Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This final action is in response to the amendment filed on June 02, 2022. In this amendment, claims 1, 6, 13 and 19-20 have been amended, and claim 10 has been canceled. Claims 1-9 and 11-20 are pending, with claims 1, 19 and 20 being independent. 

Response to Arguments
35 U.S.C. § 112 Rejections
	The claim rejections have been withdrawn in view of the amended claims.
35 U.S.C. § 103 Rejections
Applicants’ arguments, with regards to claim 1, have been fully considered but they are not persuasive.
In the response, applicant argues in substance that:
A. 	Livingood does not, however, disclose or suggest linking an infected IP address to an infected device (remarks, pg. 8). 
The examiner respectfully disagrees. “[L]inking an infected IP address to an infected device” is not recited in the claim. The claim recites “correlating the address corresponding to the suspect network flow with an identifier of an infected device that is sending the suspect network flow”. Livingood teaches that an ISP may be able to identify compromised hosts [infected devices implicitly having IDs] by identifying traffic [suspect network flow] destined to IP addresses associated with the command and control of botnets or destined to the combination of an IP address and control port associated with a command and control network (sometimes command and control traffic comes from a host that has legitimate traffic) (page 11). This citation indicates that an ISP identifies compromised hosts [infected devices implicitly having IDs] by identifying traffic [suspect network flow] sent from a host to IP addresses associated with the command and control of botnets. In other words, the ISP correlates the IP addresses associated with the command and control of botnets in the traffic [suspect network flow] with the host [compromised/infected host] sending that traffic.
B. 	Livingood does not disclose or suggest "correlating the address corresponding to the suspect network flow with an identifier of a suspect device that is sending the suspect network flow." 
	The examiner respectfully disagrees. “identifying the host that is generating the attack traffic” is not recited in the claim. See point (A) for details of mapping regarding "correlating the address corresponding to the suspect network flow with an identifier of a suspect device that is sending the suspect network flow."
	 Since the arguments regarding claim 1 are not persuasive, the arguments for the other claims that rely on them are likewise not persuasive.
Applicant’s arguments with respect to claim 6 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.


Claim Objections
Claims 1, 19 and 20 are objected to because of the following informalities: 
In the last limitation, “the user identifier” should read “the identifier”.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-5, 7-8 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Khatri et al. (US 2015/0156212, published Jun. 4, 2015) and Livingood et al. (NPL: rfc6561, published March 2012).
As per claim 1, Khatri discloses: 
obtaining threat information (Khatri abstract, receive a malicious packet marker), the threat information identifying one or more indicators of compromise (IOC) corresponding to suspected or known malicious network traffic (Khatri par. 19, a list of malicious packet markers, such as malicious IP addresses, malicious MAC addresses, suspected suspicious port accesses, tags that indicate the presence of malicious code, or the like); 
generating a control list (CL) corresponding to the threat information (Khatri abstract, store the malicious packet marker to the memory), the CL describing rules for identifying network flows to be logged in a network log (Khatri abstract, determine that a packet matches the malicious packet marker, and store log information from the packet to the memory); 
obtaining the network log identifying the network flows (Khatri par. 19, log module 132 operates to receive information from NIC 150 regarding the network traffic flows, and records the information in logs 134 such that MC 180 can retrieve the information and provide it to management system 190). 
Khatri does not explicitly disclose:
identifying a suspect network flow identified by both the threat information and the network log; 
identifying an address corresponding to the suspect network flow; 
correlating the address corresponding to the suspect network flow with an identifier of an infected device that is sending the suspect network flow; and 
issuing a notification to a user associated with the user identifier, the notification indicating a suspected existence of a malicious bot.
Livingood teaches:
identifying a suspect network flow identified by both the threat information and the network log (Livingood pg. 11, An ISP may use Netflow [RFC3954] or other similar passive network monitoring to identify network anomalies that may be indicative of botnet attacks or bot communications. For example, an ISP may be able to identify compromised hosts by identifying traffic [suspect network flow] destined to IP addresses associated with the command and control of botnets); 
identifying an address corresponding to the suspect network flow (Livingood pg. 11, an ISP may be able to identify compromised hosts by identifying traffic [suspect network flow] destined to IP addresses associated with the command and control of botnets); 
correlating the address corresponding to the suspect network flow with an identifier of an infected device that is sending the suspect network flow (Livingood pg. 11, an ISP may be able to identify compromised hosts [implicitly have IDs] by identifying traffic [suspect network flow] destined to IP addresses associated with the command and control of botnets or destined to the combination of an IP address and control port associated with a command and control network (sometimes command and control traffic comes from a host that has legitimate traffic)); and 
issuing a notification to a user associated with the user identifier (Livingood pg. 12, Once an ISP has detected a bot, or the strong likelihood of a bot, steps should be undertaken to inform the Internet user that they may have a bot-related problem), the notification indicating a suspected existence of a malicious bot (Livingood pg. 12, Once an ISP has detected a bot, or the strong likelihood of a bot, steps should be undertaken to inform the Internet user that they may have a bot-related problem; Livingood pg. 14, Walled gardens are effective because it is possible to notify the user and simultaneously block all communication between the bot and the command and control channel).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Khatri with the teaching of Livingood for identifying a suspect network flow identified by both the threat information and the network log; identifying an address corresponding to the suspect network flow; correlating the address corresponding to the suspect network flow with an identifier of an infected device that is sending the suspect network flow; and issuing a notification to a user associated with the user identifier, the notification indicating a suspected existence of a malicious bot. One of ordinary skill in the art would have been motivated because it offers the advantage of mitigating bots in a network.
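The following is an added, constructed illustration of the claim 1 method as mapped above; it is not code from the application, from Khatri, or from RFC 6561. Threat information is turned into a control list of flows to log, a NetFlow-style log is matched against that list, the source address of each suspect flow is correlated through an assumed DHCP lease table with a device identifier and subscriber account, and a notification is generated per subscriber. The lease table, the whitelist step, the sample IOCs and the flow records are all assumptions (addresses are RFC 5737 documentation ranges). It also shows two cases the cited RFC passage raises: a destination host that carries both command-and-control and legitimate traffic (only the flow to the control port is flagged), and a suspect flow whose source has no lease and therefore cannot be correlated or notified.

```python
"""Constructed example: correlate threat-intel IOCs with a flow log to find
bot-infected subscriber devices and issue notifications. All data, names
and the ISP-side data model (lease table, whitelist) are assumptions."""
from collections import namedtuple

Flow = namedtuple("Flow", "ts src sport dst dport proto nbytes")
Rule = namedtuple("Rule", "dst_ip dst_port")  # dst_port None means any port

# Constructed threat information (IOCs) as received from a threat-data source.
THREAT_INFO = {
    "c2_ips": {"203.0.113.10", "198.51.100.77", "192.0.2.1"},
    "c2_ip_ports": {("203.0.113.25", 6667)},  # address + control port
}
# Constructed whitelist: 192.0.2.1 is the ISP's own resolver, wrongly listed upstream.
WHITELIST = {"192.0.2.1"}

# Constructed NetFlow-style export, one flow per line: ts,src,sport,dst,dport,proto,bytes
FLOW_LOG = """\
1717300000,192.0.2.15,50123,93.184.216.34,443,tcp,1200
1717300001,192.0.2.15,50124,203.0.113.10,8080,tcp,344
1717300002,192.0.2.77,40001,203.0.113.25,6667,tcp,512
1717300003,192.0.2.77,40002,203.0.113.25,80,tcp,9000
1717300004,192.0.2.99,33000,198.51.100.77,53,udp,80
1717300005,192.0.2.15,50200,192.0.2.1,53,udp,60
"""

# Constructed lease/subscriber table: customer-side address -> device identifier
# (MAC) and the account to notify. 192.0.2.99 has no lease on purpose.
LEASES = {
    "192.0.2.15": {"mac": "00:11:22:33:44:55", "subscriber": "acct-1001"},
    "192.0.2.77": {"mac": "66:77:88:99:aa:bb", "subscriber": "acct-2002"},
}


def build_control_list(threat_info, whitelist=frozenset()):
    """Turn IOCs into 'log these flows' rules, dropping whitelisted addresses first."""
    rules = [Rule(ip, None) for ip in sorted(threat_info["c2_ips"]) if ip not in whitelist]
    rules += [Rule(ip, port) for ip, port in sorted(threat_info["c2_ip_ports"])
              if ip not in whitelist]
    return rules


def parse_flow_log(text):
    """Parse the constructed CSV flow export into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split(",")
        flows.append(Flow(int(ts), src, int(sport), dst, int(dport), proto, int(nbytes)))
    return flows


def find_suspect_flows(flows, rules):
    """Flows present in the log AND matching a control-list rule."""
    by_ip = {r.dst_ip for r in rules if r.dst_port is None}
    by_ip_port = {(r.dst_ip, r.dst_port) for r in rules if r.dst_port is not None}
    return [f for f in flows if f.dst in by_ip or (f.dst, f.dport) in by_ip_port]


def correlate(suspect_flows, leases):
    """Map the source address of each suspect flow to the sending device's identifier."""
    hits, unresolved = [], []
    for f in suspect_flows:
        lease = leases.get(f.src)
        if lease is None:  # no lease at that time: do not guess, do not notify
            unresolved.append(f)
            continue
        hits.append({"ts": f.ts, "src": f.src, "c2": f"{f.dst}:{f.dport}",
                     "device": lease["mac"], "subscriber": lease["subscriber"]})
    return hits, unresolved


def build_notifications(hits):
    """One notification per subscriber, listing the devices and C2 contacts seen."""
    per_sub = {}
    for h in hits:
        per_sub.setdefault(h["subscriber"], []).append(h)
    return [{"subscriber": sub,
             "message": "Suspected malicious bot on device(s) "
                        + ", ".join(sorted({h["device"] for h in ev}))
                        + "; C2 contacts: " + ", ".join(h["c2"] for h in ev)}
            for sub, ev in sorted(per_sub.items())]


def run_pipeline(threat_info=THREAT_INFO, log_text=FLOW_LOG, leases=LEASES,
                 whitelist=WHITELIST):
    """Claim 1 pipeline end to end; returns (notifications, uncorrelated suspect flows)."""
    rules = build_control_list(threat_info, whitelist)
    suspects = find_suspect_flows(parse_flow_log(log_text), rules)
    hits, unresolved = correlate(suspects, leases)
    return build_notifications(hits), unresolved


if __name__ == "__main__":
    notes, unresolved = run_pipeline()
    for n in notes:
        print(n["subscriber"], "->", n["message"])
    for f in unresolved:
        print("no lease for", f.src, "(flow to", f.dst + ") - cannot notify")
```

With the constructed data, the flow from 192.0.2.77 to 203.0.113.25:80 is not flagged because only the 6667 control port is an indicator for that host, the flow to the whitelisted resolver is not flagged, and the flow from 192.0.2.99 is a suspect flow that yields no notification because it cannot be correlated to a device.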

As per claim 2, Khatri-Livingood discloses the method of claim 1. Khatri also discloses wherein the control list is an access control list (ACL) (Khatri abstract, store the malicious packet marker to the memory… determine that a packet matches the malicious packet marker, and store log information from the packet to the memory).

As per claim 3, Khatri-Livingood discloses the method of claim 1. Khatri does not explicitly disclose further comprising obtaining the threat information from a third-party threat intelligence provider.
Livingood teaches:
obtaining the threat information from a third-party threat intelligence provider (Livingood pg. 11, a well-known list of domains associated with malware. In many cases, such lists are distributed by or shared using third parties, such as threat data clearinghouses).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Khatri with the teaching of Livingood for obtaining the threat information from a third-party threat intelligence provider. One of ordinary skill in the art would have been motivated because it offers the advantage of mitigating bots in a network.

As per claim 4, Khatri-Livingood discloses the method of claim 1. Khatri also discloses wherein the threat information comprises one or more of an address (Khatri par. 19, a list of malicious packet markers, such as malicious IP addresses, malicious MAC addresses, suspected suspicious port accesses, tags that indicate the presence of malicious code, or the like), a source or destination port, a protocol, a payload type, a payload size, contents of a payload, identification of a network traffic pattern, a match of the network traffic pattern with known threat signatures, headers or header metadata, a protocol type, a file analysis, frequency of beaconing, and a hash value.

As per claim 5, Khatri-Livingood discloses the method of claim 4. Khatri also discloses wherein the address is one of a destination IP address, a source IP address (Khatri claim 9, the malicious packet marker includes at least one of a source Internet Protocol (IP) address, a destination IP address, a port address, and a protocol), a command and control IP address, an IP address for a phishing website, a domain name, and a packet signature.

As per claim 7, Khatri-Livingood discloses the method of claim 1. Khatri does not explicitly disclose wherein the notification is issued via an email, postal mail, or an in-browser notification.
Livingood teaches:
the notification is issued via an email, postal mail, or an in-browser notification (Livingood section 5.1: Email Notification, 5.3: Postal Mail Notification, 5.7 Web Browser Notification).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Khatri with the teaching of Livingood so that the notification is issued via an email, postal mail, or an in-browser notification. One of ordinary skill in the art would have been motivated because it offers the advantage of informing the user that they may have a bot-related problem.

As per claim 8, Khatri-Livingood discloses the method of claim 1. Khatri also discloses wherein the threat information is a blacklist of IP addresses known or suspected to correspond to malicious network traffic (Khatri par. 19, a list of malicious packet markers, such as malicious IP addresses, malicious MAC addresses, suspected suspicious port accesses, tags that indicate the presence of malicious code, or the like).

Claim 19 is a computer readable medium claim reciting subject matter similar to that recited in method claim 1, and is similarly rejected. Khatri also discloses a non-transitory computer readable medium comprising computer executable instructions which when executed by a computer performing electronic design analysis cause the computer to perform a method which improves the performance of the computer (Khatri claim 19, a non-transitory computer-readable medium including code for performing a method).

Claim 20 is a system claim reciting subject matter similar to that recited in method claim 1, and is similarly rejected. Khatri-Livingood also discloses a system (Khatri Fig. 5, system 500) for botnet detection and mitigation (Livingood section 4: Detection of Bots and section 6: Remediation of Hosts Infected with a Bot) comprising: a memory; and at least one processor, coupled to said memory, and operative to perform operations (Khatri Fig. 5, system 500).

Claims 6 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Khatri et al. (US 2015/0156212, published Jun. 4, 2015), Livingood et al. (NPL: rfc6561, published March 2012) and Barth et al. (US 9,100,206, patented Aug. 4, 2015).
As per claim 6, Khatri-Livingood discloses the method of claim 1. Khatri also discloses 
logging metadata associated with the processed network traffic in a log infrastructure comprising an incident and event reporting system (Khatri abstract, store the malicious packet marker to the memory; Khatri par. 19, a list of malicious packet markers, such as malicious IP addresses, malicious MAC addresses, suspected suspicious port accesses, tags that indicate the presence of malicious code, or the like); 
identifying a suspect network flow based on the log infrastructure comprising the incident and event reporting system (Livingood pg. 11, An ISP may use Netflow [RFC3954] or other similar passive network monitoring to identify network anomalies that may be indicative of botnet attacks or bot communications. For example, an ISP may be able to identify compromised hosts by identifying traffic [suspect network flow] destined to IP addresses associated with the command and control of botnets). The same rationale as in claim 1 applies.
Khatri-Livingood does not explicitly disclose:
configuring a cable-modem termination system to block the suspect network flow corresponding to malicious network traffic or to reroute the suspect network flow to a deep packet inspection device.
Barth teaches:
configuring a cable-modem termination system to block the suspect network flow corresponding to malicious network traffic or to reroute the network flow to a deep packet inspection device (Barth claim 7, applying the at least one subscriber-specific service to the labeled network packet received from the CMTS includes applying one or more of a deep packet inspection service).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Khatri with the teaching of Barth for configuring a cable-modem termination system to block the suspect network flow corresponding to malicious network traffic or to reroute the suspect network flow to a deep packet inspection device. One of ordinary skill in the art would have been motivated because it offers the advantage of analyzing packets in order to filter traffic.

As per claim 12, Khatri-Livingood discloses the method of claim 1. Khatri-Livingood does not explicitly disclose further comprising configuring a cable-modem termination system to block the suspect network flow corresponding to malicious network traffic or to reroute the suspect network flow to a deep packet inspection device.
Barth teaches:
configuring a cable-modem termination system to block the suspect network flow corresponding to malicious network traffic or to reroute network flow to a deep packet inspection device (Barth claim 7, applying the at least one subscriber-specific service to the labeled network packet received from the CMTS includes applying one or more of a deep packet inspection service).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Khatri with the teaching of Barth for configuring a cable-modem termination system to block the suspect network flow corresponding to malicious network traffic or to reroute the suspect network flow to a deep packet inspection device. One of ordinary skill in the art would have been motivated because it offers the advantage of analyzing packets in order to filter traffic.

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Khatri et al. (US 2015/0156212, published Jun. 4, 2015), Livingood et al. (NPL: rfc6561, published March 2012) and Turbin (US 2015/0074807, published Mar. 12, 2015).
As per claim 9, Khatri-Livingood discloses the method of claim 1. Khatri-Livingood does not explicitly disclose further comprising comparing the threat information and a white list, and removing addresses that are on the white list from the threat information.
Turbin teaches:
comparing the threat information and a white list, and removing addresses that are on the white list from the threat information (Turbin par. 10, comparing the IP addresses in the list with a predefined whitelist of safe IP addresses and removing any that match).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Khatri with the teaching of Turbin for comparing the threat information and a white list, and removing addresses that are on the white list from the threat information. One of ordinary skill in the art would have been motivated because it offers the advantage of improving the accuracy of the list.

Claims 11 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Khatri et al. (US 2015/0156212, published Jun. 4, 2015), Livingood et al. (NPL: rfc6561, published March 2012) and Mushtaq et al. (US 9,430,646, patented Aug. 30, 2016).
As per claim 11, Khatri-Livingood discloses the method of claim 1. Khatri also discloses further comprising identifying one or more corresponding indicators of compromise (Khatri abstract, determine that a packet matches the malicious packet marker). 
Khatri-Livingood does not explicitly disclose:
performing a deep packet inspection on the suspect network flow, and determining if the suspect network flow matches known threat detection signatures
Mushtaq teaches:
performing a deep packet inspection on network flow (Mushtaq Fig. 3A, perform deep packet inspection and analysis at 332), and determining if network flow matches known threat detection signatures (Mushtaq 3:37-50, a local analyzer performs the following steps: A) forming a first signature based on a preferably partially masked header of a captured network packet… determining, based on a global signature cache lookup and at least in part on results (called anomalies) from the deep packet inspection performed by the local analyzer on the captured network packet, whether the first signature corresponds to a malware callback).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Khatri with the teaching of Mushtaq for performing a deep packet inspection on the suspect network flow, and determining if the suspect network flow matches known threat detection signatures. One of ordinary skill in the art would have been motivated because it offers the advantage of detecting malicious communications.

As per claim 17, Khatri-Livingood discloses the method of claim 1. Khatri-Livingood does not explicitly disclose further comprising rerouting a packet to a deep packet inspection device to determine if the packet is malicious.
Mushtaq teaches:
rerouting a packet to a deep packet inspection device to determine if the packet is malicious (Mushtaq Fig. 3A and 4:30-31, FIG. 3A is flow chart of a method for deep packet investigation).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Khatri with the teaching of Mushtaq for rerouting a packet to a deep packet inspection device to determine if the packet is malicious. One of ordinary skill in the art would have been motivated because it offers the advantage of detecting malicious communications.

As per claim 18, Khatri-Livingood-Mushtaq discloses the method of claim 17. Khatri-Livingood-Mushtaq also discloses wherein the deep packet inspection device (Mushtaq Fig. 3A and 4:30-31, FIG. 3A is flow chart of a method for deep packet investigation) blocks the packet in response to determining that the packet is malicious (Livingood pg. 14, Walled gardens are effective because it is possible to notify the user and simultaneously block all communication between the bot and the command and control channel). The same rationale as in claims 1 and 17 applies.

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Khatri et al. (US 2015/0156212, published Jun. 4, 2015), Livingood et al. (NPL: rfc6561, published March 2012) and Doctor et al. (US 2014/0096251, published Apr. 3, 2014).
As per claim 13, Khatri-Livingood discloses the method of claim 1. Khatri-Livingood does not explicitly disclose further comprising removing the malicious bot by running anti-virus software, upgrading an operating system (OS) of the infected device, or both.
Doctor teaches: 
removing the malicious bot by running anti-virus software (Doctor par. 24, antivirus and anti-malware producers may use the published information to provide updates for their software to remove the malware utilized by a botnet), upgrading an operating system (OS) of the infected device, or both.
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Khatri with the teaching of Doctor for removing the malicious bot by running anti-virus software, upgrading an operating system (OS) of a device, or both. One of ordinary skill in the art would have been motivated because it offers the advantage of mitigating malicious network threats.

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Khatri et al. (US 2015/0156212, published Jun. 4, 2015), Livingood et al. (NPL: rfc6561, published March 2012) and Bahl (US 2008/0189788, published Aug. 7, 2008).
As per claim 14, Khatri-Livingood discloses the method of claim 1. Khatri-Livingood does not explicitly disclose further comprising soliciting a user associated with a network device to review and approve a mitigation action before the mitigation action is initiated.
Bahl teaches:
soliciting a user associated with a network device to review and approve a mitigation action before the mitigation action is initiated (Bahl par. 67, the machine may inform the user of the new risk level and ask the user to confirm the triggering of specific mitigating actions).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Khatri with the teaching of Bahl for soliciting a user associated with a network device to review and approve a mitigation action before the mitigation action is initiated. One of ordinary skill in the art would have been motivated because it offers the advantage of allowing the user to decide whether to proceed with the mitigating action.

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Khatri et al. (US 2015/0156212, published Jun. 4, 2015), Livingood et al. (NPL: rfc6561, published March 2012) and Kallos et al. (US 2018/0375882, published Dec. 27, 2018).
As per claim 15, Khatri-Livingood discloses the method of claim 1. Khatri-Livingood does not explicitly disclose further comprising generating statistical data and metrics related to network traffic that is identified as malicious.
Kallos teaches:
generating statistical data and metrics related to network traffic that is identified as malicious (Kallos par. 7, Traditional malicious traffic detection mechanisms depend on techniques including network traffic interception and analysis or network connection summarization which can determine key characteristics of a network connection such as source and destination addresses, source and destination ports and a protocol).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Khatri with the teaching of Kallos for generating statistical data and metrics related to network traffic that is identified as malicious. One of ordinary skill in the art would have been motivated because it offers the advantage of providing the characteristics of known malicious traffic.

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Khatri et al. (US 2015/0156212, published Jun. 4, 2015), Livingood et al. (NPL: rfc6561, published March 2012), Kallos et al. (US 2018/0375882, published Dec. 27, 2018) and Takahashi (US 2008/0244703, published Oct. 2, 2008).
As per claim 16, Khatri-Livingood-Kallos discloses the method of claim 15. Khatri-Livingood-Kallos also discloses wherein the generating the statistical data and metrics comprises logging [a time] of an inspection of a packet, a packet type, a source port identifier, a destination port identifier, a destination address, and a source address (Kallos par. 7, Traditional malicious traffic detection mechanisms depend on techniques including network traffic interception and analysis or network connection summarization which can determine key characteristics of a network connection such as source and destination addresses, source and destination ports and a protocol). The same rationale as in claim 15 applies.
Khatri-Livingood-Kallos does not explicitly disclose:
logging a time of an inspection.
Takahashi teaches:
logging a time of an inspection (Takahashi par. 92, stores the date and time in the inspection date and time 1604 when the inspection is executed).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Khatri with the teaching of Takahashi for logging a time of an inspection. One of ordinary skill in the art would have been motivated because it offers the advantage of providing a record of the inspection.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20170272452 A1; Multi-host Threat Tracking
A system and method for tracking data security threats within an organization is proposed. A threat aggregator process executing on an analysis computer system within the organization receives events indicating possible threats observed by and sent from different user devices and aggregates related events into threats. This enables the threats to be analyzed and acted upon at a level of the organization (e.g., across user devices) rather than at the level of the individual user devices. An endpoint telemetry system analyzes threats sent from the aggregator and provides security policies for responding to the threats.
US 20160381070 A1; Protocol Based Detection Of Suspicious Network Traffic
Embodiments of the present invention relate to identification of suspicious network traffic indicative of a Botnet and/or an Advanced Persistent Threat (APT) based on network protocol of such traffic.
US 20080205273 A1; Network Traffic Monitoring
Systems, methods, and devices are described that monitor network traffic. One method includes monitoring a number of packets received by a network device based on a number of criteria to determine a flow of the packets. For each monitored packet for a particular source IP address/destination IP address pair, the method includes hashing a destination TCP/UDP port number into a range [0 . . . N]. The method further includes setting a bit in a bit field that has a width of N+1 bits based on the hashing.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHANG DO whose telephone number is (571)270-7837. The examiner can normally be reached Monday-Friday 8:00 - 5:00 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SALEH NAJJAR can be reached on (571)272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KHANG DO/Primary Examiner, Art Unit 2492