DETAILED ACTION
 	Claims 1-20 are pending. This communication is in response to Applicant’s arguments and amendments filed on May 6, 2022.
 	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER'S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given in an interview with Matthew Frontz #65,198 on June 17, 2022.

The application has been amended as follows: 

1.         (Currently Amended) A computer-implemented method comprising: 
            detecting, via one or more sensors, a plurality of flows; 
            determining a plurality of entropies associated with the plurality of flows wherein the entropies are associated with header data of packets of the plurality of flows; 
            determining, based on previous flows within a previous time period, an amount of traffic indicating non-malicious traffic in the previous flows; 
determining whether an entropy of the plurality of entropies is greater than the amount of traffic indicating non-malicious traffic; 
            in response to the entropy of the plurality of entropies being greater than the amount of traffic indicating non-malicious traffic, determining an associated flow of the plurality of flows is anomalous; and
in response to the entropy of the plurality of entropies being less than or equal to the amount, determining the associated flow of the plurality of flows is normal.

2. (Original) The computer-implemented method of claim 1, further comprising: provide a buffer when the amount is greater than a second entropy of the plurality of entropies.  

Serial No.: 16/846,149 Confirmation No.: 8164 Attorney Docket No.: 654194 (999682-US.18)

3. (Previously Amended) The computer-implemented method of claim 1, wherein, the plurality of flows includes a portion of flows detected via a first sensor of the one or more sensors installed on a first endpoint, the first endpoint is a destination for the portion of flows, the detecting of the plurality of flows includes detecting, via a second sensor of the one or more sensors associated with a second endpoint, the portion of flows, and the second endpoint is a source for the portion of flows.  

4. (Original) The computer-implemented method of claim 1, wherein, at least one of the plurality of entropies is associated with at least one of a plurality of header fields, the plurality of header fields have various entropy values, and the at least one of the plurality of header fields is a packet identification field of Internet Protocol version 4 standard.  

5. (Original) The computer-implemented method of claim 1, wherein at least one of the plurality of entropies includes associated with at least one of a plurality of header fields, the plurality of header fields have various entropy values, and the at least one of the plurality of header fields is a time to live field and/or a sequence identifier field.  

6. (Original) The computer-implemented method of claim 1, wherein the determining of the plurality of entropies includes determining an expected sequence identifier field.  

7. (Original) The computer-implemented method of claim 6, wherein the determining of the plurality of entropies includes determining a difference between the expected sequence identifier field and a detected sequence identifier field.  

8. (Currently Amended) A non-transitory computer-readable medium having computer readable instructions that, when executed by a processor of a computer, cause the computer to: 
 detect, via one or more sensors, a plurality of flows; 
determine a plurality of entropies associated with the plurality of flows wherein the entropies are associated with header data of packets of the plurality of flows; 
determine, based on previous flows within a previous time period, an amount of traffic indicating non-malicious traffic in the previous flows; 
determine whether an entropy of the plurality of entropies is greater than the amount of traffic indicating non-malicious traffic; 
in response to the entropy of the plurality of entropies being greater than the amount of traffic indicating non-malicious traffic, determine the one of the plurality of flows is anomalous; and 
in response to the entropy of the plurality of entropies is less than or equal to the amount, determine the one of the plurality of flows is normal.  

9. (Original) The non-transitory computer-readable medium of claim 8, wherein the instructions further cause the computer to: provide a buffer when the amount is greater than a second entropy of the plurality of entropies.  

10. (Previously Amended) The non-transitory computer-readable medium of claim 8, wherein, the plurality of flows includes a portion of flows detected via a first sensor of the one or more sensors installed on a first endpoint, the first endpoint is a destination for the portion of flows, detecting the plurality of flows includes detecting, via a second sensor of the one or more sensors associated with a second endpoint, the portion of flows, and the second endpoint is a source for the portion of flows.  

11. (Original) The non-transitory computer-readable medium of claim 8, wherein, at least one of the plurality of entropies is associated with at least one of a plurality of header fields, the plurality of header fields have various entropy values, and the at least one of the plurality of header fields is a packet identification field of Internet Protocol version 4 standard.  

12. (Original) The non-transitory computer-readable medium of claim 8, wherein, at least one of the plurality of entropies is associated with at least one of a plurality of header fields, the plurality of header fields have various entropy values, and the at least one of the plurality of header fields is a time to live field and/or a sequence identifier field.  

13. (Original) The non-transitory computer-readable medium of claim 8, wherein determining the plurality of entropies includes determining an expected sequence identifier field.  

14. (Original) The non-transitory computer-readable medium of claim 13, wherein determining the plurality of entropies includes determining a difference between the expected sequence identifier field and a detected sequence identifier field.
  
15. (Currently Amended) A system comprising: 
a processor; a memory including instructions that when executed by the processor, cause the system to: 
detect, via one or more sensors, a plurality of flows; 
determine a plurality of entropies associated with the plurality of flows wherein the entropies are associated with header data of packets of the plurality of flows; 
determine, based on previous flows within a previous time period, an amount of traffic indicating non-malicious traffic in the previous flows;
determine whether an entropy of the plurality of entropies is greater than the amount of traffic indicating non-malicious traffic; 
in response to the entropy of the plurality of entropies is greater than the amount of traffic indicating non-malicious traffic, determine the one of the plurality of flows is anomalous; and 
in response to the entropy of the plurality of entropies is less than or equal to the amount, determine the one of the plurality of flows is normal.  

16. (Original) The system of claim 15, wherein the instructions further cause the system to: provide a buffer when the amount is greater than a second entropy of the plurality of entropies.  

17. (Previously Amended) The system of claim 15, wherein, the plurality of flows includes a portion of flows detected via a first sensor of the one or more sensors installed on a first endpoint, the first endpoint is a destination for the portion of flows, detecting the plurality of flows includes detecting, via a second sensor of the one or more sensors associated with a second endpoint, the portion of flows, and the second endpoint is a source for the portion of flows.  

18. (Original) The system of claim 15, wherein, at least one of the plurality of entropies is associated with at least one of a plurality of header fields, the plurality of header fields have various entropy values, and the at least one of the plurality of header fields is a packet identification field of Internet Protocol version 4 standard.  

19. (Original) The system of claim 15, wherein, at least one of the plurality of entropies is associated with at least one of a plurality of header fields, the plurality of header fields have various entropy values, and the at least one of the plurality of header fields is a time to live field and/or a sequence identifier field.  

20. (Original) The system of claim 15, wherein, determining the plurality of entropies includes determining an expected sequence identifier field, and determining the plurality of entropies includes determining a difference between the expected sequence identifier field and a detected sequence identifier field.



Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
 	Applicant’s arguments are persuasive that the current rejection does not teach the claims as amended. However, for compact prosecution, per interview, Applicant agrees to an Examiner’s amendment since no art, singly or in combination, teaches all the features as amended.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
INQUIRY COMMUNICATION
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRI M TRAN whose telephone number is (571)270-1994. The examiner can normally be reached Mon-Fri: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469)295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/TRI M TRAN/Primary Examiner, Art Unit 2432