Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Office Action is in response to the instant Application 16/930,555 filed on 7/16/2020 and Amendments authorized by Applicant’s representative on 1/31/2022. Claims 1-30 are pending. This Office Action is Non-Final.

Information Disclosure Statement
The information disclosure statement (IDS), submitted on 5/10/2021 and 11/5/2021, is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.


EXAMINER'S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Applicant’s representative Ariela Yevick on 1/31/2022.
The application has been amended as follows: 



1. (Currently Amended) A system for quarantining shadow information technology ("IT") comprising one or more unauthorized applications running on a server and for optimizing network traffic and enhancing data security, the system comprising:
a processor;
a memory; and
a content-filtering web proxy server configured to filter HTTP requests and to store the HTTP requests and associated data in a proxy log; 
a remediation framework configured to extract from the proxy log a group of HTTP requests received by the proxy server, each of the HTTP requests in the group being identified, by the remediation framework as: 
including an IP address listing a predefined term; 
having originated from a production server; 
being associated with an account ID that identifies a service account; 
being associated with either a user agent that identifies a program or not associated with any user name; and
being associated with an identification number that, in a central registry, identifies a production application; 
the remediation framework being further configured to identify an anomalous HTTP request in the group by: querying stored information associated with each of the identification numbers; and 
identifying an IP address associated with one of the HTTP requests in the group that is anomalous based on the stored information associated with the identification number; 
the remediation framework being configured to remove the anomalous HTTP request from the group to perform remedial action for the anomalous HTTP request, the remedial action including: 
accessing the production server from which the anomalous HTTP request originated; 
querying a directory to identify one or more authorized applications running on the production server from which the anomalous HTTP request originated; 
quarantining one or more unauthorized applications running on the production server from which the anomalous HTTP request originated by moving each of the identified authorized applications from the production server to a replacement server, wherein after the quarantining the production server has been altered to be a modified production server; 
creating a shadow account for accumulating third-party data requested by the modified production server and accumulating third-party data pushed to the modified production server; and 
transmitting to the proxy server instructions to take remedial action; 
the remediation framework being further configured to remove redundancies and enhance network performance by: 
extracting from the group a subset of HTTP requests, each of the HTTP requests in the subset calling an IP address including a term, the term not being a term associated with a programming language; 
when the HTTP requests in the subset are determined to be calling more than a threshold number of IP addresses, creating a first group including a predetermined number of IP addresses, the predetermined number being less than the threshold number, and a second group including the IP addresses not included in the first group; and 
instructing the proxy server to intercept HTTP requests calling an IP address included in the second group and for re-directing the intercepted traffic to an IP address included in the first group of IP addresses; and 
the proxy server for intercepting HTTP requests calling an IP address included in the second group and for re-directing the intercepted traffic to an IP address included in the first group of IP addresses.







13. (Currently Amended) A system for quarantining shadow information technology ("IT") comprising one or more unauthorized applications running on a server and for optimizing network traffic and enhancing data security, the system comprising: 
a processor;
a memory; and
	a content-filtering web proxy server configured to filter HTTP requests and to store the HTTP requests and associated data in a proxy log; 
	a remediation framework configured to extract from the proxy log a group of HTTP requests received by the proxy server, each of the HTTP requests in the group being identified, by the remediation framework as: 
	including an IP address listing a predefined term; 
	having originated from a production server; 
	being associated with an account ID that identifies a service account; 
	being associated with either a user agent that identifies a program or not associated with any user name; and 
	being associated with an identification number that, in a central registry, identifies a production application; 
	the remediation framework being further configured to identify an anomalous HTTP request in the group by: 
	querying stored information associated with each of the identification numbers; 
	identifying an IP address associated with one of the HTTP requests in the group that is anomalous based on the stored information associated with the identification number; and 
	the remediation framework is further triggered to perform remedial action for the anomalous HTTP request, the remedial action including: 
	determining if the production server from which the anomalous HTTP request originated is assigned to a first tier of importance or a second tier of importance; 
	when the production server is determined to be assigned to a first tier of importance, the remediation framework is configured to: 
	instruct the proxy server to increase monitoring of data being sent to, and received from, the production server; 
	when the production server is determined to be assigned to a second tier of importance, the second tier of importance being less than the first tier of importance, the remediation framework is configured to: 
	access the production server from which the anomalous HTTP request originated; 
	query a directory to identify one or more authorized applications running on the production server; 
	quarantine one or more unauthorized applications running on the production server by moving each of the identified authorized applications from the production server to a replacement server, wherein after the quarantining the production server has been altered to be a modified production server; 
	create a shadow account for accumulating third-party data requested by the modified production server and accumulating third-party data pushed to the modified production server; and 
	instruct the proxy server to take remedial action;
	removing the anomalous HTTP request from the group; 
	the remediation framework being further configured to remove redundancies and enhance network performance by: 
	extracting from the group a subset of HTTP requests, each of the HTTP requests in the subset calling an IP address including a term, the term not being a term associated with a programming language; 
	when the HTTP requests in the subset are determined to be calling four or more different IP addresses, creating a first group including three or less IP addresses and a second group including one or more IP addresses; and 
	instructing the proxy server to: 
	intercept HTTP requests calling an IP address included in the second group and for re-directing the intercepted traffic to an IP address included in the first group of IP addresses; and 
	upon the lapse of a predetermined time period, block all HTTP requests calling an IP address included in the second group; and 
	the proxy server for: 
	intercepting HTTP requests calling an IP address included in the second group and for re-directing the intercepted traffic to an IP address included in the first group of IP addresses; and 
	the proxy server being configured to block all HTTP requests calling an IP address included in the second group upon the lapse of the predetermined time period.

	14. (Currently Amended) The system of claim 13 wherein, when the remediation framework identifies the anomalous HTTP request, the remedial action by: firing the HTTP request; terminating all third-party data transmission to the modified production server; redirecting to the shadow account all received third-party data directed to the modified production server; in response to receiving a new HTTP request from the modified production server, forwarding a copy of the HTTP request to the shadow account; executing the new HTTP request; and when a response to the new HTTP request is received, linking the response to the new HTTP request and transmitting the response and the new HTTP request to the shadow account; wherein: completion, by the proxy server, of the remedial action truncates functionality of the one or more unauthorized applications running on the modified production server.

Allowable Subject Matter
Claims 1-20 are allowed.
The following is an examiner’s statement of reasons for allowance: 
	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure: Mongdiguing et al. (US 2016/0094569), Sasturkar et al. (US 20150033086) and Call et al. (US 2014/0283069).
	The prior art of record fails to disclose, teach or even suggest, the claimed limitations of “a remediation framework configured to extract from the proxy log a group of HTTP requests received by the proxy server, each of the HTTP requests in the group being identified, by the remediation framework as: including an IP address listing a predefined term; having originated from a production server; being associated with an account ID that identifies a service account; being associated with either a user agent that identifies a program or not associated with any user name; and being associated with an identification number that, in a central registry, identifies a production application; the remediation framework being further configured to identify an anomalous HTTP request in the group by: querying stored information associated with each of the identification numbers; and identifying an IP address associated with one of the HTTP requests in the group that is anomalous based on the stored information associated with the identification number; the remediation framework being configured to remove the anomalous HTTP request from the group to perform remedial action for the anomalous HTTP request, the remedial action including: accessing the production server from which the anomalous HTTP request originated; querying a directory to identify one or more authorized applications running on the production server from which the anomalous HTTP request originated; quarantining one or more unauthorized applications running on the production server from which the anomalous HTTP request originated by moving each of the identified authorized applications from the production server to a replacement server, wherein after the quarantining the production server has been altered to be a modified production server; creating a shadow account for accumulating third-party data requested by the modified production server and accumulating third-party data pushed to the modified production server; and transmitting to the proxy server instructions to take remedial action; the remediation framework being further configured to remove redundancies and enhance network performance by: extracting from the group a subset of HTTP requests,” as stated in claim 1 (and similarly in claims 13 and 17). These limitations, in conjunction with other limitations in the independent claim, are not specifically disclosed or remotely suggested in the prior art of record. Conventional means would monitor network requests to determine how to enhance the performance of a network. However, the limitations in the above claims disclose more detailed steps of determining network performance by looking at HTTP requests and determining anomalous behavior in order to take remedial action. As a result, the claims are in condition for Allowance. Amendments made to the claim language were done merely to incorporate the allowable subject matter of claim 1 into claim 14 and other minor issues.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached Mon-Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

RODERICK TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439