DETAILED ACTION
This office action is in response to the application filed on 03/14/2022. Claims 1-20 are pending and are examined.	
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Election/Restrictions
Applicant’s election without traverse of species I, corresponding to claims 1-13 in the reply filed on 03/14/2022 is acknowledged.

Claims 14-20 are withdrawn from further consideration pursuant to 37 CFR 1.142(b) as being drawn to a nonelected species II corresponding to claims 14-20, there being no allowable generic or linking claim. Election was made without traverse in the reply filed on 03/14/2022. Accordingly, claims 1-13 are examined herein.

Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1 and 4-6, are rejected under AIA  35 U.S.C. 102(a) (1) as being unpatentable over Nanda et al. (U.S Pub No. 2016/0191545 A1, referred to as Nanda).

Regarding claim 1, Nanda teaches:
A method for network threat detection at a threat aware controller (¶ 0025, “The present disclosure is generally directed to systems and methods for monitoring virtual networks. As will be explained in greater detail below, by identifying (via, e.g., a set of OPENFLOW rules) packets having properties indicative of potential security threats”; Fig. 3; Method 300; ¶ 0044- ¶ 0065), comprising:
 initiating a threat detection engine in a virtual network switch (vSwitch) (Fig. 3; steps 302, 304; ¶ 0044- ¶ 0050, “Returning to FIG. 3, at step 304 one or more of the systems described herein may provide, within the virtualized switching device, a set of software-defined network rules containing criteria for identifying packets having at least one predetermined property associated with a security policy (EN: threat detection engine)”; ¶ 0051, “The term “security policy,” as used herein, generally refers to any type or form of rules or restrictions intended to detect and/or prevent security threats or breaches such as malware attacks, data leaks, unauthorized access to classified or sensitive information, etc.”; ¶ 0052- ¶ 0053).
providing a threat feed to the threat detection engine (Fig. 2, Item 214; Fig. 3; steps 306; ¶ 0059- ¶ 0060, “Returning to FIG. 3, at step 306 one or more of the systems described herein may intercept, at the source port, a packet (EN: a threat feed) destined for the destination port. For example, interception module 108 may, as part of virtual switch 202 in FIG. 2, intercept, at source port 210, packet 214 destined for destination port 206.”); 
receiving a request to initiate a threat analysis virtual network function (VNF) from the threat detection engine, wherein the request to initiate a threat analysis VNF is transmitted from the threat detection engine upon detection of a threat anomaly (Fig. 3; steps 308, 310; ¶ 0061- ¶ 0065, “Returning to FIG. 3, at step 310 one or more of the systems described herein may, in response to determining that the characteristic of the packet satisfies at least one of the rules, forward a copy of the packet to a virtual tap port that analyzes the copy of the packet for security threats”(EN: threat analysis VNF is transmitted from the threat detection engine upon detection of a threat anomaly); ¶ 0066, “The term “virtual tap port,” as used herein, generally refers to any type or form of virtual port configured to (or in communication with a server or virtual machine configured to) analyze packets (or copies of packets) for indications of security threats”(EN: threat analysis VNF); and 
initiating a threat analysis VNF (¶ 0072, “in some embodiments, analysis module 114 may analyze packet copy 218 for security threats once packet copy 218 has been forwarded to virtual tap port 208. For example, analysis module 114 may compare the information within the data section of packet copy 218 with a security policy (e.g., a security policy used to generate software-defined network rules 212).”; ¶ 0073).

Regarding claim 4, Nanda teaches all the features of claim 1, as outlined above.
Nanda further teaches:
wherein the threat feed comprises one or more threat properties for network traffic, wherein the threat detection engine on the vSwitch uses the one or more threat properties to inspect network traffic and detect threat anomalies (¶ 0025, “The present disclosure is generally directed to systems and methods for monitoring virtual networks. As will be explained in greater detail below, by identifying (via, e.g., a set of OPENFLOW rules) packets having properties indicative of potential security threats, the systems and methods described herein may forward copies of suspicious packets to a virtual tap port to analyze the packet copies for malware attacks, data leaks, etc.”).

Regarding claim 5, Nanda teaches all the features of claim 1, as outlined above.
Nanda further teaches:
wherein providing the threat feed comprises: transmitting the threat feed to the threat detection engine via a control-plane function, wherein the control-plane function configures the threat detection engine with the one or more threat properties (¶ 0037, “The term “software-defined network,” as used herein, generally refers to any type or form of network that separates and/or decouples the tasks of deciding how to handle network traffic (performed by a control plane) and forwarding network traffic (performed by a data plane). As opposed to a non-software-defined network that simply forwards packet via the data plane based on decisions made by the control plane, a software-defined network may enable a user to re-direct packets based on a set of software-defined network rules.”; ¶ 0038, “The term “software-defined network rules,” as used herein, generally refers to any set of criteria, procedures, or conditions that specify how to handle network traffic within a software-defined network. In some examples, a set of software-defined network rules may determine how to forward network traffic based on characteristics or properties of the network traffic”).

Regarding claim 6, Nanda teaches all the features of claim 1, as outlined above.
Nanda further teaches:
receiving telemetry data for network traffic from the threat detection engine; and detecting, at the threat aware controller, a threat anomaly based on the telemetry data (¶ 0075- ¶ 0076, “in an additional example, providing module 106 may implement criteria that automatically divides packets between two or more virtual tap ports during peak business hours. Additionally, or alternatively, providing module 106 may dynamically update the criteria within software-defined network rules 212 in response to detecting certain types or frequencies of security threats. For example, in response to determining that packet copy 218 contains a malware attack, providing module 106 may update the criteria to include representations of additional wiretaps designed to detect malware attacks.”).

Allowable Subject Matter

Claims 2-3 and 7 would be allowable if they were rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claims 8-13 are allowed.

The following is an examiner’s statement of reasons for allowance:

The closest prior arts made of records are, Nanda et al. (U.S Pub No. 2016/0191545 A1, referred to as Nanda), Singuru (U.S Pub No. 2017/0099313 A1, referred to as Singuru) and Aziz (U.S Patent No. 9,027,135 B1, referred to as Aziz).

Nanda discloses a method for monitoring virtual networks may include (1) identifying a virtual network containing at least one virtualized switching device that routes network traffic from a source port within the virtual network to a destination port, (2) providing, within the virtualized switching device, a set of software-defined network rules containing criteria for identifying packets having at least one predetermined property associated with a security policy, (3) intercepting, at the source port, a packet destined for the destination port, (4) determining that at least one characteristic of the packet satisfies at least one of the rules, and (5) in response to determining that the characteristic of the packet satisfies at least one of the rules, forwarding a copy of the packet to a virtual tap port that analyzes the packet for security threats.

Singuru discloses a method for providing computer network security. In one embodiment, a method is provided for providing computer network security. The method comprises gathering threat information from one or more sources, deriving security intelligence based on the threat information, determining a security measure based on the security intelligence, and dynamically applying the security measure to a computer network using a set of virtual appliances and a set of virtual switches.
	Aziz discloses systems and methods for prospective client identification using malware attack detection. A malware device is identified. The entity with the responsibility for the malware device or a potentially compromised device in communication with the malware device is determined. A message is communicated to the entity based on the determination. In various embodiments, the message comprises an offer for security related products and/or services.

However, regarding claim 2, the prior art of Nanda, Singuru and Aziz when taken in the context of the claim as a whole do not disclose nor suggest, “updating the threat detection engine with a threat analysis VNF configuration; redirecting network traffic at the vSwitch to the threat analysis VNF; receiving a threat analysis report from the threat detection engine or the threat analysis VNF; wherein the threat analysis report is generated at the threat detection engine or the threat analysis VNF based on a monitored traffic at the threat analysis VNF; and wherein the threat analysis report comprises a detection of malicious operation at the threat analysis VNF.”.

Regarding claim 7, the prior art of Nanda, Singuru and Aziz when taken in the context of the claim as a whole do not disclose nor suggest, “determining that the vSwitch cannot host the threat analysis VNF; selecting an alternate host for the threat analysis VNF; and initiating the threat analysis VNF at the alternate host.”.

Regarding claim 8, the prior art of Nanda, Singuru and Aziz when taken in the context of the claim as a whole do not disclose nor suggest, “updating the threat detection engine with a threat analysis VNF configuration; redirecting network traffic at the vSwitch to the threat analysis VNF; and receiving a threat analysis report from the threat detection engine or the threat analysis VNF.”.

Claim 3 depends on claim 2 and is of consequence identified as allowable

Claims 9-13 depend on claim 8, and are of consequence allowed.


Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:  See PTO-892.  
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HASSAN SAADOUN whose telephone number is (571)272-8408. The examiner can normally be reached Mon-Fri 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HASSAN SAADOUN/Examiner, Art Unit 2435

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435