Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the reply filed by Applicant on 4/27/2022. Claim 5 has been canceled. Claims 9-14 have been added as new. Claims 1-4 and 6-14 are pending. This Office Action is Final.

Information Disclosure Statement
The information disclosure statement (IDS), submitted on 4/27/2022, is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.


Response to Arguments
	A) Applicant’s amendments and arguments with regard to 35 USC 112 for a trademark have been considered and are deemed persuasive, as claim 5 has been canceled. As a result, this rejection has been withdrawn.

	B) Applicant’s amendments and arguments with regard to the claim interpretation of claim 1 under 112(f) have been considered and are deemed persuasive. As a result, this interpretation has been withdrawn.


	Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 3, 4, 6, 8, 9, 11 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Jung et al. (US 2013/0167219) in view of Chua et al. (US 2016/0217056).


	As per claim 1, Jung discloses a network anomaly detection apparatus configured to detect an anomaly of a network to be monitored based on received flow statistical information, the network anomaly detection apparatus comprising: a processor; and a memory storing at least one program which, when executed by the processor, configure the processor (Jung, Paragraph 0035 recites “Referring to FIG. 1, the terminal apparatus 100 includes a packet processor 110, an interrupt analyzer 120, an anomalous traffic detecting unit 130, a traffic block request unit 140, and a user matching unit 150.” and Jung, Paragraph 0090 recites “The present invention can be implemented as computer-readable code in a computer-readable recording medium.”);
	receive flow statistical information aggregated from header information of packets in the network and collect the flow statistical information in a flow statistical information storage unit (Jung, Paragraph 0043 recites “For creating the high security mode signal, the anomalous traffic detecting unit 130 may monitor the excessive traffic detection signal for the first time period to determine whether the excessive traffic generated in the terminal is momentary or continuous traffic. Also, the anomalous traffic detecting unit 130 compares transmission packet headers in units of a predetermined time to determine whether the generation count of the same kind of transmission packets exceeds a threshold value for a second time period, and determines, if the generation count of the same kind of transmission packets exceeds the threshold value for the second time period, that the corresponding traffic has been generated by malicious code such as Botnet, not by the user, thereby generating an anomalous traffic detection signal.”);
	and acquire flow statistical information in a predetermined period from the flow statistical information storage unit and determine whether any anomaly exists in the network based on whether any flow statistical information matching the events in the scenario of the scenario information exists (Jung, Paragraph 0072-077 recites “The anomalous packet detector 420 may include a packet header buffer 422, a packet header comparer 424, a packet header counter 426, and a packet header period setting unit 428. The packet header buffer 422 receives headers of transmission packets, and transfers the header of a current transmission packet and the header of the previous transmission packet to the packet header comparer 424. The packet header comparer 424 compares the header of the current transmission packet to the header of the previous transmission packet, and transfers the result of the comparison to the packet header counter 426. The packet header counter 426 counts packets having the same header for a predetermined packet header period set in the packet header period setting unit 428, and generates a packet header alert signal if the count value exceeds a threshold value set in the packet header counter 426, and transfers the packet header alert signal to the anomalous traffic determiner 430. If the count value does not exceed the threshold value for the predetermined packet header period set in the packet header period setting unit 428, the packet header counter 426 transfers a packet header count period initializing signal to the packet header period setting unit 460 and initializes the packet header period. 
As such, according to the configuration of the packet header buffer 422, the packet header comparer 424, the packet header counter 426, and the packet header period setting unit 428, by comparing the header of a current transmission packet to the header of the previous transmission packet based on header information of transmission packets, it is possible to determine whether a large amount of the same kind of transmission packets is transmitted in a short time.”).
	But fails to teach retrieve scenario information including a scenario in which a time-series sequential relation of events concerning a plurality of flows is defined, the plurality of flows including at least a first flow and a second flow, which is different from the first flow, and the time-series sequential relation including at least a time-series sequential relationship between events occurring in the first flow and events occurring in the second flow.
	However, in an analogous art Chua teaches retrieve scenario information including a scenario in which a time-series sequential relation of events concerning a plurality of flows is defined, the plurality of flows including at least a first flow and a second flow, which is different from the first flow, and the time-series sequential relation including at least a time-series sequential relationship between events occurring in the first flow and events occurring in the second flow (Chua, Paragraph 0018 recites “The anomaly detection system 10 can also include a statistically deviated flow component 24 that can, for each flow in the data, discover a number of statistically deviated flows from the plurality of flows connected to the flow. The determination can be based on a time and a location related to each statistically deviated flow. The statistically deviated flow component 24 can address the insufficiency of statistical deviations as sole indicators of anomalies by finding relations between flows (e.g., by examining flows connected to a flow). In other words, in addition to the statistical deviation of each flow, for each flow a number of statistically deviated flows connected to the flow can be derived. The derivation depends on the context and nature of the distributed system. For example, the relation can be defined in terms of the time and the physical location of the flow. An indication of whether the flow is an anomaly can be obtained by positively correlating to the number of statistically deviated flows that are related to the flow. Using the end (source and destination) points of an anomalous flow, the physical location of the anomaly within the distributed system can be isolated.” Chua describes multiple flows being analyzed under defined terms.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Chua’s detecting flow anomalies And Router For Implementing Mirroring with Jung’s apparatus and method for cyber-attack prevention, because the use of defined parameters for determining anomalies would help to have a baseline and find a standard deviation from the defined terms to accurately determine an anomaly.

	As per claim 3, Jung discloses the network anomaly detection apparatus according to claim 1, Jung further teaches wherein the anomaly detection unit provides a user interface to configure the scenario information (Jung, Paragraph 0011 recites “The user matching unit may process a transmission packet that generated the anomalous traffic, and provide a user interface screen for providing detailed information about the transmission packet.”).

	As per claim 4, Jung discloses the network anomaly detection apparatus according to claim 1, Jung further teaches wherein the anomaly detection unit is configured to output information on flow statistical information matching the events in the scenario as log information indicating occurrence of an anomaly if such flow statistical information matching the events exists (Jung, Paragraph 0056 recites “The excessive traffic detector 230 compares the number of packets counted for the packet count period to a predetermined packet count threshold value which is a criterion for determining occurrence of excessive traffic, to detect excessive traffic. That is, the excessive traffic detector 230 compares a packet count value received from the packet counter 220 to a predetermined packet count threshold value, and generates, if the packet count value is greater than the predetermined packet count threshold value, an excessive traffic detection signal.”).
	
	As per claim 6, Jung discloses a network anomaly detection system comprising: a network to be monitored; a relay apparatus in the network (Jung, Paragraph 0049 recites “if a transmission packet that generated anomalous traffic is buffered in the packet processor 110, a traffic block request signal may be transferred to the packet processor 110. Also, the traffic block request unit 140 may transfer a security monitoring request signal, together with the traffic block request signal, to the packet processor 110. When it receives the security monitoring request signal, the packet processor 110 may transmit the corresponding transmission packet as a security monitored packet to a security monitoring system in order to report a packet that might possibly include Botnet to the security monitoring system.”);
	and a network anomaly detection apparatus including a processor and a memory (Jung, Paragraph 0035 recites “Referring to FIG. 1, the terminal apparatus 100 includes a packet processor 110, an interrupt analyzer 120, an anomalous traffic detecting unit 130, a traffic block request unit 140, and a user matching unit 150.” and Paragraph 0090 recites “The present invention can be implemented as computer-readable code in a computer-readable recording medium.”);
	wherein the relay apparatus is configured to generate flow statistical information from header information of packets in the network and send the generated flow statistical information to the network anomaly detection apparatus, wherein network anomaly detection apparatus is configured to detect an anomaly in the network based on flow statistical information received from the relay apparatus, and wherein the memory stores at least one program which, when executed by the processor, configures the processor to: receive flow statistical information aggregated from header information of packets in the network and collect the flow statistical information in a flow statistical information storage unit (Jung, Paragraph 0043 recites “For creating the high security mode signal, the anomalous traffic detecting unit 130 may monitor the excessive traffic detection signal for the first time period to determine whether the excessive traffic generated in the terminal is momentary or continuous traffic. Also, the anomalous traffic detecting unit 130 compares transmission packet headers in units of a predetermined time to determine whether the generation count of the same kind of transmission packets exceeds a threshold value for a second time period, and determines, if the generation count of the same kind of transmission packets exceeds the threshold value for the second time period, that the corresponding traffic has been generated by malicious code such as Botnet, not by the user, thereby generating an anomalous traffic detection signal.”);
	and acquire flow statistical information in a predetermined period from the flow statistical information storage unit and determine whether any anomaly exists in the network based on whether any flow statistical information matching the events in the scenario of the scenario information exists  (Jung, Paragraph 0072-077 recites “The anomalous packet detector 420 may include a packet header buffer 422, a packet header comparer 424, a packet header counter 426, and a packet header period setting unit 428. The packet header buffer 422 receives headers of transmission packets, and transfers the header of a current transmission packet and the header of the previous transmission packet to the packet header comparer 424. The packet header comparer 424 compares the header of the current transmission packet to the header of the previous transmission packet, and transfers the result of the comparison to the packet header counter 426. The packet header counter 426 counts packets having the same header for a predetermined packet header period set in the packet header period setting unit 428, and generates a packet header alert signal if the count value exceeds a threshold value set in the packet header counter 426, and transfers the packet header alert signal to the anomalous traffic determiner 430. If the count value does not exceed the threshold value for the predetermined packet header period set in the packet header period setting unit 428, the packet header counter 426 transfers a packet header count period initializing signal to the packet header period setting unit 460 and initializes the packet header period. 
As such, according to the configuration of the packet header buffer 422, the packet header comparer 424, the packet header counter 426, and the packet header period setting unit 428, by comparing the header of a current transmission packet to the header of the previous transmission packet based on header information of transmission packets, it is possible to determine whether a large amount of the same kind of transmission packets is transmitted in a short time.”).
	But fails to teach retrieve scenario information including a scenario in which a time-series sequential relation of events concerning a plurality of flows is defined, the plurality of flows including at least a first flow and a second flow, which is different from the first flow, and the time-series sequential relation including at least a time-series sequential relationship between events occurring in the first flow and events occurring in the second flow.
	However, in an analogous art Chua teaches retrieve scenario information including a scenario in which a time-series sequential relation of events concerning a plurality of flows is defined, the plurality of flows including at least a first flow and a second flow, which is different from the first flow, and the time-series sequential relation including at least a time-series sequential relationship between events occurring in the first flow and events occurring in the second flow (Chua, Paragraph 0018 recites “The anomaly detection system 10 can also include a statistically deviated flow component 24 that can, for each flow in the data, discover a number of statistically deviated flows from the plurality of flows connected to the flow. The determination can be based on a time and a location related to each statistically deviated flow. The statistically deviated flow component 24 can address the insufficiency of statistical deviations as sole indicators of anomalies by finding relations between flows (e.g., by examining flows connected to a flow). In other words, in addition to the statistical deviation of each flow, for each flow a number of statistically deviated flows connected to the flow can be derived. The derivation depends on the context and nature of the distributed system. For example, the relation can be defined in terms of the time and the physical location of the flow. An indication of whether the flow is an anomaly can be obtained by positively correlating to the number of statistically deviated flows that are related to the flow. Using the end (source and destination) points of an anomalous flow, the physical location of the anomaly within the distributed system can be isolated.” Chua describes multiple flows being analyzed under defined terms.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Chua’s detecting flow anomalies And Router For Implementing Mirroring with Jung’s apparatus and method for cyber-attack prevention, because the use of defined parameters for determining anomalies would help to have a baseline and find a standard deviation from the defined terms to accurately determine an anomaly.

	As per claim 8, Jung discloses a network anomaly detection method for a computer having a processor and a memory to detect an anomaly in a network to be monitored based on received flow statistical information, the network anomaly detection method comprising: a first step of receiving, by the computer, flow statistical information aggregated from header information of packets in the network and collecting, by the computer, the flow statistical information in a flow statistical information storage unit; a third step of acquiring, by the computer, flow statistical information in a predetermined period from the flow statistical information storage unit (Jung, Paragraph 0043 recites “For creating the high security mode signal, the anomalous traffic detecting unit 130 may monitor the excessive traffic detection signal for the first time period to determine whether the excessive traffic generated in the terminal is momentary or continuous traffic. Also, the anomalous traffic detecting unit 130 compares transmission packet headers in units of a predetermined time to determine whether the generation count of the same kind of transmission packets exceeds a threshold value for a second time period, and determines, if the generation count of the same kind of transmission packets exceeds the threshold value for the second time period, that the corresponding traffic has been generated by malicious code such as Botnet, not by the user, thereby generating an anomalous traffic detection signal.”);
	and a fourth step of determining, by the computer, whether any anomaly exists in the network based on whether any flow statistical information matching events in the scenario of scenario information exists (Jung, Paragraph 0072-077 recites “The anomalous packet detector 420 may include a packet header buffer 422, a packet header comparer 424, a packet header counter 426, and a packet header period setting unit 428. The packet header buffer 422 receives headers of transmission packets, and transfers the header of a current transmission packet and the header of the previous transmission packet to the packet header comparer 424. The packet header comparer 424 compares the header of the current transmission packet to the header of the previous transmission packet, and transfers the result of the comparison to the packet header counter 426. The packet header counter 426 counts packets having the same header for a predetermined packet header period set in the packet header period setting unit 428, and generates a packet header alert signal if the count value exceeds a threshold value set in the packet header counter 426, and transfers the packet header alert signal to the anomalous traffic determiner 430. If the count value does not exceed the threshold value for the predetermined packet header period set in the packet header period setting unit 428, the packet header counter 426 transfers a packet header count period initializing signal to the packet header period setting unit 460 and initializes the packet header period. 
As such, according to the configuration of the packet header buffer 422, the packet header comparer 424, the packet header counter 426, and the packet header period setting unit 428, by comparing the header of a current transmission packet to the header of the previous transmission packet based on header information of transmission packets, it is possible to determine whether a large amount of the same kind of transmission packets is transmitted in a short time.”).
	But fails to teach a second step of retrieving scenario information including a scenario in which a time-series sequential relation of events concerning a plurality of flows is defined, the plurality of flows including at least a first flow and a second flow, which is different from the first flow, and the time-series sequential relation including at least a time-series sequential relationship between events occurring in the first flow and events occurring in the second flow.
	However, in an analogous art Chua teaches a second step of retrieving scenario information including a scenario in which a time-series sequential relation of events concerning a plurality of flows is defined, the plurality of flows including at least a first flow and a second flow, which is different from the first flow, and the time-series sequential relation including at least a time-series sequential relationship between events occurring in the first flow and events occurring in the second flow (Chua, Paragraph 0018 recites “The anomaly detection system 10 can also include a statistically deviated flow component 24 that can, for each flow in the data, discover a number of statistically deviated flows from the plurality of flows connected to the flow. The determination can be based on a time and a location related to each statistically deviated flow. The statistically deviated flow component 24 can address the insufficiency of statistical deviations as sole indicators of anomalies by finding relations between flows (e.g., by examining flows connected to a flow). In other words, in addition to the statistical deviation of each flow, for each flow a number of statistically deviated flows connected to the flow can be derived. The derivation depends on the context and nature of the distributed system. For example, the relation can be defined in terms of the time and the physical location of the flow. An indication of whether the flow is an anomaly can be obtained by positively correlating to the number of statistically deviated flows that are related to the flow. Using the end (source and destination) points of an anomalous flow, the physical location of the anomaly within the distributed system can be isolated.” Chua describes multiple flows being analyzed under defined terms.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Chua’s detecting flow anomalies And Router For Implementing Mirroring with Jung’s apparatus and method for cyber-attack prevention, because the use of defined parameters for determining anomalies would help to have a baseline and find a standard deviation from the defined terms to accurately determine an anomaly.

	As per claim 9, Jung in combination with Chua teaches the network anomaly detection apparatus according to claim 1, Chua further teaches wherein the processor is further configured to determine whether any anomaly exists in the network based on whether any flow statistical information matching the events in the scenario satisfy a first condition based on a flow relation between the events of the first flow and the events of the second flow (Chua, Paragraph 0042 recites “At 88, based on the number of statistically deviated flows connected to the flow, it may be determined if the flow is an anomaly in the distributed system (e.g., by statistically deviated flow component 24).”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Chua’s detecting flow anomalies And Router For Implementing Mirroring with Jung’s apparatus and method for cyber-attack prevention, because the use of defined parameters for determining anomalies would help to have a baseline and find a standard deviation from the defined terms to accurately determine an anomaly.

	As per claim 11, Jung in combination with Chua teaches the network anomaly detection apparatus according to claim 1, Chua further teaches wherein the processor is further configured to determine whether any anomaly exists in the network based on whether any flow statistical information matching the events in the scenario satisfy a second condition based on a time relation between the events of the first flow and the events of the second flow (Chua, Paragraph 0042 recites “At 88, based on the number of statistically deviated flows connected to the flow, it may be determined if the flow is an anomaly in the distributed system (e.g., by statistically deviated flow component 24).”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Chua’s detecting flow anomalies And Router For Implementing Mirroring with Jung’s apparatus and method for cyber-attack prevention, because the use of defined parameters for determining anomalies would help to have a baseline and find a standard deviation from the defined terms to accurately determine an anomaly.

	As per claim 12, Jung in combination with Chua teaches the network anomaly detection apparatus according to claim 11, Chua further teaches wherein the second condition is that the second flow is executed within a specified time period after the first flow is executed (Chua, Paragraph 0025 recites “A pair of consecutive nodes (e.g., B and C) in the path pr can form a segment sij. The anomaly detection system 10 of FIG. 1 can determine whether the observed amount of time taken for the entity flow in pr deviates significantly from the expected amount of time for the entity flow. For all records r within R with observed time that deviates significantly from the expected time, the segments sij within the path that are likely to be the cause of the deviations. This task can be challenging because of the lack of knowledge of the time it takes for entities to flow through the individual segments of the path pr. The expected time for each segment can be inferred based on the set of available records (e.g., within the received network data).”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Chua’s detecting flow anomalies And Router For Implementing Mirroring with Jung’s apparatus and method for cyber-attack prevention, because the use of defined parameters for determining anomalies would help to have a baseline and find a standard deviation from the defined terms to accurately determine an anomaly.

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Jung et al. (US 2013/0167219) and Chua et al. (US 2016/0217056) and in further view of La Marca et al. (US 2019/0182280).

	As per claim 2, Jung discloses the network anomaly detection apparatus according to claim 1, Jung further teaches wherein the scenario includes flow conditions for a plurality of events, threshold conditions predetermined for the plurality of events (Jung, Paragraph 0072-077 recites “The anomalous packet detector 420 may include a packet header buffer 422, a packet header comparer 424, a packet header counter 426, and a packet header period setting unit 428. The packet header buffer 422 receives headers of transmission packets, and transfers the header of a current transmission packet and the header of the previous transmission packet to the packet header comparer 424. The packet header comparer 424 compares the header of the current transmission packet to the header of the previous transmission packet, and transfers the result of the comparison to the packet header counter 426. The packet header counter 426 counts packets having the same header for a predetermined packet header period set in the packet header period setting unit 428, and generates a packet header alert signal if the count value exceeds a threshold value set in the packet header counter 426, and transfers the packet header alert signal to the anomalous traffic determiner 430. If the count value does not exceed the threshold value for the predetermined packet header period set in the packet header period setting unit 428, the packet header counter 426 transfers a packet header count period initializing signal to the packet header period setting unit 460 and initializes the packet header period.
As such, according to the configuration of the packet header buffer 422, the packet header comparer 424, the packet header counter 426, and the packet header period setting unit 428, by comparing the header of a current transmission packet to the header of the previous transmission packet based on header information of transmission packets, it is possible to determine whether a large amount of the same kind of transmission packets is transmitted in a short time.”).
	But fails to teach a time-series sequential relation of the plurality of events, wherein each of the flow conditions includes information on a source or a destination, wherein each of the threshold conditions includes a threshold related to a quantity when the flow condition occurs, and wherein the sequential relation includes a chronological time relation of the plurality of events.
	However, in an analogous art La Marca teaches a time-series sequential relation of the plurality of events, wherein each of the flow conditions includes information on a source or a destination (La Marca, Paragraph 0040 recites “Data packets P transmitted via communication bus 3 are defined by or include a time stamp, i.e., the point in time from which the relevant data packet P is sent, a data packet type, which is indicated in the present exemplary embodiments as an ID identifier, with which the source or the purpose of the data packet is characterized, and a data segment S.”);
	wherein each of the threshold conditions includes a threshold related to a quantity when the flow condition occurs, and wherein the sequential relation includes a chronological time relation of the plurality of events (La Marca, Paragraph 0020 recites “According to one specific embodiment, the rule for the anomaly recognition may be derived from the ascertained correlation values by creating a rule for those data portions, for which the correlation value is within a particular interval, in particular, has an absolute value that is greater than a predefined correlation threshold, the rule specifying that a chronological change of the values of the related data portions in data packets transmitted consecutively is concurrent or is non-concurrent.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use La Marca’s method for the automated creation of rules for a rule-based anomaly recognition in a data stream with Jung’s apparatus and method for cyber-attack prevention because checking for chronological changes adds another metric to determine network anomalies.
	
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Jung et al. (US 2013/0167219) and Chua et al. (US 2016/0217056) and in further view of Li et al. (US 2012/0082162).

	As per claim 7, Jung discloses the network anomaly detection system according to claim 6, but fails to teach wherein the relay apparatus includes: a mirroring device configured to output mirror packets of packets in the network; and an information collection device configured to receive the mirror packets output from the mirroring device and generate flow statistical information based on header information.
	However, in an analogous art Li teaches wherein the relay apparatus includes: a mirroring device configured to output mirror packets of packets in the network; and an information collection device configured to receive the mirror packets output from the mirroring device and generate flow statistical information based on header information (Li, Paragraph 0111 recites “the first transceiver module 15 is configured to receive the packet and judge whether the state of this packet is normal, and if it is abnormal, discard this packet, and if it is normal, then inquire the port attribute list of the port at which this packet is received in the first storage device 13, and send the received packet and the layer two virtual interface information (for example, it can be the layer two virtual interface identifier) in the first storage device 13 to the access control module 14 after determining that this port is the remote mirroring port; the transceiver module is further configured to send the mirroring data stream filtered by the access control module 14 and the layer two virtual interface information to the first remote mirroring unit 151, and then send the encapsulated mirroring packet returned by the first remote mirroring unit 151 to the network from the physical egress port corresponding to the layer two virtual interface; the first transceiver module 15 is further configured to judge whether the type of the remote mirroring port at which the packet is received is an ingress port or an egress port, and if it is the ingress port, the transceiver module is further configured to transmit the packet back to the ingress port after sending the packet to the first remote mirroring unit 151 to carry out the remote mirroring, and then forward the packet as the common packet; if it is the egress port, the transceiver module is further configured to forward the packet as the common packet before sending the packet to the first remote mirroring unit 151 to carry out the remote mirroring, and sending the packet to the remote mirroring unit 151 after transmitting the packet back to the egress port.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Li’s Method And Router For Implementing Mirroring with Jung’s apparatus and method for cyber-attack prevention because the use of mirroring places suspected anomalous data away from trusted data, so as to not let the suspected data corrupt the trusted data.

Claims 10, 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Jung et al. (US 2013/0167219) and Chua et al. (US 2016/0217056) and in further view of Grosso (US 2018/0145902).

	As per claim 10, Jung in combination with Chua teaches the network anomaly detection apparatus according to claim 9, but fails to teach wherein the first condition is that a destination address of the first flow is a same address as a source address of the second flow.
	However, in an analogous art Grosso teaches wherein the first condition is that a destination address of the first flow is a same address as a source address of the second flow (Grosso, Paragraph 0080 recites “As an alternative, the NMS_BP feature can try to identify the particular set of packets that are causing overload, for instance the address sources of packets intended for the overwhelmed address, or more in general the collection of packets from one or more flows that have some property in common: packets having same source address, or same destination address, etc. A further analytic can be based for instance on that packets that looks to be potentially corrupted, e.g. with bad checksum, etc. An aim of this analytical analysis is to identify aggregates of packets that may be responsible for the traffic overload to enable selective control to prevent them getting to the location of the overload, or to the potential victim of a malicious attack.” Grosso is using addresses to determine if an anomaly exists).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Grosso’s reducing traffic overload in software defined network with Jung’s apparatus and method for cyber-attack prevention because the use of checking addresses is an effective way of understanding where data is going to and from and can play an important role in anomaly detection.

	As per claim 13, Jung in combination with Chua and Grosso teaches the network anomaly detection apparatus according to claim 10, Chua further teaches wherein the processor is further configured to determine whether any anomaly exists in the network based on whether any flow statistical information matching the events in the scenario satisfy a second condition based on a time relation between the events of the first flow and the events of the second flow (Chua, Paragraph 0042 recites “At 88, based on the number of statistically deviated flows connected to the flow, it may be determined if the flow is an anomaly in the distributed system (e.g., by statistically deviated flow component 24).”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Chua’s detecting flow anomalies And Router For Implementing Mirroring with Jung’s apparatus and method for cyber-attack prevention because having defined parameters for determining anomalies would help to have a baseline and find a standard deviation from the defined terms to accurately determine an anomaly.

	As per claim 14, Jung in combination with Chua and Grosso teaches the network anomaly detection apparatus according to claim 13, Chua further teaches wherein the second condition is that the second flow is executed within a specified time period after the first flow is executed (Chua, Paragraph 0025 recites “A pair of consecutive nodes (e.g., B and C) in the path pr can form a segment sij. The anomaly detection system 10 of FIG. 1 can determine whether the observed amount of time taken for the entity flow in pr deviates significantly from the expected amount of time for the entity flow. For all records r within R with observed time that deviates significantly from the expected time, the segments sij within the path that are likely to be the cause of the deviations. This task can be challenging because of the lack of knowledge of the time it takes for entities to flow through the individual segments of the path pr. The expected time for each segment can be inferred based on the set of available records (e.g., within the received network data).”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Chua’s detecting flow anomalies And Router For Implementing Mirroring with Jung’s apparatus and method for cyber-attack prevention because having defined parameters for determining anomalies would help to have a baseline and find a standard deviation from the defined terms to accurately determine an anomaly.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached Mon-Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

RODERICK . TOLENTINO
Examiner
Art Unit 2439

/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439