DETAILED ACTION
This office action is in response to the application filed on 09/11/2020. Claims 1-20 are pending and are examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was.


Claims 1-4, 6, 8-11, 13 and 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over Caldejon et al. (U.S. Patent No. 9,876,701 B1, referred to as Caldejon), in view of Mushtaq et al. (U.S. Patent No. 9,430,646 B1, referred to as Mushtaq).
Regarding claims 1, 8 and 15, Caldejon teaches:
A computer-implemented method for automated monitoring of data packets for potential security risks in a public cloud computing environment (Caldejon: Fig. 1; Col 3, ln 29-64, Fig. 3; Col 5, ln 59-67 and Col 6, ln 1-23), comprising: 
generating, by a server of the public cloud computing environment, flow log records of network traffic, the flow log records comprising metadata identifiers descriptive of data packets processed by the public cloud computing environment (Caldejon: Fig. 2; Col 3, ln 65-67 and Col 4, ln 1-68; Col 5, ln 1-56, “illustratively, the processing technique extends the capabilities of BPF and PCAP by (i) encapsulating network flow metadata within PCAP metadata records that are derived from the packets captured and stored on the data repository, and (ii) using the BPF engine 270 for filtering operations on the PCAP metadata records.”; Fig. 3, Col 5, ln 59-67 and Col 6, ln 1-23); 
identifying, by the server, a data packet that presents a potential security risk based on the metadata identifiers (Caldejon: Col 10, ln 10-21, “For example, a malware detection appliance coupled to network 130 may issue an alert to the PCR node 200, which may invoke the processing technique 300 to rapidly retrieve all requested packets. As noted, the multi-stage indexing arrangement of the processing technique 300 facilitates capture of packets (and writing to disk) while simultaneously serving queries (retrieving from disk). The malware detection appliance may issue an alert in terms of a BPF expression or query and the PCR node may retrieve all matching packets and return them to the detection appliance, which may perform an analysis on the packet traffic.”); 
retrieving, by the server, a captured data packet (PCAP) record from a PCAP record repository, the PCAP record corresponding to the identified data packet based on the metadata identifiers descriptive of the data packet (Caldejon: Col 10, ln 10-21, “For example, a malware detection appliance coupled to network 130 may issue an alert to the PCR node 200, which may invoke the processing technique 300 to rapidly retrieve all requested packets. As noted, the multi-stage indexing arrangement of the processing technique 300 facilitates capture of packets (and writing to disk) while simultaneously serving queries (retrieving from disk). The malware detection appliance may issue an alert in terms of a BPF expression or query and the PCR node may retrieve all matching packets and return them to the detection appliance, which may perform an analysis on the packet traffic.”); and 
Caldejon does not explicitly disclose, however Mushtaq teaches:
transmitting, from the server, the PCAP record to a computing device for network traffic analysis (Mushtaq: Fig. 4; Col 16, ln 18-53; Fig. 5, Step 522; Col 17, ln 3-11, “Next, in step 522, logic checks with the central analyzer. In so doing, the local analyzer makes the entry in the event/anomaly database available to the central analyzer. The local analyzer may do this by sending the event to the central analyzer (EN: a computing device for network traffic analysis) or by waiting for the central analyzer to request newly added events (the “deltas”) depending on whether the embodiment uses a respective “push” or “pull” technique.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Caldejon by Mushtaq and have a central analyzer in a cloud environment capable of distributing results of the central analyzer to the local analyzer in order to enhance local analyses and first stage filtering of future traffic. (Mushtaq: Col 7, ln 30-40).

Regarding claim 8, Caldejon further teaches: 
A database system of a public cloud computing environment, the database system comprising: a server; and at least one memory device coupled to the server, the at least one memory device having instructions stored thereon. (Caldejon: Fig. 2, Item 220; Col 3, ln 65-67)

Regarding claim 15, Caldejon further teaches: 
A non-transitory computer-readable storage medium having instructions encoded thereon which, when executed by a server (Caldejon: Col 10, ln 59-64, “For instance, it is expressly contemplated that the components and/or elements described herein can be implemented as software encoded on a tangible (non-transitory) computer-readable medium (e.g., disks and/or CDs) having program instructions executing on a computer, hardware, firmware, or a combination thereof.”).

Regarding claims 2, 9 and 16, the combination of Caldejon in view of Mushtaq teaches all the features of claims 1, 8 and 15, as outlined above.
Mushtaq teaches:
wherein generating the log flow records comprises: for each data packet processed by the public cloud computing environment, storing in a corresponding flow log record metadata identifiers comprising an address of a corresponding PCAP record of the data packet within the PCAP record repository, wherein the PCAP record is identified within the PCAP record repository based on the address (Caldejon: Fig. 3, Items 320, 400; Col 5, ln 59-67 and Col 6, ln 1-23; Fig. 4; Fig. 5; Col 6, ln 24-67 and Col 7, ln 1-62).

Regarding claims 3, 10 and 17, the combination of Caldejon in view of Mushtaq teaches all the features of claims 1, 8 and 15, as outlined above.
Caldejon does not explicitly disclose, however Mushtaq teaches:
wherein generating the flow log records comprises: for each data packet processed by the public cloud computing environment, storing in a corresponding flow log record metadata identifiers comprising a fingerprint identifier or an internet protocol (IP) address, wherein identifying a data packet that presents a potential security risk comprises determining that the fingerprint identifier or IP address corresponds to a suspected or previously detected security risk (Mushtaq: Fig. 2, Items 264, 268; Col 12, ln 12-19, “The persistent storage 230 also includes a TLD black list repository 264, a TLD white list repository 266, an IP blacklist repository 268 (EN: IP address corresponds to a suspected or previously detected security risk), a cache 270 and an event/anomaly database 280. In some embodiments, the cache 270 may be integrated with the event/anomaly database 280 and both may be stored in memory or mass storage.”; Col 14; Fig. 3A, Step 340; Col 15, ln 34-42).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Caldejon by Mushtaq to monitor the behavior of content during execution to detect anomalies and other activity that may signal the presence of malware. (Mushtaq: Col 2, ln 1-5).

Regarding claims 4, 11 and 18, the combination of Caldejon in view of Mushtaq teaches all the features of claims 3, 10 and 17, as outlined above.
Mushtaq teaches:
The computer-implemented method of claim 3, further comprising: retrieving, from the PCAP record repository, a plurality of PCAP records associated with the fingerprint identifier or the IP address based on flow log records that comprise the fingerprint identifier or the IP address in their respective metadata identifiers; and transmitting (Caldejon: Fig. 3, Items 320, 400; Col 5, ln 59-67 and Col 6, ln 1-23; Fig. 4; Fig. 5; Col 6, ln 24-67 and Col 7, ln 1-62).
Caldejon does not explicitly disclose, however Mushtaq teaches:
from the server, the plurality of PCAP records to the computing device for network traffic analysis (Mushtaq: Fig. 4; Col 16, ln 18-53; Fig. 5, Step 522; Col 17, ln 3-11, “Next, in step 522, logic checks with the central analyzer. In so doing, the local analyzer makes the entry in the event/anomaly database available to the central analyzer. The local analyzer may do this by sending the event to the central analyzer (EN: a computing device for network traffic analysis) or by waiting for the central analyzer to request newly added events (the “deltas”) depending on whether the embodiment uses a respective “push” or “pull” technique.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Caldejon by Mushtaq and have a central analyzer in a cloud environment capable of distributing results of the central analyzer to the local analyzer in order to enhance local analyses and first stage filtering of future traffic. (Mushtaq: Col 7, ln 30-40).
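The pipeline recited in claims 1 through 4 (flow log records carrying metadata identifiers, identification of a risky packet by matching an IP address or fingerprint identifier against known indicators, and retrieval of the matching PCAP record from the repository by its stored address) can be modelled in a few dozen lines. The following is an added example written for this page; it is not code from the application, from Caldejon or from Mushtaq. Every name, IP address, fingerprint value and packet payload in it is constructed for illustration, and the PCAP repository is an in-memory byte buffer in libpcap file layout rather than an on-disk store.

```python
"""Added example, not from the office action or the cited patents: a toy model of
flow log records whose metadata identifiers address PCAP records in a repository.
Indicators, IPs, JA3 values and payloads below are constructed for illustration."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# libpcap file layout: 24-byte global header, then a 16-byte header per packet record.
PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, ver major, ver minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len


@dataclass(frozen=True)
class FlowLogRecord:
    """Metadata identifiers kept per packet (claim 2/3 style); pcap_offset is the
    'address' of the packet's PCAP record inside the repository."""
    src_ip: str
    dst_ip: str
    ja3: Optional[str]   # TLS client fingerprint when the packet was a ClientHello, else None
    pcap_offset: int


class PcapRepository:
    """Append-only buffer in pcap file format; stands in for the on-disk repository."""

    def __init__(self) -> None:
        self.buf = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))

    def append(self, ts_sec: int, payload: bytes) -> int:
        """Write one packet record and return its byte offset (the address stored in the flow log)."""
        offset = len(self.buf)
        self.buf += REC_HDR.pack(ts_sec, 0, len(payload), len(payload)) + payload
        return offset

    def fetch(self, offset: int) -> bytes:
        """Random access by address: read the record header, then exactly incl_len bytes."""
        _, _, incl_len, _ = REC_HDR.unpack_from(self.buf, offset)
        start = offset + REC_HDR.size
        return bytes(self.buf[start:start + incl_len])

    def size(self) -> int:
        return len(self.buf)


def ingest(repo: PcapRepository,
           packets: List[Tuple[int, str, str, Optional[str], bytes]]) -> List[FlowLogRecord]:
    """Capture step (claim 1/2): store each packet, emit a flow log record holding
    the metadata identifiers plus the address of the stored PCAP record."""
    records = []
    for ts, src, dst, ja3, payload in packets:
        records.append(FlowLogRecord(src, dst, ja3, repo.append(ts, payload)))
    return records


def identify_risky(records: List[FlowLogRecord],
                   ip_blacklist: Set[str], ja3_blacklist: Set[str]) -> List[FlowLogRecord]:
    """Identification step (claim 3): match identifiers against known-bad indicators only;
    the packet bytes themselves are never read at this stage."""
    return [r for r in records
            if r.src_ip in ip_blacklist or r.dst_ip in ip_blacklist
            or (r.ja3 is not None and r.ja3 in ja3_blacklist)]


def retrieve_by_indicator(records: List[FlowLogRecord], repo: PcapRepository,
                          indicator: str) -> List[bytes]:
    """Retrieval step (claim 4): every PCAP record whose flow log carries the indicator."""
    return [repo.fetch(r.pcap_offset) for r in records
            if indicator in (r.src_ip, r.dst_ip, r.ja3)]


def demo() -> Dict[str, object]:
    """Run the pipeline over constructed traffic; 203.0.113.0/24 is documentation address space."""
    repo = PcapRepository()
    packets = [  # (ts_sec, src_ip, dst_ip, ja3, payload) - all constructed
        (1, "10.0.0.5", "10.0.0.9", None, b"benign-1"),
        (2, "10.0.0.5", "203.0.113.7", "ja3-constructed-bad", b"hello-to-bad-host"),
        (3, "10.0.0.6", "10.0.0.9", "ja3-constructed-ok", b"benign-2"),
        (4, "203.0.113.7", "10.0.0.5", None, b"reply-from-bad-host"),
        (5, "10.0.0.7", "10.0.0.9", None, b"benign-3"),
    ]
    records = ingest(repo, packets)
    flagged = identify_risky(records, {"203.0.113.7"}, {"ja3-constructed-bad"})
    transmitted = [repo.fetch(r.pcap_offset) for r in flagged]
    sent_bytes = sum(REC_HDR.size + len(p) for p in transmitted)
    return {
        "flagged_offsets": [r.pcap_offset for r in flagged],
        "transmitted": transmitted,
        "by_ip": retrieve_by_indicator(records, repo, "203.0.113.7"),
        "by_ja3": retrieve_by_indicator(records, repo, "ja3-constructed-bad"),
        "share_of_repo": sent_bytes / repo.size(),  # fraction of repository bytes actually sent
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the model makes visible is the one the claims turn on: detection and retrieval are driven entirely by the flow log metadata, and the repository is touched only at the offsets the flagged records name, so the bytes forwarded for analysis are a small fraction of what was captured.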


Regarding claims 6 and 13, the combination of Caldejon in view of Mushtaq teaches all the features of claims 1 and 8, as outlined above.
Caldejon does not explicitly disclose, however Mushtaq teaches:
aggregating, based on the metadata identifiers, PCAP records from each virtual machine instance of the public cloud computing environment onto one or more hard disks (Mushtaq: Fig. 7, Item 780; Col 19, ln 16-67 and Col 20, ln 1-55, “The scheduler 770 may then load and configure a virtual machine from the virtual machine pool 780 in an order related to the priority level, and dispatch the virtual machine to the analysis engine 782 to process the suspicious network content.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Caldejon by Mushtaq and have a virtual machine pool and an analysis engine to flag the suspicious network content as malicious network content according to the observed behavior of the virtual machine. (Mushtaq: Col 20, ln 51-55).

Allowable Subject Matter
Claims 5, 7, 12, 14 and 19-20 would be allowable if they were rewritten in independent form including all of the limitations of the base claim and any intervening claims.

The following is an examiner’s statement of reasons for identifying allowable subject matter.

The closest prior art made of record is Caldejon et al. (U.S. Patent No. 9,876,701 B1, referred to as Caldejon) and Mushtaq et al. (U.S. Patent No. 9,430,646 B1, referred to as Mushtaq).

Caldejon discloses an indexing arrangement that enables efficient search and retrieval of indexes persistently stored in a metadata repository and used to locate packets captured from a network and persistently stored in a data repository. The packets are captured at a packet capture and retrieval system having persistent storage devices organized as files of the metadata and data repositories. Search and retrieval of the indexes within the files of the metadata repository occur at substantially the same time as one or more other captured packets are written to one or more files of the data repository, to realize a substantially high sustained packet transfer rate of the network.

Mushtaq discloses techniques which may automatically detect bots or botnets running in a computer or other digital device by detecting command and control communications, called “call-backs,” from malicious code that has previously gained entry into the digital device. Callbacks are detected using a distributed approach employing one or more local analyzers and a central analyzer. The local analyzers capture packets of outbound communications, generate header signatures, and analyze the captured packets using various techniques.

Regarding claims 5, 12 and 19, the prior art of Caldejon and Mushtaq, when taken in the context of the claim as a whole, does not disclose or suggest “wherein the fingerprint identifier comprises a JA3 SSL fingerprint.”

Regarding claims 7 and 14, the prior art of Caldejon and Mushtaq, when taken in the context of the claim as a whole, does not disclose or suggest “wherein the PCAP record transmitted to the computing device corresponds to less than 1% of all PCAP record data stored in the PCAP record repository.”

Regarding claim 20, the prior art of Caldejon and Mushtaq, when taken in the context of the claim as a whole, does not disclose or suggest “wherein the server is to further: aggregate, based on the metadata identifiers, PCAP records from each virtual machine instance of the public cloud computing environment onto one or more hard disks, wherein the aggregated PCAP records correspond to less than 1% of all PCAP record data stored in the PCAP record repository.”

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: See PTO-892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HASSAN SAADOUN whose telephone number is (571)272-8408. The examiner can normally be reached Mon-Fri 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/HASSAN SAADOUN/Examiner, Art Unit 2435  

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435