DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The following is a Final Office action in response to communications received on 06/30/2022. 

Response to Amendment
Claims 1, 6-12, 15 and 18-20 have been amended. 
Applicant's arguments filed on 06/30/2022 have been fully considered but they are not persuasive. As per the applicant's arguments that the prior art of record does not teach the limitations: "receiving data from nodes of a private network at an external service that is external to the private network, wherein the data comprises sampled packet data that includes information defining communication sessions but not packet payload information, wherein the nodes of the private network comprise edge nodes of the private network including physical devices and virtual services that collectively form a border of the private network, and wherein the external service is configured to automatically adjust sampling rates of data received from the nodes of the private network via communication with the nodes of the private network or through an associated application programming interface", the examiner respectfully disagrees. Prior art of record Hadden teaches: "[0032] The enterprise network 131 (private network) of each organization includes a number of devices. These include computing devices, database systems, and data networking devices such as routers 34 and firewalls 36 (edge nodes of the private network). The enterprise network 131 typically connects to the network cloud 26 via a firewall 36 device. The firewall 36 typically provides a single point of connection for each organization's enterprise network 131 to the network cloud 26. The configuration server 63 includes a config API 39 that enables an external client such as the IM 102 (external service) to execute actions on devices within the client's enterprise network 131. [0033] In the example enterprise network 131 for ACME Company, the firewall 36 also typically connects to a corporate network 70 of the enterprise network 131. A router 34 connects the corporate network 70 to a local network 72.
[0053] In step 406, a data security incident is detected, e.g., a data networking device such as a router 34 or firewall 36 in ACME Company's corporate network 70 detects data associated with a significant increase in download activity for a specific file, and sends data associated with the incident in messages to the ACME IM 102-1." Prior art of record Takeshi teaches: [0025]: Next, the configuration of a LAN (Local Area Network) in a data center according to one embodiment of the present invention will be described with reference to the block diagram of FIG. In FIG. 1, the physical servers 20 to 23 are connected to each other via general-purpose switches 61, 62, 71 to 74. [0026]: A plurality of virtual machines 40-1 to 40-h and a virtual switch 30 are arranged on the physical server 20, and a virtual LAN 50 is configured by these. [0027]: The virtual switch 30 (virtual service) in the physical server 20 is connected to both the general-purpose switches 71 and 72. [0028]: Therefore, a "virtual tunnel" using an IP address is formed between the physical servers 20 to 23 and the general-purpose switches 61 to 74. Then, communication between the virtual machines 40-1 to 43-k becomes possible through the virtual LANs 50 to 53, the virtual switches 30 to 33, and the virtual tunnel. [0036]: The general-purpose switches 61 to 74 send and receive a plurality of IP packets 202, and some of these IP packets 202 are sampled at a specified sampling rate R by the hardware processing of the general-purpose switch (processing by a control circuit other than the CPU). [0037]: The general-purpose switches 61 to 74 are provided with a memory, and a predetermined area thereof is secured as a flow management area 210. In the flow management area 210, traffic information such as the number of packets and the number of bytes is accumulated for each flow. This traffic information is transmitted to the controller 100 (external service).
[0049]: Next, when the process proceeds to step S8, the determined sampling rate is notified from the sampling rate setting means 113 to each of the general-purpose switches 61 to 74 via the input / output interface 124. After that, in each of the general-purpose switches 61 to 74, the IP packet is sampled at the newly determined sampling rate. In many cases, the newly determined sampling rate is higher than the sampling rate in normal times, so that the general-purpose switches 61 to 74 can obtain more accurate flow information than in normal times, i.e., the controller (external service) automatically adjusts the sampling rate of the data received from the general-purpose switches 61 to 74 (nodes of the private network) via communication with the switches.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1, 2, 4, 6, 8-9, 11-13 and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over prior art of record US 20160072836 to Hadden et al (hereinafter Hadden) and prior art of record JP 2016146581 A to Takeshi et al (hereinafter Takeshi).
As per claims 1, 19 and 20, Hadden teaches: 
A method, comprising: 
receiving data from nodes of a private network at an external service that is external to the private network, wherein the nodes of the private network comprise edge nodes of the private network including physical devices that collectively form a border of the private network (Hadden: [0030]: The IMs 102 are hosted within an application server 140. The application server 140 is included within a service network 132. [0031] IM(s) 102-1, 102-2, and 102-3 (external service) manage the incident response for enterprise networks 131 of exemplary organizations ACME Company, BigCorp, and CamCorp, respectively (private networks). [0032] The enterprise network 131 (private network) of each organization includes a number of devices. These include computing devices, database systems, and data networking devices such as routers 34 firewalls 36 (edge nodes of the private network). The enterprise network 131 typically connects to the network cloud 26 via a firewall 36 device. The firewall 36 typically provides a single point of connection for each organization's enterprise network 131 to the network cloud 26. The configuration server 63 includes a config API 39 that enables an external client such as the IM 102 (external service) to execute actions on devices within the client's enterprise network 131. [0033] In the example enterprise network 131 for ACME Company, the firewall 36 also typically connects to a corporate network 70 of the enterprise network 131. A router 34 connects the corporate network 70 to a local network 72. [0053] In step 406, a data security incident is detected, e.g., a data networking device such as a router 34 or firewall 36 in ACME Company's corporate network 70 detects data associated with a significant increase in download activity for a specific file, and sends data associated with the incident in messages to the ACME IM 102-1. 
[0054] According to step 408, the ACME IM 102-1 receives messages including information associated with the detected data security incident); 
analyzing the received data at the external service (Hadden: [0055]: the IM 102 automatically creates the incident object 121 in response to receiving the messages including the information associated with the detected data security incident. [0056] In step 412, the ACME IM 102 detects creation of the incident object 121 and optionally creation of IAs 120 associated with the incident, and parses their contents to identify any included data resources (e.g. IP addresses and the md5 hash for the downloaded file) within the incident object 121, and creates IAs 120 for the data resources identified within the incident object 121); 
detecting from analyzing the data a security event in the private network (Hadden: [0056]: Then, in step 414, the ACME IM 102-1 issues queries to first level TIS(s) 20 configured in the TIS configuration repository 128, to determine whether the IAs 120 (e.g. md5 hash for downloaded file and/or IP addresses of downloaded packets) for the incident object 121 are identified as known threats. [0057] According to step 416, if any known threats are identified, the method transitions to step 418. [0059] In step 420, the IM 102 executes a lookup of known threats (e.g. the IP addresses and/or hash for downloaded file data resources) against the Rules engine 178. If any rules 180 in the rules engine 178 have an IA type that matches the IA type of the known threats in step 422, the method transitions to step 424 and executes the matching rules); and 
automatically generating an output from the external service in response to detecting the security event that facilitates remediating the security event at least at one or more of the nodes of the private network (Hadden: [0061]: According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the enterprise network 131. The config API 39 receives the message and forwards the message to the router 34 for execution on the router 34 in step 432).
Hadden teaches receiving incident objects from networking devices such as routers and firewalls that include IP addresses and md5 hash of the downloaded files but does not teach: wherein the data comprises sampled packet data that includes information defining communication sessions but not packet payload information; edge nodes including virtual services; and wherein the external service is configured to automatically adjust sampling rates of data received from the nodes of the private network via communication with the nodes of the private network or through an associated application programming interface. However, Takeshi teaches:
wherein the data comprises sampled packet data that includes information defining communication sessions but not packet payload information (Takeshi: [0036]: The general-purpose switches 61 to 74 send and receive a plurality of IP packets 202, and some of these IP packets 202 are sampled at a specified sampling rate R by the hardware processing of the general-purpose switch (processing by a control circuit other than the CPU). [0037]: The header of the IP packet 202 includes a source IP address, a destination IP address, a source port, a destination port number, a protocol, and the like, and the flow is specified by these. This traffic information is transmitted to the controller 100 (external service). The writing of the flow information to the flow management area 210, the accumulation of the traffic information, and the transmission of the traffic information to the controller 100 are executed by the CPU in the general-purpose switch);
edge nodes including virtual services (Takeshi: [0025]: Next, the configuration of a LAN (Local Area Network) in a data center according to one embodiment of the present invention will be described with reference to the block diagram of FIG. In FIG. 1, the physical servers 20 to 23 are connected to each other via general-purpose switches 61, 62, 71 to 74. [0026]: A plurality of virtual machines 40-1 to 40-h and a virtual switch 30 are arranged on the physical server 20, and a virtual LAN 50 is configured by these. [0027]: The virtual switch 30 (virtual service) in the physical server 20 is connected to both the general-purpose switches 71 and 72. [0028]: Therefore, a "virtual tunnel" using an IP address is formed between the physical servers 20 to 23 and the general-purpose switches 61 to 74. Then, communication between the virtual machines 40-1 to 43-k becomes possible through the virtual LANs 50 to 53, the virtual switches 30 to 33, and the virtual tunnel); and 
wherein the external service is configured to automatically adjust sampling rates of data received from the nodes of the private network via communication with the nodes of the private network or through an associated application programming interface (Takeshi: [0007]: When the resource confirmation means and the congestion detection means detect the congestion, the resource confirmation means, the sampling rate setting means for setting the sampling rate related to the flow information for the plurality of switches according to the remaining resources. [0008]. Fig. 1 and [0029]: The controller 100 (external service) has a CPU (Central Processing Unit) 110. Then, the CPU 110 functions as the means 111 to 116 described later by executing the program stored in the storage device 122. [0049]: Next, when the process proceeds to step S8, the determined sampling rate is notified from the sampling rate setting means 113 to each of the general-purpose switches 61 to 74 via the input / output interface 124. After that, in each of the general-purpose switches 61 to 74, the IP packet is sampled at the newly determined sampling rate. [0043]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Takeshi in the invention of Hadden to include the above limitations. The motivation to do so would be to improve the accuracy of the traffic information collected from each switch by the traffic information collecting means (Takeshi: [0008]).
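The combined technique relied on above (switches exporting sampled flow records that carry header fields and counters but no payload, a controller that raises the sampling rate under congestion within its remaining resources, and a block-list output for the edge router) is illustrated by the following constructed example. It is added here for illustration and is not code from this Office action or from the Hadden or Takeshi references; the class names, thresholds and traffic are assumptions.

```python
"""Constructed example (not code from the Office action or the cited
references): switches export sampled flow records, a controller adjusts
their sampling rate and emits a block list. All names are assumptions."""
from collections import namedtuple
from dataclasses import dataclass

Packet = namedtuple("Packet", "src dst sport dport proto size payload")
FlowKey = namedtuple("FlowKey", "src dst sport dport proto")  # no payload field


@dataclass
class FlowRecord:
    packets: int = 0
    bytes: int = 0


class Switch:
    """Samples 1 in `sample_every` packets and keeps per-flow counters only."""
    def __init__(self, name, sample_every=50):
        self.name = name
        self.default_every = self.sample_every = sample_every
        self.seen = 0
        self.flows = {}  # the 'flow management area'

    def set_sampling_interval(self, sample_every):
        """Rate notification from the controller; applies to later packets."""
        self.sample_every = max(1, int(sample_every))

    def receive(self, pkt):
        self.seen += 1
        if self.seen % self.sample_every != 0:
            return  # unsampled packets leave no trace
        key = FlowKey(pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        rec = self.flows.setdefault(key, FlowRecord())
        rec.packets += 1
        rec.bytes += pkt.size  # size only; the payload is never stored

    def export(self):
        """Send the flow table (header fields and counters) and clear it."""
        records = {k: (v.packets, v.bytes) for k, v in self.flows.items()}
        self.flows.clear()
        return records


class Controller:
    """External service: collects records, tunes sampling, emits output."""
    def __init__(self, flow_budget, congestion_bytes, heavy_flow_bytes):
        self.flow_budget = flow_budget            # remaining record capacity
        self.congestion_bytes = congestion_bytes  # estimated bytes per export
        self.heavy_flow_bytes = heavy_flow_bytes  # per-flow threshold
        self.last = {}

    def collect(self, switch):
        scale = switch.sample_every  # interval in force while sampling
        self.last[switch.name] = {k: (p * scale, b * scale)
                                  for k, (p, b) in switch.export().items()}
        return self.last[switch.name]

    def adjust_sampling(self, switch):
        """Raise the sampling rate under congestion, bounded by resources."""
        est = self.last.get(switch.name, {})
        if sum(b for _, b in est.values()) < self.congestion_bytes:
            switch.set_sampling_interval(switch.default_every)
            return switch.sample_every
        # Finer sampling exposes more flows; keep expected records in budget.
        factor = max(1, self.flow_budget // max(1, len(est)))
        switch.set_sampling_interval(switch.sample_every // factor)
        return switch.sample_every

    def detect_and_output(self, switch):
        """Remediation output for the router: addresses of heavy flows."""
        est = self.last.get(switch.name, {})
        bad = sorted({k.dst for k, (_, b) in est.items()
                      if b >= self.heavy_flow_bytes})
        return {"action": "block", "addresses": bad}


def build_traffic(n=1000):
    """Constructed traffic: one large TLS download plus background DNS."""
    dns = Packet("10.0.0.8", "198.51.100.2", 40001, 53, "udp", 100, b"q")
    big = Packet("10.0.0.5", "203.0.113.7", 50123, 443, "tcp", 1400, b"x" * 1400)
    return [dns if i % 7 == 0 else big for i in range(n)]


def run_demo():
    sw = Switch("edge-sw-1", sample_every=50)
    ctl = Controller(flow_budget=10, congestion_bytes=1_000_000,
                     heavy_flow_bytes=500_000)
    for pkt in build_traffic():
        sw.receive(pkt)
    est = ctl.collect(sw)
    return est, ctl.adjust_sampling(sw), ctl.detect_and_output(sw)
```

Sampling 1 in 50 packets of the constructed traffic leaves 20 records whose scaled-up counters cross the congestion threshold, so the controller lowers the interval to 10 and names the download destination in its block list.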

As per claim 2, Hadden in view of Takeshi teaches:
The method of claim 1, wherein the data comprises a data stream (Hadden: [0053] In step 406, a data security incident is detected, e.g., a data networking device such as a router 34 or firewall 36 in ACME Company's corporate network 70 detects data associated with a significant increase in download activity for a specific file (data stream), and sends data associated with the incident in messages to the ACME IM 102-1).

As per claim 4, Hadden in view of Takeshi teaches:
The method of claim 1, wherein the data comprises flow data (Hadden: [0053] In step 406, a data security incident is detected, e.g., a data networking device such as a router 34 or firewall 36 in ACME Company's corporate network 70 detects data associated with a significant increase in download activity for a specific file (flow data), and sends data associated with the incident in messages to the ACME IM 102-1).

As per claim 6, Hadden in view of Takeshi teaches:
The method of claim 1, wherein edge nodes of the private network comprise routers, switches, or both (Hadden: [0032] The enterprise network 131 (private network) of each organization includes a number of devices. These include computing devices, database systems, and data networking devices such as routers 34).  

As per claim 8, Hadden in view of Takeshi teaches:
The method of claim 1, wherein the external service provides security operations for the private network (Hadden: [0061]: According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the enterprise network 131. The config API 39 receives the message and forwards the message to the router 34 for execution on the router 34 in step 432).

As per claim 9, Hadden in view of Takeshi teaches:
The method of claim 1, wherein the external service facilitates defending the private network from threats and attacks (Hadden: [0061]: According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the enterprise network 131. The config API 39 receives the message and forwards the message to the router 34 for execution on the router 34 in step 432).

As per claim 11, Hadden in view of Takeshi teaches:
The method of claim 1, wherein the external service facilitates blocking only of Internet Protocol (IP) addresses associated with threats or attacks that are actually detected (Hadden: [0061]: According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the enterprise network 131. The config API 39 receives the message and forwards the message to the router 34 for execution on the router 34 in step 432).

As per claim 12, Hadden in view of Takeshi teaches:
The method of claim 1, wherein the output is generated by a rules engine of the external service that is configured to map the detected security event to an action (Hadden: [0042] The rules engine 178 generates a list of tasks 192 for an IM 102 or IRT personnel 172 to execute in response to data security incidents. The tasks 192 include recommended actions that should be taken to provide an incident response to the data security incidents. Note that the rules engine 178 can also be programmed to automatically execute actions in response to incidents, such as instructing the firewall 36 to block access to certain IP addresses or suspicious protocol ports in response to a data security incident).

As per claim 13, Hadden in view of Takeshi teaches:
The method of claim 1, wherein the output comprises a routing filter or block list (Hadden: [0061]: According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the enterprise network 131. The config API 39 receives the message and forwards the message to the router 34 for execution on the router 34 in step 432).

As per claim 15, Hadden in view of Takeshi teaches:
The method of claim 1, wherein the output is communicated to the at least one or more nodes of the private network via an application programming interface (API) associated with the external service (Hadden: [0061]: According to step 430, using the config API 39 of the configuration server 63, the IM 102 instructs reconfiguration of network devices within the client's enterprise network 131, e.g., send a message over the network cloud 26 to the configuration server 63 via the firewall 36, where the message includes instructions to block the bad IP addresses on the router 34 of the enterprise network 131. The config API 39 receives the message and forwards the message to the router 34 for execution on the router 34 in step 432).

As per claim 16, Hadden in view of Takeshi teaches:
The method of claim 1, further comprising tagging the data (Hadden: [0044]: If the IA 120 already exists, the IM 102 can "link" or associate the existing IA 120 with the newly created incident object 121. The IM 102 can then annotate the existing IA 120 with information obtained from the newly created incident object 121).

As per claim 17, Hadden in view of Takeshi teaches:
The method of claim 1, further comprising storing the data (Hadden: [0036]: The IM 102 also includes an incident database 122 that stores incident objects 121 and incident artifacts (IAs) 120).

As per claim 18, Hadden in view of Takeshi teaches:
The method of claim 1, further comprising providing a portal to the external service that is accessible to an operator of the private network (Hadden: [0034] Personnel typically associated with an Incident Response Team ("IRT") 172 access the IM 102 via the browser 150. The browser 150, in one example, presents a graphical user interface (GUI) application for managing and interacting with the IM 102. [0035] The members of the IRT 172 can also communicate with the IM 102 using web browsers 150 or stand-alone applications running on user devices such as tablet devices, where the application server 140 additionally functions as a web server. [0051] IRT personnel 172 within ACME Company's enterprise network 131 access the ACME (IM) 102 via a browser 150 running on the application server 140).

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Hadden in view of Takeshi as applied to claim 1 above, and further in view of prior art of record US 20200028866 to Kurakami (hereinafter Kurakami).
As per claim 3, Hadden in view of Takeshi does not teach the limitations of claim 3. However, Kurakami teaches:
wherein data from different nodes comprises different sampling rates (Kurakami: [0034] The respective routers 2 performs sampling on traffic information received by the respective interfaces 20 at a predetermined sampling rate, and outputs to the monitoring device 10 as flow information. [0035] To the respective routers 2, a different sampling rate per interface 20 may be set).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Kurakami in the invention of Hadden in view of Takeshi to include the above limitations. The motivation to do so would be to detect a traffic abnormality speedily and accurately by using flow information (Kurakami: [0010]).

Claims 5 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Hadden in view of Takeshi as applied to claim 1 above, and further in view of prior art of record US 10084811 to Dinning et al (hereinafter Dinning).
As per claim 5, Hadden in view of Takeshi does not teach: wherein the data comprises log data. However, Dinning teaches: 
wherein the data comprises log data (Dinning: column 3, lines 55-67: The hub server may be configured to receive files from an automated tool, such as, for example, a vulnerability scanner monitoring an enterprise network, a log repository that stores logged events related to actions or the status of a given server).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Dinning in the invention of Hadden in view of Takeshi to include the above limitations. The motivation to do so would be to allow for most or all identified risk issues to be efficiently reviewed, and manually or automatically correlated with additional contextual metrics for manual or automated analysis, reporting, and/or downstream decision-making (Dinning: column 2, lines 1-6).

As per claim 10, Hadden in view of Takeshi does not teach: wherein the external service comprises a distributed intrusion detection and prevention system. However, Dinning teaches:
wherein the external service comprises a distributed intrusion detection and prevention system (Dinning: A security appliance 105 may be any computing device comprising a processor configured to execute various network and device security functions. Non-limiting examples of security appliances may include a firewall, an intrusion detection/prevention system etc.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Dinning in the invention of Hadden in view of Takeshi to include the above limitations. The motivation to do so would be to allow for most or all identified risk issues to be efficiently reviewed, and manually or automatically correlated with additional contextual metrics for manual or automated analysis, reporting, and/or downstream decision-making (Dinning: column 2, lines 1-6).

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Hadden in view of Takeshi as applied to claim 1 above, and further in view of US 20110075674 to Li (hereinafter Li).
As per claim 7, Hadden in view of Takeshi does not teach the limitations of claim 7. However, Li teaches:
wherein edge nodes of the private network comprise virtual private cloud services (Li: [0031] A virtual machine 116a may be a server instance on server 114a in the cloud network 103 that is controlled by the customer located in private enterprise network 101. [0032] The virtual machines 116a-d allocated to a customer may be connected logically to each other inside the cloud. [0036] A Cloud Data Center CE 112 may be a customer edge router and may be implemented by equipment operated by a customer of a cloud service provider. It should be apparent that although referred to as a "customer" edge device, Cloud Data Center CE 112 may be owned and/or operated by the cloud service provider or some other entity. In some embodiments, the physical CE device containing the logical customer edge router 112 may be shared by multiple enterprise networks).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Li in the invention of Hadden in view of Takeshi to include the above limitations. The claim would have been obvious because a particular known technique was recognized as part of the ordinary capabilities of one skilled in the art (see KSR Int’l Co. v. Teleflex Inc. 550 U.S. ___, 82 USPQ2d 1385 (Supreme Court 2007) (KSR)).
	
Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Hadden in view of Takeshi as applied to claim 1 above, and further in view of prior art of record US 7873993 to Joel W. King (hereinafter King).
As per claim 14, Hadden in view of Takeshi does not teach: wherein the output is communicated to the at least one or more nodes of the private network via Border Gateway Protocol (BGP) or FlowSpec. However, King teaches:
wherein the output is communicated to the at least one or more nodes of the private network via Border Gateway Protocol (BGP) or FlowSpec (King: column 3, lines 8-20: the iBGP protocol configures remote office routers to block the return path to malicious websites with the use of split tunneling while allowing paths to third party resource websites. The iBGP protocol runs on the remote router, advertises routes from the enterprise iBGP router to the remote router and enables the head-end to effectively set up a policy at each remote router. Enterprise policies for blocking access to "blackholed" rogue website addresses are centrally administered).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of King in the invention of Hadden in view of Takeshi to include the above limitations. The motivation to do so would be to efficiently distribute a central policy to distributed egress points from the enterprise network rather than moving agent packet traffic to the head-end before egress to the Internet (King: column 2, lines 40-44).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHURI R. HERZOG
Primary Examiner
Art Unit 2438



/MADHURI R HERZOG/Primary Examiner, Art Unit 2438