DETAILED ACTION

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.   A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and  In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).

Claims 1-9 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-36 of U.S. Patent No. 10,931,696. Although the conflicting claims are not identical, they are not patentably distinct from each other because the pending claims are a broader variation of the patented claims. Claims 1-9 of the instant application are anticipated by patent claims 1-36, in that claims 1-36 of the patent contain all the limitations of claims 1-9 of the instant application. Claims 1-9 of the instant application therefore are not patentably distinct from the earlier patent claims and as such are unpatentable for obviousness-type double patenting.
The claims are similar, except that the patent claims are narrower than those of the instant application. The patent claims recite a first threat, while the instant application recites a first anomaly. The patented claims additionally recite: “…processing at the first node a second set of traffic data including information about system traffic corresponding to a second time period, said second time period following said first time period;
detecting, based on the second set of traffic data, a second set of traffic instances which are found to be a second threat of the first type;
checking a stored set of threat information and action information indicating an automatic action or an operator instructed action to be taken in response to a previous threat of the type;
automatically taking the automatic or operator instructed action, if any, in the stored set of threat information and action information matching the threat of the first type in response to detecting the second threat of the first type;
notifying the operator of the second threat;
monitoring to detect a response from the operator indicating an action to be taken in response to the second threat;
in response to failing to detect an operator indicated action to be taken in response to the second threat in a second predetermined time:
checking to determine if the second threat corresponds to an increased rate of threats of the first type or an increased level of threat; and
if the detected threat corresponds to an increased rate of threats of the first type or an increased level of threat taking an automated action in response to the second threat in the absence of operator input”.
Omission of an element and its function in a combination is an obvious expedient if the remaining elements perform the same functions as before. In re KARLSON (CCPA) 136 USPQ 184 (1963).





Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-4 and 8-9 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Pratt et al. (US Patent 10,673,880).
Regarding claim 1, Pratt discloses a method of operating a communication system, the method comprising: processing at a first node executing an application for anomaly detection and mitigation, a first set of traffic data including information about system traffic corresponding to a first time period, one or more pieces of data in said first set of traffic data being provided by sensors or sensor enforcer nodes monitoring traffic (see abstract; col. 53, lines 47-65); detecting, based on the first set of traffic data, a first set of traffic instances which are found to be a first anomaly of a first type (see abstract; figs. 1a and 24); notifying an operator of the first anomaly; monitoring to detect a response from the operator indicating an action to be taken in the system in response to the first anomaly (col. 22, line 55 – col 23, line 17); in response to detecting an operator indicated action to be taken in response to the first anomaly, implementing said operator indicated action to be taken in response to the first anomaly (col. 22, line 55-col. 23, line 17); in response to failing to detect an operator indicated action to be taken in response to the first anomaly within a predetermined time, continuing system operation without taking an action in response to the first anomaly (col. 9, line 35-65); and storing information about the first anomaly of the first type and any action taken in response to the first anomaly of the first type (col. 22, line 55-col. 23, line 17).
Regarding claim 2, Pratt discloses further comprising: in response to detecting an operator indicated action to be taken in response to the first anomaly determining a policy change to be implemented to enforce the operator indicated action; and communicating the policy change to one or more enforcement nodes or sensor enforcer nodes (col. 22, line 55-col. 23, line 60).
Regarding claim 3, Pratt discloses further comprising: processing at the first node a second set of traffic data including information about system traffic corresponding to a second time period, said second time period following said first time period; detecting, based on the second set of traffic data, a second set of traffic instances which are found to be a second anomaly of the first type; checking a stored set of anomaly and action information for information indicating an automatic action or operator instructed action previously taken in response to a previous anomaly of the first type; and upon identification of an automatic action or operator instructed action previously taken in response to a previous anomaly of the first type, implementing the identified automatic action or operator instructed action in response to the detected second anomaly of the first type (see abstract; figs. 1a and 24 – variety of threats; col. 9, lines 35-65).
Regarding claim 4, Pratt discloses further comprising: after taking an automatic action or operator instructed action matching the anomaly of the first type in response to detecting the second anomaly of the first type, continuously monitoring traffic data from sensor and sensor enforcer nodes for a configurable time period and applying one or more policies by enforcement devices in the network until said monitoring indicates that the system traffic has met or exceeded a first threshold (col. 22, line 55-col. 23, line 60; col. 48, lines 49-59).
Regarding claim 8, Pratt discloses further comprising: detecting, based on the first set of traffic data, a first threat of a first type (see abstract; figs. 1a and 24; col. 53, lines 47-65); notifying an operator of the detection of the first threat (col. 22, line 55 – col 23, line 17); monitoring for a first response period of time to detect a response from the operator indicating an action to be taken in the system in response to the first threat; detecting an operator indicated action to be taken in response to the first threat prior to the expiration of the first response period of time (col. 22, line 55 – col 23, line 17); implementing said detected operator indicated action to be taken in response to the first threat; storing information about the first threat of the first type and the action implemented in response to the first threat of the first type (col. 22, line 55-col. 23, line 17).
Regarding claim 9, Pratt discloses further comprising: detecting a second threat of the first type subsequent to detecting said first threat of the first type (see abstract; figs. 1a and 24; col. 53, lines 47-65); notifying the operator of the detection of the second threat (col. 22, line 55 – col 23, line 17); monitoring for a second response period of time to detect a response from the operator indicating an action to be taken in the system in response to the second threat; and when no response is detected within the second response period of time, automatically implementing the stored action implemented in response to the first threat of the first type (col. 22, line 55-col. 23, line 17).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Pratt et al. (US Patent 10,673,880) in view of Hamaguchi, Yoshitaka et al. (US Pub 2012/0106379).
Regarding claim 5, Pratt discloses a method of operating a communication system, the method comprising: processing at a first node executing an application for anomaly detection and mitigation, a first set of traffic data including information about system traffic corresponding to a first time period, one or more pieces of data in said first set of traffic data being provided by sensors or sensor enforcer nodes monitoring traffic (see abstract; col. 53, lines 47-65).
Pratt does not disclose wherein the first threshold is one of the following a Quality of Service threshold or a throughput optimization threshold.
Hamaguchi discloses wherein the first threshold is one of the following a Quality of Service threshold or a throughput optimization threshold (para 0103).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Pratt with the teachings of Hamaguchi in order to detect an anomaly in a network by checking if QoS has reached a threshold (Hamaguchi, para 0103).
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Pratt et al. (US Patent 10,673,880) in view of Hamaguchi, Yoshitaka et al. (US Pub 2012/0106379) and in further view of Bucko, Andrew (US Pub 2015/0003600).
Regarding claim 6, Pratt discloses a method of operating a communication system, the method comprising: processing at a first node executing an application for anomaly detection and mitigation, a first set of traffic data including information about system traffic corresponding to a first time period, one or more pieces of data in said first set of traffic data being provided by sensors or sensor enforcer nodes monitoring traffic (see abstract; col. 53, lines 47-65).
Pratt does not disclose determining, if the first set of traffic instances contain a set of patterns that match patterns indicative of a robo-call type of threat; and when the first set of traffic instances are determined to contain a set of patterns that match patterns indicative of a robo-call type of threat communicating instructions to enforcer and sensor enforce nodes to take a robo-call mitigation operation.
Bucko discloses determining, if the first set of traffic instances contain a set of patterns that match patterns indicative of a robo-call type of threat; and when the first set of traffic instances are determined to contain a set of patterns that match patterns indicative of a robo-call type of threat communicating instructions to enforcer and sensor enforce nodes to take a robo-call mitigation operation (see abstract; figs. 4 and 5).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Pratt with the teachings of Bucko in order to block a telephone number to stop undesired automated calls (Bucko, abstract).
Claims 10, 12, 14-17, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Pratt et al. (US Patent 10,673,880) in view of Mc Bride et al. (US Pub 2016/0239330).
Regarding claim 10, Pratt discloses a closed loop method of operating a Unified Communications system comprising: continuously monitoring, by sensors distributed throughout a network of the Unified Communications system, traffic data over a configurable time period (see abstract; col. 53, lines 47-65), detecting one or more anomalies in the network based on the monitored traffic data type (see abstract; figs. 1a and 24); and applying one or more policies by enforcement devices in the network until said monitoring indicates that Unified Communications system traffic has met or exceeded a threshold (col. 22, line 55-col. 23, line 60; col. 48, lines 49-59).
Pratt does not disclose said traffic data including application level protocol specific information.
Mc Bride discloses said traffic data including application level protocol specific information (para 0017).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Pratt with the teachings of Mc Bride in order to detect SIP based attacks in a network.
Regarding claim 12, Mc Bride discloses wherein said application level protocol specific information includes Session Initiation Protocol information (para 0017).
Regarding claim 14, Pratt discloses wherein detecting one or more anomalies in the network based on the monitored traffic data is performed by an anomaly detection and mitigation application (see abstract).
Regarding claim 15, Pratt discloses further comprising: communicating, by the anomaly detection and mitigation application, said one or more policies to be applied to a policy server; communicating from the policy server to the enforcement devices the one or more policies to be applied (col. 22, line 55-col. 23, line 60).
Regarding claim 16, Mc Bride discloses wherein said anomaly detection and mitigation application is implemented on a virtual machine in a cloud (see abstract – VM; para 0016-0017).
Regarding claim 17, see rejection of claim 10.
Regarding claim 19, see rejection of claim 12.

Claims 11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Pratt et al. (US Patent 10,673,880) in view of Mc Bride et al. (US Pub 2016/0239330) in view of Hamaguchi, Yoshitaka (US Pub 2012/0106379).
Regarding claim 11, Pratt discloses a method of operating a communication system, the method comprising: processing at a first node executing an application for anomaly detection and mitigation, a first set of traffic data including information about system traffic corresponding to a first time period, one or more pieces of data in said first set of traffic data being provided by sensors or sensor enforcer nodes monitoring traffic (see abstract; col. 53, lines 47-65).
Pratt in view of Mc Bride does not disclose wherein the threshold is one of the following: a Quality of Service threshold in compliance with a service contract or a session throughput optimization threshold.
Hamaguchi discloses wherein the threshold is one of the following: a Quality of Service threshold in compliance with a service contract or a session throughput optimization threshold (para 0103).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Pratt in view of McBride with the teachings of Hamaguchi in order to detect an anomaly in a network by checking if QoS has reached a threshold (Hamaguchi, para 0103).
Regarding claim 18, see rejection of claim 11.

Claims 13 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Pratt et al. (US Patent 10,673,880) in view of Mc Bride et al. (US Pub 2016/0239330) in view of Magnaghi et al. (US Pub 2006/0047807).
Regarding claim 13, Pratt discloses a method of operating a communication system, the method comprising: processing at a first node executing an application for anomaly detection and mitigation, a first set of traffic data including information about system traffic corresponding to a first time period, one or more pieces of data in said first set of traffic data being provided by sensors or sensor enforcer nodes monitoring traffic (see abstract; col. 53, lines 47-65).
Pratt in view of Mc Bride does not disclose wherein said application level protocol specific information includes one or more of the following: a quality of session metric based on one or more of the following: number of packets exchanged, number of packets lost, rate of packet loss, packet discard rate due to late arrival of packets, burst density gap, gap durations, Mean Opinion Score (MOS), and number of consecutive packet losses for packet loss periods experienced during a session.
Magnaghi discloses wherein said application level protocol specific information includes one or more of the following: a quality of session metric based on one or more of the following: number of packets exchanged, number of packets lost (para 0017, 0020), rate of packet loss, packet discard rate due to late arrival of packets, burst density gap, gap durations, Mean Opinion Score (MOS), and number of consecutive packet losses for packet loss periods experienced during a session. 
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Pratt in view of McBride with the teachings of Magnaghi in order to detect an anomaly in a network by detecting packet loss (Magnaghi, para 0017).
Regarding claim 20, see rejection of claim 13.

Allowable Subject Matter
Claim 7 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NAFIZ E HOQUE whose telephone number is (571)270-1811. The examiner can normally be reached M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ahmad Matar, can be reached on (571)272-7488. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/NAFIZ E HOQUE/           Primary Examiner, Art Unit 2652