DETAILED ACTION
This action is in response to the Pre-Appeal conference request filed on 10/27/2021 in which.
In view of the Pre-Appeal conference request filed on 10/27/2021, the finality of the previous action is withdrawn, and new grounds of rejection are set forth below. This action is made NONFINAL.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 08/13/2021, 10/18/2021 and 01/21/2022 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Claim Objections
Claims 1, 10, 11 and 20 are objected to because of the following informalities:
In claims 1 and 11, line 11, “associating each of the plurality of network addresses with a set of traffic patterns” should be “associating each of the plurality of network addresses with the set of traffic patterns.” The element “a set of traffic patterns” is first seen in line 9 in claim 1.
In claims 1 and 11, line 16, “security policies” should be “the security policies.” The element “security policies” is first seen in line 1 in claim 1.
In claims 10 and 20, line 1, “groupings of network addresses” should be “the groupings of network addresses.” The element “groupings of network addresses” is first seen in line 14 of claim 1.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


Claims 1, 4-5, 11 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Hamou (US 20170374106 A1) in view of Lee (US 20160219068 A1).

In regards to claims 1 and 11, Hamou teaches: A method of specifying security policies for applications executing on computers in a datacenter comprising a network and associated with network addresses, the method comprising: (Hamou, [0053] "Referring now to 360 in FIG. 3, security policies are determined for the detected micro-segments based on application implementation information associated with each micro-segment...In one example, based on the network flow information flow_sd=(IP_s, PN_s, IP_d, PN_d, Protocol), a firewall rule may be recommended to allow or deny packets from a source (s) to a destination (d) based on their past communication behavior."; IP_s and IP_d are network addresses.)
identifying flows associated with a plurality of network addresses, and (Hamou, [0038] "At 310 in FIG. 3, management entity 160 obtains network flow information ... in FIG. 1, N=8 and a particular network flow from a source virtual machine (s) to a destination virtual machine (d) may be denoted as flow_sd. In one example, flow_sd=(IP_s, PN_s, IP_d, PN_d, Protocol) may be a 5-tuple that includes source IP address IP_s, source port number PN_s, destination IP address IP_d, destination port number PN_d and the protocol (e.g., TCP) used.") statistics associated with the identified flows, said statistics including probabilistic values specifying a frequency for occurrence of the flow; (Hamou, [0041]-[0046] "At 320 in FIG. 3, a transition probability matrix is generated based on the network flow information... Value p_ij [statistics / probabilistic values / frequency] at the ith column and jth row (i,j=1, . . . , N) represents the probability that an ith source (e.g., “VM1” 131 when i=1) communicates with a jth destination (e.g., “VM4” 134 when j=4). The total probability of each column is one, i.e., $\sum_{j=1}^{N} p_{ij} = 1$. If the ith source does not communicate with a particular jth destination, corresponding p_ij may be set to zero...")
… defining security policies for a set of applications associated with a set of network addresses based on a set of groupings generated for the set of network addresses. (Hamou, [0008], [0047]-[0051], [0054]-[0066] Figs. 4-5 "FIG. 5 is a schematic diagram illustrating example security policies for micro-segments [groupings] that are detected in the virtualized computing environment in FIG. 1", "(a) 'MS1' 712 includes virtual machines 721-723... "; app1, app2, app3 are applications associated with a set of network addresses, MS1, MS2 and MS3 are examples of groupings)

Hamou does not teach, but Lee teaches: identifying a set of traffic patterns through the network based on the identified statistics associated with the plurality of flows; (Lee, Fig. 2, see 'substring frequency' in [0089]-[0098], 'signature extraction unit' and 'a discovery frequency' in [0116]-[0120], [0063] "At step 230, the generation unit 130 may generate the signature [traffic patterns] of a detection rule by applying latent Dirichlet allocation to the one or more network flows."; see [0009] signature is also viewed as signature pattern in the art, and the signature pattern is generated based on the frequency/statistics/probability of the flow, and further the LDA is a statistical model.)
associating each of the plurality of network addresses with a set of traffic patterns, each traffic pattern associated with a particular network address with a particular probability; (Lee, [0027] [0113] "The Dirichlet distribution may enable modeling of a probability [a particular probability] that, for the one or more network flows, each network flow will contain at least one certain topic."; [0023] "Generating the signature of the detection rule may include classifying the one or more network flows into clusters; extracting a substring that satisfies a predetermined condition from the one or more network flows... setting the extracted substring as the signature of the detection rule..."; [0145]-[0149]; each signature/pattern is associated with a network flow, which is associated with a particular network address (IP_s or IP_d), as taught by Hamou)
generating groupings of network addresses with similar distributions of traffic pattern probabilities for display in a user interface; and (Lee, [0013] [0147] "… for automatically identifying the signature of malicious traffic using the distribution information of keywords for respective clusters [groupings with similar distribution], with respect to network traffic classified by clustering."; [0136]-[0139] "the statistical data output unit 1010 may output statistical data for latent Dirichlet allocation... may output the set signature.", [0142] "The signature identification apparatus 100 may be implemented... may include ... a UI output device 1227 [displaying in a user interface]")
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the analysis of the network flow information of Hamou to include a signature identification apparatus using the LDA, as taught by Lee. Doing so would enable the system to automatically identify the signature of malicious traffic. (Lee, [0052] "FIG. 1 is a configuration diagram showing a signature identification apparatus for automatically identifying the signature of malicious traffic using latent Dirichlet allocation according to an embodiment.")

Claim 11 recites substantially the same limitation as claim 1; therefore the rejection applied to claim 1 also applies to claim 11. In addition, Hamou teaches: A non-transitory machine readable medium storing a program for execution by at least one processing unit, the program for generating groupings of network addresses, the program comprising sets of instructions for: (Hamou, [0081]-[0088] "Example computer system or computing device 900 may include processor 910, computer-readable storage medium 920, network interface…"; [0008], [0047]-[0051], [0054]-[0066] Figs. 4-5 "(a) 'MS1' 712 includes virtual machines 721-723... "; app1, app2, app3 are applications associated with a set of network addresses, MS1, MS2 and MS3 are examples of groupings)

In regards to claims 4 and 14, reference is made to the rejection of claims 1 and 11 respectively, and further, Lee teaches: wherein identifying the set of traffic pattern comprises using probabilistic topic modeling to identify the set of traffic patterns. (Lee, [0063] "At step 230, the generation unit 130 may generate the signature [traffic patterns] of a detection rule by applying latent Dirichlet allocation [probabilistic topic modeling] to the one or more network flows. "; also see [0027] [0113], see [0009] signature is also viewed as signature pattern in the art)
The rationale for combining the teachings of Hamou and Lee is the same as set forth in the rejection of claims 1 and 11 respectively.

In regards to claims 5 and 15, reference is made to the rejection of claims 4 and 14 respectively, and further, Lee teaches: wherein the probabilistic topic modeling is latent Dirichlet allocation (LDA). (Lee, [0063] "At step 230, the generation unit 130 may generate the signature of a detection rule by applying latent Dirichlet allocation [probabilistic topic modeling] to the one or more network flows. "; also see [0027] [0113])
The rationale for combining the teachings of Hamou and Lee is the same as set forth in the rejection of claims 4 and 14 respectively.

Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Hamou in view of Lee in further view of Rieke (US 20160205002 A1).
In regards to claims 3 and 13, reference is made to the rejection of claims 1 and 11 respectively, and further, Hamou and Lee do not teach, but Rieke teaches: wherein the identified statistics comprise at least one of internet protocol flow information export (IPFIX) data and tcpdump data. (Rieke, [0116] "Many conventional systems for network monitoring, network control, and network security typically use network flow data from routers, switches, or other hardware configured to collect network traffic statistics using a standard known as 'IP Flow Information Export' (IPFIX), which is also known as 'Netflow.'")
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the analysis of the network flow information of Hamou to include the IPFIX format, as taught by Rieke. Doing so would enable the system to qualify information exchanges based on network connection attributes. (Rieke, [0116] "IPFIX allows for the monitoring (e.g., auditing) of network exchanges between assets and, to some degree, qualifies information exchanges based on network connection attributes, such as IP address, source and destination port numbers, as well as byte count and other packet or connection attributes defined in the IPFIX protocol and implemented by the IPFIX sending device or software.")

Claims 6-10 and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Hamou in view of Lee in further view of Niu ("Network Steganography based on Traffic Behavior in Dynamically Changing Wireless Sensor Networks").

In regards to claims 6 and 16, reference is made to the rejection of claims 5 and 15 respectively, and further, Hamou and Lee do not teach, but Niu teaches an analogous LDA model, wherein the LDA uses network addresses of computers in networks as the documents for its analysis. (Niu, p. 3 IV. PROPOSED SCHEME "In Fig. 1(b), x indicates a given author chosen from a group of authors and d denotes a document [documents] that the authors write about."; p. 3 "However, different from general text data, for network packets, the authors (source/destination addresses) [network addresses of computers] are included in the packet header. In this paper, we utilize this feature to achieve accurate inference by applying both word topic and author-topic probability to infer the network flow.")
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the LDA model of Lee with the network addresses disclosed by Niu. The modification would be obvious because doing so would help the system of Lee find out the most dominant sequences of packets forming some behavior. (Niu, p. 2, III. SYSTEM MODEL "With this modeling, we can find out the most dominant sequences of packets forming some behavior, during any time interval for any node or group of nodes. The result will then allow us to purposefully craft cover packets that follow certain behavior (e.g., typical behavior in the given network environment)...")

In regards to claims 7 and 17, reference is made to the rejection of claims 6 and 16 respectively, and further, Hamou and Lee do not teach, but Niu teaches: wherein the LDA uses a particular plurality of statistics associated with a particular network address as a plurality of flows associated with a particular document defined by the particular network address. (Niu, p. 2 "We use protocol, message type, packet length, and time interval in a day [e.g. statistics], to construct words for ATM"; p. 3 IV. PROPOSED SCHEME "In Fig. 1(b), x indicates a given author chosen from a group of authors and d denotes a document that the authors write about [a particular document defined by the particular author/address]."; p. 3 "However, different from general text data, for network packets, the authors (source/destination addresses) [network addresses] are included in the packet header...") (More details in Niu, p. 2, III. SYSTEM MODEL "With this modeling, we can find out the most dominant sequences of packets forming some behavior, during any time interval for any node [statistics associated with particular network address] or group of nodes. The result will then allow us to purposefully craft cover packets that follow certain behavior (e.g., typical behavior in the given network environment)..."; IV. PROPOSED SCHEME "... We mainly use ATM to discover the traffic behavior in terms of which packets are usually sent together in the flow (traffic pattern) [statistics viewed as flows], what are the active/inactive times of nodes (business pattern), what traffic patterns and business patterns a given source node is likely to follow and which nodes act similarly."; also see p. 4-5 D. Network Behavior Discovered with ATM)
The rationale for combining the teachings of Hamou and Lee is the same as set forth in the rejection of claims 6 and 16 respectively.

In regards to claims 8 and 18, reference is made to the rejection of claims 7 and 17 respectively, and further, Hamou teaches: wherein the statistics that are associated with a particular flow comprise at least one of a flow direction, a source port, and a destination port. (Hamou, [0038] "At 310 in FIG. 3, management entity 160 obtains network flow information ... in FIG. 1, N=8 and a particular network flow from a source virtual machine (s) to a destination virtual machine (d) [a flow direction] may be denoted as flow_sd. In one example, flow_sd=(IP_s, PN_s, IP_d, PN_d, Protocol) may be a 5-tuple that includes source IP address IP_s, source port number PN_s [a source port], destination IP address IP_d, destination port number PN_d [a destination port] and the protocol (e.g., TCP) used.")

In regards to claims 9 and 19, reference is made to the rejection of claims 7 and 17 respectively, and further, Hamou teaches: wherein the statistics that are associated with a particular flow comprise at least one of a number of bytes exchanged, a number of packets exchanged, and a duration of the flow. (Hamou, [0039] "The network flow information may also include accounting information, such as number of network flows between a pair of virtual machines, frequency of packets transmitted, number of bytes transferred, duration of each network flow, packet timestamps, egress/ingress interfaces, traffic type, etc.")

In regards to claims 10 and 20, reference is made to the rejection of claims 6 and 16 respectively, and further, Hamou teaches: wherein generating groupings of network addresses comprises using k-means clustering. (Hamou, [0031] "Clustering refers generally to a technique for partitioning a set of objects (e.g., virtual machines) into various clusters... such as graph clustering (e.g., Markov clustering), k-means clustering, hierarchical clustering...", also see Fig. 4)
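The pipeline the rejection maps onto Hamou, together with the k-means step of claims 10 and 20, as an added example that is not part of the office action or of the cited references: 5-tuple flows become per-source communication probability rows (the transition-matrix step), source addresses with similar rows are grouped by k-means, and each grouping receives one allow rule. The flow records, the choice of k, and the MS1/MS2 rule format are constructed assumptions.

```python
# Added example, not from the office action or the cited references: builds
# per-source communication probabilities from 5-tuple flows, groups sources
# with similar rows by k-means, and emits one allow rule per grouping.
from collections import Counter, defaultdict
import math

# Constructed 5-tuples (ip_s, pn_s, ip_d, pn_d, protocol), one per observed flow.
FLOWS = [
    ("10.0.0.1", 40001, "10.0.1.10", 443, "TCP"),
    ("10.0.0.1", 40002, "10.0.1.10", 443, "TCP"),
    ("10.0.0.1", 40003, "10.0.1.11", 443, "TCP"),
    ("10.0.0.2", 40004, "10.0.1.10", 443, "TCP"),
    ("10.0.0.2", 40005, "10.0.1.10", 443, "TCP"),
    ("10.0.0.2", 40006, "10.0.1.11", 443, "TCP"),
    ("10.0.0.3", 40007, "10.0.2.20", 5432, "TCP"),
    ("10.0.0.3", 40008, "10.0.2.20", 5432, "TCP"),
    ("10.0.0.4", 40009, "10.0.2.20", 5432, "TCP"),
    ("10.0.0.4", 40010, "10.0.2.21", 5432, "TCP"),
]

def transition_rows(flows):
    """Return (destinations, {source: row}) where row[j] is the fraction of the
    source's flows that went to destinations[j]; every row sums to one."""
    dests = sorted({f[2] for f in flows})
    counts = defaultdict(Counter)
    for ip_s, _, ip_d, _, _ in flows:
        counts[ip_s][ip_d] += 1
    rows = {}
    for ip_s, c in counts.items():
        total = sum(c.values())
        rows[ip_s] = [c[d] / total for d in dests]
    return dests, rows

def kmeans(rows, k, iters=20):
    """Lloyd's k-means over the rows; seeds are the first k distinct rows."""
    addrs = sorted(rows)
    vecs = [rows[a] for a in addrs]
    centers = []
    for v in vecs:
        if v not in centers:
            centers.append(list(v))
        if len(centers) == k:
            break
    k = len(centers)  # fewer distinct rows than k: shrink k rather than fail
    assign = [0] * len(vecs)
    for _ in range(iters):
        for i, v in enumerate(vecs):
            assign[i] = min(range(k), key=lambda c: math.dist(v, centers[c]))
        for c in range(k):
            members = [vecs[i] for i in range(len(vecs)) if assign[i] == c]
            if members:
                centers[c] = [sum(x) / len(members) for x in zip(*members)]
    groups = defaultdict(list)
    for i, a in enumerate(addrs):
        groups[assign[i]].append(a)
    return sorted(sorted(g) for g in groups.values())

def allow_rules(flows, groups):
    """One allow rule per grouping: the (dest, port, proto) services its members
    were observed using; any other traffic from the grouping is denied."""
    rules = {}
    for n, members in enumerate(groups, start=1):
        services = sorted({(d, pd, pr) for s, _, d, pd, pr in flows if s in members})
        rules[f"MS{n}"] = {"sources": members, "allow": services}
    return rules

def segment(flows, k=2):
    """Full pipeline: flows -> probability rows -> k groupings -> allow rules."""
    _, rows = transition_rows(flows)
    return allow_rules(flows, kmeans(rows, k))
```

Hamou's matrix is row-normalised per source here, so a source that never talks to a destination gets a zero entry, which is what keeps unrelated tiers in separate groupings.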

Response to Arguments
Applicant's amendments with respect to claim objections have been fully considered. Claims 10 and 20 have not been amended, therefore the objections to the claims 10 and 20 are maintained.
 
Applicant's arguments with respect to the rejection of the claims under 35 U.S.C. 103 have been fully considered but they are moot:
(a) Applicant argues: (see p. 2 bottom): “A. Generating Groupings of Network Addresses to Define Security Policies… Niu does not disclose that these three IP addresses are grouped. There is no comparison between a grouping operation that generates groupings of network addresses and IP addresses that are merely displayed in a table… Hence, the IP addresses in table II of Niu are not even displayed because of similar distributions of traffic pattern probabilities and are not an example of generated groupings of network addresses with similar distributions of traffic pattern probabilities.” 
(b) Examiner answers: the arguments do not apply to the references (Hamou) being used in the current rejection.

(a) Applicant argues: (see p. 3 middle): “A. Generating Groupings of Network Addresses to Define Security Policies… Second… However, the cited portions of Kirner clearly state using segmentation with access control policies to define groups of managed servers 130 that are subject to particular policies. Kirner merely defines groups of managed servers based on similar policies. Kirner does not disclose defining security policies based on a set of groupings of network addresses… Third… and certainly does not disclose grouping network addresses for the purpose of defining something based on the generated groupings.” 
(b) Examiner answers: the arguments do not apply to the references (Hamou) being used in the current rejection.

(a) Applicant argues: (see p. 3 bottom): “B. Identifying Traffic Patterns Based on IPFIX Data and tcpdump Data… the cited references do not disclose or suggest identifying a set of traffic patterns based on at least one of IPFIX data and tcpdump data…The cited portion of Niu does not disclose using identified statistics associated with multiple flows to identify traffic patterns. Moreover, no portion of Niu discloses IPFIX data or tcpdump data in any context, or any other statistics associated with flows. Hence, Niu does not disclose or suggest any kind of statistics associated with flows used to identify a set of traffic patterns.” 
(b) Examiner answers: the arguments do not apply to the references (Lee and Rieke) being used in the current rejection.

(a) Applicant argues: (see p. 4 middle): “C. Statistics that Include Flow Direction, Source Port, and Destination Port, or Number of Bytes Exchanged, Number of Packets Exchanged, and Duration of the Flow… Nothing in this table describes a particular flow direction of the packet, a source port of the packet, or a destination port of the packet.” 
(b) Examiner answers: the arguments do not apply to the references (Hamou) being used in the current rejection.

(a) Applicant argues: (see p. 4 middle): “C. Statistics that Include Flow Direction, Source Port, and Destination Port, or Number of Bytes Exchanged, Number of Packets Exchanged, and Duration of the Flow… This has nothing to do with identifying traffic patterns, let alone using the information in this table to do so. Regardless, this number of bytes cited in table I refers to the number of bytes of a single packet. It has nothing to do with a number of bytes exchanged for a particular flow and has nothing to do with statistics that are used to identify traffic patterns.” 
(b) Examiner answers: the arguments do not apply to the references (Hamou) being used in the current rejection.

(a) Applicant argues: (see p. 4 middle): “D. Generating Groupings of Network Addresses Using K-Means Clustering… it is impossible for Kirner to then disclose that generating groupings of network addresses includes using k-means clustering. No portion of Kirner discloses or suggests using k-means clustering in order to generate groupings of network addresses...”
(b) Examiner answers: the arguments do not apply to the references (Hamou) being used in the current rejection.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Munz ("Traffic anomaly detection using k-means clustering") teaches network monitors using Cisco Netflow or the IPFIX protocol.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SU-TING CHUANG whose telephone number is (408)918-7519. The examiner can normally be reached on Monday - Thursday 8-5 PT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kakali Chaki can be reached on (571)272-3719.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/S.C./Examiner, Art Unit 2122

/KAKALI CHAKI/Supervisory Patent Examiner, Art Unit 2122