DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office action is in response to the communication filed on 09/18/2019.
Status of claims in the instant application:
Claims 1-74 are pending.
Information Disclosure Statement
No Information Disclosure Statement (IDS) has been filed by the Applicant. Applicant is reminded that per “MPEP § 2011: Duty of Disclosure, Candor, and Good Faith” Applicant has the responsibility to disclose information material to patentability. It’s noted that:
(a) A patent by its very nature is affected with a public interest. The public interest is best served, and the most effective patent examination occurs when, at the time an application is being examined, the Office is aware of and evaluates the teachings of all information material to patentability. Each individual associated with the filing and prosecution of a patent application has a duty of candor and good faith in dealing with the Office, which includes a duty to disclose to the Office all information known to that individual to be material to patentability as defined in this section. The duty to disclose information exists with respect to each pending claim until the claim is cancelled or withdrawn from consideration, or the application becomes abandoned. Information material to the patentability of a claim that is cancelled or withdrawn from consideration need not be submitted if the information is not material to the patentability of any claim remaining under consideration in the application. There is no duty to submit information which is not material to the patentability of any existing claim. The duty to disclose all information known to be material to patentability is deemed to be satisfied if all information known to be material to patentability of any claim issued in a patent was cited by the Office or submitted to the Office in the manner prescribed by §§ 1.97(b)-(d) and 1.98. However, no patent will be granted on an application in connection with which fraud on the Office was practiced or attempted or the duty of disclosure was violated through bad faith or intentional misconduct. The Office encourages applicants to carefully examine:
(1) Prior art cited in search reports of a foreign patent office in a counterpart application, and
(2) The closest information over which individuals associated with the filing or prosecution of a patent application believe any pending claim patentably defines, to make sure that any material information contained therein is disclosed to the Office.
(c) Individuals associated with the filing or prosecution of a patent application within the meaning of this section are:
(1) Each inventor named in the application;
(2) Each attorney or agent who prepares or prosecutes the application; and
(3) Every other person who is substantively involved in the preparation or prosecution of the application and who is associated with the inventor, the applicant, an assignee, or anyone to whom there is an obligation to assign the application.
(d) Individuals other than the attorney, agent or inventor may comply with this section by disclosing information to the attorney, agent, or inventor.
(e) In any continuation-in-part application, the duty under this section includes the duty to disclose to the Office all information known to the person to be material to patentability, as defined in paragraph (b) of this section, which became available between the filing date of the prior application and the national or PCT international filing date of the continuation-in-part application.
Drawings
The drawings are objected to because:
	Fig. 5: Descriptive labels are not legible.
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Appropriate correction required.
Claim Objections
Claims 17, 18, 43, 44, 61 and 62 are objected to because of the following informalities:
	Claim 18 recites, “… wherein the first and second protocol categories are configurable based on OT traffic and IT traffic”. The abbreviations “OT” and “IT” have not been used in their full form in any of the previous claims. When using an abbreviation of any term, the full recitation of the abbreviated term should be used first, before the abbreviated term is used.
	Claims 44 and 62 have similar issues.
	Similarly, claims 17, 43 and 61 use the abbreviated term “TCP/UDP” without a prior full recitation.
	Appropriate correction is required.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f):
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f). The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) because the claim limitations use a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitations are:
Claims 1, 13, 21 and 53 recite, “… a traffic aggregator module for …”
Claims 1, 13, 21 and 53 recite, “… a protocol category splitter module for …”
Claims 1 and 53 recite, “… a first and second intrusion detection system (IDS) module for …”
Claims 1, 4, 20 and 21 recite, “… a first and second security information and event management (SIEM) module for …”
Claims 6 and 55 recite, “… the first and second IDS module further comprises a first and second IDS agent module for …”.
Because these claim limitations are being interpreted under 35 U.S.C. 112(f), they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
Examiner has investigated the specification (and the originally filed claims, which are also considered part of the specification) of the instant Application and finds the following:
“Original claim 13 recites,  “The system of claim 6 wherein the traffic aggregator module, the protocol category splitter module and at least one of the first and second IDS agents exist on an edge Ethernet switch where the network and control elements connect.”
Examiner also finds in the published specification (US 20210084058 A1) of the instant Application:
“Para [0025]: Yet a further aspect of the invention is directed to the above noted system wherein the traffic aggregator module, the protocol category splitter module and at least one of the first and second IDS agents exist on an edge Ethernet switch where the network and control elements connect”
Para [0032]: Yet a further aspect of the invention is directed to the above noted system wherein at least one of the first or second IDS modules communicates at least one of the first or second protocol category alert to at least one of the first or second SIEM modules and the at least one of the first or second SIEM module displays the at least one of the first or second protocol category alert to the user and facilitates the user's interaction with the at least one of the first or second protocol category alert.
Para [0101]: As used herein, an intrusion detection module (“IDS”) will be understood to refer to a device, system, method, apparatus or software application that monitors one or more networks or systems for malicious activity, policy violations, or anomalous activity (e.g. all outside intrusion). Any malicious activity, violation or anomaly is typically reported either to an administrator or collected centrally using a security information and event management (“SIEM”) system. A SIEM system combines outputs from multiple sources, and uses alarm/alert filtering techniques to distinguish malicious activity from false alarms.
Para [0128]: In yet another aspect of this current invention, in a preferred embodiment, for each Protocol Category there may exist one or more SIEMs optimized for the types of alerts and anomalies specific to that Protocol Category. In a preferred embodiment, the SIEM may comprise (a) a user authentication database; (b) a database to store appropriate and applicable Protocol Category alerts, events, incidents, log files, etc.; and (c) a user interface displaying alerts, events, incidents, log files, etc. so as to allow users to interact with the IDS system and configure its components.”
Examiner interprets, based on at least the above cited portions of the specification, that the placeholder terms identified previously, for the claims noted as invoking interpretation under 35 U.S.C. 112(f), are implemented either as hardware and/or as software/applications executing on hardware elements.
If applicant does not intend to have these limitations interpreted under 35 U.S.C. 112(f), applicant may:  (1) amend the claim limitations to avoid them being interpreted under 35 U.S.C. 112(f) (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitations recite sufficient structure to perform the claimed function so as to avoid them being interpreted under 35 U.S.C. 112(f).
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 17-18, 43-44 and 61-62 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.
Claim 17 recites the limitation, “… wherein the first and second protocol categories are configurable based on the group consisting of traffic type, device type, protocol, device, network address, and TCP/UDP port”.
It’s not clear from the claim language what the difference would be between “device type” and “device”.
Furthermore, claim 18, which depends on claim 17, also does not clarify the difference between “device type” and “device”.
It appears that one of the two terms identified (“device type” and “device”) is redundant, absent any further clarification. Thus the claim language is vague and ambiguous, and hence claims 17-18 are rejected as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.
Claims 43-44 and 61-62 recite limitations similar to claims 17-18, and hence are similarly rejected as claims 17-18.
Appropriate correction is required.
*** Note: For examination purposes the claim limitation is interpreted to read as, “… wherein the first and second protocol categories are configurable based on the group consisting of traffic type, device type, protocol, device identifier or device address, network address, and TCP/UDP port”.
Claim Eligibility
Examiner has investigated the claimed invention for subject matter eligibility and for any recitation of abstract ideas. Examiner considers, based on “2019 Revised Patent Eligibility Guidance”, that claims do recite patent eligible subject matter (i.e. process, machine, manufacture, composition) and/or related improvements, and that the claims do not fall under one of the three abstract idea categories (mental process, mathematical computation and mathematical relations, and organizing human activities). 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 6-7, 13, 16-21, 26, 29, 31-37, 43-45, 48, 53-55, 61-62 and 67 are rejected under 35 U.S.C. 103 as being unpatentable over Pat. No. US 10764313 B1 to Mushtaq (hereinafter “Mushtaq”) in view of Pub. No. US 20200186600 A1 to DAWANI et al. (hereinafter “DAWANI”).
Regarding Claim 1. Mushtaq discloses a system for intrusion detection for network and control elements used in a mission critical environment connected to a network (Mushtaq, Abstract, FIG. 2: … An Active Cyber Defense method and system is provided for detecting and stopping malicious cyber activity including for example Drive-By Exploits, Malicious Binaries, Data Exfiltration, Social Engineering and Credential Stealing Attacks. The system disclosed herein can be configured to detect and block multi protocol network-based cyber attacks targeting different platforms or operating systems. The system can also be configured to be scalable. The system as disclosed herein can conduct real time inspection of network traffic and can self-learn and adapt as needed to a changing cyber threat landscape …), the system comprising:
(a) a traffic aggregator module for [mirroring] and aggregating network traffic (Mushtaq; Col.11,ln.43-65; col.12,ln.52-65; Claim 1: …  The system's core functionality can depend on the real time inspection of network traffic. A packet capturing module (101) can capture traffic flowing through a network in a systematic way and forward the traffic to the Analysis Engine for the analysis. Packet acquisition can be achieved through a variety of methods, including software agent, appliance, and direct forwarding. A Software Agent can be installed on all end point devices. This end point agent can sniff traffic from OS TCP/IP drivers and forward it to the Analysis Engine for detailed inspection. Appliances, for example a dedicated hardware appliance or a software appliance running inside off the shelf hardware, can be attached with a network switch, router or firewall for sniffing traffic through the physical mediums …  FIG. 2 shows elements of the protocol analysis engine depicted in FIG. 1 for an exemplary system and method as described herein. The packet capturing module (201) may capture traffic and relay it to the protocol finger printing module (202) … a first module configured to monitor and capture network session activity between one or more client devices and one or more internet servers and to extract a network flow from the network session activity …);
(b) a protocol category splitter module for receiving the mirrored and aggregated network traffic from the traffic aggregator and for splitting the mirrored and aggregated network traffic into a first and second protocol category (Mushtaq; col.12,ln.52-65; col.13,ln.15-24: FIG. 2 shows elements of the protocol analysis engine depicted in FIG. 1 for an exemplary system and method as described herein. The packet capturing module (201) may capture traffic and relay it to the protocol finger printing module (202), which may separate the types of protocols before sending the protocols to the analysis engine (210). FIG. 2 illustrates exemplary pathways that protocols may follow as they move through the Protocol Finger Printing Module to the protocol analysis engine. For example, the protocol may comprise an HTTP protocol that is transferred from the protocol finger printing module (202) to an HTTP Queue (221) in the analysis engine (210), then to an HTTP handler (222), and finally to an HTTP Categorization Module (223) before entering the protocol analysis engine (240) … An SSL protocol may move from the protocol finger printing module to the protocol analysis engine (240) where it may enter an SSL Queue (216), through an SSL Handler (217) and an SSL categorization module (218) before entering the protocol analysis. Other protocols, for example Protocol N, may move from the protocol finger printer module (202) to a protocol N queue (211) in the analysis engine (210), then to a protocol N handler (212), and finally a protocol N categorization module (213) before moving into the protocol analysis engine (240) …);
(c) a first and second intrusion detection system (IDS) module for the first and second protocol categories, the first intrusion detection system module for analyzing the mirrored and aggregated network traffic from the first protocol category and for transmitting a first IDS associated data and the second intrusion detection system module for analyzing the mirrored and aggregated network traffic from the second protocol category and for transmitting a second IDS associated data (Mushtaq; col.13,ln.25-55; col.14,ln.54-60; col.18,ln.64-67; col.19,ln.1-7; FIG. 2-3; Claim 1: … Once in the protocol analysis engine (240), the protocols may be analyzed using protocol analyzers part of protocol analysis runtime. Protocol Analysis runtime is a collection of protocol analyzers that is configured to inspect and parse a given session using different packet inspection techniques. These protocol analyzers may divide a given session into meaningful artifacts. These artifacts may be handed over to the Protocol Feature Extractor module to create machine learning features that are eventually processed by a set of anomaly detection classifiers. For example, for a given TLS session, protocol analysis runtime; by making use of knowledge acquired through standard TLS RFCs (protocol specifications) can split a TLS session into different segments TLS Client Hello, TLS Server Hello and the encrypted data payload. Similarly, for a given HTTP session, protocol analysis runtime may generate different segments like HTTP Host, HTTP Method, HTTP Url, HTTP Request Headers, HTTP Response Headers and the payload.
For a given IRC session, protocol analysis runtime may generate different segments like IRC User, IRC Nick, IRC Channel Name, IRC Private Message, Topic of joined IRC channel, IRC Server log and the like …  After being analyzed by protocol analyzers in protocol analysis runtime, an HTTP protocol, SSL protocol, Protocol N, or other protocols (like IRC, FTP, SMTP, CUSTOM TCP, CUSTOM UDP etc.) undergo protocol feature extraction specific for each protocol. The extractors may be configured for the specific protocols; for example, HTTP protocol feature extractors (224), SSL protocol feature extractors (219), “protocol N” protocol feature extractors (214), or feature extractors specific for other protocols … Active analysis is a second layer of deep analysis that may be performed on all network flows marked as suspicious by Protocol Analysis Engine (PAE). The purpose of active analysis is to get a single verdict i.e. if the given session is malicious or not (for a given category). Session marked as benign may be discarded and ones marked as malicious may be logged into the database along with appropriate category  …); and 
(d) a first and second security information and event management (SIEM) module for each of the first and second protocol categories, the first SIEM module for processing the first IDS associated data to make a first protocol category alert available to a user and the second SIEM module for processing the second IDS associated data to make a second protocol category alert available to the user (Mushtaq; col.5,ln.21-46; col.12,ln.44-51; col.17,ln.55-67; col.18,ln.64-67; col.19,ln.1-7; FIG. 4: … An automated incident management engine can be provided that can receive the malicious session and can independently block all subsequent communication associated with the malicious session. The incident management engine can determine an infected machine and user information in response to the malicious session and can add the infected machine and user information to a database. The added infected machine and user information can be marked as an incident. The incident management engine can also send a notification related to the incident … The incident management engine (140) may comprise an incident manager (141) that interacts with a blocking module (150), a notification module (160), a central database (142), and a threat attribution engine (170) that may access databases including the threat name encyclopedia (172), and the hacker groups encyclopedia (174). Information from the incident management engine may be fed into a user interface (180) for displaying the content to the user … The Incident Manager (441) and the Threat Attribution Engine (470) may interact with the Notification Module (460).
Once a malicious flow is detected, the incident manager (441) may direct the Notification Module (460) to notify the system administrators or Incident response team about the malicious incident via Email Notification, using an Email Notification Module (461), and in another use case the system may log the incident information through a SIEM Integration Module (462) or a Syslog Integration Module (463). The Incident Manager (441) may access information stored in the central database (442). The central database may capture and store information related to the suspicious incidents, attacks or events including Malicious Sessions, C&C information … FIG. 9 is a flowchart showing details of the incident management as depicted in FIG. 5. A session that has been marked as malicious is selected (971), and a blocking module is used to stop all subsequent communication (972). The infected machine and user information is located (973), and added to a database where it is marked as an incident (974). The Threat Name and Hacker Group Information are associated with the Logged Incident (976), and email notification of the incident is sent (977), incident information is stored to SIEMs (978), and incident information is sent to the sys log server (979) before the sequence is terminated …; Examiner’s note: although Mushtaq does not explicitly state a first and second SIEM, it does disclose multiple SIEMs).
However, Mushtaq does not explicitly teach, but DAWANI, from the same or a similar field of endeavor, teaches, “mirroring … network traffic (DAWANI, Abstract: … Techniques are described that enable users to configure the mirroring of network traffic sent to or received by computing resources associated with a virtual network of computing resources at a service provider network. The mirrored network traffic can be used for many different purposes including, for example, network traffic content inspection, forensic and threat analysis, network troubleshooting, data loss prevention, and the like …)”.
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of DAWANI with the teachings of Mushtaq because DAWANI discloses that “Users can configure such network traffic mirroring without the need to manually install and manage network capture agents or other such processes on each computing resource for which network traffic mirroring is desired. Users can cause mirrored network traffic to be stored at a storage service in the form of packet capture (or “pcap”) files, which can be used by any number of available out-of-band security and monitoring appliances including other user-specific monitoring tools and/or other services of the service provider network (DAWANI: Abstract)”.
Regarding Claim 6. The combination of Mushtaq-DAWANI discloses the system of claim 1, and Mushtaq further discloses “wherein the first and second IDS module further comprises a first and second IDS agent module for analyzing the first and second mirrored and aggregated network traffic from the first and second protocol categories and for transmitting a first and second IDS agent data (Mushtaq, FIG. 2-3: the “combination of elements 221 to 225 and 340 to 345” is considered as the “first IDS agent module”, and the “combination of elements 216 to 220 and 332 to 337” is considered as the “second IDS agent module”)”.
Regarding Claim 7. The combination of Mushtaq-DAWANI discloses the system of claim 6, and Mushtaq further discloses “wherein the system further comprises a first and second deep analytics engine (DAE) module for receiving the first and second IDS agent data and for transmitting a first and second DAE data (Mushtaq; col.18,ln.64-67; col.19,ln.1-7; FIG. 1, 3: … Active analysis is a second layer of deep analysis that may be performed on all network flows marked as suspicious by Protocol Analysis Engine (PAE). The purpose of active analysis is to get a single verdict i.e. if the given session is malicious or not (for a given category). Session marked as benign may be discarded and ones marked as malicious may be logged into the database along with appropriate category …).”
Regarding Claim 13. The combination of Mushtaq-DAWANI discloses the system of claim 6, Mushtaq further discloses “wherein the traffic aggregator module, the protocol category splitter module and at least one of the first and second IDS agents exist on an edge Ethernet switch where the network and control elements connect (Mushtaq; Col.11,ln.43-65: … The system's core functionality can depend on the real time inspection of network traffic. A packet capturing module (101) can capture traffic flowing through a network in a systematic way and forward the traffic to the Analysis Engine for the analysis. Packet acquisition can be achieved through a variety of methods, including software agent, appliance, and direct forwarding. A Software Agent can be installed on all end point devices. This end point agent can sniff traffic from OS TCP/IP drivers and forward it to the Analysis Engine for detailed inspection. Appliances, for example a dedicated hardware appliance or a software appliance running inside off the shelf hardware, can be attached with a network switch, router or firewall for sniffing traffic through the physical mediums …).”
Regarding Claim 16. The combination of Mushtaq-DAWANI discloses the system of claim 1, Mushtaq further discloses “wherein the first and second protocol categories are 20configurable (Mushtaq, Abstract: … An Active Cyber Defense method and system is provided for detecting and stopping malicious cyber activity including for example Drive-By Exploits, Malicious Binaries, Data Exfiltration, Social Engineering and Credential Stealing Attacks. The system disclosed herein can be configured to detect and block multi protocol network-based cyber attacks targeting different platforms or operating systems …).”
Regarding Claim 17. The combination of Mushtaq-DAWANI discloses the system of claim 16, Mushtaq further discloses “wherein the first and second protocol categories are configurable based on the group consisting of traffic type, device type, protocol, device, network address, and TCP/UDP port (Mushtaq; col.19,ln.27-37; col.21,ln.47-67: … An Active Cyber Defense System user interface may comprise information regarding the identity of infected machines on the network, as well as additional details regarding the location, usage, MAC ID, or other features of the machine, including the type of the machine and the identity of the machine users. Other information may include the IP address of the infected machine e.g. 10.0.0.28, the name or identifier of the machine e.g. DAVE-LAPTOP, the department that uses the machine or that the machine was registered to e.g. Dev, and the operating system e.g. Macintosh  …  At the start of the Active Intelligence gathering process, a number of network variables are extracted from the given session. For example, variables related to the identity of the online server such as its IP/Domain and Port etc … Some examples of intelligence extracted from hosting infrastructure include: the number of opened ports on an online server; the type of software installed on an online server like web server type; the protocols used by an online server such as http, https, irc, ftp, and ssh; and the online server response time ..)”.
Regarding Claim 18. The combination of Mushtaq-DAWANI discloses the system of claim 17, Mushtaq further discloses “wherein the first and second protocol categories are configurable based on OT traffic (Mushtaq; col.20,ln.51-60: … In FIG. 18, the Command and Control (C&C) tab has been selected and the user interface provides details regarding the Command and Control center of the attackers that targeted DAVE-LAPTOP. The C&C tab may be identified using the C&C IP address, the C&C Location, the C&C Host and the C&C protocol. Above this information is a map, with a pin showing the location of the C&C; in this example the location is Veraguas, Plaza, Panama. The host page of the C&C, the IP address, the C&C Protocol, as well as the Malware Network Communication are also displayed …) and IT traffic (Mushtaq; col.19,ln.17-26: … FIG. 18 is a screen capture of an Event Notification and Control and Command page viewed via an interface of Active Cyber Defense System. An Active Cyber Defense System may perform real-time classification of Network Activity. When a computer on a network engages in a malicious activity, the identity of the computer, details regarding the computer and information regarding the malicious activity may be made accessible to a user or system administrator so that the user or system administrator may catalog, record, or take action in response to the information …).”
Regarding Claim 19. The combination of Mushtaq-DAWANI discloses the system of claim 1, Mushtaq further discloses, “wherein the traffic aggregator module exists at the network edge for allowing access to a copy of all of the network traffic (Mushtaq; col.5,ln.77-63; FIG. 2: … The Active Cyber Defense application can comprise a  packet capturing module, a protocol finger printing module, an analysis engine module, an incident management engine module, and a user interface. The packet capturing module can be configured to monitor and capture network session activity between one or more clients and one or more internet servers and to extract a network flow from the network session activity. …).”
Regarding Claim 20. The combination of Mushtaq-DAWANI discloses the system of claim 1, Mushtaq further discloses, “wherein at least one of the first or second IDS modules communicates at least one of the first or second protocol category alert to at least one of the first or second SIEM modules and the at least one of the first or second SIEM module displays the at least one of the first or second protocol category alert to the user and facilitates the user's interaction with the at least one of the first or second protocol category alert (Mushtaq; col.19,ln.53-67: … A user or system administrator may log-in to the Active Cyber Defense System from a remote location or when connected to or on the physical network. Upon login and authentication, a user may be presented with screens similar to those depicted in FIGS. 18-20. In some instances, a system administrator may wish to review all the machines that have been infected, without looking at the specifics for the given machine. To accomplish this, the system administrator may select an icon, for example the detail button on the left hand side of the screen (not visible in the screen shot), which may display a full screen mode where the user may be able to view details for infected machines on the network. In other instances, after viewing all the infected machines on a network, a system administrator may select one or more infected systems to investigate the nature or details regarding a specific machine specific attack, specific incident, a compiled set of attacks performed by a particular group, the attacks on a particular day or time, and/or attacks that have occurred from a particular location or region …).”
Regarding Claim 21. The combination of Mushtaq-DAWANI discloses the system of claim 1, Mushtaq further discloses, “wherein at least one of the first and second SIEM modules having an interface to facilitate a user configuring at least one of the traffic aggregator module, the protocol category splitter module and at least one of the first and second IDS modules (Mushtaq; col.20,ln.51-67: … In FIG. 18, the Command and Control (C&C) tab has been selected and the user interface provides details regarding the Command and Control center of the attackers that targeted DAVE-LAPTOP. The C&C tab may be identified using the C&C IP address, the C&C Location, the C&C Host and the C&C protocol …).”
Regarding Claim 26. The combination of Mushtaq-DAWANI discloses the system of claim 1, Mushtaq further discloses, “wherein at least one of the first and second IDS modules employs machine learning (Mushtaq; col.5,ln.20-46: … According to one or more embodiments, an Active Cyber Defense System is provided for automatically inspecting network traffic in real time and for detecting and blocking different types of network-based cyber attacks using a series of machine learning classifiers that can self-learn and adapt according to changing cyber threat landscape …).”
Regarding Claim 29. The combination of Mushtaq-DAWANI discloses the system of claim 7, Mushtaq further discloses, “wherein at least one of the first and second DAE modules during the training process utilizes (i) supervised learning techniques with a labeled threat data set (Mushtaq; col.39,ln.25-41: … FIG. 25 is a flowchart providing further details on the classification process (2500) used in an exemplary method of FIG. 23. The purpose of this classification process may be to find out if a Candidate Page looks similar to a known brand page or not. This classification system may comprise binary classification criterion based on supervised machine learning that has just two outcomes “matched” or “not-matched.” …); and/or (ii) deep neural networks can be utilized for feature extraction.”
Regarding Claim 31. This is a method claim that contains the same or similar limitations as claim 1, and hence is similarly rejected as claim 1.
Regarding Claim 32. This is a method claim that contains the same or similar limitations as claim 2, and hence is similarly rejected as claim 2.
Regarding Claim 33. The combination of Mushtaq-DAWANI discloses the method of claim 32, Mushtaq further discloses, “wherein the first and second IDS associated data each comprises alerts data and analytics data (Mushtaq; col.6,ln.24-45: … An Active Intelligence method and system is provided for automatically and covertly extracting forensic data and intelligence in real time to determine whether a selected server is part of a cybercrime infrastructure. In some embodiments, a method for detecting an online malicious server using an active intelligence manager comprises: analyzing network traffic between one or more clients and one or more internet servers, the network traffic comprising one or more internet communications between at least one client and at least one server; extracting network variables from the internet communication, wherein the network flow consists of one or more variables related to the internet communication between the client and the server; and constructing a session identity structure from the network flow. An automated active intelligence manager can be provided that receives the session identity structure. The active intelligence manager can independently perform several steps. In particular, the active intelligence manager can process the session identity structure and can collect or gather one or more types of forensic intelligence related to the operation of the server based on the processed session identity structure … Active Analysis engine may comprise a set of modules configured for setting up and initiating active analysis. For instance, to perform a Visual and Natural language analysis on a HTTP Session, this module may load the session's URL into browser memory and extract rendered web page's image, written text and source code from the browser memory. The main reason behind extracting these artifacts from browser memory rather than extracting them directly from the http session is to avoid encryption, obfuscation, and encoding. 
These extracted artifacts may further be handed over to Active Feature Extractor to extract active features. In another instance, one of the Active Analysis runtime modules may collect real-time intelligence by actively probing a suspicious server through a set of anonymous VPN/Proxy servers. The forensics data collected by real-time inspection of these servers may further be handed over to Active Analysis Feature Extractor to extract active features …)”.
Regarding Claim 34. The combination of Mushtaq-DAWANI discloses the method of claim 33, Mushtaq further discloses, “wherein the analysis of step (d) receives the first and second alerts data of the first and second IDS data (Mushtaq; col.7,ln.58-67: … the potentially malicious traffic session is identified by processing at least protocol features of the network flow. In some cases, the protocol features of the network flow are processed by automated self-learning classifiers. In some embodiments, the visual and natural language based features comprise at least two of images, texts and source code. In some embodiments, the features further comprise features extracted from real-time intelligence collected by probing a suspicious server associated with the potentially malicious traffic session …).”
Regarding Claim 35. The combination of Mushtaq-DAWANI discloses the method of claim 33, Mushtaq further discloses, “wherein the analysis of steps (i) and (ii) receives the first and second analytics data of the first and second IDS data (Mushtaq; col.7,ln.58-67: … the potentially malicious traffic session is identified by processing at least protocol features of the network flow. In some cases, the protocol features of the network flow are processed by automated self-learning classifiers. In some embodiments, the visual and natural language based features comprise at least two of images, texts and source code. In some embodiments, the features further comprise features extracted from real-time intelligence collected by probing a suspicious server associated with the potentially malicious traffic session …).”
Regarding Claim 36. The combination of Mushtaq-DAWANI discloses the method of claim 31, Mushtaq further discloses, “wherein the analysis of step (c) further comprises analyzing the first and second mirrored and aggregated network traffic from the first and second protocol categories and transmitting a first and second IDS agent data (Mushtaq; col.14,ln.7-17,ln.46-53: … After feature extraction the HTTP protocol, HTTPS/TLS/SSL protocol, Protocol N or other protocol, can be analyzed using self-learning protocol classifiers; for example, HTTP self-learning protocol classifiers (225), SSL self-learning protocol classifiers (220), protocol N self-learning protocol classifiers (215), or other protocol classifiers specific to other protocols … The main purpose of the Protocol Classifiers is to filter the maximum amount of benign traffic without missing potential malicious traffic. The high efficacy in detecting benign traffic is achieved by choosing a configuration optimized to generate the maximum amount of TN (True—Vs) or correct rejections. Suspicious sessions identified by the self-learning protocol classifiers may then be transferred to the Active Analysis Engine for further analysis …).”
Regarding Claim 37. The combination of Mushtaq-DAWANI discloses the method of claim 36, Mushtaq further discloses, “wherein the method further comprises receiving the first and second IDS agent data and transmitting a first and second DAE data (Mushtaq; col.18,ln.64-67; col.19,ln.1-7; FIG. 1, 3: … Active analysis is a second layer of deep analysis that may be performed on all network flows marked as suspicious by Protocol Analysis Engine (PAE). The purpose of active analysis is to get a single verdict i.e. if the given session is malicious or not (for a given category). Session marked as benign may be discarded and ones marked as malicious may be logged into the database along with appropriate category …).”
Regarding Claim 43. The combination of Mushtaq-DAWANI discloses the method of claim 31, Mushtaq further discloses, “wherein the first and second protocol categories are configurable based on any of the group consisting of traffic type, device type, protocol, device, network address, and TCP/UDP port (Mushtaq; col.19,ln.27-37; col.21,ln.47-67: … An Active Cyber Defense System user interface may comprise information regarding the identity of infected machines on the network, as well as additional details regarding the location, usage, MAC ID, or other features of the machine, including the type of the machine and the identity of the machine users. Other information may include the IP address of the infected machine e.g. 10.0.0.28, the name or identifier of the machine e.g. DAVE-LAPTOP, the department that uses the machine or that the machine was registered to e.g. Dev, and the operating system e.g. Macintosh … At the start of the Active Intelligence gathering process, a number of network variables are extracted from the given session. For example, variables related to the identity of the online server such as its IP/Domain and Port etc … Some examples of intelligence extracted from hosting infrastructure include: the number of opened ports on an online server; the type of software installed on an online server like web server type; the protocols used by an online server such as http, https, irc, ftp, and ssh; and the online server response time …)”.
Regarding Claim 44. The combination of Mushtaq-DAWANI discloses the method of claim 43, Mushtaq further discloses “wherein the first and second protocol categories are configurable based on OT traffic (Mushtaq; col.20,ln.51-67: … In FIG. 18, the Command and Control (C&C) tab has been selected and the user interface provides details regarding the Command and Control center of the attackers that targeted DAVE-LAPTOP. The C&C tab may be identified using the C&C IP address, the C&C Location, the C&C Host and the C&C protocol. Above this information is a map, with a pin showing the location of the C&C; in this example the location is Veraguas, Plaza, Panama. The host page of the C&C, the IP address, the C&C Protocol, as well as the Malware Network Communication are also displayed …) and IT traffic (Mushtaq; col.19,ln.17-27: … FIG. 18 is a screen capture of an Event Notification and Control and Command page viewed via an interface of Active Cyber Defense System. An Active Cyber Defense System may perform real-time classification of Network Activity. When a computer on a network engages in a malicious activity, the identity of the computer, details regarding the computer and information regarding the malicious activity may be made accessible to a user or system administrator so that the user or system administrator may catalog, record, or take action in response to the information …).”
Regarding Claim 45. The combination of Mushtaq-DAWANI discloses the method of claim 31, Mushtaq further discloses, “wherein step (d) further comprises an interface to facilitate the user configuring at least one of the steps of the process and interacting with the first and second protocol category alerts (Mushtaq; col.20,ln.51-67: … In FIG. 18, the Command and Control (C&C) tab has been selected and the user interface provides details regarding the Command and Control center of the attackers that targeted DAVE-LAPTOP. The C&C tab may be identified using the C&C IP address, the C&C Location, the C&C Host and the C&C protocol. Above this information is a map, with a pin showing the location of the C&C; in this example the location is Veraguas, Plaza, Panama. The host page of the C&C, the IP address, the C&C Protocol, as well as the Malware Network Communication are also displayed … FIG. 19 is a screen capture of an Event Notification and Malware Detail page viewed via an interface of an exemplary embodiment. The greyed out network display listing and the details specific to DAVE-LAPTOP are still displayed on the left side of the screen, however the right side of the screen has changed to display details regarding the Malware. In this instance the full name of the Malware is identified e.g. CredStealing:Web/GoogleDrive, the geographic country of origin of the malware, the alias and the affected platforms are listed. Below the affected platform on the Malware tab display are another three tabs for displaying the description, the virulence, and the safety protocols or approaches. In this instance the description is displayed, providing the user or system administrator with a detailed explanation of the type of attack that has occurred and the potential impact of the attack …).”
Regarding Claim 48. The combination of Mushtaq-DAWANI discloses the method of claim 31, Mushtaq further discloses, “wherein step (c) employs machine learning (Mushtaq; col.5,ln.20-46: … According to one or more embodiments, an Active Cyber Defense System is provided for automatically inspecting network traffic in real time and for detecting and blocking different types of network-based cyber attacks using a series of machine learning classifiers that can self-learn and adapt according to changing cyber threat landscape).”
Regarding Claim 53. This claim contains the same or similar limitations as claim 1, and hence is similarly rejected as claim 1.
**** Note: Mushtaq also discloses a switch (Mushtaq: col.11,ln.43-65).
Regarding Claim 54. The combination of Mushtaq-DAWANI discloses the device of claim 53, Mushtaq further discloses, “further comprising wherein the first and second IDS associated data each comprises alerts data and analytics data (Mushtaq; col.6,ln.24-45: … An Active Intelligence method and system is provided for automatically and covertly extracting forensic data and intelligence in real time to determine whether a selected server is part of a cybercrime infrastructure. In some embodiments, a method for detecting an online malicious server using an active intelligence manager comprises: analyzing network traffic between one or more clients and one or more internet servers, the network traffic comprising one or more internet communications between at least one client and at least one server; extracting network variables from the internet communication, wherein the network flow consists of one or more variables related to the internet communication between the client and the server; and constructing a session identity structure from the network flow. An automated active intelligence manager can be provided that receives the session identity structure. The active intelligence manager can independently perform several steps. In particular, the active intelligence manager can process the session identity structure and can collect or gather one or more types of forensic intelligence related to the operation of the server based on the processed session identity structure … Active Analysis engine may comprise a set of modules configured for setting up and initiating active analysis. For instance, to perform a Visual and Natural language analysis on a HTTP Session, this module may load the session's URL into browser memory and extract rendered web page's image, written text and source code from the browser memory. The main reason behind extracting these artifacts from browser memory rather than extracting them directly from the http session is to avoid encryption, obfuscation, and encoding. These extracted artifacts may further be handed over to Active Feature Extractor to extract active features. In another instance, one of the Active Analysis runtime modules may collect real-time intelligence by actively probing a suspicious server through a set of anonymous VPN/Proxy servers. The forensics data collected by real-time inspection of these servers may further be handed over to Active Analysis Feature Extractor to extract active features …)”.
Regarding Claim 55. The combination of Mushtaq-DAWANI discloses the device of claim 54, Mushtaq further discloses, “wherein the first and second IDS module further comprises a first and second IDS agent module for analyzing the first and second mirrored and aggregated network traffic from the first and second protocol categories and for transmitting a first and second IDS agent data (Mushtaq, FIG. 2-3: “combination of elements 221 to 225 and 340 to 345” is considered as “first IDS agent module”, and “combination of elements 216 to 220 and 332 to 337” is considered as “second IDS agent module”)”.
Regarding Claim 61. The combination of Mushtaq-DAWANI discloses the device of claim 53, Mushtaq further discloses “wherein the first and second protocol categories are configurable based on the group consisting of traffic type, device type, protocol, device, network address, and TCP/UDP port (Mushtaq; col.19,ln.27-37; col.21,ln.47-67: … An Active Cyber Defense System user interface may comprise information regarding the identity of infected machines on the network, as well as additional details regarding the location, usage, MAC ID, or other features of the machine, including the type of the machine and the identity of the machine users. Other information may include the IP address of the infected machine e.g. 10.0.0.28, the name or identifier of the machine e.g. DAVE-LAPTOP, the department that uses the machine or that the machine was registered to e.g. Dev, and the operating system e.g. Macintosh  …  At the start of the Active Intelligence gathering process, a number of network variables are extracted from the given session. For example, variables related to the identity of the online server such as its IP/Domain and Port etc … Some examples of intelligence extracted from hosting infrastructure include: the number of opened ports on an online server; the type of software installed on an online server like web server type; the protocols used by an online server such as http, https, irc, ftp, and ssh; and the online server response time ..)”.
Regarding Claim 62. The combination of Mushtaq-DAWANI discloses the device of claim 61, Mushtaq further discloses, “wherein the first and second protocol categories are configurable based on OT traffic (Mushtaq; col.20,ln.51-67: … In FIG. 18, the Command and Control (C&C) tab has been selected and the user interface provides details regarding the Command and Control center of the attackers that targeted DAVE-LAPTOP. The C&C tab may be identified using the C&C IP address, the C&C Location, the C&C Host and the C&C protocol. Above this information is a map, with a pin showing the location of the C&C; in this example the location is Veraguas, Plaza, Panama. The host page of the C&C, the IP address, the C&C Protocol, as well as the Malware Network Communication are also displayed …) and IT traffic (Mushtaq; col.19,ln.17-27: … FIG. 18 is a screen capture of an Event Notification and Control and Command page viewed via an interface of Active Cyber Defense System. An Active Cyber Defense System may perform real-time classification of Network Activity. When a computer on a network engages in a malicious activity, the identity of the computer, details regarding the computer and information regarding the malicious activity may be made accessible to a user or system administrator so that the user or system administrator may catalog, record, or take action in response to the information …).”

Regarding Claim 67. The combination of Mushtaq-DAWANI discloses the device of claim 53, Mushtaq further discloses, “wherein at least one of the first and second IDS modules employs machine learning (Mushtaq; col.5,ln.20-46: … According to one or more embodiments, an Active Cyber Defense System is provided for automatically inspecting network traffic in real time and for detecting and blocking different types of network-based cyber attacks using a series of machine learning classifiers that can self-learn and adapt according to changing cyber threat landscape …).”
Claims 72-73 are rejected under 35 U.S.C. 103 as being unpatentable over Pat. No.: US 10764313 B1 to Mushtaq (hereinafter “Mushtaq”) in view of Pub. No.: US 20200186600 A1 to DAWANI et al. (hereinafter “DAWANI”), as applied to claim 53 above, and further in view of Pub. No.: US 20100094982 A1 to Budhia et al. (hereinafter “Budhia”).
Regarding Claim 72. The combination of Mushtaq-DAWANI discloses the device of claim 53, however it does not explicitly disclose, but Budhia from same or similar field of endeavor teaches, “wherein the Ethernet switch further comprises an Ethernet line card connected to a switch fabric (Budhia, Para [0035-0036]: …  the system 100d may include a first sub-system 112 and a second sub-system 114. In one embodiment, the first sub-system 112 may include the ingress device 102 and the egress device 104. In one embodiment, the second subsystem 114 may include the intermediate device 110 and the offload engine device 108. In one embodiment, the system 100d may include a third sub-system (not shown) that includes the egress device 104 and in which the first sub-system 112 merely includes the ingress device 102. In one embodiment, a sub-system may be or include a plug-in card. In one embodiment, the network switching fabric 108 may include a back-plane …)”.
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Budhia into the combined teachings of Mushtaq-DAWANI  because it discloses that “a network switch (or just "switch") may include a device that channels incoming data flow from any of multiple input ports to the output port appropriate for the data flow's destination. Typically network switches play an important or integral role in many networks. Typically, network switches may be capable of inspecting data as it is received, determining the source and destination device of that data, and forwarding it appropriately. Frequently, by delivering each piece of data only to the device it was intended for, a network switch may conserve network bandwidth and offer generally improved performance compared to a network hub (or just "hub") (Budhia: Para [0003])”.
Regarding Claim 73. The combination of Mushtaq-DAWANI-Budhia discloses the device of claim 72, Budhia further teaches, “wherein the switch fabric further comprises a switch backplane (Budhia, Para [0035-0036]: … the system 100d may include a first sub-system 112 and a second sub-system 114. In one embodiment, the first sub-system 112 may include the ingress device 102 and the egress device 104. In one embodiment, the second subsystem 114 may include the intermediate device 110 and the offload engine device 108. In one embodiment, the system 100d may include a third sub-system (not shown) that includes the egress device 104 and in which the first sub-system 112 merely includes the ingress device 102. In one embodiment, a sub-system may be or include a plug-in card. In one embodiment, the network switching fabric 108 may include a back-plane …).”
	The motivation to further combine Budhia remains the same as in claim 72.
Allowable Subject Matter
Claims 2-5, 8-12, 14-15, 22-25, 27-28, 30, 38-42, 46-47, 49-52, 56-60, 63-66, 68-71 and 74 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
As allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with.  See 37 CFR 1.111(b) and MPEP § 707.07(a).
Reasons for allowance will be furnished upon allowance.
Pertinent Prior Arts
The following prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Additional prior art is listed on the attached PTOL-892 form.
	NPL: A DDoS Attack Detection Mechanism Based on Protocol Specific Traffic Features; Kashyap et al. (CCSEIT-12, October 26-28, 2012, Coimbatore [Tamil Nadu, India]): Kashyap discloses a victim-end DDoS defense architecture for near-real-time anomaly detection with high detection accuracy, evaluated on two real-time datasets and one benchmark dataset. The disclosed architecture starts by mirroring and capturing the raw network data from a network port and sending it to a pre-processing unit. The basic preprocessing unit extracts all the feature values from the raw packet and first classifies packets by the protocol used. By looking at the packet header it sends the packet to the TCP module if the traffic instance uses TCP, or to either the UDP module or the ICMP module based on the protocol type. Each protocol processing module (TCP, UDP and ICMP) consists of two sub-modules: a feature selection sub-module and a detection engine. Features given by the linear correlation based feature selection (LCFS) algorithm, computed separately for each transport protocol type, are extracted in the respective feature selection sub-module; for example, in the TCP module the set of features given by LCFS for TCP attacks is selected and the others are filtered out. The classification step is performed in the detection engine of the TCP, UDP and ICMP modules: after selection of the relevant features, a classifier classifies the instance into either the DDoS attack class or others, including normal. The classifiers in each module are trained with datasets containing the selected set of features given by the LCFS method for that module.
	Kashyap also discloses carrying out classification experiments with existing benchmark UCI and intrusion datasets (TUIDS) using a number of popular classifiers such as C4.5, Naive Bayes, Bayesian Network, Reduced Error Pruning Tree (REPTree), SVM (2-class) and the KNN algorithm. The detection engine outputs either DDoS attack or normal, which is then sent to the merger.
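The protocol-split pipeline Kashyap describes (capture from a mirror port, classify by protocol, per-protocol feature selection and detection engine, merger) is the same shape as the protocol category splitter feeding separate IDS modules in the rejected claims. The following is an added example, not Kashyap's code, not Mushtaq's, and not the applicant's claimed system, that implements that shape end to end. Everything in it is an assumption made for illustration: the packet record fields, the feature names, the per-protocol feature subsets (standing in for LCFS output), the threshold rules (standing in for trained classifiers) and the constructed traffic windows.

```python
"""Protocol-category splitter with per-protocol detection engines and a merger.

Added illustration of the Kashyap-style architecture; all fields, features,
thresholds and sample traffic are assumptions, not taken from any cited reference.
"""
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Packet:
    """Minimal header summary of one captured packet (assumed record layout)."""
    ts: float      # capture time, seconds
    src: str       # source IP
    dst: str       # destination IP
    proto: str     # "tcp", "udp" or "icmp"
    dport: int     # destination port, 0 for ICMP
    flags: str     # TCP flags as letters, e.g. "S", "SA"; "" for non-TCP
    length: int    # bytes on the wire

PROTOCOL_MODULES = ("tcp", "udp", "icmp")

# Per-protocol feature subsets. A stand-in for the subset a feature-selection
# step (LCFS in Kashyap) would pick for each transport protocol.
SELECTED = {
    "tcp":  ("syn_rate", "synack_ratio", "unique_srcs"),
    "udp":  ("pkt_rate", "unique_dports", "unique_srcs"),
    "icmp": ("pkt_rate", "mean_len", "unique_srcs"),
}

def split_by_protocol(packets):
    """Protocol-category splitter: route each packet to its protocol module."""
    buckets = {p: [] for p in PROTOCOL_MODULES}
    for pkt in packets:
        if pkt.proto in buckets:          # unknown protocols are dropped here
            buckets[pkt.proto].append(pkt)
    return buckets

def extract_features(pkts, window_s):
    """Full per-window feature vector for one protocol bucket."""
    if not pkts:
        return {}
    syn = sum(1 for p in pkts if p.flags == "S")
    synack = sum(1 for p in pkts if p.flags == "SA")
    return {
        "pkt_rate": len(pkts) / window_s,
        "unique_srcs": len({p.src for p in pkts}),
        "unique_dports": len({p.dport for p in pkts}),
        "mean_len": mean(p.length for p in pkts),
        "syn_rate": syn / window_s,
        "synack_ratio": synack / syn if syn else 1.0,
    }

def select_features(proto, features):
    """Feature-selection sub-module: keep only this module's chosen features."""
    return {k: features[k] for k in SELECTED[proto]}

# Detection engines, one per protocol module. Fixed thresholds stand in for the
# trained classifiers; the decision surface is the assumption, not the structure.
def detect_tcp(f):
    # Many SYNs, almost no SYN-ACKs, many sources: SYN-flood shape.
    return f["syn_rate"] > 100 and f["synack_ratio"] < 0.2 and f["unique_srcs"] > 20

def detect_udp(f):
    return f["pkt_rate"] > 200 and f["unique_srcs"] > 20

def detect_icmp(f):
    return f["pkt_rate"] > 100 and f["unique_srcs"] > 20

ENGINES = {"tcp": detect_tcp, "udp": detect_udp, "icmp": detect_icmp}

def run_pipeline(packets, window_s):
    """Splitter -> per-protocol feature selection -> detection engine."""
    verdicts = {}
    for proto, pkts in split_by_protocol(packets).items():
        feats = extract_features(pkts, window_s)
        if not feats:
            verdicts[proto] = "normal"
            continue
        hit = ENGINES[proto](select_features(proto, feats))
        verdicts[proto] = "ddos" if hit else "normal"
    return verdicts

def merge(verdicts):
    """Merger: window is an attack if any protocol module says so."""
    flagged = sorted(p for p, v in verdicts.items() if v == "ddos")
    return ("ddos", flagged) if flagged else ("normal", [])

# Constructed traffic windows (1 s each). Not captured data.
def attack_window():
    pkts = [Packet(i / 200, f"198.51.100.{i + 1}", "10.0.0.5", "tcp", 80, "S", 60)
            for i in range(200)]                       # SYN flood, 200 sources
    pkts += [Packet(i / 50, f"10.0.0.{i % 5 + 1}", "10.0.0.53", "udp", 53, "", 80)
             for i in range(50)]                       # ordinary DNS lookups
    pkts += [Packet(i / 10, "10.0.0.7", "10.0.0.5", "icmp", 0, "", 84)
             for i in range(10)]                       # a few pings
    return pkts

def benign_window():
    pkts = [Packet(i / 20, f"10.0.0.{i % 10 + 1}", "10.0.0.5", "tcp", 443, "S", 60)
            for i in range(20)]
    pkts += [Packet(i / 20, "10.0.0.5", f"10.0.0.{i % 10 + 1}", "tcp", 443, "SA", 60)
             for i in range(20)]                       # handshakes complete
    return pkts

if __name__ == "__main__":
    for name, win in (("attack", attack_window()), ("benign", benign_window())):
        v = run_pipeline(win, 1.0)
        print(name, v, merge(v))
```

The structural point worth noting is that each engine only ever sees its own protocol's selected features, so a UDP engine cannot be confused by TCP handshake state and vice versa; the merger is where the per-protocol verdicts are recombined into one decision for the window.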
US 20060095968 A1; Portolani et al.: Portolani discloses an intrusion detection system (IDS) that is capable of identifying the source of traffic, filtering the traffic to classify it as either safe or suspect and then applying sophisticated detection techniques such as stateful pattern recognition, protocol parsing, heuristic detection or anomaly detection, either singly or in combination, based on the traffic type. In a network environment, each traffic source is provided with at least one IDS sensor that is dedicated to monitoring a specific type of traffic such as RPC, HTTP, SMTP, DNS, or others. Traffic from each traffic source is filtered to remove known safe traffic to improve efficiency and increase accuracy by keeping each IDS sensor focused on a specific traffic type.
	US 20110055921 A1; Narayanaswamy et al.: Narayanaswamy discloses a network security device that performs a three-stage analysis of traffic to identify malicious clients. In one example, a device includes an attack detection module to, during a first stage, monitor network connections to a protected network device; during a second stage, monitor a plurality of types of transactions for the plurality of network sessions when a parameter for the connections exceeds a connection threshold; and during a third stage, monitor communications associated with network addresses from which transactions of the at least one type of transactions originate when a parameter associated with the at least one type of transactions exceeds a transaction-type threshold. The device executes a programmed action with respect to at least one of the network addresses when the transactions of the at least one of the plurality of types of transactions originating from the at least one network address exceed a client-transaction threshold.
This disclosure relates to computer networks and, more particularly, to prevention of attacks in computer networks.
	The intrusion detection and prevention (IDP) device disclosed integrates pattern matching with application- and protocol-specific anomaly detection to identify sophisticated attack behaviors.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED whose telephone number is (571)272-0364.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MAHABUB S AHMED/Examiner, Art Unit 2434
/KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434