DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to the RCE filed on 03/16/2022. 
Claims 31-60 are currently pending in this application. Claims 31-37, 39-48, 50-57, 59 and 60 have been amended.
No new IDS has been filed.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 03/16/2022 has been entered.

Allowable Subject Matter
Claim 35 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims, and amended to overcome the 112(a) and/or 112(b) rejections stated below.


Response to Arguments
The previous 112(a) rejections of claims 33, 46 and 55, and the previous 112(b) rejections of claims 31-60, have been withdrawn in response to the applicant’s amendments/remarks. However, the current amendments cause the claims to be rejected under 112(a) and 112(b) – see the 112 rejections section below for detail.

Thus, the applicant’s arguments are not persuasive. Please see amended rejections below for amended claims.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a)  IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claims 31-60 are rejected under 35 U.S.C. 112(a) as failing to comply with the written description requirements (new matter issue).

Claims 31-37, 39-48, 50-57, 59 and 60 have been amended. The claims contain subject matter, for example, “… classifying, based on the first set of network metrics, the first network connection as corresponding to a first network connection profile … specifies a first plurality of network metric …” – see claims 31, 44 and 53; “…the first network connection profile specifies at least two different types of metrics … (or … specifies a symmetry metric …, specifies a responsiveness metric …, specifies an efficiency metric …, etc.)” – see claims 32-37, 45-48, 53-57, which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, at the time the application was filed, had possession of the claimed invention. Note: the current application is a continuation of the parent application 15/418464 and the new matter issue is analyzed based on the disclosure filed on 01/27/2017.
The specification describes:
“the security monitoring program 1230 may receive and analyze second network traffic data representing subsequent or additional network traffic exchanged over the connection … the security monitoring program 123 identifies second network traffic metrics from the accessed second network data to indicate parameters and/or metrics for the network traffic ...” – see paras. [0188] – [0189]; 
“… the security monitoring program 1230 may identify a network traffic metric representing an efficiency of network connection from the received network traffic data … the efficiency or average packet size metric may indicate the overall efficiency of the network connection … in such connections having a low efficiency where the write buffer is filled slowly … an example of a connection of high/low efficiency could/may be a connection … the monitoring program 1230 may identify a network traffic metric representing a responsiveness of the computing devices … the responsiveness or number of packets transmitted per second metric may indicate … during each interaction, a gap may exist in between successive responses … a low value of the number of packets exchanged per second may also indicate a patient or persistent connection … ” – see paras. [0199] – [0207]; and
“… the security monitoring program 1230 may store the identified network traffic metrics associated with the connection in order to compare new or additional metrics … such storing of metrics associated with the connection may be applicable to monitoring by the real-time analyzer 1231 to monitor network traffic data in real-time to detect …” – see paras. [0244] – [0245].
However, these paragraphs do not describe the claimed/amended limitations, “… classifying, based on the first set of network metrics, the first network connection as corresponding to a first network connection profile … specifies a first plurality of network metric …”; “…the first network connection profile specifies at least two different types of metrics … (or … specifies a symmetry metric …, specifies a responsiveness metric …, specifies an efficiency metric …, etc.)…”.
Claims 32-43, 45-52 and 54-60 depend from claim 31, 44 or 53, and are analyzed and rejected accordingly.

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claims 31-60 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.

Claims 31, 44 and 53 recite “… identifying a first set of network metrics … based on the network traffic data … classifying, based on the first set of network metrics, the first network connection profile specifies a first plurality of network metrics … wherein the first set of network metrics corresponds to the first plurality of network metrics …”, however, it is not clear whether “the first plurality of network metrics” is the same as “the first set of network metrics” or not because they both are corresponding metrics (or it is not clear how to define a metric of the corresponding metric).

Claims 32-43, 45-52 and 54-60 depend from the claim 31, 44 or 53, and are analyzed and rejected accordingly.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 31-34 and 36-60 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Merza et al. (US 2013/0326620 A1).

As per claim 31, Merza teaches a computer-implemented method [see fig. 1 and par. 0008], comprising:
analyzing network traffic data for a first network connection associated with a computing device [fig. 1; par. 0041, lines 1-9 of Merza teaches analyzing network traffic data (e.g., the data collected by the security monitoring system 150 or HTTP events information) for a first network connection associated with a computing device (e.g., the user device 110 or 120)];
identifying a first set of network metrics for the first network connection based on the network traffic data [par. 0041, lines 5-16 of Merza teaches identifying a first set of network metrics (e.g., the metric values of the events of the collected data) for the first network connection based on the network traffic data (e.g., the data collected by the security monitoring system 150)];
classifying, based on the first set of network metrics, the first network connection as corresponding to a first network connection profile included in a plurality of network connection profiles, wherein the first network connection profile specifies a first plurality of network metrics that characterize a network connection corresponding to the first network connection profile, and wherein the first set of network metrics corresponds to the first plurality of network metrics [fig. 2; par. 0048, lines 1-11; par. 0068, lines 1-28; par. 0133, lines 1-16 of Merza teaches classifying (e.g., categorizing), based on the first set of network metrics (e.g., the metric values of the events of the collected data), the first network connection as corresponding to a first network connection profile (e.g., the category defining the pattern) included in a plurality of network connection profiles (e.g., the access patterns or behavioral patterns of the network categories), wherein the first network connection profile specifies a first plurality of network metrics that characterize a network connection corresponding to the first network connection profile, and wherein the first set of network metrics (e.g., the metrics values related to a user agent string, a URL, a traffic size, etc.) corresponds to the first plurality of network metrics];
detecting a potential security threat for the first network connection based on the first network connection profile [par. 0049, lines 1-10; par. 0096, lines 1-14; par. 0116, lines 1-22 of Merza teaches detecting a potential security threat for the first network connection based on the first network connection profile (e.g., the category defining the pattern)]; and
initiating a mitigation action with respect to the first network connection in response to detecting the potential security threat [par. 0062, lines 1-20; par. 0063, lines 1-7; par. 0111, lines 1-18 of Merza teaches initiating a mitigation action (e.g., triggering an alert, blocking an action, enhance/mitigate a level of detail of the security threat, etc.) with respect to the first network connection in response to detecting the potential security threat].

As per claim 32, Merza teaches the computer-implemented method of claim 31.
Merza further teaches wherein the first network connection profile specifies at least two different types of metrics, wherein the types of metrics include a symmetry metric, a responsiveness metric, and an efficiency metric [par. 0047, lines 1-13; par. 0048, lines 1-16; par. 0068, lines 1-28; par. 0125, lines 1-6; par. 0128, lines 1-3 of Merza teaches wherein the first network connection profile specifies at least two different types of metrics, wherein the types of metrics include a symmetry metric (e.g., a high count or frequency of requests, etc.), a responsiveness metric (e.g., time between receipt and query time), and an efficiency metric (e.g., misspellings, profanity or old version identifiers, etc.)].

As per claim 33, Merza teaches the computer-implemented method of claim 31. 
Merza further teaches wherein the first network connection profile specifies a symmetry metric, wherein the symmetry metric is based on a number of bytes transmitted in one direction via the network connection and a number of bytes transmitted in an opposite direction via the network connection during a particular time duration [fig. 18A; par. 0048, lines 1-16; par. 0068, lines 1-28; par. 0128, lines 1-19; par. 0131, lines 1-13 of Merza teaches the first network connection profile specifies a symmetry metric, wherein the symmetry metric is based on a number of bytes transmitted (e.g., determining a length or number of bytes of the extracted value or the traffic size) in one direction via the network connection (e.g., the query or GET request) and a number of bytes transmitted (e.g., determining a length or number of bytes of the extracted value) in an opposite direction via the network connection (e.g., receipt or POST request) during a particular time duration (e.g., time between receipt and a query time or occurring within a particular time period)].

As per claim 34, Merza teaches the computer-implemented method of claim 31. 
Merza further teaches wherein the first network connection profile specifies a responsiveness metric, wherein the responsiveness metric represents a responsiveness of one or more computing devices exchanging data via the network connection [fig. 1; par. 0005, lines 1-19; par. 0068, lines 1-28 of Merza teaches wherein the first network connection profile specifies a responsiveness metric (e.g., the time between a receipt and a query), wherein the responsiveness metric represents a responsiveness of one or more computing devices exchanging data via the network connection (see the network connection of fig. 1)].

As per claim 36, Merza teaches the computer-implemented method of claim 31. 
Merza further teaches wherein the first network connection profile specifies an efficiency metric, wherein the efficiency metric represents an efficiency of the network connection [par. 0127, lines 1-17 of Merza teaches the first network connection profile specifies an efficiency metric (e.g., the metric value matching suspicious strings), wherein the efficiency metric represents an efficiency (e.g., profanity, old version or misspellings) of the network connection – see also rejections to the claim 31].

As per claim 37, Merza teaches the computer-implemented method of claim 31. 
Merza further teaches wherein the first network connection profile specifies an efficiency metric, wherein the efficiency metric indicates an average size of a plurality of packets exchanged via the network connection [par. 0076, lines 1-10; par. 0128, lines 1-19 of Merza teaches the first network connection profile specifies an efficiency metric, wherein the efficiency metric indicates an average (e.g., the determining average) size of a plurality of packets exchanged (e.g., the output of the traffic-sensitive events of the packet analyzer) via the network connection].

As per claim 38, Merza teaches the computer-implemented method of claim 31. 
Merza further teaches wherein: a second network connection profile included in the plurality of network connection profiles specifies a second plurality of network metrics that is different from the first plurality of network metrics specified by the first network connection profile [par. 0058, lines 1-15; par. 0139, lines 1-14 of Merza teaches a second network connection profile (e.g., a second category defining the pattern of the traffic events or timestamp) included in the plurality of network connection profiles (e.g., the access patterns or behavioral patterns of the network categories) specifies a second plurality of network metrics that is different from the first plurality of network metrics specified by the first network connection profile (e.g., the category defining the pattern) – see also rejections to the claim 31].

As per claim 39, Merza teaches the computer-implemented method of claim 38. 
Merza further teaches wherein: the first plurality of network metrics specifies at least a first network metric and a second network metric; the second plurality of network metrics specifies at least a third network metric and a fourth network metric, wherein the first network metric, second network metric, third network metric, and fourth network metric comprise different network metrics [figs. 18A, 20; par. 0133, lines 1-16; par. 0137, lines 1-12 of Merza teaches the first plurality of network metrics specifies at least a first network metric and a second network metric; the second plurality of network metrics specifies at least a third network metric and a fourth network metric, wherein the first network metric, second network metric, third network metric, and fourth network metric comprise different network metrics (e.g., the category metrics)].

As per claim 40, Merza teaches the computer-implemented method of claim 38. 
Merza further teaches wherein: the first plurality of network metrics specifies a first network metric, at least one of a first threshold or a first range for the first network metric, a second network metric, and at least one of a second threshold or a second range for the second network metric; and the second plurality of network metrics specifies a third network metric, at least one of a third threshold or a third range for the third network metric, a fourth network metric, and at least one of a fourth threshold or a fourth range for the fourth network metric, wherein the first network metric is different from the third network metric and the fourth network metric [figs. 1, 19B; par. 0061, lines 1-12; par. 0112, lines 1-7; par. 0136, lines 1-12; par. 140, lines 1-19 of Merza teaches the first plurality of network metrics specifies a first network metric, at least one of a first threshold or a first range for the first network metric, a second network metric, and at least one of a second threshold or a second range for the second network metric; and the second plurality of network metrics specifies a third network metric, at least one of a third threshold or a third range for the third network metric, a fourth network metric, and at least one of a fourth threshold or a fourth range for the fourth network metric, wherein the first network metric is different from the third network metric and the fourth network metric (e.g., the range of the values in the set of metrics and the lower and/or upper threshold set for each category)].

As per claim 41, Merza teaches the computer-implemented method of claim 31. 
Merza further teaches wherein the plurality of network connection profiles are predetermined prior to analyzing the network traffic data [par. 0066, lines 1-17 of Merza teaches the plurality of network connection profiles (e.g., the access patterns/structures or behavioral patterns of the network categories) are predetermined (e.g., predefined and/or identified) prior to analyzing the network traffic data].

As per claim 42, Merza teaches the computer-implemented method of claim 31. 
Merza further teaches wherein detecting the potential security threat comprises determining, after the first set of network metrics is identified based on the network traffic data, that each network metric included in the first set of network metrics has subsequently deviated from each corresponding network metric included in the first plurality of network metrics specified by the first network connection profile [par. 0082, lines 1-17; par. 0096, lines 1-17; par. 0138, lines 1-9 of Merza teaches detecting the potential security threat comprises determining, after the first set of network metrics is identified based on the network traffic data, that each network metric included in the first set of network metrics has subsequently deviated (e.g., deviation or modifying the first object or metric value) from each corresponding network metric included in the first plurality of network metrics specified by the first network connection profile].

As per claim 43, Merza teaches the computer-implemented method of claim 31. 
Merza further teaches wherein detecting the potential security threat comprises determining, after the first set of network metrics is identified based on the network traffic data, that at least one network metric included in the first set of network metrics has subsequently deviated from at least one corresponding network metric specified in the first plurality of network metrics by a predetermined threshold amount [par. 0056, lines 1-18; par. 0057, lines 1-6; par. 0082, lines 1-17; par. 0096, lines 1-17; par. 0138, lines 1-9 of Merza teaches wherein detecting the potential security threat comprises determining, after the first set of network metrics is identified based on the network traffic data, that at least one network metric included in the first set of network metrics has subsequently deviated from at least one corresponding network metric specified in the first plurality of network metrics by a predetermined threshold amount (e.g., the threshold selected by a client)].

Claims 44-52 are non-transitory computer-readable storage medium claims that correspond to the method claims (or the combination of the method claims) 31-34, 36, 38, 39 and 41-43, and are analyzed and rejected accordingly – see par. 0009 for the processing components.
Claims 53-60 are device claims that correspond to the method claims 31-34, 36, 38, 39 and 41, and are analyzed and rejected accordingly – see par. 0009 for the processing components.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAUNG T LWIN whose telephone number is (571)270-7845.  The examiner can normally be reached on Monday - Friday 10:00 am - 6:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/MAUNG T LWIN/Primary Examiner, Art Unit 2495