DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Michael Ben-Shimon Reg. No. 69,610.
The application has been amended as follows: 

1. (Currently Amended) A method for detecting anomalous hypertext transfer protocol secure (HTTPS) traffic, comprising:
receiving samples of at least rate-based features, wherein the rate-based features demonstrate a normal behavior of at least HTTPS traffic directed to a protected entity;
setting a first Infinite impulse response (IIR) low pass filter (LPF) to compute the short-term baseline;
setting a second IIR LPF to compute the long-term baseline;
computing [[a]] the short-term baseline and [[a]] the long-term baseline based on the received samples, wherein the short-term baseline is adapted to relatively rapid changes in the HTTPS traffic and the long-term baseline is adapted to relatively slow changes in the HTTPS traffic;
computing at least one short-term threshold based on the short-term baseline and at least one long-term threshold based on the long-term baseline;
evaluating each of the at least one threshold against real-time samples of HTTPS traffic to determine whether behavior of the HTTPS traffic is anomalous; and
generating an alarm when anomaly is detected.

3. (Cancelled) 

4. (Currently Amended) The method of claim [[3]] 1, wherein each of the first IIR LPF and the second IIR LPF includes:
an input circular buffer to buffer the received samples; and
an output circular buffer to buffer outputs of the IIR LPF.

5. (Currently Amended) The method of claim [[3]] 1, wherein each of the first and second IIR LPF filter is set as follows:
$$Y_n = \sum_{i=0}^{N_b - 1} b_i X_{n-i} - \sum_{i=1}^{N_a - 1} a_i Y_{n-i}$$
where $b_i$ and $a_i$ are the coefficients.

19. (Currently Amended) A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process for detecting anomalous hypertext transfer protocol secure (HTTPS) traffic, the process comprising:
 receiving samples of at least rate-based features, wherein the rate-based features demonstrate a normal behavior of at least HTTPS traffic directed to a protected entity;
setting a first Infinite impulse response (IIR) low pass filter (LPF) to compute the short-term baseline;
setting a second IIR LPF to compute the long-term baseline;
computing [[a]] the short-term baseline and [[a]] the long-term baseline based on the received samples, wherein the short-term baseline is adapted to relatively rapid changes in the HTTPS traffic and the long-term short-term baseline is adapted to relatively slow changes in the HTTPS traffic;
computing at least one short-term threshold based on the short-term baseline and at least one long-term threshold based on the long-term baseline;
evaluating each of the at least one threshold against real-time samples of HTTPS traffic to determine whether the behavior of the HTTPS traffic is anomalous; and
generating an alarm when anomaly is detected.

20. (Currently Amended) A system for detecting anomalous hypertext transfer protocol secure (HTTPS) traffic comprising:
a processing circuitry; and
a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to:
receive samples of at least rate-based features, wherein the rate-based features demonstrate a normal behavior of at least HTTPS traffic directed to a protected entity;
set a first Infinite impulse response (IIR) low pass filter (LPF) to compute the short-term baseline;
set a second IIR LPF to compute the long-term baseline;
compute [[a]] the short-term baseline and [[a]] the long-term baseline based on the received samples, wherein the short-term baseline is adapted to relatively rapid changes in the HTTPS traffic and the long-term short-term baseline is adapted to relatively slow changes in the HTTPS traffic;
compute at least one short-term threshold based on the short-term baseline and at least one long-term threshold based on the long-term baseline;
evaluate each of the at least one threshold against real-time samples of HTTPS traffic to determine whether the behavior of the HTTPS traffic is anomalous; and
generate an alarm when anomaly is detected.
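
The filter of claim 5, its input and output circular buffers from claim 4, and the two-baseline evaluation of claim 1 can be sketched as follows. This is an added example, not code from the application or the applicant. The single-pole coefficients, the threshold multipliers, the rule of learning only from samples judged normal, and all class and function names are assumptions, and the sample rates are constructed.

```python
from collections import deque

class IIRLowPass:
    """Y_n = sum_{i=0}^{Nb-1} b_i*X_{n-i} - sum_{i=1}^{Na-1} a_i*Y_{n-i} (claim 5)."""
    def __init__(self, b, a, seed=0.0):
        self.b, self.a = list(b), list(a)  # a[0] is unused: the feedback sum starts at i=1
        # Input/output circular buffers (claim 4), newest value at index 0.
        # Pre-filling with `seed` starts the filter at a known baseline (assumption).
        self.x = deque([seed] * len(self.b), maxlen=len(self.b))
        ny = max(len(self.a) - 1, 1)
        self.y = deque([seed] * ny, maxlen=ny)

    def update(self, sample):
        self.x.appendleft(sample)  # oldest input falls off the other end
        out = sum(bi * xi for bi, xi in zip(self.b, self.x))
        out -= sum(ai * yi for ai, yi in zip(self.a[1:], self.y))
        self.y.appendleft(out)
        return out

def single_pole(alpha, seed):
    # Simplest low-pass instance: Y_n = alpha*X_n + (1 - alpha)*Y_{n-1}
    return IIRLowPass(b=[alpha], a=[1.0, -(1.0 - alpha)], seed=seed)

class DualBaselineDetector:
    # alpha and k values are illustrative assumptions, not taken from the claims.
    def __init__(self, seed, short_alpha=0.3, long_alpha=0.01, short_k=2.0, long_k=1.5):
        self.filters = {"short-term": single_pole(short_alpha, seed),
                        "long-term": single_pole(long_alpha, seed)}
        self.k = {"short-term": short_k, "long-term": long_k}
        self.baseline = {"short-term": seed, "long-term": seed}

    def observe(self, rate):
        """Return the list of thresholds the sample exceeds (empty list = normal)."""
        alarms = [name for name in self.filters
                  if rate > self.k[name] * self.baseline[name]]
        if not alarms:  # assumption: learn only from samples judged normal
            for name, f in self.filters.items():
                self.baseline[name] = f.update(rate)
        return alarms

def run(rates, seed=100.0):
    det = DualBaselineDetector(seed)
    return [det.observe(r) for r in rates]

# Constructed requests-per-second samples.
slow_ramp = [110, 120, 130, 140, 150, 160]   # creeps up 10 rps per sample
burst = [100, 100, 500]                       # sudden flood
print(run(slow_ramp)[-1], run(burst)[-1])
```

The slow ramp never crosses the short-term threshold because the fast filter follows it upward, so only the long-term threshold catches it; the burst crosses both.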

Allowable Subject Matter
Claims 1-2 and 4-20 are allowed as amended.
The following is an examiner’s statement of reasons for allowance: 
The closest prior art is “Chesla” (US 2008/0086434 A1), “Anderson” (US 2019/0245866 A1), and newly cited “Vaystikh” (US 9154516 B1). Chesla discloses a system and method to detect and mitigate denial of service and distributed denial of service HTTP "page" flood attacks. Detection of attack/anomaly is made according to multiple traffic parameters including rate-based and rate-invariant parameters in both traffic directions. Prevention is done according to HTTP traffic parameters that are analyzed once a traffic anomaly is detected. Anderson discloses a traffic analysis service which receives captured traffic data regarding a Transport Layer Security (TLS) connection between a client and a server. The traffic analysis service applies a first machine learning-based classifier to TLS records from the traffic data, to identify a set of the TLS records that include Hypertext Transfer Protocol (HTTP) header information. The traffic analysis service estimates one or more HTTP transaction labels for the connection by applying a second machine learning-based classifier to the identified set of TLS records that include HTTP header information. Vaystikh teaches a technique to detect riskiness of a communication in a network based on behavior profiling. The technique involves generating a network history baseline (e.g., normal and abnormal behavior profiles) from prior network communications occurring in the network. The technique further involves, for a new network communication, assigning the new network communication a risk score based on a comparison of the new network communication to the network history baseline.
What is missing from the prior art is a system, a method and a non-transitory computer readable medium that receives rate-based features which demonstrate a normal behavior of HTTPS traffic directed to a protected entity, and computes a short-term baseline by setting a first Infinite Impulse Response (IIR) low pass filter (LPF), and a long-term baseline by setting a second IIR LPF, where the short-term baseline is adapted to relatively rapid changes, and the long-term baseline is adapted to relatively slow changes in the HTTPS traffic, and, based on the short-term baseline and the long-term baseline, computes a short-term threshold and a long-term threshold, respectively, evaluates the thresholds against samples of HTTPS traffic to determine if the HTTPS traffic is anomalous, and generates an alarm if an anomaly is detected.
Thus, the prior art of record, when considered individually and in combination, does not teach or suggest the subject matter recited by claims 1, 19 and 20 as a whole, therefore claims 1, 19 and 20 are deemed allowable over the prior art of record. The dependent claims which further limit claim 1 are also deemed allowable by virtue of their dependency.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.” 
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Matthias Habtegeorgis whose telephone number is (571)272-1916. The examiner can normally be reached on 8:00am - 4:00pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ashok B Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.H./Examiner, Art Unit 2491 

/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491