DETAILED ACTION
The present application is being examined under the pre-AIA first to invent provisions.
This action is in response to the communication: the amendment/remarks filed on 07/15/2022.
Claims 19, 22-26, 29-33 and 36-41 are currently pending in this application. Claims 19, 22-26, 29, 31-33, 36 and 38-41 have been amended.
No new IDS has been filed.

Response to Arguments
The previous objections to claims 22-25, 40 and 41 have been withdrawn in response to the applicants’ amendments/remarks.
The previous 112(b) rejections to claims 19, 22-26, 29-33 and 36-41 have been withdrawn in response to the applicants’ amendments/remarks.
The previous 102 rejections to claims 19, 22-26, 29-33 and 36-41 have been withdrawn in response to the applicants’ amendments/remarks.

Allowable Subject Matter
Claims 19, 22-26, 29-33 and 36-41 are allowed.

Examiner’s Statement for Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:
Regarding independent claims 19, 26 and 33,
Porras et al. (US 7,594,260 B2) teaches a method of network surveillance that includes receiving network packets handled by a network entity and building at least one long-term and at least one short-term statistical profile from a measure of the network packets that monitors data transfers, errors, or network connections. A comparison of the statistical profiles is used to determine whether the difference between the statistical profiles indicates suspicious network activity. Selection of packets can be based on different criteria. Streams of event records can be derived from discarded traffic, pass-through traffic, packets having a common protocol, packets involving network connection management and packets targeting ports to which an administrator has not assigned any network service and that also remain unblocked by the firewall. A signature engine of the monitor maps an event stream against abstract representations of event sequences that are known to indicate undesirable activity – see abstract, figs. 1-3 and columns 5, 6, 7 of Porras.

Bauch et al. (US 2004/0177158 A1) teaches a facility for diverting a network packet to a diverted destination. The facility selects for diversion a network packet that has been submitted for delivery and whose delivery is not yet complete. The network packet has a destination address, a destination port, a source address, and a source port, all with initial values. In the network packet, the facility: substitutes the initial value of the destination port in the source port; substitutes an address for the diverted destination in the destination address; and substitutes a port for the diverted destination in the destination port. After the substitution, the facility releases the network packet for delivery to the diverted destination – see abstract, figs. 4, 5 and par. [0047] of Bauch.

Baker (US 6,775,657 B1) discloses a multilayered intrusion detection system and method, which includes monitoring activity on a network and maintaining a registry of each host node address associated with a host node operable to perform host-based intrusion detection services. The method further includes comparing a destination address of the monitored network activity with at least one host node address in the registry. If an address of the network activity matches an address of a registered host node, the network activity is dismissed and allowed to proceed unencumbered to the registered host node. The network activity not destined for a registered host node has intrusion detection services performed on it. The network activity dismissed to the host node has intrusion detection services performed on it at the receiving host node – see abstract, figs. 1, 4 and column 5 of Baker.

Krishnamurthi et al. (US 2004/0114558 A1) teaches a method and system for routing messages between hosts while maintaining end-to-end location privacy. Packets are routed to a receiving host by an access router corresponding to the receiving host. When the access router receives a packet having a source address of a sending host or the access router of the sending host and a destination address corresponding to the receiving host or the access router of the receiving host, the access router performs certain header stripping and address swapping functions based on the received information and sends the packet to the receiving host – see fig. 2 and par. [0013] of Krishnamurthi.

However, the prior art of record does not teach or render obvious the limitations in independent claims 19, 26 and 33, for an apparatus, a method and a medium to process, specific to the other limitations with the combination of –
receiving, from a traffic filter at a boundary of a network, a network communication; and determining which the network communication is, from among being a first anomalous communication associated with a service that does not exist within the network, using a non-readable character set, or including a malicious payload;
defining a fingerprint, based on an order of a plurality of tokens of a network protocol included in the first anomalous communication; and at least partially based on the determining, generating a first rule, at least partially based on an analysis of the fingerprint; and
communicating, to the traffic filter, the first rule for the traffic filter for filtering, from network communications external to the network, a second anomalous communication.
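
An added illustration of the sequence recited above (classify a communication, fingerprint it by token order, generate a rule, filter a second communication); it is not code from the application or the cited references. Treating the HTTP method and header names as the "tokens", the hash format, the rule dictionary, the `SERVICES` set and all function names are assumptions made for this example, and the malicious-payload branch is left out.

```python
import hashlib
from typing import Optional

SERVICES = {80, 443}  # assumption: ports this network actually serves

# Constructed sample traffic (not taken from the application or cited patents).
FIRST = (b"GET / HTTP/1.1\r\nAccept: */*\r\nHost: 203.0.113.7\r\n"
         b"Connection: close\r\nUser-Agent: x\r\n\r\n")
SECOND = (b"GET /login HTTP/1.1\r\nAccept: text/html\r\nHost: www.example.test\r\n"
          b"Connection: keep-alive\r\nUser-Agent: y\r\n\r\n")
BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
          b"User-Agent: browser\r\nAccept: text/html\r\nConnection: keep-alive\r\n\r\n")

def header_tokens(raw: bytes) -> list:
    """Protocol tokens in wire order: the method, then each header name."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    tokens = [lines[0].split(" ", 1)[0]]
    tokens += [l.split(":", 1)[0].strip().lower() for l in lines[1:] if ":" in l]
    return tokens

def fingerprint(raw: bytes) -> str:
    """Hash of the token order only; header values are deliberately ignored."""
    return hashlib.sha256("|".join(header_tokens(raw)).encode()).hexdigest()[:16]

def anomaly(dst_port: int, raw: bytes) -> Optional[str]:
    """Return why the communication is anomalous, or None if it is not."""
    if dst_port not in SERVICES:
        return "service-not-present"
    head = raw.split(b"\r\n\r\n", 1)[0]
    if any((b < 0x20 and b not in (0x09, 0x0A, 0x0D)) or b > 0x7E for b in head):
        return "non-readable-charset"
    return None

def make_rule(dst_port: int, raw: bytes) -> Optional[dict]:
    """Generate a filter rule only when the communication was found anomalous."""
    reason = anomaly(dst_port, raw)
    if reason is None:
        return None
    return {"action": "drop", "reason": reason, "token_order_fp": fingerprint(raw)}

def filter_drops(rule: Optional[dict], raw: bytes) -> bool:
    """Boundary-filter side: does a later communication match the pushed rule?"""
    return rule is not None and fingerprint(raw) == rule["token_order_fp"]

if __name__ == "__main__":
    rule = make_rule(8081, FIRST)           # probe to a port with no service
    print(rule, filter_drops(rule, SECOND), filter_drops(rule, BENIGN))
```

A rule keyed on token order alone also drops any legitimate client that happens to emit the same order, so a deployment would want to check candidate fingerprints against known-good traffic before pushing them to the filter.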

Dependent claims 22-25, 29-32 and 36-41 are allowed as they depend from allowable independent claim 19, 26 or 33.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance".

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAUNG T LWIN whose telephone number is (571)270-7845. The examiner can normally be reached on Monday - Friday 10:00 am - 6:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr, can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MAUNG T LWIN/Primary Examiner, Art Unit 2495