DETAILED ACTION
Applicant’s amendment and arguments filed February 9, 2022 is acknowledged.
Claims 1, 2, 9, and 17 have been amended.
Claims 1-20 are currently pending.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-7, 9-15, and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Di Pietro et al. (hereinafter Di Pietro) (U.S. Patent Application Publication # 2016/0028762 A1) in view of Karasaridis et al. (hereinafter Karasaridis) (U.S. Patent Application Publication # 2020/0195669 A1), and further in view of Bingham et al. (hereinafter Bingham) (U.S. Patent Application Publication # 2017/0339029 A1).
Regarding claims 1, 9, and 17, Di Pietro teaches and discloses a network monitoring system and method of monitoring a protected network, the method comprising: in a scoring phase: 
receiving a learned model having learning requests of learning network traffic, wherein the learning network traffic is network traffic observed during non-strain operation of the protected network, wherein the learning requests are requests for a network service sent to or from the protected system ([0040]; [0042]; “…observe traffic behavior and…determine that a sharp increase in request traffic is indicative of an attack (e.g., the observed behavior may be labeled as an attack by the device's machine learning process)…”; [0051]; “…a learning machine (LM) can be used to continuously build and train a LM-based model of normal (or “expected”) traffic, which allows for computing an anomaly score for each flow (i.e., a measure of how “far” that flow is to expected traffic behavior)…”; [0072]; [0074]; teaches a machine learning model receiving information on normal network traffic in a computer network and detects request traffic); 
receiving a score request to score a network service request of the network traffic, wherein the network service request is associated with a network service provided to or from the protected network and the score request includes fields of the network service request ([0034]; [0040]; “…perform functions that include allowing an anomaly score to be calculated for data flows based on a degree of divergence from the generated expected traffic model…”; [0042]; “…observe traffic behavior and…determine that a sharp increase in request traffic is indicative of an attack (e.g., the observed behavior may be labeled as an attack by the device's machine learning process)…”;[0057]; [0073]; [0079]; teaches a score request related to classification/field associated with the network traffic, such as request traffic); and 
calculating a score ([0040]; [0073]; [0079]; teaches calculating an anomaly score); and adjusting supportive handling of the network service request based on the score ([0093]; [0097]; teaches adjusting the handling of network traffic based on the score). 
However, Di Pietro may not expressly disclose multiple clusters of learning requests of learning network traffic, wherein the learning requests are requests for a network service sent to or from the protected system; classifying the network service request with one of the multiple clusters by comparing the fields of the network service request to fields used for clustering the learning requests with the cluster, wherein the network service request is classified regardless of whether the network service request is potentially associated with a cause of strain on the protected network (although Di Pietro does suggest clustering technique in order to detect a potential network attack and classifying network traffic; [0034]; [0038]).
Nonetheless, in the same field of endeavor, Karasaridis teaches and suggests multiple clusters of learning requests of learning network traffic, wherein the learning requests are requests for a network service sent to or from the protected system; classifying the network service request with one of the multiple clusters by comparing the fields of the network service request to fields used for clustering the learning requests with the cluster, wherein the network service request is classified regardless of whether the network service request is potentially associated with a cause of strain on the protected network ([0016]; [0020]; [0021]; [0023]; [0060]; teaches clustering  multiple clusters of network traffic, such as request traffic, and classifying the traffic with multiple clusters and classifying regardless of potential strain on the network).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate clustering  multiple clusters of network traffic, such as request traffic, and classifying the traffic with multiple clusters and classifying regardless of potential strain on the network as taught by Karasaridis with the method and apparatus as disclosed by Di Pietro for the purpose of monitoring and classifying network traffic in order to determine malicious traffic.
However, Di Pietro, as modified by Karasaridis, may not expressly disclose each cluster having an associated characteristic learning response time based on learning response times determined for learning requests and corresponding learning responses of the learning network traffic; calculating a score based on the characteristic learning response times generated for the learned cluster to which the network service request is classified (although Di Pietro does suggest clustering technique in order to detect a potential network attack and calculating an anomaly score; [0038]).
Nonetheless, in the same field of endeavor, Bingham teaches and suggests wherein the learning requests are requests for a network service sent to or from the protected system ([0223]; “…monitor for a service and which heterogeneous machine data to use for a particular KPI…one or more KPIs can be created for a service…a user may wish that the request response time be monitored as the average response time over a period of time…”), each cluster having an associated characteristic learning response time based on learning response times determined for learning requests and corresponding learning responses of the learning network traffic ([0234]; “…The service 102 can be monitored using one or more KPIs 106 for the service…KPI 106C may be a measurement of request response time for the service 102…”; [0533]; [0580]); calculating a score based on the characteristic learning response times generated for the learned cluster to which the network service request is classified ([0260]; “…calculate an aggregate KPI score 480 for the service for continuous monitoring of the service…”; [0580]; teaches grouping is associated with request response time and calculating a KPI score based on the KPI metric such as the request response time).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate grouping is associated with request response time and calculating a KPI score based on the KPI metric such as the request response time as taught by Bingham with the method and apparatus as disclosed by Di Pietro, as modified by Karasaridis, for the purpose of monitoring key performance indicators of a service.

Regarding claims 2, 10, and 18, Di Pietro, as modified by Karasaridis and Bingham, discloses the claimed invention, but may not expressly disclose associating one of the learning responses or lack of learning response to each corresponding learning request of the clusters; determining the learning response time for the respective learning responses; and determining the characteristic learning response time per cluster based on the learning response times of the learning responses that correspond to the learning requests associated with the cluster. 
Nonetheless, Bingham further teaches and suggests associating one of the learning responses or lack of learning response to each corresponding learning request of the clusters; determining the learning response time for the respective learning responses; and determining the characteristic learning response time per cluster based on the learning response times of the learning responses that correspond to the learning requests associated with the cluster ([0234]; “…The service 102 can be monitored using one or more KPIs 106 for the service…KPI 106C may be a measurement of request response time for the service 102…”; [0533]; [0580]).

Regarding claims 3 and 11, Di Pietro, as modified by Karasaridis and Bingham, further teaches and suggests normalizing selected fields of each learning request before clustering the learning requests using the normalized selected fields; and normalizing the fields of the network service request before classifying the network service request ([0034]; [0037]; [0048]; [0051]; teaches determining normal traffic conditions before classification of the traffic). 

Regarding claims 4 and 12, Di Pietro, as modified by Karasaridis and Bingham, further teaches and suggests normalizing selected fields of each learning responses before clustering the learning requests using the normalized selected fields ([0034]; [0037]; [0048]; [0051]; teaches determining normal traffic conditions before classification of the traffic). 

Regarding claims 5 and 13, Di Pietro, as modified by Karasaridis and Bingham, discloses the claimed invention, but may not expressly disclose determining a maximum return time, wherein the selected fields of the learning requests and requests are normalized using the maximum return time. 
Nonetheless, Bingham further teaches and suggest determining a maximum return time, wherein the selected fields of the learning requests and requests are normalized using the maximum return time ([0234]; “…The service 102 can be monitored using one or more KPIs 106 for the service…KPI 106C may be a measurement of request response time for the service 102…”; [0533]; [0881]).

Regarding claims 6 and 14, Di Pietro, as modified by Karasaridis and Bingham, discloses wherein calculating the score includes determining a score that represents a percentile for a statistical value that is closest to the fields of the network service request ([0034]; [0051]; [0073]; [0089]), but may not expressly disclose wherein the characteristic return time is based on a statistical function determined using the response times associated with the cluster, the method further comprising: in the learning phase: generating a learned histogram per cluster that represents behavior of the cluster with regard to learning response times over time; and determining a percentile for at least one statistical value in each histogram.
Nonetheless, Bingham further teaches and suggest wherein the characteristic return time is based on a statistical function determined using the response times associated with the cluster, the method further comprising: in the learning phase: generating a learned histogram per cluster that represents behavior of the cluster with regard to learning response times over time; and determining a percentile for at least one statistical value in each histogram ([0234]; “…The service 102 can be monitored using one or more KPIs 106 for the service…KPI 106C may be a measurement of request response time for the service 102…”; [0533]; [0538]).

Regarding claims 7, 15, and 19, Di Pietro, as modified by Karasaridis and Bingham, further teaches and suggests wherein the supportive handling includes dropping or redirecting network service requests, and adjusting the supportive handling includes deciding whether to drop or redirect the network service request based on the score ([0046]; teaches redirecting traffic). 



Claims 8, 16, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Di Pietro et al. (hereinafter Di Pietro) (U.S. Patent Application Publication # 2016/0028762 A1) in view of Karasaridis et al. (hereinafter Karasaridis) (U.S. Patent Application Publication # 2020/0195669 A1) and Bingham et al. (hereinafter Bingham) (U.S. Patent Application Publication # 2017/0339029 A1), and further in view of Yadav et al. (hereinafter Yadav) (U.S. Patent Application Publication # 2020/0313986 A1).
Regarding claims 8, 16, and 20, Di Pietro, as modified by Karasaridis and Bingham, discloses the claimed invention, but may not expressly disclose wherein the supportive handling includes applying policy or charges, and adjusting the supportive handling includes selecting application of policy or charges based on the score. 
Nonetheless, in the same field of endeavor, Yadav teaches and suggests wherein the supportive handling includes applying policy or charges, and adjusting the supportive handling includes selecting application of policy or charges based on the score ([0031]; “…Analytics module 110 can use the reputation score of a component to selectively enforce policies…”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to incorporate enforcing policy based on the determined score as taught by Yadav with the method and apparatus as disclosed by Di Pietro, as modified by Karasaridis and Bingham, for the purpose of determining anomalies in a network and enforcing network policy, as suggested by Yadav.


Response to Arguments
Applicant's arguments with respect to claims 1-20 have been considered but are moot in view of the new ground(s) of rejection as necessitated by Applicant’s amendment. 

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Any response to this Office Action should be faxed to (571) 273-8300 or mailed to:
Commissioner for Patents
P.O. Box 1450
Alexandria, VA 22313-1450
Hand-delivered responses should be brought to 
Customer Service Window
Randolph Building
401 Dulany Street
Alexandria, VA 22314
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUK JIN KANG whose telephone number is (571)270-1771.  The examiner can normally be reached on Monday-Friday 8am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Gregory Sefcheck can be reached on (571) 272-3098.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
Any inquiry of a general nature or relating to the status of this application or proceeding should be directed to the receptionist/customer service whose telephone number is (571) 272-2600.

/Suk Jin Kang/
Examiner, Art Unit 2477
May 4, 2022


                                                                                                                                                                                            /GREGORY B SEFCHECK/Primary Examiner, Art Unit 2477