DETAILED ACTION

The following is a Final office action in response to the Amendments filed on April 11, 2022.

Claim 32 has been amended.
Claim 19 has been cancelled.
Claims 11-18, 20, and 32-41 are pending.

Response to Arguments
 

35 U.S.C. 102 Rejections
	Applicant’s arguments filed in the communications on 04/11/2022 have been fully considered but are not persuasive. Applicant argued in the substance that 
1) Yadab doesn’t teach that the data collection recited in claim 1 is based on network context-related policies. 
Examiner response 
Examiner respectfully disagree and would like to point out that claims are given their broadest reasonable interpretation in light of the specification. Yadav in paragraph [0021] teaches that collectors can also characterize traffic flows going to and from various nodes and also that collectors can match packets based on sequence numbers identifying traffic flows and connection flows. 

2) Applicant also argued that the tag in Yadav doesn’t indicate how to collect data.

Examiner response 
Yadav in paragraph [0022] teaches that collectors can receive data from external data sources such as security reports, white-lists IP watchlists who is data or out-of-band data, such as power status, temperature readings, etc.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 11-18, 20 and 32-41 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Yadav et al. (U.S. PGPub 2016/0359872) hereinafter Yadav.


As per claim 11, Yadav teaches an apparatus comprising: 
at least one processor (Yadav, see paragraph [0053], a processing unit (CPU or processor) 410) and 
at least one memory comprising computer program code (Yadav, see paragraph [0053], including the system memory 415, such as read only memory (ROM) 470)
 the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus at least to
 detect a network context for the apparatus (Yadav, see paragraph [0010], detecting, using sensors, packets throughout a datacenter) 
collect network data for the apparatus based at least in part on policy information associated with the network context, wherein the policy information describes a collection policy for the network data (Yadav, see paragraph [0010], The sensors can then send packet logs to various collectors which can then identify and summarize data flows in the datacenter. Also see paragraph [0021], Collectors 108 can also characterize the traffic flows going to and from various nodes. In some example embodiments, collectors 108 can match packets based on sequence numbers, thus identifying traffic flows and connection links) and
 transmit at least part of the collected network data and a tag derived from the policy information to a server for data composition (Yadav, see paragraph [0019], Sensors 104 can send network traffic data to one or multiple collectors 108. In some example embodiments, sensors 104 can be assigned to a primary collector and a secondary collector. In other example embodiments, sensors 104 are not assigned a collector. Also see paragraph [0020], Collectors 108 can serve as a repository for the data recorded by sensors 104. In some example embodiments, collectors 108 can be directly connected to a top of rack switch. In other example embodiments, collectors 108 can be located near an end of row switch. Collectors 108 can be located on or off premises. Also see paragraph [0459], The Compute Engine processes the flow data in the HDFS, including annotating each flow with certain metadata based on specified rules in order to classify each flow. This enables the UI to present meaningful views of flows or allows users to search flows based on tags.).

As per claim 12, Yadav teaches the apparatus according to claim 11, wherein the collection policy indicates one or more collection schemes for the network data according to a category of the network data (Yadav, see paragraph [0148], The network data observed by a sensor A inside a VM is a subset of the network data observed by a sensor B inside the hypervisor on which the VM is running. Further, the network data observed by a sensor B running inside a Hypervisor is again a subset of the network data observed by a sensor C running either inside or as part of the networking gear to which the hypervisor or the physical machine is connected to).

	As per claim 13, Yadav teaches the apparatus according to claim 11 wherein the policy information indicates one or more instructions for pre-processing the collected network data to obtain the at least part of the collected network data (Yadav, see paragraph [0018], sensors 104 can preprocess network traffic data before sending to collectors 108. For example, sensors 104 can remove extraneous or duplicative data or they can create a summary of the data (e.g., latency, packets and bytes sent per flow, flagged abnormal activity, etc.)).

	As per claim 14, Yadav teaches the apparatus according to claim 11, wherein the policy information is described in a markup language (Yadav, see paragraph [0464], the Rules module translates the user-defined tags and rules into machine-readable code (e.g., JSON, XML) to integrate the new tags into the HDFS).

	As per claim 15, Yadav teaches the apparatus according to claim 11, wherein the policy information comprises at least one of the following information elements for the network data: a network type; a network protocol; a data location; a data category; a data importance level; a collection priority; a data length; a storage type; a collector identification; and a composition tag (Yadav, see paragraph [0465], custom tags among different tenants, associate tags to a hierarchy (e.g., classify tags as associated with certain organizations, or classify tags as relating to networking, etc.), alias tags (i.e., same rules w/different names).).
	As per claim 16, Yadav teaches the apparatus according to claim 11, wherein the tag indicates one or more data composition algorithms for the at least part of the collected network data. (Yadav, see paragraph [0148], The relationship information about whether sensor B in placed in a hypervisor which contains the VM where sensor A is placed, is very important for a lot of algorithms that do analysis on the captured data).

	As per claim 17, Yadav teaches the apparatus according to claim 11, wherein the tag indicates one or more security threats related to the at least part of the collected network data. (Yadav, see paragraph [0026], analytics module 110 can use machine learning techniques to identify security threats to a network using malware detection module 166. For example, malware detection module 166 can be provided with examples of network states corresponding to an attack and network states corresponding to normal operation. Malware detection module 166 can then analyze network traffic flow data to recognize when the network is under attack).

	As per claim 18, Yadav teaches the apparatus according to claim 11, wherein the tag indicates collection time of the network data. (Yadav, see paragraph [0021], collectors 108 can retain a complete dataset describing one period (e.g., the past minute or other suitable period of time), with a smaller dataset of another period (e.g., the previous 2-10 minutes or other suitable period of time), and progressively consolidate network traffic flow data of other periods of time (e.g., day, week, month, year, etc.)).

	

	As per claim 20, Yadav teaches the apparatus according to claim 11, wherein the tag is attached to the at least part of the collected network data as metadata. (Yadav, see paragraph [0046], the packet log can contain the packet, metadata/header info of the packet (e.g., source address, destination address, size, protocol, sequence number, etc.), a summary of the packet (outgoing, incoming, packet type),).

	As per claim 32, Yadav teaches an apparatus comprising:
 at least one processor (Yadav, see paragraph [0053], a processing unit (CPU or processor) 410) and 
at least one memory comprising computer program code, (Yadav, see paragraph [0053], including the system memory 415, such as read only memory (ROM) 470)
the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus at least to
 receive network data and a tag, wherein the network data are collected for a communication node based at least in part on policy information associated with a network context of the communication node (Yadav, see paragraph [0022], collectors 108 can receive data from external data sources 106, such as security reports, white-lists (106a), IP watchlists (106b), who is data (106c), or out-of-band data, such as power status. Also see paragraph [0455], A flow can be tagged with metadata to provide additional information about the flow such that the flows are searchable based on tags, or flows having common tags can be aggregated to visualize flow data.) and wherein the policy information describes a collection policy for the network data and the tag is derived from the policy information and perform data composition of the network data based at least in part on the tag. (Yadav, see paragraph [0459], The Compute Engine processes the flow data in the HDFS, including annotating each flow with certain metadata based on specified rules in order to classify each flow. This enables the UI to present meaningful views of flows or allows users to search flows based on tags.).

As per claim 33, Yadav teaches the apparatus according to claim 32, wherein the collection policy indicates one or more collection schemes for the network data according to a category of the network data.  (Yadav, see paragraph [0148], The network data observed by a sensor A inside a VM is a subset of the network data observed by a sensor B inside the hypervisor on which the VM is running. Further, the network data observed by a sensor B running inside a Hypervisor is again a subset of the network data observed by a sensor C running either inside or as part of the networking gear to which the hypervisor or the physical machine is connected to).

As per claim 34, Yadav teaches the apparatus according to claim 32, wherein the policy information is described in a markup language.  (Yadav, see paragraph [0464], the Rules module translates the user-defined tags and rules into machine-readable code (e.g., JSON, XML) to integrate the new tags into the HDFS).

As per claim 35, Yadav teaches the apparatus according to claim 32, wherein the policy information comprises at least one of the following information elements for the network data: a network type; a network protocol; a data location; a data category; a data importance level; a collection priority; a data length; a storage type; a collector identification; and a composition tag.  (Yadav, see paragraph [0465], custom tags among different tenants, associate tags to a hierarchy (e.g., classify tags as associated with certain organizations, or classify tags as relating to networking, etc.), alias tags (i.e., same rules w/different names).).

As per claim 36, Yadav teaches the apparatus according to claim 32, wherein the tag indicates one or more data composition algorithms for the network data. (Yadav, see paragraph [0148], The relationship information about whether sensor B in placed in a hypervisor which contains the VM where sensor A is placed, is very important for a lot of algorithms that do analysis on the captured data).
  
As per claim 37, Yadav teaches the apparatus according to claim 32, wherein the tag indicates collection time of the network data.  (Yadav, see paragraph [0021], collectors 108 can retain a complete dataset describing one period (e.g., the past minute or other suitable period of time), with a smaller dataset of another period (e.g., the previous 2-10 minutes or other suitable period of time), and progressively consolidate network traffic flow data of other periods of time (e.g., day, week, month, year, etc.)).

As per claim 38, Yadav teaches the apparatus according to claim 32, wherein the tag indicates one or more security threats related to the network data.  (Yadav, see paragraph [0026], analytics module 110 can use machine learning techniques to identify security threats to a network using malware detection module 166. For example, malware detection module 166 can be provided with examples of network states corresponding to an attack and network states corresponding to normal operation. Malware detection module 166 can then analyze network traffic flow data to recognize when the network is under attack).

As per claim 39, Yadav teaches the apparatus according to claim 32, wherein the tag is attached to the network data as metadata. (Yadav, see paragraph [0046], the packet log can contain the packet, metadata/header info of the packet (e.g., source address, destination address, size, protocol, sequence number, etc.), a summary of the packet (outgoing, incoming, packet type),).

As per claim 40, Yadav teaches the apparatus according to claim 32, wherein the network data comprise security-related data, and wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus further to measure a security level for a network with the network context based at least in part on the security-related data and the tag. (Yadav, see paragraph [0022], collectors 108 can receive data from external data sources 106, such as security reports, white-lists (106a), IP watchlists (106b), who is data (106c), or out-of-band data, such as power status, temperature readings, etc.).

As per claim 41, Yadav teaches the apparatus according to claim 32, wherein the data composition of the network data is performed based at least in part on the tag by: applying one or more processing algorithms indicated by the tag to the network data (Yadav, see paragraph [0147], whether the reported sensor data was from a sensor deployed inside a VM or from a sensor deployed inside Hypervisor or from a sensor deployed inside a networking gear is very important for a number of algorithms that do processing on the gathered data) and aggregating respective outputs of the one or more processing algorithms to obtain a result of the data composition (Yadav, see paragraph [0129], the second layer collector will be set to receive the complete flow from the layer one collectors. The second layer collector can then aggregate the data related to that flow).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HERMON ASRES whose telephone number is (571)272-4257. The examiner can normally be reached Monday to Friday 9AM to 5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on (571)272-7304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HERMON ASRES/Primary Examiner, Art Unit 2449