the collected attribute data to discard non-anomalous attribute data about the connection;
applying the set of alert modules to at least some of the attribute data about the connection to identify an incident; and
automatically generating an alert reporting the identified incident.

2. (Previously presented) The method of claim 1, wherein identifying the incident comprises identifying at least one anomalous connection attribute in the attribute data.

3. (Original) The method of claim 1, further comprising supplying the alert to a user using a user interface.

4. (Original) The method of claim 1, wherein the alert concerning the identified incident includes the time at which the incident occurred.

5. (Original) The method of claim 1, wherein the alert module is automatically applied at fixed time intervals. 

6. (Previously presented) The method of claim 1, further comprising formatting, using the processor, the attribute data into at least one of a plot, a table, or a chart.

7. (Canceled) 

8. (Canceled)

9. (Canceled)

10. (Currently amended) An alert system, comprising: 
a memory;
at least one processor coupled to the memory, wherein the processor is configured to execute instructions stored on the memory to implement a virtual security appliance and cause the virtual security appliance to:
add or delete one or more alert modules to or from a set of alert modules according to a predetermined schedule or as decided by a machine learning system, wherein individual ones of the alert modules in the set are configured to analyze different subsets of attribute data about connections accepted by the virtual security appliance for one or more anomalies, wherein the one or more anomalies includes:
an IP port of a particular connection, 
a TCP flag of the particular connection, 
a handshake of the particular connection, 
a timing of the particular connection, 
a duration of the particular connection, or 
a termination of the particular connection;
accept a request for a connection to the virtual security appliance;
collect attribute data about the connection, wherein the attribute data includes date of the connection, a number of bytes associated with the connection, source IP address, or content of data sent through the connection;
filter the collected attribute data to discard non-anomalous attribute data about the connection;
apply at least one alert module in the set to at least some of the attribute data about the connection to identify an incident; and
automatically generate an alert reporting the identified incident.

11. (Previously presented) The system of claim 10, wherein the virtual security appliance is further configured to identify at least one anomalous connection attribute in the attribute data.

12. (Previously presented) The system of claim 10, wherein the virtual security appliance is further configured to supply the alert to a user using a user interface.

13. (Original) The system of claim 10, wherein the alert concerning the identified incident includes the time at which the incident occurred.

14. (Previously presented) The system of claim 10, wherein the virtual security appliance is configured to apply the alert module at fixed time intervals.

15. (Previously presented) The system of claim 10, wherein the virtual security appliance is further configured to format the collected attribute data into at least one of a plot, a table, or a chart.

16. (Canceled) 

17. (Canceled)

18. (Canceled)

19. (Currently amended) A non-transitory computer-readable storage medium storing program code that when executed on a processor causes the processor to implement a virtual security appliance and to: 
add or delete one or more alert modules to or from a set of alert modules according to a predetermined schedule or as decided by a machine learning system, wherein individual ones of the alert modules in the set are configured to analyze different subsets of attribute data about connections accepted by the virtual security appliance for one or more anomalies, wherein the one or more anomalies includes:
an IP port of a particular connection, 
a TCP flag of the particular connection, 
a handshake of the particular connection, 
a timing of the particular connection, 
a duration of the particular connection, or 
a termination of the particular connection;
accept a request for a connection to the virtual security appliance;
collect attribute data about the connection, wherein the attribute data includes date of the connection, a number of bytes associated with the connection, source IP address, or content of data sent through the connection;
filter the collected attribute data to discard non-anomalous attribute data about the connection;
apply at least one alert module in the set to a subset of the attribute data about the connection to identify an incident; and
automatically generate an alert reporting the identified incident.

20. (Previously presented) The non-transitory computer-readable storage medium of claim 19, wherein the program code when executed on the processor causes the processor to supply the alert to a user using a user interface.
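As an added illustration, not code from the application or the applicant, one reading of the pipeline recited in claims 1, 10 and 19 in Python: a set of alert modules that can be added or deleted, each analyzing a different subset of connection attribute data (IP port, TCP flags, termination), with non-anomalous attribute data filtered out before an alert carrying the incident time is generated. The policy thresholds, module names and the sample connection are constructed assumptions; the scheduling or machine-learning decision that drives add/delete is left to the caller.

```python
# Constructed illustration of the claimed alert-module pipeline; not the applicant's code.

from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

AlertModule = Callable[[dict], Set[str]]   # returns names of anomalous attributes

def port_module(conn):
    # Hypothetical policy: only 80/443 are expected on this appliance.
    return {"port"} if conn.get("port") not in (80, 443) else set()

def tcp_flag_module(conn):
    # SYN and FIN set together is not a legitimate client flag combination.
    return {"tcp_flags"} if {"SYN", "FIN"} <= set(conn.get("tcp_flags", [])) else set()

def termination_module(conn):
    # Hypothetical policy: an abortive close (RST) is treated as anomalous.
    return {"termination"} if conn.get("termination") == "RST" else set()

@dataclass
class VirtualSecurityAppliance:
    modules: Dict[str, AlertModule] = field(default_factory=dict)

    def add_module(self, name, module):
        self.modules[name] = module      # add to the set of alert modules

    def delete_module(self, name):
        self.modules.pop(name, None)     # delete from the set of alert modules

    def analyze(self, conn) -> Optional[dict]:
        """Apply every module, keep only anomalous attribute data, emit an alert."""
        anomalous = set()
        for module in self.modules.values():
            anomalous |= module(conn)
        if not anomalous:
            return None                  # no incident identified, so no alert
        evidence = {k: v for k, v in conn.items() if k in anomalous}  # filter step
        return {"time": conn["date"], "source_ip": conn["src_ip"],
                "incident": sorted(anomalous), "evidence": evidence}

# Constructed sample connection (RFC 5737 documentation address).
SAMPLE_CONN = {"date": "2022-03-07T10:00:00Z", "src_ip": "203.0.113.7", "port": 8080,
               "tcp_flags": ["SYN", "FIN"], "bytes": 1200, "duration_s": 12, "termination": "FIN"}

def build_appliance():
    vsa = VirtualSecurityAppliance()
    for name, mod in [("port", port_module), ("flags", tcp_flag_module), ("term", termination_module)]:
        vsa.add_module(name, mod)
    return vsa
```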

Allowable Subject Matter
Claims 1-6, 10-15 and 19-20 are allowed.
The following is a statement of reasons for the indication of allowable subject matter:
In interpreting the currently amended claims, in light of the specification, the Examiner finds the claimed invention to be patentably distinct from the prior art of record.

Demopoulos (US 20050193429 A1) teaches a plurality of monitoring modules, each independently performing one or more different monitoring and security functions, and a new rule being added to the set of rules used by the monitoring module.

Seigel (US 20170031741 A1) teaches managing alert profiles. The alert profile may be deactivated (or deleted) when the alert profile is no longer relevant. The alert profile may be created by a human or created by a classifier (e.g., trained using machine learning) performing an analysis of gathered event logs in an enterprise or other large computing system. An alert profile may thus be temporary and may expire after a predetermined amount of time, or a classifier (e.g., trained using machine learning) may be used to determine when the alert profile is no longer relevant. For example, alert profiles may be automatically created based on anomalous event logs and set to expire after a predetermined period of time that is determined based on an analysis of previous incidents or based on a set of predefined options.

Martin (US 20180004948 A1) teaches discarding various signals from the set in order to find a best match with a particular cyber-attack pattern in the attack database, thereby confirming a relationship between a subset of these signals and a possible cyber-attack and refuting a relationship between this subset of signals and other signals in the set. In summary, Martin discloses discarding irrelevant signals and keeping pertinent signals to find a particular cyber-attack pattern.

The prior art of record fails to teach or suggest, individually or in combination, each and every limitation of the claimed invention as a whole. For example, Demopoulos, Seigel and Martin in combination do not disclose "wherein the one or more anomalies includes: an IP port of a particular connection, a TCP flag of the particular connection, a handshake of the particular connection, a timing of the particular connection, a duration of the particular connection, or a termination of the particular connection", within the context of the claimed invention as a whole, as recited in claims 1, 10 and 19.
Thus, the Examiner finds that the prior art does not provide sufficient teaching or motivation for anticipating or rendering obvious the claimed invention as a whole without the use of impermissible hindsight reasoning.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAN YANG whose telephone number is (408)918-7638. The examiner can normally be reached on Monday to Friday, 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Carl Colin can be reached on (571) 272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/H.Y./Examiner, Art Unit 2493

/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493