DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This Office Action is in response to the application filed on August 26, 2020, in which claims 1-18 are presented for examination.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on August 26, 2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-18 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Fenoglio et al., US Publication No. 2019/0306011.

Regarding claim 1, Fenoglio et al. disclose “a method comprising: monitoring, by a network traffic correlation engine, network communications information aggregated from a plurality of hosts on an enterprise network” by providing a service that monitors a network using a deep fusion reasoning engine (see Title; Abstract; Figure 4; Paragraphs 0070-0080); “identifying, by the network traffic correlation engine, whether a correlation exists between a first communication sent from a first host device” (service 302) “and a second communication received by a second host device” (data collection platform 304); “determining, based on whether a correlation exists between the first communication and the second communication, whether an anomalous communication condition exists” (Figure 8; Paragraphs 0121-0125, describing that the network monitoring service may detect a plurality of anomalies in the network); and “triggering, based on the correlation, an alert identifying that an anomalous communication condition is present between the first host device and the second host device” (Figure 8; Paragraph 0125, describing that at step 830 the service may send an alert for a particular one of the detected anomalies to a user interface).

As per claim 2, Fenoglio et al. disclose “aggregating information from a plurality of network communication services and data logs, wherein the information corresponds to a plurality of network communication connections to and from the first host device and the second host device” (Paragraphs 0039, 0086 describing clustering techniques that the network monitoring process 248 can employ for aggregating information from a plurality of network communication services and data logs).

As per claim 3, Fenoglio et al. disclose “matching messages received by the first host device to messages sent by the second host device based on the aggregated information to detect the anomalous communication on the network” (Paragraphs 0014, 0047-0048, 0067-0068, 0092 describing a data mapper and normalizer 314 that receives the collected and/or anonymized data 336 from network data collection platform 304 for matching messages).

As per claim 4, Fenoglio et al. disclose “wherein triggering the alert comprises providing an indication of the alert on a user interface device at a central location on the network” (Paragraph 0125 describing at step 830, the service sends an alert for a particular one of the detected anomalies to a user interface).

As per claim 5, Fenoglio et al. disclose “wherein the anomalous condition comprises an indication that logging of sent messages was disabled” (Paragraph 0004 describing disabling certain alerting functions).

As per claim 6, Fenoglio et al. disclose “wherein the monitoring of network communications information aggregated from a plurality of hosts on an enterprise network comprises aggregating information received from a plurality of host intrusion detection systems each associated with a different host device” (Paragraphs 0039, 0086 describing clustering techniques that the network monitoring process 248 can employ for aggregating information from a plurality of network communication services and data logs).
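The limitations of claims 1-6 describe a correlation engine that pairs each sending host's record of a message with the receiving host's record of the same message, aggregated from per-host sensors, and raises an alert when one side of a conversation is absent from the logs (claim 5's "logging of sent messages was disabled" being one such condition). The following is an added illustration of that mechanism in Python; it is not code from the present application or from the Fenoglio reference, and the host names, addresses, log records, matching window and alert labels are constructed assumptions chosen for the example.

```python
"""Toy network traffic correlation engine (added illustration, not code from
the application under examination or from the Fenoglio reference).

Each host agent reports the messages it sent and received. The engine pairs a
'sent' record from one host with the matching 'recv' record from the peer host
and raises an alert when a conversation is visible from only one side."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class HostEvent:
    host: str        # reporting host (hypothetical host-IDS agent name)
    direction: str   # "sent" or "recv", from the reporting host's point of view
    src: str         # source address of the message
    dst: str         # destination address of the message
    dst_port: int
    ts: float        # epoch seconds as recorded by the reporting host
    nbytes: int      # payload size, used as a cheap content fingerprint


# Constructed sample records from three host agents. hostD (10.0.0.4) reports
# nothing at all, and no host reports receiving hostA's RDP attempt to 10.0.0.5.
SAMPLE_EVENTS: List[HostEvent] = [
    HostEvent("hostA", "sent", "10.0.0.1", "10.0.0.2", 445, 1000.0, 512),
    HostEvent("hostB", "recv", "10.0.0.1", "10.0.0.2", 445, 1000.4, 512),
    HostEvent("hostA", "sent", "10.0.0.1", "10.0.0.3", 22, 1001.0, 64),
    HostEvent("hostC", "recv", "10.0.0.1", "10.0.0.3", 22, 1001.2, 64),
    HostEvent("hostB", "recv", "10.0.0.4", "10.0.0.2", 445, 1005.0, 2048),
    HostEvent("hostB", "recv", "10.0.0.4", "10.0.0.2", 445, 1006.0, 2048),
    HostEvent("hostA", "sent", "10.0.0.1", "10.0.0.5", 3389, 1010.0, 128),
]

Key = Tuple[str, str, int]  # (src, dst, dst_port)


def correlate(events: List[HostEvent], window: float = 2.0):
    """Return (matched_pairs, alerts).

    A 'recv' record matches a 'sent' record with the same (src, dst, port) key
    when the receive timestamp is within `window` seconds after the send and the
    sizes agree. Leftover records on either side become alerts, grouped by
    address pair and labelled by the most likely cause."""
    sent_by_key: Dict[Key, List[HostEvent]] = defaultdict(list)
    recv_by_key: Dict[Key, List[HostEvent]] = defaultdict(list)
    for e in events:
        key = (e.src, e.dst, e.dst_port)
        (sent_by_key if e.direction == "sent" else recv_by_key)[key].append(e)

    # Addresses for which any host reported sent / received traffic at all.
    senders_seen = {e.src for e in events if e.direction == "sent"}
    receivers_seen = {e.dst for e in events if e.direction == "recv"}

    pairs: List[Tuple[HostEvent, HostEvent]] = []
    counts: Dict[Tuple[str, str, str], int] = defaultdict(int)

    for key in set(sent_by_key) | set(recv_by_key):
        sents = sorted(sent_by_key.get(key, []), key=lambda e: e.ts)
        recvs = sorted(recv_by_key.get(key, []), key=lambda e: e.ts)
        used = set()
        for r in recvs:
            match = next((i for i, s in enumerate(sents)
                          if i not in used
                          and 0 <= r.ts - s.ts <= window
                          and s.nbytes == r.nbytes), None)
            if match is None:
                # Receiver saw it, no sender record: sender's send logging is
                # missing entirely, or this particular message was not logged.
                kind = ("SENDER_LOG_MISSING" if key[0] not in senders_seen
                        else "UNMATCHED_RECV")
                counts[(kind, key[0], key[1])] += 1
            else:
                used.add(match)
                pairs.append((sents[match], r))
        for i, s in enumerate(sents):
            if i not in used:
                kind = ("RECEIVER_LOG_MISSING" if key[1] not in receivers_seen
                        else "UNMATCHED_SENT")
                counts[(kind, key[0], key[1])] += 1

    alerts = [{"type": k, "src": s, "dst": d, "count": n}
              for (k, s, d), n in sorted(counts.items())]
    return pairs, alerts


if __name__ == "__main__":
    matched, found = correlate(SAMPLE_EVENTS)
    print(f"{len(matched)} conversations correlated")
    for a in found:
        print(f"ALERT {a['type']}: {a['src']} -> {a['dst']} ({a['count']} msgs)")
```

On the constructed input the engine correlates the two hostA conversations and raises two alerts: hostB received SMB traffic from 10.0.0.4 while no host reported sending it (the claim 5 condition), and hostA reported an RDP send to 10.0.0.5 that no receiver recorded. In a real deployment the key would carry a connection identifier rather than a size, and the time window would be set from measured clock skew between agents.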

Regarding claim 7, Fenoglio et al. disclose “a computing device” (Figures 2-3; Paragraphs 0007-0008, 0032-0069) “comprising: a processor; and memory storing instructions that, when executed by the processor, cause the computing device to: monitor, by a network traffic correlation engine, network communications information aggregated from a plurality of hosts on an enterprise network” by providing a service that monitors a network using a deep fusion reasoning engine (see Title; Abstract; Figure 4; Paragraphs 0070-0080); “identify, by the network traffic correlation engine, whether a correlation exists between a first communication sent from a first host device” (service 302) “and a second communication received by a second host device” (data collection platform 304); “determine, based on whether a correlation exists between the first communication and the second communication, whether an anomalous communication condition exists” (Figure 8; Paragraphs 0121-0125, describing that the network monitoring service may detect a plurality of anomalies in the network); and “trigger, based on the correlation, an alert identifying that an anomalous communication condition is present between the first host device and the second host device” (Figure 8; Paragraph 0125, describing that at step 830 the service may send an alert for a particular one of the detected anomalies to a user interface).
As per claim 8, Fenoglio et al. disclose “aggregating information from a plurality of network communication services and data logs, wherein the information corresponds to a plurality of network communication connections to and from the first host device and the second host device” (Paragraphs 0039, 0086 describing clustering techniques that the network monitoring process 248 can employ for aggregating information from a plurality of network communication services and data logs).

As per claim 9, Fenoglio et al. disclose “matching messages received by the first host device to messages sent by the second host device based on the aggregated information to detect the anomalous communication on the network” (Paragraphs 0014, 0047-0048, 0067-0068, 0092 describing a data mapper and normalizer 314 that receives the collected and/or anonymized data 336 from network data collection platform 304 for matching messages).

As per claim 10, Fenoglio et al. disclose “wherein triggering the alert comprises providing an indication of the alert on a user interface device at a central location on the network” (Paragraph 0125 describing at step 830, the service sends an alert for a particular one of the detected anomalies to a user interface).

As per claim 11, Fenoglio et al. disclose “wherein the anomalous condition comprises an indication that logging of sent messages was disabled” (Paragraph 0004 describing disabling certain alerting functions).

As per claim 12, Fenoglio et al. disclose “wherein the monitoring of network communications information aggregated from a plurality of hosts on an enterprise network comprises aggregating information received from a plurality of host intrusion detection systems each associated with a different host device” (Paragraphs 0039, 0086 describing clustering techniques that the network monitoring process 248 can employ for aggregating information from a plurality of network communication services and data logs).

Regarding claim 13, Fenoglio et al. disclose “one or more non-transitory computer-readable media storing instructions” (Figures 2-3; Paragraphs 0007-0008, 0032-0069) “that, when executed by a host computing device comprising a processor, memory, and a communication interface, cause the host computing device to: monitor, by a network traffic correlation engine, network communications information aggregated from a plurality of hosts on an enterprise network” by providing a service that monitors a network using a deep fusion reasoning engine (see Title; Abstract; Figure 4; Paragraphs 0070-0080); “identify, by the network traffic correlation engine, whether a correlation exists between a first communication sent from a first host device” (service 302) “and a second communication received by a second host device” (data collection platform 304); “determine, based on whether a correlation exists between the first communication and the second communication, whether an anomalous communication condition exists” (Figure 8; Paragraphs 0121-0125, describing that the network monitoring service may detect a plurality of anomalies in the network); and “trigger, based on the correlation, an alert identifying that an anomalous communication condition is present between the first host device and the second host device” (Figure 8; Paragraph 0125, describing that at step 830 the service may send an alert for a particular one of the detected anomalies to a user interface).

As per claim 14, Fenoglio et al. disclose “aggregating information from a plurality of network communication services and data logs, wherein the information corresponds to a plurality of network communication connections to and from the first host device and the second host device” (Paragraphs 0039, 0086 describing clustering techniques that the network monitoring process 248 can employ for aggregating information from a plurality of network communication services and data logs).

As per claim 15, Fenoglio et al. disclose “matching messages received by the first host device to messages sent by the second host device based on the aggregated information to detect the anomalous communication on the network” (Paragraphs 0014, 0047-0048, 0067-0068, 0092 describing a data mapper and normalizer 314 that receives the collected and/or anonymized data 336 from network data collection platform 304 for matching messages).

As per claim 16, Fenoglio et al. disclose “wherein triggering the alert comprises providing an indication of the alert on a user interface device at a central location on the network” (Paragraph 0125 describing at step 830, the service sends an alert for a particular one of the detected anomalies to a user interface).

As per claim 17, Fenoglio et al. disclose “wherein the anomalous condition comprises an indication that logging of sent messages was disabled” (Paragraph 0004 describing disabling certain alerting functions).

As per claim 18, Fenoglio et al. disclose “wherein the monitoring of network communications information aggregated from a plurality of hosts on an enterprise network comprises aggregating information received from a plurality of host intrusion detection systems each associated with a different host device” (Paragraphs 0039, 0086 describing clustering techniques that the network monitoring process 248 can employ for aggregating information from a plurality of network communication services and data logs).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FRANTZ COBY whose telephone number is (571)272-4017. The examiner can normally be reached Monday-Thursday 7AM-5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema, can be reached at 571-270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/FRANTZ COBY/Primary Examiner, Art Unit 2456
June 4, 2022