DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant’s arguments filed on 03/23/2022 with respect to independent claim(s) have been fully considered but are moot based upon the new ground of rejection.

Applicant argues the none of the prior art of record discloses the new amended feature which recites, “ identifying a set of Top-N fields of packets that correspond to a detected change in a traffic pattern and a set of values associated with the identified Top-N fields; and analyzing the identified fields and values to generate a policy used to allow or drop subsequent packets.

4.Examiner would like to point out that the new secondary reference Jain (2017/0250953) in Para:0028-0029 and Para:0064-0065 teaches the above claimed limitation (see, the rejection below).

Claim Rejections - 35 USC § 103
5. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

6. Claims 1-6 and 8-18 are rejected under 35 U.S.C. 103 as being unpatentable over Parandehgheibi (US Pub.No.2016/0359705) in view of Jain (US Pub.No.2017/0250953).

7. Regarding  claim 1 Parandehgheibi teaches a method of dynamically specifying policies in response to changes in traffic processed by elements in a network, the method comprising:
sending packets received by the network elements to a learning manager to detect a change in pattern of the traffic processed by the network elements; in response to the learning manager detecting the change in the traffic pattern, performing at each network element an analysis to identify a set of analysis fields of the received packets that corresponds to the detected change in the traffic pattern (Para: 0029, Para:0037 and Para: 0046 teaches analyzing the network traffic data (including packet data) for identifying malicious traffic patterns. The network traffic data can include source/destination MAC address, source/destination IP address, protocol, port number, etc. The network traffic data can also include summaries of network activity or other network statistics such as number of packets, number of bytes, number of flows, bandwidth usage, response time, latency, packet loss, jitter, and other network statistics [these are the analysis fields herein]. The analytics engine 310 can then analyze network traffic and corresponding data to recognize when the network is under attack. The network will operate within a trusted environment for a period of time so that the analytics engine 310 can establish a baseline of normal operation. Since malware is constantly evolving and changing, machine learning will be used to dynamically update models for identifying malicious. Patra:084 and Para:0087 teaches the machine learning can be includes supervised training. In supervised learning, the training data examples contain labels for the outcome variable of interest. There are example inputs and the values of the outcome variable of interest are known in the training data. The goal of supervised learning is to learn a method for mapping inputs to the outcome of interest. The supervised models then make predictions about the values of the outcome variable for new observations. Supervised learning methods include boosting, neural networks, and random forests, among others. Para: 0046 teaches since malware is constantly evolving and changing, machine learning may be used to dynamically update models for identifying malicious traffic patterns);

Parandehgheibi teaches all the above claimed limitations but does not expressly teach performing at each network element an analysis to identify a set of Top-N analysis fields of the received packets.

Jain teaches performing at each network element an analysis to identify a set of Top-N analysis fields of the received packets that corresponds to the detected change in the traffic and a set of values associated with the identified Top-N fields (Para:0028-0029 teaches the host's packets 106 are inspected to identify 130 packet features from headers and/or payloads of the packets 106. Packet features include, for example, source and destination network addresses, hashes of payload contents, protocols, ports, payload sizes, packet counts etc. Various top-N packet features may be tracked at each host. Locally derived statistics of packet features are then collectively used to identify 134 the top packet features occurring among participating hosts 100 across the network 102. 
Para:0064-0065 teaches measuring and collecting packet information can be useful for mitigating potentially problematic current conditions on a network. At the control server 200, an anomaly detection module 378 performs a detection process 379 of on-demand or periodically evaluating, for instance, the top-N entries to identify a threat or anomaly, and a mitigation engine 276 performs a mitigation process 380 to respond to the anomaly detection module 378.
Detection can be performed by evaluating the entries in the top-K/top-N table and information related to those entries. Known signal processing algorithms, machine learning methods, or the like, can be used to automatically identify unusual packet features or packet features correlated with prior events. Identification can be performed with less complex techniques, such as selecting entries with highest statistics, comparing statistics of entries with normalized thresholds, using time information to identify large rates or sudden rate increases, correlating the topmost statistically significant packet features with congestion signals, and so forth. When a key or packet feature is identified as a problem, the mitigation service 276 is notified.
Para:0072 teaches the terms “top-N” and “top-K” refer to any type of subset of topmost members in a set. The “N” value may vary from host to host or may vary at each host over time. The “K” value may similarly vary over time. The “N” and “K” values may be the same or different; the different labels are intended to distinguish between local and collective data. The conditions that define a top-K/N set of packet features can vary. A top-K/N set of packet features can be a ratio of top packet features (e.g., the top one fifth), a fixed number of top packet features (e.g., the ten packet features with a highest count), packet features with statistic values above a threshold value, application-defined, etc. Moreover, packet features can be ranked, relative to each other, in a number of ways, and rankings can be the basis for determining a top-K/N set. Rankings can be determined by weighted combinations of attributes (e.g., classifications) and/or statistic values);

analyzing the fields and values identified by each network element to generate a policy for processing subsequently received packets; and using the to allow or drop the subsequently received packets (Para:0066 and Para:0070 teaches the mitigation process 380 obtains information or traits of any detected threat or anomaly, perhaps represented by a key (packet feature), to determine which mitigation actions to take. Traits of an identified packet feature can be determined in many ways, for instance by payload contents, protocols or ports, known addresses, historical statistics of the packet feature, or leveraging external information such as blacklists of IP addresses known to have sent malicious traffic, etc. The relevant traits can be used, by a defined policy or heuristically, to select a mitigation action. The traits can be provided to a trained or untrained classification algorithm to identify a category of threat or anomaly associated with the packet feature. Categories can be, for example, a level of importance (high, medium, or low) an attack category such as DoS or syn flood, an application level type of attack such as a particular HTTP attack, a spoofing attack, a failed network link or malformed route on the network, etc. Mitigation actions are formulated accordingly for example dropping the packet, or packets matching a pattern can be re-routed to specific end points e.g., traffic scrubbers).

Therefore, it would have been obvious to one of ordinary skill in the art before the invention was filing to modify the teachings of Parandehgheibi to include performing at each network element an analysis to identify a set of Top-N analysis fields of the received packets that corresponds to the detected change in the traffic and a set of values associated with the identified Top-N fields, as taught by Jain such a setup would automatically detect and mitigate completely new types of attack packets. 

8. Regarding claim 2 Parandehgheibi teaches the method, wherein the learning manager is trained to generate an attack model based on the traffic pattern (Para: 0081-0084 and Para: 0092 teaches trained to generate an attack model based on the traffic).

9. Regarding claim 3 Parandehgheibi teaches the method, wherein the attack model is based at least in part on analysis of a plurality of layers of packet data (Para:0037-0038 and Para:0055 teaches analysis of a plurality of layers of packet data). 

 10. Regarding claim 4 Parandehgheibi  in view of Jain teaches the method, wherein the analyzing comprises sending the Top-N fields from each network element to a controller to be aggregated (Jain: Para:0028-0029 and Para:0064-0065 teaches sending top-N analysis to an analysis engine. 
 Parandehgheibi: Para: 0051 teaches the flow is generally one or more packets sharing certain attributes that are sent within a network within a specified period of time. The flow attributes 332 can include packet header fields such as a source address (e.g., Internet Protocol (IP) address, Media Access Control (MAC) address, Domain Name System (DNS) name, or other network address), source port, destination address, destination port, protocol type, class of service, among other fields. The source address may correspond to a first endpoint (e.g., network device, physical server, virtual partition, etc.) of the network, and the destination address may correspond to a second endpoint, a multicast group, or a broadcast domain. The flow attributes 332 can also include aggregate packet data such as flow start time, flow end time, number of packets for a flow, number of bytes for a flow, the union of TCP flags for a flow, among other flow data. Para: 0055 teaches the analytics engine 310 may include any number of engines 350, including for example, a flow engine 352 for identifying flows (e.g., flow engine 352) or an attacks engine 354 for identify attacks to the network. Para: 0077 teaches the data flow and associated data (such as its attributes) can be aggregated and summarized daily).

11. Regarding claim 5 Parandehgheibi teaches the method, wherein the received packets correspond to a domain name service (DNS) request (Para: 0031 teaches the packets that are received correspond to a DNS request).

12. Regarding claim 6 Parandehgheibi teaches the, wherein the DNS request is for a non-existent domain (Para: 0031 teaches updating new IP addresses).

13. Regarding claim 8 Parandehgheibi teaches the method, wherein the change in the traffic pattern is based at least in part on extracting a feature of the received packets (Para:0029 and Para:0051 teaches the flow is generally one or more packets sharing certain attributes that are sent within a network within a specified period of time. The flow attributes 332 can include packet header fields such as a source address (e.g., Internet Protocol (IP) address, Media Access Control (MAC) address, Domain Name System (DNS) name, or other network address), source port, destination address, destination port, protocol type, class of service, among other fields. The source address may correspond to a first endpoint (e.g., network device, physical server, virtual partition, etc.) of the network, and the destination address may correspond to a second endpoint, a multicast group, or a broadcast domain. The flow attributes 332 can also include aggregate packet data such as flow start time, flow end time, number of packets for a flow, number of bytes for a flow, the union of TCP flags for a flow, among other flow data [these are the extracted features]. 
Para: 0055 and Para:0058 teaches the analytics engine 310 may include any number of engines 350, including for example, a flow engine 352 for identifying flows (e.g., flow engine 352) or an attacks engine 354 for identify attacks to the network and will detect the change in the traffic pattern).

14. Regarding claim 9 Parandehgheibi teaches the method, wherein the feature of the received packets is determined based at least in part on a machine learning model (Para: 0046 and Para: 0083 teaches the network traffic may be associated with malicious programs or devices. The analytics engine 310 may be provided with examples of network states corresponding to an attack and network states corresponding to normal operation. The analytics engine 310 can then analyze network traffic and corresponding data to recognize when the network is under attack. The network may operate within a trusted environment for a period of time so that the analytics engine 310 can establish a baseline of normal operation. Since malware is constantly evolving and changing, machine learning may be used to dynamically update models for identifying malicious traffic patterns).

15. Regarding claim 10 Parandehgheibi in view of Jain teaches the method, wherein the identification of a set of Top-N fields is based at least in part on mapping the change in the traffic pattern to an attack type (Jain: Para:0028-0029 teaches the host's packets 106 are inspected to identify 130 packet features from headers and/or payloads of the packets 106. Packet features include, for example, source and destination network addresses, hashes of payload contents, protocols, ports, payload sizes, packet counts etc. Various top-N packet features may be tracked at each host. Locally derived statistics of packet features are then collectively used to identify 134 the top packet features occurring among participating hosts 100 across the network 102. 
Para:0064-0065 teaches measuring and collecting packet information can be useful for mitigating potentially problematic current conditions on a network. At the control server 200, an anomaly detection module 378 performs a detection process 379 of on-demand or periodically evaluating, for instance, the top-N entries to identify a threat or anomaly, and a mitigation engine 276 performs a mitigation process 380 to respond to the anomaly detection module 378.
Detection can be performed by evaluating the entries in the top-K/top-N table and information related to those entries. Known signal processing algorithms, machine learning methods, or the like, can be used to automatically identify unusual packet features or packet features correlated with prior events. Identification can be performed with less complex techniques, such as selecting entries with highest statistics, comparing statistics of entries with normalized thresholds, using time information to identify large rates or sudden rate increases, correlating the topmost statistically significant packet features with congestion signals, and so forth. When a key or packet feature is identified as a problem, the mitigation service 276 is notified).

16. Regarding claim 11 Parandehgheibi teaches the method, wherein the Top-N analysis defines which layer to use to determine whether the request corresponds to an attack (Para: 0037-0038 and Para: 0055 teaches analysis the layers to determine attack).

17. Regarding claim 12 Parandehgheibi in view of Jain teaches the method, generating the policy in response to changes in the traffic pattern reduces processing cycles by dropping the packet earlier (Jain: Para:0028-0029 and Para:0064-0065 teaches performing Top-N analysis. Parandehgheibi: para: 0040 teaches dropping the packets before the analysis). 

18. Regarding claim 13 Parandehgheibi in view of Jain teaches the method, wherein the network elements are a plurality of service engines (Para: 0055 and Para: 0064 teaches network elements are a plurality of service engines).
 
19. Regarding claim 14 Parandehgheibi teaches the method, wherein the plurality of service engines is distributed across a plurality of physical devices (Para: 0055 and Para: 0064 teaches the service engines is distributed across a plurality of physical devices).

20. Regarding claim 15 Parandehgheibi teaches the method, further comprising generating  a model at a virtual service level (Para: 0015, Para: 0034 and Para: 0081-0083 teaches the aggregated analysis is a model at a virtual server).

21. Regarding claim 16 Parandehgheibi in view of Jain teaches the method, wherein the said performing and analyzing are performed in real time to  the received packets to determine whether an attack is occurring (Jain: Para:0028-0029 teaches analyzing the packets in real time to determine malicious).

22. Claims 7 is rejected under 35 U.S.C. 103 as being unpatentable over Parandehgheibi (US Pub.No.2016/0359705) in view of Jain (US Pub.No.2017/0250953) as applied to claim 1 above and further in view of Weinberg (US Pub.No.2017/0142144).

 23. Regarding claim 7 Parandehgheibi in view of Jain teaches all the above claimed limitations but does not expressly teach, the method wherein the received packets correspond to a fully qualified domain name (FQDN) with a response size larger than a threshold.

Weinberg teaches the received packets correspond to a fully qualified domain name (FQDN) with a response size larger than a threshold (Para: 0044 teaches determine the received packets correspond to a fully qualified domain name (FQDN)).

Therefore, it would have been obvious to one of ordinary skill in the art before the invention was filing to modify the teachings of Parandehgheibi in view of Jain to include the received packets correspond to a fully qualified domain name, as taught by Weinberg such a setup would monitor the use of the DNS functionality and to generate notifications when anomalous DNS use is detected.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEREENA T CATTUNGAL whose telephone number is (571)270-0506. The examiner can normally be reached Mon-Fri: 7:30 AM-5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/DEREENA T CATTUNGAL/Primary Examiner, Art Unit 2431