Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “A threat information extraction device comprising: a network information database (DB) configured to store…; and a threat information extraction unit… configured to extract” in claims 1, 2 and “A threat information extraction system comprising: a threat information extraction device and a threat information DB configured to store…, wherein the threat information extraction device comprises: … a threat information extraction unit…, that extracts” in claim 8.
Note: the claims are not rejected under 112(b) because the specification recites at [0034] that the threat information extraction device 500 is not limited to the aforementioned hardware configuration, but may also be implemented in any other appropriate hardware configuration. Therefore the claims are considered to have structure.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 2 and 8 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims of U.S. Patent No. 10721244 in view of Chiba et al (US 20160366159), hereafter Chi.
Instant App. 16968974 (claims 1, 2 and 8):
1. (Currently Amended) A threat information extraction device comprising: a network information database (DB) configured to store flow information; and a threat information extraction unit, including one or more processors, configured to extract new threat information from acquired threat information using the flow information, wherein the threat information extraction unit is configured to extract[[s]] a first Internet Protocol (IP) address from the acquired threat information, create[[s]] totalization information on the first IP address from the flow information, estimate[[s]] a feature value of communication associated with the first IP address from the totalization information, and extract[[s]] zero or one or more other IP addresses similar to the first IP address at which communication is in progress based on the estimated feature value and generates threat information.
2. (Currently Amended) A threat information extraction device comprising: a network information DB configured to store query logs and flow information; and a threat information extraction unit, including one or more processors, configured to extract that extracts new threat information from acquired threat information using the query logs and the flow information, wherein the threat information extraction unit is configured to extract a first IP address and a Fully Qualified Domain Name (FQDN) of a Command and Control (C2) server from the acquired threat information, extract[[s]] a second IP address sent back to the FQDN extracted from the query logs, create[[s]] totalization information on the first IP address and the second IP address from the flow information, estimate[[s]] a feature value of communication associated with the first IP address and the second IP address from the totalization information, and extract[[s]] zero or one or more other IP addresses similar to the first IP address and the second IP address at which communication is in progress based on the estimated feature value and generates threat information.
8. (Currently Amended) A threat information extraction system comprising: [[the]] a threat information extraction device; and a threat information DB configured to store threat information extracted by the threat information extraction device, wherein the threat information extraction device comprises: a network information DB that stores flow information; and a threat information extraction unit, including one or more processors, that extracts new threat information from acquired threat information using the flow information, wherein the threat information extraction unit extracts a first IP address from the acquired threat information, creates totalization information on the first IP address from the flow information, estimates a feature value of communication associated with the first IP address from the totalization information, and extracts zero or one or more other IP addresses similar to the first IP address at which communication is in progress based on the estimated feature value and generates the threat information.

Patent #: 10721244 (claims 1, 7 and 8):
1. A traffic feature information extraction method to be executed in a traffic feature information extraction device, the method comprising: a regular expression step of extracting an item set in advance from a traffic log and representing a partial character string included in the item in a regular expression based on a predetermined rule; a clustering step of clustering an entry of the traffic log represented in the regular expression; and a feature information extraction step of extracting, as traffic feature information of each of clusters, an entry having a minimum total sum of distances among entries included in the traffic logs clustered in the clustering step.
7. A traffic feature information extraction device, comprising: a regular expression unit that extracts an item set in advance from a traffic log and represents a partial character string included in the item in a regular expression based on a predetermined rule; a clustering unit that clusters an entry of the traffic log represented in the regular expression; and a feature information extraction unit that extracts, as traffic feature information of each of clusters, an entry having a minimum total sum of distances among entries included in the traffic logs clustered by the clustering unit.
8. A non-transitory computer-readable recording medium having stored therein a traffic feature information extraction program that causes a computer to execute a process comprising: a regular expression procedure of extracting an item set in advance from a traffic log and represents a partial character string included in the item in a regular expression based on a predetermined rule; a clustering procedure of clustering an entry of the traffic log represented in the regular expression; and a feature information extraction procedure of extracting, as traffic feature information of each of clusters, an entry having a minimum total sum of distances among entries included in the traffic logs clustered in the clustering procedure.

Patent 10721244 is silent on: estimate a feature value of communication associated with the first IP address and the second IP address from the totalization information, and extract zero or one or more other IP addresses similar to the first IP address at which communication is in progress based on the estimated feature value and generates threat information.
But analogous art Chi teaches estimate a feature value of communication associated with the first IP address and the second IP address from the totalization information, and extract zero or one or more other IP addresses similar to the first IP address at which communication is in progress based on the estimated feature value and generates threat information. ([090-91] the feature information extraction unit defines a distance between entries included in the clustered traffic logs using a method specified in advance to extract, as the traffic feature information of each of clusters and refinement unit calculates a statistic value within the traffic logs using these traffic logs... [060] for source and destination IP addresses; [007] in regard to the discovered attack, an IP address added to a black list and set as the feature information for determining communication in contact with this IP address as an attack, [0127-132] regarding the traffic logs generated by similar types of malware, the regular expression unit extracts a certain character string included in the header information or the data information having the statistic value for a specific item, [094] and antivirus software generates a signature).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Pie to include the idea of extracting similar IP addresses based on extracted information as taught by Chi so that an effect that enables the extraction of accurate feature information of attacks at low cost is achieved (019).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1 – 16 are rejected under 35 U.S.C. 103 as being unpatentable over Pierce; John Clifton (US 20180219879), hereafter Pie, and Chiba et al (US 20160366159), hereafter Chi.
Claim 1: Pie teaches a threat information extraction device comprising (Fig. 2): a network information database (DB) configured to store flow information; ([088-90] pre-specified data items (system logs, network packet data, … , virtualization data) are... stored in a database);
and a threat information extraction unit, including one or more processors, configured to extract new threat information from acquired threat information using the flow information, ([0172] performs monitoring operation and includes analytics to facilitate identifying both known and unknown security threats based on large volumes of data stored by the enterprise system, provides visibility into security-relevant threats found in the enterprise infrastructure by capturing, monitoring and reporting on data);
wherein the threat information extraction unit is configured to extract a first Internet Protocol (IP) address from the acquired threat information, ([0176] the security-related information includes network-related information, such as IP addresses);
create totalization information on the first IP address from the flow information, estimate a feature value of communication associated with the first IP address from the totalization information, ([149, 150, Figs. 6A, 6B] search screen displays a “data summary” dialog that enables to select different sources for the event data, such as by selecting specific hosts and log files and [0209-210] provide meaningful aggregate Key Performance Indicators (KPI's) a weighting value is assigned to each KPI for the machine data of events);
Pie is silent on: extract zero or one or more other IP addresses similar to the first IP address at which communication is in progress based on the estimated feature value and generates threat information.
But analogous art Chi teaches: extract zero or one or more other IP addresses similar to the first IP address at which communication is in progress based on the estimated feature value and generates threat information. ([007] in regard to the discovered attack, an IP address added to a black list and set as the feature information for determining communication in contact with this IP address as an attack, [0127-132] regarding the traffic logs generated by similar types of malware, the regular expression unit extracts a certain character string included in the header information or the data information having the statistic value for a specific item, [094] and antivirus software generates a signature).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Pie to include the idea of extracting similar IP addresses based on extracted information as taught by Chi so that an effect that enables the extraction of accurate feature information of attacks at low cost is achieved (019).
Claim 2: Pie teaches a threat information extraction device comprising (Fig. 2): a network information DB configured to store query logs and flow information; and a threat information extraction unit, including one or more processors, configured to extract new threat information from acquired threat information using the query logs and the flow information ([088-90] pre-specified data items (system logs, network packet data, … , virtualization data) are... stored in a database);
wherein the threat information extraction unit is configured to extract a first IP address and a [Fully Qualified Domain Name (FQDN)] of a Command and Control (C2) server from the acquired threat information, ([0172] performs monitoring operation and includes analytics to facilitate identifying both known and unknown security threats based on large volumes of data stored by the enterprise system, provides visibility into security-relevant threats found in the enterprise infrastructure by capturing, monitoring and reporting on data including [0176] the security-related information such as IP addresses, domain names etc.);
extract a second IP address sent back to the FQDN extracted from the query logs, ([0240] receive and analyze second network traffic data representing subsequent or additional network traffic exchanged over the connection [0244] the network traffic data includes a network addresses communicating devices);
create totalization information on the first IP address and the second IP address from the flow information, ([149, 150, Figs. 6A, 6B] search screen displays a “data summary” dialog that enables to select different sources for the event data, such as by selecting specific hosts and log files and [0209-210] provide meaningful aggregate Key Performance Indicators (KPI's) a weighting value is assigned to each KPI for the machine data of events);
Pie is silent on estimate a feature value of communication associated with the first IP address and the second IP address from the totalization information, and extract zero or one or more other IP addresses similar to the first IP address and the second IP address at which communication is in progress based on the estimated feature value and generates threat information.
But analogous art Chi teaches estimate a feature value of communication associated with the first IP address and the second IP address from the totalization information, ([090-91] the feature information extraction unit defines a distance between entries included in the clustered traffic logs using a method specified in advance to extract, as the traffic feature information of each of clusters and refinement unit calculates a statistic value within the traffic logs using these traffic logs... [060] for source and destination IP addresses).
and extract zero or one or more other IP addresses similar to the first IP address and the second IP address at which communication is in progress based on the estimated feature value and generates threat information. ([007] in regard to the discovered attack, an IP address added to a black list and set as the feature information for determining communication in contact with this IP address as an attack, [0127-132] regarding the traffic logs generated by similar types of malware, the regular expression unit extracts a certain character string included in the header information or the data information having the statistic value for a specific item, [094] and antivirus software generates a signature).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Pie to include the idea of extracting similar IP addresses based on extracted information as taught by Chi so that an effect that enables the extraction of accurate feature information of attacks at low cost is achieved (019).
Claim 3: the combination of Pie and Chi teaches the threat information extraction device according to claim 2, wherein the flow information comprises at least a protocol of each flow, a source IP address, a source port, a destination IP address, a destination port and a communication amount. (Pie: [0125, 176] separate fields specifying each of a host, a source, and a source type. A host field contains an IP address,... a protocol and port related to received network data, the security-related information includes IP addresses, domain names, asset identifiers, network traffic volume and source addresses).
Claim 4: the combination of Pie and Chi teaches the threat information extraction device according to claim 2, wherein the query logs at least comprise a request source IP address, an FQDN and an IP address of a return destination. (Chi: [0104] a case where the communication source IP address, the communication destination IP address, the URL [0117] and ... the number of communication destination FQDNs).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Pie to include request source related information as taught by Chi so that an effect that enables the extraction of accurate feature information of attacks at low cost is achieved (019).
Claim 5: the combination of Pie and Chi teaches the threat information extraction device according to claim 2, wherein the totalization information comprises at least the number of communication destinations of the first IP address or the second IP address. (Pie: [0176, 242-270] such as IP addresses... and source addresses, symmetry metric indicates the ratio of bytes transmitted in one direction via the connection versus the total number of bytes exchanged via the connection and also indicates the byte ratio of the number of bytes transmitted in one direction via the connection versus the number of bytes transmitted in the opposite direction via the connection (i.e., totalization)).
Claim 6: the combination of Pie and Chi teaches the threat information extraction device according to claim 2, wherein the feature value comprises an average bit rate and an average communication time of communication associated with the first IP address or the second IP address. (Pie: [0251-333] metrics such as a total number of bytes exchanged via the connection..., a duration of the connection..., the number of packets exchanged per second (PPS) via the connection..., where more data is transmitted in one direction than in the opposite direction).
Claim 7: the combination of Pie and Chi teaches the threat information extraction device according to claim 2, wherein of the first IP address, the second IP address and the other IP addresses, communication at the IP address including a botnet of a predetermined threshold or higher is monitored and an abnormality is detected based on the flow information at the IP address being monitored. (Pie: [0318] the security monitoring program detects a potential security threat resembling data exfiltration when the connection has an efficiency metric or average packet size over a certain threshold, a very large asymmetry, such as a magnitude of a symmetry metric over a certain threshold and a short duration).
Claim 8: Pie teaches a threat information extraction system comprising (Fig. 2): a threat information extraction device and a threat information DB configured to store threat information extracted by the threat information extraction device, wherein the threat information extraction device comprises: a network information DB that stores flow information; and a threat information extraction unit, including one or more processors, that extracts new threat information from acquired threat information using the flow information, wherein the threat information extraction unit extracts a first IP address from the acquired threat information, creates totalization information on the first IP address from the flow information, ([088-90] pre-specified data items (system logs, network packet data, … , virtualization data) are... stored in a database; [0172] performs monitoring operation and includes analytics to facilitate identifying both known and unknown security threats based on large volumes of data stored by the enterprise system, provides visibility into security-relevant threats found in the enterprise infrastructure by capturing, monitoring and reporting on data including [0176] the security-related information such as IP addresses, domain names etc.; [0240] receive and analyze second network traffic data representing subsequent or additional network traffic exchanged over the connection [0244] the network traffic data includes a network addresses communicating devices; [149, 150, Figs. 6A, 6B] search screen displays a “data summary” dialog that enables to select different sources for the event data, such as by selecting specific hosts and log files and [0209-210] provide meaningful aggregate Key Performance Indicators (KPI's) a weighting value is assigned to each KPI for the machine data of events);
Pie is silent on estimates a feature value of communication associated with the first IP address from the totalization information, and extracts zero or one or more other IP addresses similar to the first IP address at which communication is in progress based on the estimated feature value and generates the threat information.
But analogous art Chi teaches estimates a feature value of communication associated with the first IP address from the totalization information, and extracts zero or one or more other IP addresses similar to the first IP address at which communication is in progress based on the estimated feature value and generates the threat information. ([090-91] the feature information extraction unit defines a distance between entries included in the clustered traffic logs using a method specified in advance to extract, as the traffic feature information of each of clusters and refinement unit calculates a statistic value within the traffic logs using these traffic logs... [060] for source and destination IP addresses; [007] in regard to the discovered attack, an IP address added to a black list and set as the feature information for determining communication in contact with this IP address as an attack, [0127-132] regarding the traffic logs generated by similar types of malware, the regular expression unit extracts a certain character string included in the header information or the data information having the statistic value for a specific item, [094] and antivirus software generates a signature).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Pie to include the idea of extracting similar IP addresses based on extracted information as taught by Chi so that an effect that enables the extraction of accurate feature information of attacks at low cost is achieved (019).
Claim 9: the combination of Pie and Chi teaches the threat information extraction device according to claim 1, wherein the flow information comprises at least a protocol of each flow, a source IP address, a source port, a destination IP address, a destination port and a communication amount. (Pie: [0125, 176] separate fields specifying each of a host, a source, and a source type. A host field contains an IP address,... a protocol and port related to received network data, the security-related information includes IP addresses, domain names, asset identifiers, network traffic volume and source addresses).
Claim 10: the combination of Pie and Chi teaches the threat information extraction device according to claim 1, wherein the totalization information comprises at least the number of communication destinations of the first IP address. (Pie: [0176, 242-270] such as IP addresses... and source addresses, symmetry metric indicates the ratio of bytes transmitted in one direction via the connection versus the total number of bytes exchanged via the connection and also indicates the byte ratio of the number of bytes transmitted in one direction via the connection versus the number of bytes transmitted in the opposite direction via the connection (i.e., totalization)).
Claim 11: the combination of Pie and Chi teaches the threat information extraction device according to claim 1, wherein the feature value comprises an average bit rate and an average communication time of communication associated with the first IP address. (Pie: [0251-333] metrics such as a total number of bytes exchanged via the connection..., a duration of the connection..., the number of packets exchanged per second (PPS) via the connection..., where more data is transmitted in one direction than in the opposite direction).
Claim 12: the combination of Pie and Chi teaches the threat information extraction device according to claim 1, wherein of the first IP address and the other IP addresses, communication at the IP address including a botnet of a predetermined threshold or higher is monitored and an abnormality is detected based on the flow information at the IP address being monitored. (Pie: [0318] the security monitoring program detects a potential security threat resembling data exfiltration when the connection has an efficiency metric or average packet size over a certain threshold, a very large asymmetry, such as a magnitude of a symmetry metric over a certain threshold and a short duration).
Claim 13: the combination of Pie and Chi teaches the threat information extraction system according to claim 8, wherein the flow information comprises at least a protocol of each flow, a source IP address, a source port, a destination IP address, a destination port and a communication amount. (Pie: [0125, 176] separate fields specifying each of a host, a source, and a source type. A host field contains an IP address,... a protocol and port related to received network data, the security-related information includes IP addresses, domain names, asset identifiers, network traffic volume and source addresses).
Claim 14: the combination of Pie and Chi teaches the threat information extraction system according to claim 8, wherein the totalization information comprises at least the number of communication destinations of the first IP address. (Pie: [0176, 242-270] such as IP addresses... and source addresses, symmetry metric indicates the ratio of bytes transmitted in one direction via the connection versus the total number of bytes exchanged via the connection and also indicates the byte ratio of the number of bytes transmitted in one direction via the connection versus the number of bytes transmitted in the opposite direction via the connection (i.e., totalization)).
Claim 15: the combination of Pie and Chi teaches the threat information extraction system according to claim 8, wherein the feature value comprises an average bit rate and an average communication time of communication associated with the first IP address. (Pie: [0251-333] metrics such as a total number of bytes exchanged via the connection..., a duration of the connection..., the number of packets exchanged per second (PPS) via the connection..., where more data is transmitted in one direction than in the opposite direction).
Claim 16: the combination of Pie and Chi teaches the threat information extraction device according to claim 1, wherein of the first IP address and the other IP addresses, communication at the IP address including a botnet of a predetermined threshold or higher is monitored and an abnormality is detected based on the flow information at the IP address being monitored. (Pie: [0318] the security monitoring program detects a potential security threat resembling data exfiltration when the connection has an efficiency metric or average packet size over a certain threshold, a very large asymmetry, such as a magnitude of a symmetry metric over a certain threshold and a short duration).
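As an added illustration (not code from the office action, Pie or Chi), the following Python derives the flow-level quantities that claims 9 to 12 name from constructed flow records: the totalization information (distinct destinations per source IP), per-IP feature values (average bit rate, average communication time and a byte symmetry ratio of the kind Pie describes), the extraction of other IP addresses similar to a seed address, and a threshold check over the monitored addresses. The relative-difference distance metric and the threshold values are assumptions made for this example.

```python
import math
from collections import defaultdict

# Constructed flow records (claim 9 fields, plus bytes in each direction and duration):
# (protocol, src_ip, src_port, dst_ip, dst_port, bytes_out, bytes_in, seconds)
FLOWS = [
    ("tcp", "10.0.0.5", 51000, "203.0.113.10", 443, 5_000_000, 20_000, 30.0),
    ("tcp", "10.0.0.5", 51001, "203.0.113.11", 443, 4_800_000, 18_000, 28.0),
    ("tcp", "10.0.0.5", 51002, "203.0.113.12", 443, 5_200_000, 22_000, 32.0),
    ("tcp", "10.0.0.7", 52000, "203.0.113.10", 443, 4_900_000, 19_000, 31.0),
    ("tcp", "10.0.0.7", 52001, "203.0.113.13", 443, 5_100_000, 21_000, 29.0),
    ("tcp", "10.0.0.9", 53000, "198.51.100.8", 80, 12_000, 40_000, 2.0),
]

def totalize(flows):
    """Totalization information (claim 10): number of distinct destinations per source IP."""
    dests = defaultdict(set)
    for _, src, _, dst, _, _, _, _ in flows:
        dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}

def feature_values(flows):
    """Feature value per source IP (claim 11): average bit rate in bit/s, average
    communication time in seconds, and the byte symmetry ratio out / (out + in)."""
    rows = defaultdict(list)
    for _, src, _, _, _, out_b, in_b, secs in flows:
        rows[src].append((8 * (out_b + in_b) / secs, secs, out_b, in_b))
    result = {}
    for src, r in rows.items():
        out_total, in_total = sum(x[2] for x in r), sum(x[3] for x in r)
        result[src] = (sum(x[0] for x in r) / len(r), sum(x[1] for x in r) / len(r),
                       out_total / (out_total + in_total))
    return result

def similar_ips(features, seed, max_distance=0.25):
    """Zero or more other IPs whose feature vector lies within max_distance of the
    seed's, using relative difference per dimension (an assumed metric)."""
    s = features[seed]
    def dist(f):
        return math.sqrt(sum(((fi - si) / si) ** 2 for fi, si in zip(f, s) if si))
    return sorted(ip for ip, f in features.items() if ip != seed and dist(f) <= max_distance)

def abnormal(features, seed, symmetry_threshold=0.9, min_avg_bps=1_000_000):
    """Claim 12 style check over the monitored set (seed plus its similar IPs): flag
    addresses whose traffic is both strongly one-directional and high-rate (assumed rule)."""
    watched = [seed] + similar_ips(features, seed)
    return [ip for ip in watched
            if features[ip][2] >= symmetry_threshold and features[ip][0] >= min_avg_bps]
```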

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867. The examiner can normally be reached M-F: 8:30am-5pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jorge L. Ortiz-Criado, can be reached at 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BADRINARAYANAN/
Examiner, Art Unit 2496