DETAILED ACTION
Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.


Response to Amendment
The amendment filed 2022-06-17 has been entered and fully considered.

In light of applicant’s amendment, filed 2022-06-17, the claim objections have been withdrawn.

In light of applicant’s amendment, filed 2022-06-17, the 35 U.S.C. § 112(b) rejections have been withdrawn.


Response to Arguments
Applicant’s arguments, see pages 14-16, filed 2022-06-17, with respect to the rejection of claims 1-20 under 35 U.S.C. § 101 have been fully considered but they are not persuasive.
Applicant argues that the independent claims as currently recited are not directed to a mental process abstract idea; however, the Examiner respectfully disagrees.
Applicant first argues that a human is simply not capable of “capturing [and analyzing] network traffic associated with the plurality of network servers” so as to then generate and display “a graph representative of the one or more clusters of network servers [and the one or more sub-group clusters of network servers]” on a user’s GUI, and that because a human is allegedly not capable of such, the claims “could not, as a practical matter, be performed entirely in a human’s mind”.  The Examiner notes that applicant’s assertion that the capture and analysis of network traffic cannot be performed in the human mind is on the basis that the October 2019 PEG Update specifically mentions “…using network monitors and analyzing network packets” cannot “practically be performed in the human mind”.
The Examiner respectfully submits, however, that applicant’s interpretation of the 2019 PEG is a mischaracterization.  That is, the example relied upon by applicant does not indicate that the usage of network monitors and analysis of network data cannot be performed in the human mind, but that “detecting suspicious activity by using network monitors and analyzing network packets” cannot be performed in the human mind.  Further, the 2019 PEG then provides a counter example by reciting that a claim to “collecting information, analyzing it, and displaying certain results of the collection and analysis,” where the data analysis steps are recited at a high level of generality such that they could practically be performed in the human mind is a mental process.  That is, the collection, analysis, and display of information is not per se sufficient to preclude performance of the steps in a human mind.
Applicant further argues that the claims are integrated in a practical application and that the features are clearly an improvement to a DoS network traffic monitoring system, as a user is readily presented with graphical indications regarding grouping of servers that may be subject to a DoS attack, enabling the user to deploy DoS mitigation techniques tailored to a sub-group clustering of network servers.  The Examiner acknowledges that if the claims meaningfully limited the grouping or sub-grouping of network servers in such a particular manner that specifically enabled mitigation of Denial of Services (DoS) attacks, such would indeed be a practical application and necessarily limit the claim to statutory subject matter.  However, the Examiner respectfully submits that the claims as currently filed merely cluster network servers in an arbitrary fashion and do not utilize the clustering in any meaningful manner that would necessarily result in the intended usage of DoS mitigation.  The Examiner recognizes that the claims do recite that the sub-grouping is based on “determined network service tags and the determined meta data”; however, the determination of the service tags and metadata (as well as their basis in the sub-group determination) is arbitrary and does not confer any DoS protection per se, hence the Examiner’s finding that the claims cluster network servers in an arbitrary fashion.
Based on the above, the Examiner respectfully submits that if the claims meaningfully limited the sub-grouping and application of DoS mitigation techniques to the sub-groups in such a fashion that necessarily improved existing DoS mitigation techniques, thereby improving the functioning of computing technology, such would be sufficient to limit the claim to statutory subject matter and traverse the §101 rejection.  However, because the claims as currently filed may be performed in the human mind, are not integrated into a practical application, and do not recite anything significantly more than the abstract idea, the Examiner respectfully submits that the rejection is proper.

Applicant’s arguments, see pages 11-13, filed 2022-06-17, with respect to the claim amendments overcoming the cited prior art references of the rejection of claims 1-8, 12-15, and 17-19 under 35 U.S.C. § 102(a)(1) and of claims 9-11, 16, and 20 under 35 U.S.C. § 103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn; however, upon further search and consideration, a new grounds of rejection – as necessitated by amendment – is made in view of newly cited prior art.


Claim Objections
Claims 1 and 13 are objected to because of the following informalities:
Claims 1 & 13 – Inconsistent spelling of “metadata” as both one word and two words (“metadata” and “meta data”).
Appropriate correction is required.


Double Patenting
The rejection on the ground of nonstatutory double patenting over U.S. Patent No. 11343228 (previously provisional nonstatutory double patenting over copending application number 15931018 in the Office action mailed 2022-03-17) is maintained but held in abeyance until the claims are otherwise in condition for allowance as requested by Applicant in the remarks filed 2022-06-17.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.


Claims 1-20 are rejected under 35 U.S.C. 112(a) as failing to comply with the written description requirement.  The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor at the time the application was filed, had possession of the claimed invention.  In particular, claim 1 recites “clustering the plurality of network servers into one or more clusters responsive to the tagging of the plurality of network servers” and “determining sub-group clustering of one or more clusters of the plurality of network servers contingent upon the one or more determined network service tags and the determined meta data associated with each of the plurality of network servers”, and the Specification does not appear to adequately support these limitations.
The Examiner recognizes that the Specification recites determining “one or more clusters of network servers” (e.g. p. 7, ll. 7-12 and p. 12, ll. 5-8) and sub-grouping (e.g. p. 12, ll. 5-8); however, the Specification appears to conflate clustering and sub-grouping as the same act.  For example, the Specification recites “sub-group clustering of one or more of the plurality of network servers 160a-160d is determined by the protection device 150 utilizing the one or more determined network service tags (step 240) and the determined meta data (step 260)” (p. 12, ll. 5-8).  That is, whereas the claims recite clustering and then sub-group clustering of the determined clusters, the Specification appears to use the terminology interchangeably to refer to the same singular act and without defining the “sub-group” as part of a cluster (i.e. the Specification suggests that a sub-group is a cluster).  Thus, the claims do not appear to be adequately supported by the Specification as filed.
Claims 13 and 17 are rejected under a similar rationale.  The dependent claims included in the statement of rejection but not specifically addressed in the body of the rejection have inherited the deficiencies of their parent claim and have not resolved the deficiencies.  Therefore, they are rejected based on the same rationale as applied to their parent claims above.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea (35 U.S.C. 101 Judicial Exception) without significantly more.  The claims recite analysis of traffic to group or cluster network servers, which is a form of observation, evaluation, and judgment, which is a concept performed in the human mind and thus grouped as Mental processes.  This judicial exception is not integrated into a practical application because the generically recited computer elements do not add a meaningful limitation to the abstract idea because they amount to simply implementing the abstract idea on a computer.  The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements, when considered separately and in combination, do not add significantly more to the abstract idea, as they are well-understood, routine, conventional computer functions as recognized by the courts.
Based upon consideration of all the relevant factors with respect to the claimed invention as a whole, the claims are determined to be directed to an abstract idea without significantly more.  The rationale for this determination is explained infra:
The following are Principles of Law:
A patent may be obtained for “any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof”; 35 U.S.C. § 101.  The Supreme Court has consistently held that this provision contains an important implicit exception: laws of nature, natural phenomena, and abstract ideas are not patentable; See Alice Corp. v. CLS Bank Int’l, 134 S. Ct. 2347, 2354 (2014); Gottschalk v. Benson, 409 U.S. 63, 67 (1972) (“Phenomena of nature, though just discovered, mental processes, and abstract intellectual concepts are not patentable, as they are the basic tools of scientific and technological work.”).  Notwithstanding that a law of nature or an abstract idea, by itself, is not patentable, an application of these concepts may be deserving of patent protection; See Mayo Collaborative Servs. v. Prometheus Labs., Inc., 132 S. Ct. 1289, 1293–94 (2012).  In Mayo, the Court stated that “to transform an unpatentable law of nature into a patent-eligible application of such a law, one must do more than simply state the law of nature while adding the words ‘apply it.’” Mayo, 132 S. Ct. at 1294 (citation omitted).
In Alice, the Court reaffirmed the framework set forth previously in Mayo “for distinguishing patents that claim laws of nature, natural phenomena, and abstract ideas from those that claim patent-eligible applications of these concepts.” Alice, 134 S. Ct. at 2355.  The test for determining subject matter eligibility requires a first step of determining whether the claims are directed to a process, machine, manufacture, or composition of matter.  If the claims are directed to one of the four patent-eligible subject matter categories, then the Examiner must perform a two-part analysis to determine whether a claim that is directed to a judicial exception recites additional elements that amount to significantly more than the exception.  The first part of the second step in the analysis is to “determine whether the claims at issue are directed to one of those patent-ineligible concepts.” Id.  If the claims are directed to a patent-ineligible concept, then the second part of the second step in the analysis is to consider the elements of the claims “individually and ‘as an ordered combination”’ to determine whether there are additional elements that “‘transform the nature of the claim’ into a patent-eligible application.” Id. (quoting Mayo, 132 S. Ct. at 1298, 1297).  In other words, the second step in the analysis is to “search for an ‘inventive concept’‒ i.e., an element or combination of elements that is ‘sufficient to ensure that the patent in practice amounts to significantly more than a patent on the [ineligible concept] itself.’” Id. (brackets in original) (quoting Mayo, 132 S. Ct. at 1294).  The prohibition against patenting an abstract idea “cannot be circumvented by attempting to limit the use of the formula to a particular technological environment or adding insignificant post-solution activity.”  Bilski v. Kappos, 561 U.S. 593, 610–11 (2010) (citation and internal quotation marks omitted).  
The Court in Alice noted that “[s]imply appending conventional steps, specified at a high level of generality,” was not “enough” [in Mayo] to supply an “‘inventive concept.’” Alice, 134 S. Ct. at 2357 (quoting Mayo, 132 S. Ct. at 1300, 1297, 1294).
In the “2019 Revised Patent Subject Matter Eligibility Guidance” (2019 PEG), the USPTO has prepared revised guidance for use by USPTO personnel in evaluating subject matter eligibility based upon rulings by the courts.
The Examiner is bound by and applies the framework as set forth by the Court in Mayo and reaffirmed by the Court in Alice and follows the 2019 PEG for determining whether the claims are directed to patent-eligible subject matter.
Step 1: Are the claims at issue directed to a process, machine, manufacture, or composition of matter?
The Examiner finds that the claims are directed to one of the four statutory categories.
Step 2A – Prong One: Does the claim recite an abstract idea, law of nature, or natural phenomenon?
The Examiner finds that the claims are directed to the abstract idea of analysis of traffic to group or cluster network servers, which is a form of observation, evaluation, and judgment, which is a concept performed in the human mind and thus grouped as Mental processes.
Step 2A – Prong Two: Does the claim recite additional elements that integrate the Judicial Exception into a practical application?
The abstract idea is not integrated into a practical application because the generically recited computer elements do not add a meaningful limitation to the abstract idea because they amount to simply implementing the abstract idea on a computer.
In determining whether the abstract idea was integrated into a practical application, the Examiner has considered whether there were any limitations indicative of integration into a practical application, such as:
(1) Improvements to the functioning of a computer, or to any other technology or technical field; See MPEP § 2106.05(a) 
(2) Applying or using a judicial exception to effect a particular treatment or prophylaxis for a disease or medical condition; See Vanda Memo (Recent Subject Matter Eligibility Decision: Vanda Pharmaceuticals Inc. v. West-Ward Pharmaceuticals)
(3) Applying the judicial exception with, or by use of, a particular machine; See MPEP § 2106.05(b) 
(4) Effecting a transformation or reduction of a particular article to a different state or thing; See MPEP § 2106.05(c)  
(5) Applying or using the judicial exception in some other meaningful way beyond generally linking the use of the judicial exception to a particular technological environment, such that the claim as a whole is more than a drafting effort designed to monopolize the exception; See MPEP § 2106.05(e) and Vanda Memo
The Examiner notes that the claim features of capturing, collating, and analyzing traffic to profile services and then tag them to cluster network servers corresponding to the traffic, and displaying the clusters, do not improve the functioning of a computer or technical field, do not effect a particular treatment or prophylaxis for a disease or medical condition, do not apply or use a particular machine, do not effect a transformation or reduction of a particular article to a different state or thing, and do not apply or use the judicial exception in some other meaningful way beyond generally linking the use of the judicial exception to a particular technological environment, such that the claim as a whole is more than a drafting effort designed to monopolize the exception.  Note that although the claim recites an intended benefit of grouping for receiving common filters for mitigating DoS attacks, practicing the claims as-is merely results in an organization of data that does not improve the functioning of a computer or technical field, and that is not necessarily even in a form that meets the intended benefit of use with common network filter settings.
Instead, the claim features of capturing, collating, and analyzing traffic to profile services and then tag them to cluster network servers corresponding to the traffic merely use a general-purpose computer as a tool to perform the abstract idea (See MPEP § 2106.05(f)) and merely generally link the use of the abstract idea to a field of use (See MPEP § 2106.05(h)).  Thus, the Examiner finds that the claimed invention does not recite additional elements that integrate the Judicial Exception into a practical application.
Step 2B: Is there something else in the claims that ensures that they are directed to significantly more than a patent-ineligible concept?
The claims, as a whole, require nothing significantly more than generic computer implementation or can be performed entirely by a human.  The additional element(s) or combination of element(s) in the claims other than the abstract idea per se amount to no more than recitation of generic computer structure (e.g. processor and databases) that serves to perform generic computer functions (e.g. capturing, collating, and analyzing traffic to profile services and then tag them to cluster network servers corresponding to the traffic) that are well-understood, routine, and conventional activities previously known to the pertinent industry.  The claimed network traffic, profile, tags, metadata, and clusters are all numbers, data structures, or datum.  Each of these elements is individually dispositive of patent eligibility because of the following legal holdings:
“Data in its ethereal, non-physical form is simply information that does not fall under any of the categories of eligible subject matter under section 101.” Digitech Image Techs., LLC v. Electronics for Imaging, Inc., 758 F.3d 1344, 1350 (Fed. Cir. 2014).
The Supreme Court has also explained that “[a]bstract software code is an idea without physical embodiment,” i.e., an abstraction. Microsoft Corp. v. AT&T Corp., 550 U.S. 437, 449 (2007). 
A claim that recites no more than software, logic, or a data structure (i.e., an abstract idea) – with no structural tie or functional interrelationship to an article of manufacture, machine, process or composition of matter does not fall within any statutory category and is not patentable subject matter; data structures in ethereal, non-physical form are non-statutory subject matter. In re Warmerdam, 33 F.3d 1354, 1361 (Fed. Cir. 1994); see Nuijten, 500 F.3d at 1357.
Furthermore, the claimed invention does not have a specific asserted improvement in computer capabilities, nor is it a specific implementation of a solution to a problem in the software arts; See Enfish, LLC v. Microsoft Corp., 822 F.3d 1327 (Fed. Cir. 2016).  Rather, the claims are merely directed towards analysis of traffic to group or cluster network servers, which is similar to ideas that the courts have found to be abstract, as noted supra, and the claims are without a “practical application” or anything “significantly more”.
Considering each of the claim elements in turn, the function performed by the computer system at each step of the process does no more than require a generic computer to perform a well-understood, routine, and conventional activity at a high level of generality.  For example, capturing traffic is merely receiving or transmitting data over a network, which has been found by the courts to be a well-understood, routine, conventional activity in computers; See e.g. Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362 (utilizing an intermediary computer to forward information); TLI Communications LLC v. AV Auto. LLC, 823 F.3d 607, 610, 118 USPQ2d 1744, 1745 (Fed. Cir. 2016) (using a telephone for image transmission); OIP Techs., Inc., v. Amazon.com, Inc., 788 F.3d 1359, 1363, 115 USPQ2d 1090, 1093 (Fed. Cir. 2015) (sending messages over a network); buySAFE, Inc. v. Google, Inc., 765 F.3d 1350, 1355, 112 USPQ2d 1093, 1096 (Fed. Cir. 2014) (computer receives and sends information over a network).  The clustering of network servers based on traffic is merely record keeping, which has also been found by the courts to be a well-understood, routine, conventional activity in computers; See e.g. Alice Corp. Pty. Ltd. v. CLS Bank Int'l, 573 U.S. 208, 225, 110 USPQ2d 1984 (2014) (creating and maintaining "shadow accounts"); Ultramercial, 772 F.3d at 716, 112 USPQ2d at 1755 (updating an activity log).  Further note that the abstract idea of analysis of traffic to group or cluster network servers to which the claimed invention is directed has a prior art basis outside of a computing environment, e.g. mail carriers looking at delivery statistics to determine which areas to deploy resources.
The prohibition against patenting an abstract idea “cannot be circumvented by attempting to limit the use of the formula to a particular technological environment or adding insignificant post-solution activity.”  Bilski v. Kappos, 561 U.S. 593, 610–11 (2010) (citation and internal quotation marks omitted).  The Court in Alice noted that “[s]imply appending conventional steps, specified at a high level of generality,” was not “enough” [in Mayo] to supply an “‘inventive concept.’”  Alice, 134 S. Ct. at 2357 (quoting Mayo, 132 S. Ct. at 1300, 1297, 1294).
Viewed as a whole, the claims simply recite the steps of using generic computer components.  The claims do not purport, for example, to improve the functioning of the computer system itself.  Nor do they effect an improvement in any other technology or technical field.  Instead, the claims amount to nothing significantly more than an instruction to implement the abstract idea using generic computer components.  This is insufficient to transform an abstract idea into a patent-eligible invention.
The dependent claims likewise incorporate the deficiencies of a claim upon which they ultimately depend and are also directed to non-patent-eligible subject matter.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-8, 12-15, and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Rao in view of Verma et al. (EP-3477906-A1, hereinafter “Verma”).

With respect to independent claim 1, Rao discloses a method performed by a computer system having one or more processors and memory storing one or more programs for execution by the one or more processors for monitoring network traffic associated with a plurality of protected network servers to determine one or more sub-groups of protected network servers for receiving common network filter settings for mitigating Denial of Services (DoS) attacks {para. 0050 & Abstract: “Systems, methods, and computer-readable media for correlating gathered network traffic data and analytics with external data for purposes of managing a cluster of nodes in a network” that can protect against a “distributed denial of service (DDoS) attack”}, comprising the steps:
capturing network traffic associated with the plurality of network servers {para. 0030: “sensors 104 on multiple nodes and within multiple partitions of some nodes of the network can provide for robust capture of network traffic and corresponding data from each hop of data transmission”}.
collating the captured network traffic for each of the plurality of network servers {paras. 0019 & 0030: “the system can collect network traffic data for the cluster of nodes including host and endpoint data for the cluster of nodes based on network traffic flowing through the cluster of nodes using a group of sensors implemented in the network”}.
analyzing the collated network traffic to determine a profile of one or more network services provided by each of the plurality of network servers {paras. 0024-0025: “feature vectors of each node comprise the union of individual feature vectors across multiple domains”, wherein “a feature vector can include a packet header-based feature (e.g., destination network address for a flow, port, etc.)” – ports are representative of a particular network service}.
tagging each of the plurality of network servers with one or more network services determined provided by each network server based upon the analyzing of the collated network traffic {paras. 0024-0025: “feature vectors of each node comprise the union of individual feature vectors across multiple domains”}.
clustering the plurality of network servers into one or more clusters responsive to the tagging of the plurality of network servers {para. 0026: “a cluster can be a set of nodes whose similarity (and/or distance measures) across different domains, satisfy specified similarity (and/or distance) conditions for each domain”}.
determining from the collated network traffic metadata associated with each of the plurality of network servers {para. 0031: “network traffic data can include metadata relating to a packet, a collection of packets, a flow, a bidirectional flow, a group of flows, a session, or a network communication of another granularity”}.
determining sub-group clustering of one or more clusters of the plurality of network servers contingent upon the one or more determined network service tags and the determined meta data associated with each of the plurality of network servers {para. 0026: “a cluster can be a set of nodes whose similarity (and/or distance measures) across different domains, satisfy specified similarity (and/or distance) conditions for each domain”}.
Although Rao teaches clustering nodes of similarity, Rao does not explicitly disclose that sub-groups of clusters are determined, nor that such clustering is displayed; however, Verma discloses:
clustering the plurality of network servers into one or more clusters responsive to the [identified network activity] {para. 0069: “analyze connections between the plurality of nodes and to identify a plurality of subgroups within the plurality of nodes”}.
displaying, on a user display associated with the computer system, a graph representative of the one or more clusters of network servers {paras. 0105 & 0123: “one or more of the nodes displayed in the interactive network model 410”, wherein “a filter may be applied to the map view to limit the displayed nodes to a particular community”}.
determining sub-group clustering of one or more clusters of the plurality of network servers contingent upon the [network activity] {para. 0069: “analyze connections between the plurality of nodes and to identify a plurality of subgroups within the plurality of nodes”}.
displaying, on the user display associated with the computer system, a graph representative of the one or more sub-group clusters of network servers {paras. 0105 & 0123: “one or more of the nodes displayed in the interactive network model 410”, wherein “a filter may be applied to the map view to limit the displayed nodes to a particular community”}.

Rao and Verma are analogous art because they are from the same field of endeavor or problem-solving area of network node clustering in service of mitigation of malicious network activity.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Rao and Verma before him or her, to modify/develop the analytics system of Rao’s system to utilize sub-grouping and display of the subgroups.  The suggestion and/or motivation for doing so would have been because it is merely combining prior art elements according to known methods to yield predictable results, i.e. enabling an end user to receive visual displays for assisting in determination of network decisions; See Verma [0105]-[0106].  Therefore, it would have been obvious to combine the analytics system in Rao’s system with sub-grouping and display of the subgroups to obtain the invention as specified in the instant claim(s).  The Examiner notes that this motivation applies to all dependent and/or otherwise subsequently addressed claims.

With respect to dependent claim 2, Rao discloses prescribing common DoS mitigation actions for each of the determined sub-group cluster of network servers {paras. 0087 & 0108: “a customer can develop an appliance to mitigate an impact of or warn of a DDoS attack. In another example, using network traffic flow data correlated with vendor data, a company can develop an application to rank groups within the company based on bandwidth usage, malware attack susceptibility, and security threat vulnerability”}.

With respect to dependent claim 3, Rao discloses wherein capturing network traffic includes capturing network traffic flowing to and from the plurality of network servers {para. 0032: “sensors 104 can also determine additional data, included as part of gathered network traffic data, for each session, bidirectional flow, flow, packet, or other more granular or less granular network communication”}.

With respect to dependent claim 4, Rao discloses wherein capturing network traffic includes capturing a sample of network traffic associated with each of the plurality of network servers {para. 0033: “the sensors 104 can be configured to capture only a representative sample of packets (e.g., every 1,000th packet or other suitable sample rate) and corresponding data”}.

With respect to dependent claim 5, Rao discloses wherein determining a profile of one or more network services includes selecting from a predefined list of one or more network services {para. 0053: “ADM module 140 can analyze the input data to determine that there is first traffic flowing between external endpoints on port 80 of the first endpoints corresponding to Hypertext Transfer Protocol (HTTP) requests and responses”}.

With respect to dependent claim 6, Rao discloses wherein the predefined list of one or more network services consists of: HyperText Transfer Protocol (HTTP); Hypertext Transfer Protocol Secure (HTTPS); Simple Mail Transfer Protocol (SMTP); and Voice over Internet Protocol (VoIP) {para. 0053: “ADM module 140 can analyze the input data to determine that there is first traffic flowing between external endpoints on port 80 of the first endpoints corresponding to Hypertext Transfer Protocol (HTTP) requests and responses”}.

With respect to dependent claim 7, Rao discloses wherein analyzing the collated network traffic includes determining an identity of a port of a network server associated with the collated network traffic for each of the plurality of network servers {paras. 0024-0025: “feature vectors of each node comprise the union of individual feature vectors across multiple domains”, wherein “a feature vector can include a packet header-based feature (e.g., destination network address for a flow, port, etc.)”}.

With respect to dependent claim 8, Rao discloses wherein determining the metadata associated with each of the plurality of network servers includes one or more of determining: a domain name; network traffic speed; network packet route information; and network packet latency associated with each of the plurality of network servers {para. 0031: “the network traffic data can also include summaries of network activity or other network statistics such as number of packets, number of bytes, number of flows, bandwidth usage, response time, latency, packet loss, jitter, and other network statistics”}.

With respect to dependent claim 12, Rao discloses wherein prescribing common DoS mitigation actions includes one or more of: limiting bandwidth associated with suspected attack traffic; altering traffic routes for suspected attack traffic; and filtering out suspected attack traffic destined for the determined sub-group cluster of network servers {para. 0108: “applicable mitigation steps include sending an alert to an administrator, enforcing a policy to stop sending traffic to a server, and sending an alert to a DDoS mitigation appliance or service provider”}.

With respect to claim 13, a corresponding reasoning as given earlier in this section with respect to claim 3 applies, mutatis mutandis, to the subject matter of claim 13; therefore, claim 13 is rejected, for similar reasons, under the grounds as set forth for claim 3.

With respect to claim 14, a corresponding reasoning as given earlier in this section with respect to claim 6 applies, mutatis mutandis, to the subject matter of claim 14; therefore, claim 14 is rejected, for similar reasons, under the grounds as set forth for claim 6.

With respect to claim 15, a corresponding reasoning as given earlier in this section with respect to claims 7-8 applies, mutatis mutandis, to the subject matter of claim 15; therefore, claim 15 is rejected, for similar reasons, under the grounds as set forth for claims 7-8.

With respect to claims 17-19, a corresponding reasoning as given earlier in this section with respect to claims 13-15 applies, mutatis mutandis, to the subject matter of claims 17-19; therefore, claims 17-19 are rejected, for similar reasons, under the grounds as set forth for claims 13-15.


Claims 9-11, 16, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Rao in view of Verma and Parandehgheibi et al. (US Patent No. 10177998-B2, hereinafter “Parandehgheibi”).

With respect to dependent claim 9, although Rao teaches creating feature vectors for servers and clustering vectors based on similarity, Rao does not explicitly disclose that the vectors are normalized; however, Parandehgheibi discloses wherein determining sub-group clustering of one or more of the plurality of network servers includes normalizing the tag information and metadata associated with each of the plurality of network servers {col. 16, ll. 6-9: “the raw data may be processed or normalized to a suitable form to populate a vector or other appropriate data structure for representing a flow”}.

Rao-Verma and Parandehgheibi are analogous art because they are from the same field of endeavor or problem-solving area of network monitoring and flow augmentation.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Rao-Verma and Parandehgheibi before him or her, to modify/develop the analytics engine of Rao-Verma’s system to utilize various flow features such as normalization.  The suggestion and/or motivation for doing so would have been because it is merely combining prior art elements according to known methods to yield predictable results, i.e. normalization of data to create more accurate clustering of servers.  Therefore, it would have been obvious to combine the analytics engine in Rao-Verma’s system with various flow features such as normalization to obtain the invention as specified in the instant claim(s).  The Examiner notes that this motivation applies to all dependent and/or otherwise subsequently addressed claims.

With respect to dependent claim 10, Parandehgheibi discloses including using one or more machine learning techniques on the normalized tag information and metadata associated with each of the plurality of network servers {col. 20, ll. 5-26: “respective feature vectors of nodes are evaluated using machine learning to identify an optimal clustering for a selected set of nodes”}.

With respect to dependent claim 11, Parandehgheibi discloses wherein the one or more machine learning techniques includes a k-means algorithm {col. 19, ll. 41-60: an “example of clustering is the k-means algorithm”}.

With respect to claim 16, a corresponding reasoning as given earlier in this section with respect to claims 9-10 applies, mutatis mutandis, to the subject matter of claim 16; therefore, claim 16 is rejected, for similar reasons, under the grounds as set forth for claims 9-10.

With respect to claim 20, a corresponding reasoning as given earlier in this section with respect to claim 16 applies, mutatis mutandis, to the subject matter of claim 20; therefore, claim 20 is rejected, for similar reasons, under the grounds as set forth for claim 16.


Conclusion
Applicant’s amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 



Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kevin Bechtel whose telephone number is (571)270-5436. The examiner can normally be reached Monday - Friday, 09:00 - 17:00 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Kevin Bechtel/
Primary Examiner, Art Unit 2491