DETAILED ACTION
Claims 1-20 are pending and have been examined.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Double Patenting
Claims 1-20 are provisionally rejected under the judicially created doctrine of obviousness-type double patenting as being unpatentable over claims of Patent Nos. 10819728 and 10298605.  Although the conflicting claims are not identical, they are not patentably distinct from each other because 
“A system comprising: a processor; and a first security policy engine (SPE) configured to execute on the processor to: communicate with a plurality of application security modules including a first application security module (ASM), wherein the first ASM is configured to detect abnormalities for a first application, identify a source and a mode of a first abnormality, and determine that the first abnormality is actionable based on a first threshold; receive, from the first ASM, the source and the mode; correlate a plurality of abnormalities including the first abnormality; and adjust a second threshold used by a second ASM associated with a different second application for detecting the mode, such that the second ASM is configured to detect a second abnormality with the mode and prevent the second application from being affected by the second abnormality” (claim 1, instant application) is analogous to 
“A system comprising: a first application associated with a first application security module (ASM) executing in a first virtual machine; and a processor configured to execute the first ASM to: detect abnormalities in network traffic, wherein each of the abnormalities is identifiable with at least a respective threshold of a respective mode; identify a source and a mode of a first abnormality in a request transmitted over a first network to the first application, wherein the mode includes an identifying characteristic with which further abnormalities associated with additional requests are detected; determine that the first abnormality individually does not meet a first threshold for taking an action; and report the source and the mode to a first security policy engine (SPE), wherein the first SPE is configured to correlate a plurality of abnormalities including the first abnormality and adjust a second threshold used by a second ASM associated with a different second application for detecting the mode, allowing the second ASM to detect a second abnormality with the mode, preventing the second application from being affected by the second abnormality” (claim 1, patent 10819728) and analogous to
“A system of security threat detection, the system comprising: a first plurality of virtual machines including at least a first virtual machine, which includes: a plurality of applications including at least a first application and a second application; a plurality of application security modules (ASMs) respectively associated with each of the plurality of applications, including at least a first ASM associated with the first application and a second ASM associated with the second application; and a network interface; a first network controller associated with a first network; one or more processors, in communication with the first network controller; and a first security policy engine (SPE), executing on the one or more processors; wherein the first ASM: detects an abnormality with a request to the first application; identifies a source and a mode of the abnormality, wherein the first ASM is configured to detect a component of the request as the mode, which includes an identifying characteristic used to identify related further abnormalities associated with additional requests; reports the source and the mode to the first SPE, and wherein responsive to receiving a report with the source and the mode from the first ASM, the first SPE: prevents a further abnormality with at least one of the source and the mode from affecting the second application by adjusting a threshold for detecting a mode associated with the second ASM; and commands the first network controller to prevent the source from interacting with the first network” (claim 1, patent 10298605).
This is a provisional obviousness-type double patenting rejection because the conflicting claims of the instant application have not in fact been patented.
The claims of the conflicting patents and/or applications contain every element of claims 1-20 of the instant application and thus anticipate the claims of the instant application. Claims 1-20 of the instant application therefore are not patently distinct from the copending application claims and as such are unpatentable for obvious-type double patenting. A later patent/application claim is not patentably distinct from an earlier claim if the later claim is anticipated by the earlier claim.
“A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species with that genus). “ELI LILLY AND COMPANY v BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001).
“Claim 12 and Claim 13 are generic to the species of invention covered by claim 3 of the patent. Thus, the generic invention is “anticipated” by the species of the patented invention. Cf., Titanium Metals Corp. v. Banner, 778 F.2d 775, 227 USPQ 773 (Fed. Cir. 1985) (holding that an earlier species disclosure in the prior art defeats any generic claim) 4. This court’s predecessor has held that, without a terminal disclaimer, the species claims preclude issuance of the generic claim. In re Van Ornum, 686 F.2d 937, 944, 214 USPQ 761, 767 (CCPA 1982); Schneller, 397 F.2d at 354. Accordingly, absent a terminal disclaimer, claims 12 and 13 were properly rejected under the doctrine of obviousness-type double patenting.” (In re Goodman (CA FC) 29 USPQ2d 2010 (12/3/1993).

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
The terms “abnormality”, “actionable” in the claims are relative terms which renders the claims indefinite. The term is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Haugsnes (20160269427), and further in view of Mahaffey (20160099963).
Regarding claims 1, 15, and 20, Haugsnes teaches 1. A system comprising: a processor; and /15. A method comprising: /20. A computer-readable non-transitory storage medium storing executable instructions, which when executed by a computer system, cause the computer system to (abstract, par.82-85): 
a first security policy engine (SPE) configured to execute on the processor to: communicate with a plurality of application security modules including a first application security module (ASM), wherein the first ASM is configured to detect abnormalities for a first application (par.44-45, applications and security services executing in virtual machines), 
identify a source and a mode of a first abnormality (par.36-37, 42, detecting threats and additional information regarding threat, type of threat, source), and 
determine that the first abnormality is actionable based on a first threshold (par.50-55, based on pattern of threat determine potential effects, affected nodes); 
receive, from the first ASM, the source and the mode; correlate a plurality of abnormalities including the first abnormality (par.37-38, 50-51, 70-75, passing event information to other vms to dynamically update policies, configuration, etc, for reactive measures, modify policies, take corrective action responsive to detected threat, par.74-80, reconfigure additional machines, based on different thresholds).
Haugsnes teaches multiple “security modules” and different modules protecting from specific threats (par.70-80), but does not expressly disclose, however 
Mahaffey teaches adjust a second threshold used by a second ASM associated with a different second application for detecting the mode, such that the second ASM is configured to detect a second abnormality with the mode and prevent the second application from being affected by the second abnormality (pay. 36-40, 144-146, 371-376).
Therefore, one of ordinary skill in the art would have found it obvious before the effective fling cate of the claimed invention to modify Haugsnes io incorporate a system to further share and apply risk information based on particular applications as taught by Mahaffey.
One of ordinary skill in the art would have been motivated to perform such a modification to combine the systems for further threat detection (Mahaffey, abstract, par. 36-40, 46-56).
Regarding claim 2, Haugsnes/ Mahaffey teaches wherein the mode includes an identifying characteristic, which enables additional abnormalities associated with additional requests to be detected, the identifying characteristic including at least one of an IP address, a MAC address, a physical location, a phone number, a domain, a subnet, a login credential, a password, a database, a database table, a URL, a command, a query, a unique identifier, a message, contents of a message, a size of request, user identifying information, and a frequency of request (Haugsnes, 43-47, 52-54, Mahaffey, 184-186, 338-345, 426-428, 442-447).
Regarding claims 3 and 16, Haugsnes/ Mahaffey teaches wherein an authentication application is associated with a first plurality of virtual machines, and the first SPE disables a login credential for authenticating with applications executing on the first plurality of virtual machines in response to receiving a report with the source and the mode (Haugsnes, 77-79, 141-147, Mahaffey, 171-173).
Regarding claim 4, Haugsnes/ Mahaffey teaches wherein the mode includes at least one of a traffic surge, an invalid login credential, a login from an unknown device, identified malware, a phishing attempt, a password attack, a denial-of-service attack, a cross site scripting attempt, a sql injection attempt, a local file inclusion attempt, and a remote file inclusion attempt (Haugsnes, 42-47, 52-54, Mahaffey, 20-22, 176-190, 228-230, 262-276).
Regarding claim 5, Haugsnes/ Mahaffey teaches wherein the second application is dynamically launched after the first SPE receives the source and the mode from the first ASM (Haugsnes, 35-40, 56-58, Mahaffey, 247-252).
Regarding claim 6, Haugsnes/ Mahaffey teaches wherein the first ASM identifies the first abnormality based on a frequency of requests from a requester, and notifies the first SPE of an identifying feature of the requester (Haugsnes, 42-47, 52-54, Mahaffey, 20-22, 176-190, 228-230, 262- 276).
Regarding claim 7, Haugsnes/ Mahaffey teaches a first network controller, wherein a first virtual machine executing the first ASM is connected to a first network, which is managed by the first network controller, and the first SPE is configured to notify the first network controller of at least one of the mode, the source, the identifying characteristic, and an occurrence of the first abnormality (Haugsnes, 40-46, Mahaffey, 152-158).
Regarding claim 8, Haugsnes/ Mahaffey teaches wherein the first ASM determines whether the request has a first status based on other requests from a requester of the request, the first status being mutually exclusive from a second status, and wherein requests detected as having the first status and having the second status are indistinguishable to the first network controller (Haugsnes, 42-47, 52-54, Mahaffey, 20-22, 176-190, 228-230, 262-276).
Regarding claim 9, Haugsnes/ Mahaffey teaches wherein the first network controller is associated with a first plurality of virtual machines, and the first network controller notifies a second SPE associated with a different second plurality of virtual machines of at least one of the mode, the source, the identifying characteristic, and the occurrence of the first abnormality; and the second SPE configures a third ASM to detect a third abnormality with the mode, preventing a third application from being affected by the third abnormality (Haugsnes, 50-55, Mahaffey, 228-230, 262-276).
Regarding claim 10, Haugsnes/ Mahaffey teaches plurality of SPEs, the plurality of SPEs including the second SPE, wherein the first SPE is utilized by a first tenant to protect the first tenant's applications, and the second SPE is utilized by a second tenant to protect the second tenant's applications (Haugsnes, 42-47, 52-54, 70-80, Mahaffey, 20-22, 176-190, 228-230, 262-276).
Regarding claim 11, Haugsnes/ Mahaffey teaches a second network controller associated with a different second network, wherein the first SPE commands the second network controller to prevent the source from interacting with the second network (Haugsnes, 40-46, Mahaffey, 152-158).
Regarding claim 12, Haugsnes/ Mahaffey teaches wherein the first network controller accepts commands via a first application programming interface and the second network controller accepts commands via a different second application programming interface (Haugsnes, 50-55, Mahaffey, 228-230, 262-276).
Regarding claim 13, Haugsnes/ Mahaffey teaches wherein the first network controller blocks communication between the source and at least one of a first plurality of virtual machines associated with a first tenant, a second plurality of virtual machines associated with a second tenant, and all virtual machines connected to the first network (Haugsnes, 50-55, Mahaffey, 228-230, 262-276).
Regarding claim 14, Haugsnes/ Mahaffey teaches further comprising the second SPE (Haugsnes, 50-55, 70-80, Mahaffey, 228-230, 262-276).
Regarding claim 17, Haugsnes/ Mahaffey teaches receiving a notification of an identifying feature of the requester from the first ASM after the first abnormality is identified based on a frequency of requests from a requester (Haugsnes, 45-55, 70-80, Mahaffey, 140-150, 262-276, 355-370).
Regarding claim 18, Haugsnes/ Mahaffey teaches wherein a first virtual machine configured to execute the first ASM is connected to a network, which is managed by a network controller, the method further comprising: notifying the network controller of at least one of the mode, the source, the identifying characteristic, and an occurrence of the first abnormality (Haugsnes, 42-47, 52-54, Mahaffey, 20-22, 176-190, 228-230, 262- 276).
Regarding claim 19, Haugsnes/ Mahaffey teaches blocking, by the network controller, communication between the source and at least one of a first plurality of virtual machines associated with a first tenant, a second plurality of virtual machines associated with a second tenant, and all virtual machines connected to the network (Haugsnes, 43-47, 52-54, Mahaffey, 184-186, 338-345, 426-428, 442-447).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Aziz (10454950) teaches attack detection and notification on a virtualized environment.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to David Garcia Cervetti whose telephone number is (571)272-5861. The examiner can normally be reached Monday-Friday 8AM-5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, HADI ARMOUCHE can be reached on (571)270-3618. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/David Garcia Cervetti/Primary Examiner, Art Unit 2419