Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 8-25-2020 and 7-26-2021 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Claim Objections
Claim 5 is objected to because of the following informalities: the claim does not end with a period. Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 2, 4-6, 14, 15, 17, 18, 31, 32, 34 and 38-41 are rejected under 35 U.S.C. 103 as being unpatentable over Zambon (US 20170195197), hereafter Zam, and McDaid et al. (US 20160006753), hereafter Daid.
Claim 1: Zam teaches a method of detecting anomalous behaviour in data traffic on a data communication network, a first host and a second host being connected to the data communication network, the data traffic on the data communication network providing a link forming a network communication between the first host and the second host, the method comprising (Fig. 5): a) parsing the data traffic to extract protocol field values of a protocol message of the data traffic; ([011] parsing the data traffic to extract at least one protocol field of a protocol message of the data traffic);
c) selecting from a set of models, a model relating to the one of the first host, the second host, and the link, wherein the selected model comprises a plurality of attributes to describe the one of the first host, the second host, and the link, wherein at least one of the attributes is a semantic attribute, the semantic attribute expressing a semantic meaning for the one of the first host, the second host, and the link, ([012]  the model being selected from a set of models. [016] A network protocol comprises a definition of protocol messages, Protocol Data Units (PDUs), which in turn comprise one or more fields, [063] a protocol message is intended as the specification of an operation to be performed on the receiving host(s) and the sending host; [019] the set of models comprises a respective model for each protocol field of a set of protocol fields, [059] semantic is assigned to the parsed protocol field);
d) updating the selected model with the derived attribute values, if the derived attribute values are not featured in the selected model relating to the one of the first host, the second host and the link; ([025-26] updating the model for the extracted protocol field using a contents of the extracted protocol field, if no association can be made between the extracted protocol field and one of the models, a new model may be created for the extracted protocol field and added to the set of models);
e) assessing if the updated, selected model complies with a set of attribute based policies, each attribute based policy of the set of attribute based policies defining a security constraint of the data communication network based on at least one of the attributes of the first host, the second host or the link, ([013] assessing if a contents of the extracted protocol field is in a safe region as defined by the model; [020] a specific one of the two models for the one protocol field being chosen based on the value of another field, so as to possibly further increase a precision of the models, [031] and then adapting the learned model(s) based on knowledge of a known behaviour and consequential occurrence and/or contents of protocol messages, their fields and/or the values of the fields);
and f) generating an alert signal in case the attribute based policies indicate that the updated selected model violates at least one of the attribute based policies. ([035-38] the software is able to process protocol messages that are not in accordance with the communication protocol. In response to generating the intrusion detection signal, further comprises at least one of: removing the protocol field or a data packet containing the protocol field; and raising and outputting an intrusion alert message. Any other intrusion detection action shall be applied, such as isolating the protocol field or a data packet containing the protocol field, etc.);
Zam is silent on b) deriving, from the extracted protocol field values, attribute values of attributes of one of the first host, the second host, and the link; 
But analogous art Daid teaches b) deriving, from the extracted protocol field values, attribute values of attributes of one of the first host, the second host, and the link; ([025] wherein these features describe the behavioural patterns of individual devices on the network, the features extracted from the feature extraction means are stored defined by their data traffic characteristics numerically derived from the captured data traffic and descriptive of the device behaviour);
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Zam to include the idea of extracting protocol features as taught by Daid, which advantageously enables such patterns to be used as control signature patterns for detecting other M2M devices behaving abnormally (Daid [086]).
Claim 2: the combination of Zam and Daid teaches the method according to claim 1, comprising at least one of: wherein the attribute values derived from the extracted protocol field values describe protocol generic features of the one of the first host, the second host and the link, and wherein the attribute based policies comprise declarative policies. (Daid: [025] wherein these features describe the behavioural patterns of individual devices on the network, the features extracted from the feature extraction means are stored defined by their data traffic characteristics numerically derived from the captured data traffic and descriptive of the device behaviour, [037] means for extracting, for each cluster, a general characterisation of the patterns that the devices in it share, [091] a Network Protection and Policy System such as that provided for example by the Adaptive Mobile Security (AMS) Network Protection Platform (NPP)).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Zam to include the idea of extracting protocol features as taught by Daid, which advantageously enables such patterns to be used as control signature patterns for detecting other M2M devices behaving abnormally (Daid [086]).
Claim 4: the combination of Zam and Daid teaches the method according to claim 1, wherein the set of models comprises a model for the first host, a model for the second host and a model for the link, wherein each of the models comprises at least one semantic attribute. (Zam: [149] associating the extracted protocol field with a model for that protocol field, the model being selected from a set of models. The set of models comprises different model types. The different model types include a numeric range model, a numeric set (enumeration) model, a numeric distribution model, an ASCII string model, a Unicode string model, a Boolean model, an n-gram-based binary model, a network emulator, a set of intrusion detection signatures, etc.).
Claim 5: the combination of Zam and Daid teaches the method according to claim 1, wherein the policies each define an outcome in case a condition is met, the condition being defined in terms of a respective at least one of the attributes having a defined attribute value, the outcome of the attribute based policies indicating if the selected model is allowable or not allowable. (Zam: [093] handler makes an assessment whether or not the extracted protocol field conforms to the model, so as to asses if the contents of the extracted protocol field is to be considered an intrusion or not, [015] the protocol field is then assessed using the model in order to establish if the contents of the protocol field is in a normal, safe, acceptable range or not).
Claim 6: the combination of Zam and Daid teaches the method according to claim 1, wherein the condition of each policy comprises at least one semantic attribute value. (Zam: [052] the selection of the model type is performed using the data type of the protocol field value(s), and/or the semantic of the parsed protocol field(s)).
Claim 14: the combination of Zam and Daid teaches the method according to claim 1, wherein steps b), c), d) and e) are performed for the first host, for the second host and for the link, the set of models comprising a model relating to the first host, a model relating to the second host and a model relating to the link, the attribute based policies of the set of attribute based policies defining conditions in terms of the attributes of the first host, the attributes of the second host and the attributes of the link. (Zam: [149] associating the extracted protocol field with a model for that protocol field, the model being selected from a set of models. The set of models comprises different model types. The different model types include a numeric range model, a numeric set (enumeration) model, a numeric distribution model, an ASCII string model, a Unicode string model, a Boolean model, an n-gram-based binary model, a network emulator, a set of intrusion detection signatures, etc.).
Claim 15: the combination of Zam and Daid teaches the method according to claim 1, wherein the set of attribute based policies comprises whitelist policies, the outcome of the whitelist policies indicating if the selected model is allowable. (Zam: [143] In case the model is built manually, the set of allowed messages is built according to specific security policies. A security policy imposes that only read operations are performed on a certain host. In this case the set of allowed messages would contain only read messages, [0145] in case of a numeric field that represents the length of a security-related field, a model of numeric distribution type is used).
Claim 17: the combination of Zam and Daid teaches the method according to claim 1, further comprising providing a consistency rule, the consistency rule defining consistent combinations of at least two attribute values of attributes of the model relating to the one of first host, the second host and the link, comprising - verifying, on the basis of the values of the attributes derived from the monitored data traffic, if the monitored data traffic complies to the consistency rule, - storing the data traffic relating to the one of the first host, the second host and the link in a quarantine in case the data traffic relating to the one of the first host, the second host and the link does not comply to the consistency rule. (Zam: [015] parser makes use of a predefined protocol specification. Also, in case the protocol is unknown, the protocol is learnt by monitoring the data traffic on the network and deriving a protocol specification therefrom. [031] first learning the model(s) in a learning phase, and then adapting the learned model(s) based on knowledge of a known behaviour and consequential occurrence and/or contents of protocol messages, their fields and/or the values of the fields. [036-38] in response to generating the intrusion detection signal, comprises at least one of: removing the protocol field or a data packet containing the protocol field; and raising and outputting an intrusion alert message. Any other intrusion detection action is applied, such as isolating the protocol field or a data packet containing the protocol field, etc).
Claim 18: the combination of Zam and Daid teaches the method according to claim 17, wherein the quarantine stores a list of hosts, links or combinations of hosts and links for which no judgement has been made regarding the host respectively link being legit or malicious. (Daid: [0306] communicating with one or more network elements (either with or without a Network Protection and Policy System (or equivalent or similar) such as that provided by the AMS NPP (or equivalent or similar) being required) such as an operator's EIR (Equipment Identity Register) or a CEIR (Central Equipment Identity Register) to put an M2M device's IMEI (International Mobile Equipment Identity) on an EIR or CEIR greylist (for device quarantine) or blacklist (for device revocation), etc. denying service by the network (or all networks using the CEIR) to the M2M device. Advantageously the M2M device's SIM is moved to another clean device in such an instance, [040] pseudo labelling M2M devices from suspected stored patterns of devices in the device information store which are suspected to be M2M devices (i.e., quarantine), then their patterns are used to predict whether other devices are M2Ms).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Zam to include the idea of quarantining with grey and black lists as taught by Daid, which advantageously enables such patterns to be used as control signature patterns for detecting other M2M devices behaving abnormally (Daid [086]).
Claim 31: the combination of Zam and Daid teaches the method according to claim 1, wherein the set of attribute based policies comprises the whitelist policies, the outcome of the whitelist policies indicating if the selected model is allowable, and wherein, in case the model relating to the first host, the second host or the link cannot be matched to any of the whitelist policies, the data communication relating to the respective one of the first host, the second host or link is listed in a quarantine. (Zam: [033] the intrusion detection signal is further generated when the extracted field cannot be associated with any of the models of the set of models, so that an action is performed also in case the extracted field possibly complies with the protocol, but for which no suitable model is provided. Often, only a subset of the possible protocol fields are used, for example in control applications, allowing an alert to be raised when a protocol field which complies with the protocol but which is normally not applied has been retrieved, [0143] If the model is built manually, the set of allowed messages is built (i.e., whitelist) according to specific security policies. A security policy imposes that only read operations are performed on a certain host. In this case the set of allowed messages would contain only read messages).
Claim 32: the combination of Zam and Daid teaches the method according to claim 1, wherein, in case the protocol message carries information about a host or link for which no model is available, the respective host or link is listed in a quarantine; and wherein the quarantine stores a list of hosts, links or combinations of hosts and links for which no judgement has been made regarding the host respectively link being legit or malicious. (Daid: [0306] communicating with one or more network elements (either with or without a Network Protection and Policy System (or equivalent or similar) such as that provided by the AMS NPP (or equivalent or similar) being required) such as an operator's EIR (Equipment Identity Register) or a CEIR (Central Equipment Identity Register) to put an M2M device's IMEI (International Mobile Equipment Identity) on an EIR or CEIR greylist (for device quarantine) or blacklist (for device revocation), etc. denying service by the network (or all networks using the CEIR) to the M2M device. Advantageously the M2M device's SIM is moved to another clean device in such an instance, [040] pseudo labelling M2M devices from suspected stored patterns of devices in the device information store which are suspected to be M2M devices (i.e., quarantine), then their patterns are used to predict whether other devices are M2M).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Zam to include the idea of unknown classification and quarantining with grey and black lists as taught by Daid, which advantageously enables such patterns to be used as control signature patterns for detecting other M2M devices behaving abnormally (Daid [086]).
Claim 34: the combination of Zam and Daid teaches the method according to claim 32, further comprising: deriving attribute values relating to the host or link listed in the quarantine. (Daid: [025] the features extracted from the feature extraction means are stored defined by their data traffic characteristics numerically derived from the captured data traffic and descriptive of the device behaviour).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Zam to include the idea of deriving features from traffic as taught by Daid, which advantageously enables such patterns to be used as control signature patterns for detecting other M2M devices behaving abnormally (Daid [086]).
Claim 38: the combination of Zam and Daid teaches the method according to claim 34, wherein the method further comprises: checking using the consistency rules, the attribute values of the host or link in quarantine for consistency. (Zam: [017] model is understood so as to comprise a rule or set of rules that apply to a protocol field, in order to assess that protocol field. The model describes normal, legitimate or non-intrusive protocol messages).
Claim 39: the combination of Zam and Daid teaches the method according to claim 34, wherein the method further comprises: assessing, using the attribute based policies, if the attribute values of the host or link in quarantine comply with the set of attribute-based policies. (Zam: [032-33] the intrusion detection signal is generated when the parsing cannot establish the field as complying to the protocol, so that an action is performed in case a field which is incompliant with the protocol is detected… only a subset of the possible protocol fields are used, in control applications, allowing to raise an alert when a protocol field which complies with the protocol but which is normally not applied, has been retrieved).
Claim 40: the combination of Zam and Daid teaches the method according to claim 34, further comprising: deriving attribute based policies from the attributes of the host or link listed in the quarantine. (Daid: [025] wherein these features describe the behavioural patterns of individual devices on the network, the features extracted from the feature extraction means are stored defined by their data traffic characteristics numerically derived from the captured data traffic and descriptive of the device behaviour).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Zam to include the idea of extracting protocol features as taught by Daid, which advantageously enables such patterns to be used as control signature patterns for detecting other M2M devices behaving abnormally (Daid [086]).
Claim 41: the combination of Zam and Daid teaches the method according to claim 40, wherein a new whitelist policy is derived from attribute values derived from protocol messages relating to the host or link in quarantine, wherein a frequency of occurrence of the protocol messages relating to the host or link in quarantine exceeds a whitelisting threshold. (Zam: [070] a model for composite protocol fields comprises of a counter of the instances of the protocol field observed in a learning phase. In case the field was observed less than a given number of times (threshold), observing the composite protocol field during the detection phase causes the generation of an intrusion detection signal. According to the semantic of a composite protocol field, its importance with regards to security may vary. The semantic is used to specify a different model type or a different sensitivity of the model according to for example the importance of a field with regards to security. In case of a composite field, which is not relevant for security, the threshold of observed instances is changed to limit the amount of irrelevant intrusion detection signals generated).
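To make the claimed flow concrete, the following is an added illustration of steps a) through f) of claim 1 together with the quarantine of unknown hosts or links (claim 32) and the whitelisting threshold (claim 41). It is example code written for this page, not code from the application, from Zambon or from McDaid; the key=value message format, the function-code semantics (fc=3 read, fc=16 write), the asset roles in KNOWN_ROLES, the policies and the threshold value are all assumptions chosen for the example.

```python
"""Added illustration of the claimed detection flow (steps a to f, plus the
quarantine of claim 32 and the whitelisting threshold of claim 41). Example
code, not code from the application, Zambon or McDaid; the message format,
function-code semantics, asset roles and policies are assumptions."""
from dataclasses import dataclass, field

# Constructed sample traffic: one protocol message per line as key=value fields.
# Assumed semantics: fc=3 is a read operation, fc=16 is a write operation.
SAMPLE_TRAFFIC = [
    "src=10.0.0.5 dst=10.0.0.9 proto=ctl fc=3 addr=100",
    "src=10.0.0.5 dst=10.0.0.9 proto=ctl fc=3 addr=101",
    "src=10.0.0.5 dst=10.0.0.9 proto=ctl fc=16 addr=200",  # HMI writes: violates policy
    "src=10.0.0.7 dst=10.0.0.9 proto=ctl fc=3 addr=100",   # unknown host: quarantined
    "src=10.0.0.7 dst=10.0.0.9 proto=ctl fc=3 addr=100",
    "src=10.0.0.7 dst=10.0.0.9 proto=ctl fc=3 addr=100",   # third sighting: gets a model
]

# Semantic attribute per host (assumed to come from an asset inventory).
KNOWN_ROLES = {"10.0.0.5": "hmi", "10.0.0.9": "plc"}
WHITELIST_THRESHOLD = 3  # sightings before a quarantined host/link gets a model

# Attribute-based policies: (name, condition on model attributes, outcome).
# The first mirrors the "only read operations on a certain host" constraint.
POLICIES = [
    ("hmi-read-only",
     lambda a: a.get("role") == "hmi" and "write" in a.get("operations", set()),
     "not allowable"),
    ("single-protocol",
     lambda a: len(a.get("protocols", set())) > 1,
     "not allowable"),
]


def parse_message(line):
    """Step a: parse one message into its protocol field values."""
    return dict(kv.split("=", 1) for kv in line.split())


def derive_attributes(fields):
    """Step b: derive attribute values for the sending host and for the link."""
    op = "write" if fields["fc"] == "16" else "read"
    return {
        "host": {"id": fields["src"], "protocols": {fields["proto"]}, "operations": {op}},
        "link": {"id": (fields["src"], fields["dst"]), "protocols": {fields["proto"]},
                 "operations": {op}},
    }


@dataclass
class Model:
    attributes: dict = field(default_factory=dict)


@dataclass
class Detector:
    models: dict = field(default_factory=dict)      # (kind, id) -> Model
    quarantine: dict = field(default_factory=dict)  # (kind, id) -> sightings
    alerts: list = field(default_factory=list)

    def _host_known(self, addr):
        return addr in KNOWN_ROLES or ("host", addr) in self.models

    def select_model(self, key):
        """Step c: pick the model for a host or link; None if there is no model yet."""
        if key in self.models:
            return self.models[key]
        kind, ident = key
        if kind == "host" and ident in KNOWN_ROLES:
            self.models[key] = Model({"role": KNOWN_ROLES[ident]})
        elif kind == "link" and all(self._host_known(a) for a in ident):
            self.models[key] = Model()
        return self.models.get(key)

    def update_model(self, model, attrs):
        """Step d: add derived attribute values the model does not feature yet."""
        for name, value in attrs.items():
            if isinstance(value, set):
                model.attributes[name] = model.attributes.get(name, set()) | value
            else:
                model.attributes.setdefault(name, value)

    def assess(self, key, model):
        """Step e: evaluate every attribute-based policy against the model."""
        return [f"{name} violated by {key}" for name, cond, outcome in POLICIES
                if cond(model.attributes) and outcome == "not allowable"]

    def process(self, line):
        derived = derive_attributes(parse_message(line))               # a), b)
        for kind, attrs in derived.items():
            key = (kind, attrs["id"])
            model = self.select_model(key)                             # c)
            if model is None:
                # Unknown host or link: count sightings in quarantine (claim 32).
                self.quarantine[key] = self.quarantine.get(key, 0) + 1
                if self.quarantine[key] < WHITELIST_THRESHOLD:
                    continue
                # Seen often enough: derive a model for it (claim 41 style).
                model = self.models[key] = Model({"role": "unclassified"} if kind == "host" else {})
            self.quarantine.pop(key, None)
            self.update_model(model, attrs)                            # d)
            self.alerts.extend(self.assess(key, model))                # e), f)


def run(lines):
    """Feed constructed traffic through the detector and return its state."""
    det = Detector()
    for line in lines:
        det.process(line)
    return det


if __name__ == "__main__":
    state = run(SAMPLE_TRAFFIC)
    print("alerts:", state.alerts)
    print("models:", sorted(str(k) for k in state.models))
```

Running it on the constructed traffic raises one alert (the HMI host's model now features a write operation, so the read-only policy's condition is met) and, after three sightings, moves the unknown host 10.0.0.7 and its link out of quarantine into the model set with an "unclassified" role, which is where a consistency check or a newly derived whitelist policy (claims 38 to 41) would operate next.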

Allowable Subject Matter
Claims 25-27, 35, 36, 42, 44 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867. The examiner can normally be reached M-F: 8:30am-5pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jorge L. Ortiz-Criado, can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BADRINARAYANAN /P'Examiner, Art Unit 2496.