DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).

Claims 31 and 33-36 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1, 8-9 of the issued patent Ahn et al., US 9,560,176 B2 (Ahn’0176 hereinafter), in view of disclosed prior art Bostrom et al., US 2012/0331543 A1 (Bostrom hereinafter). Although the conflicting claims are not identical, they are not patentably distinct from each other because the subject matter claimed in the instant application is covered by the subject matter of the issued patent US 9,560,176 B2.
The table below shows a side-by-side comparison of the instant application over the issued patent. Each row pairs a claim of the instant application (left) with the corresponding claim of issued patent US 9,560,176 B2 (right).

Instant Application | Issued patent US 9,560,176 B2
------------------------------------------------------------

Instant Application:
31. A method comprising:
identifying a first plurality of packets received, by a first device, from a first host in a first network;
generating one or more first log entries corresponding to the first plurality of packets;
identifying a second plurality of packets transmitted, by a second device, to a second host in a second network;
generating one or more second log entries corresponding to the second plurality of packets;
correlating, based on the one or more first log entries and the one or more second log entries, one or more packets of the first plurality of packets with one or more packets of the second plurality of packets;
determining, based on the correlating, that either or both of the first host and the second host are associated with a malicious entity; and
transmitting an indication of the malicious entity.

Issued patent US 9,560,176 B2:
1. A method comprising:
identifying, by a computing system, a plurality of packets received by a network device from a host located in a first network;
generating, by the computing system, a plurality of log entries corresponding to the plurality of packets received by the network device;
identifying, by the computing system, a plurality of packets transmitted by the network device to a host located in a second network;
generating, by the computing system, a plurality of log entries corresponding to the plurality of packets transmitted by the network device;
correlating, by the computing system and based on the plurality of log entries corresponding to the plurality of packets received by the network device and the plurality of log entries corresponding to the plurality of packets transmitted by the network device, the plurality of packets transmitted by the network device with the plurality of packets received by the network device;
and responsive to correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device:
generating, by the computing system and based on the correlating, one or more rules configured to identify packets received from the host located in the first network; and
provisioning a packet-filtering device with the one or more rules configured to identify packets received from the host located in the first network.

------------------------------------------------------------

Instant Application:
33. The method of claim 31, further comprising:
generating, based on the correlating, one or more new rules configured to identify packets associated with the malicious entity; and
provisioning one or more computing devices with the one or more new rules.

Issued patent US 9,560,176 B2:
9. The method of claim 1, comprising:
determining, by the computing system, that the host located in the second network is associated with a malicious entity; and
generating, by the computing system, one or more rules configured to cause the first network to drop packets transmitted by the host located in the first network.

------------------------------------------------------------

Instant Application:
34. A method comprising:
identifying a first plurality of packets received, by a device, from a first host in a first network;
generating one or more first log entries corresponding to the first plurality of packets;
identifying a second plurality of packets transmitted, by the device, to a second host in a second network;
generating one or more second log entries corresponding to the second plurality of packets;
correlating, based on the one or more first log entries and the one or more second log entries, one or more packets of the first plurality of packets with one or more packets of the second plurality of packets;
determining, based on the correlating, that either or both of the first host and the second host are associated with a malicious entity; and
transmitting an indication of the malicious entity.

Issued patent US 9,560,176 B2:
1. A method comprising:
identifying, by a computing system, a plurality of packets received by a network device from a host located in a first network;
generating, by the computing system, a plurality of log entries corresponding to the plurality of packets received by the network device;
identifying, by the computing system, a plurality of packets transmitted by the network device to a host located in a second network;
generating, by the computing system, a plurality of log entries corresponding to the plurality of packets transmitted by the network device;
correlating, by the computing system and based on the plurality of log entries corresponding to the plurality of packets received by the network device and the plurality of log entries corresponding to the plurality of packets transmitted by the network device, the plurality of packets transmitted by the network device with the plurality of packets received by the network device;
and responsive to correlating the plurality of packets transmitted by the network device with the plurality of packets received by the network device:
generating, by the computing system and based on the correlating, one or more rules configured to identify packets received from the host located in the first network; and
provisioning a packet-filtering device with the one or more rules configured to identify packets received from the host located in the first network.

------------------------------------------------------------

Instant Application:
35. The method of claim 34, wherein correlating the one or more packets of the first plurality of packets with the one or more packets of the second plurality of packets comprises:
comparing one or more first times indicated by the one or more first log entries with one or more second times indicated by the one or more second log entries.

Issued patent US 9,560,176 B2:
8. The method of claim 7, wherein:
generating the plurality of log entries corresponding to the plurality of packets received by the network device comprises generating a plurality of timestamps indicating times corresponding to receipt, by the network device, of the plurality of packets received by the network device;
generating the plurality of log entries corresponding to the plurality of packets transmitted by the network device comprises generating a plurality of timestamps indicating times corresponding to transmission, by the network device, of the plurality of packets transmitted by the network device; and
comparing the one or more times comprises comparing one or more times indicated by the plurality of timestamps indicating times corresponding to receipt with one or more times indicated by the plurality of timestamps indicating times corresponding to transmission.

------------------------------------------------------------

Instant Application:
36. The method of claim 34, further comprising:
causing one or more computing devices associated with the first network to drop packets associated with the malicious entity.

Issued patent US 9,560,176 B2:
9. The method of claim 1, comprising:
determining, by the computing system, that the host located in the second network is associated with a malicious entity; and
generating, by the computing system, one or more rules configured to cause the first network to drop packets transmitted by the host located in the first network.

------------------------------------------------------------



Regarding claim 31, Ahn’0176 discloses a method comprising:
identifying a first plurality of packets received, by a first device, from a first host in a first network;
generating one or more first log entries corresponding to the first plurality of packets;
identifying a second plurality of packets transmitted, by a second device, to a second host in a second network;
generating one or more second log entries corresponding to the second plurality of packets;
correlating, based on the one or more first log entries and the one or more second log entries, one or more packets of the first plurality of packets with one or more packets of the second plurality of packets (see Ahn’0176 claim 1);
Regarding claim 33, Ahn’0176 discloses further comprising:
generating, based on the correlating, one or more new rules configured to identify packets associated with the malicious entity; and
provisioning one or more computing devices with the one or more new rules (see Ahn’0176 claim 9).
Regarding claim 34, Ahn’0176 discloses a method comprising:
identifying a first plurality of packets received, by a device, from a first host in a first network;
generating one or more first log entries corresponding to the first plurality of packets;
identifying a second plurality of packets transmitted, by the device, to a second host in a second network;
generating one or more second log entries corresponding to the second plurality of packets;
correlating, based on the one or more first log entries and the one or more second log entries, one or more packets of the first plurality of packets with one or more packets of the second plurality of packets (see Ahn’0176 claim 1);
Regarding claim 35, Ahn’0176 discloses wherein correlating the one or more packets of the first plurality of packets with the one or more packets of the second plurality of packets comprises:
comparing one or more first times indicated by the one or more first log entries with one or more second times indicated by the one or more second log entries (see Ahn’0176 claim 8).
Regarding claim 36, Ahn’0176 discloses further comprising:
causing one or more computing devices associated with the first network to drop packets associated with the malicious entity (see Ahn’0176 claim 9).
Regarding claims 31 and 34, Ahn’0176 does not explicitly disclose determining, based on the correlating, that either or both of the first host and the second host are associated with a malicious entity; and
transmitting an indication of the malicious entity.
In the same field of endeavor (e.g., communication system) Bostrom discloses a method for preventing certain types of attacks on computing systems that comprises determining, based on the correlating, that either or both of the first host and the second host are associated with a malicious entity (correlating the destination IP address and port number with source IP address and port numbers, respectively, of entries in the table; and, if the destination IP address and the port number correlate with a source IP address and port number of an entry in the table, marking all entries in the table with a source IP address corresponding to the destination IP address as a non-threat; and, if the destination IP address and the port number do not correlate with a source IP address and port number of an entry in the table, marking all entries in the table with a source IP address corresponding to the destination IP address as a threat; see Bostrom, paragraph [0004]); and
transmitting an indication of the malicious entity (If, during block 270, a determination is made that the destination port does not correspond to an entry corresponding to the destination IP address in PATT 136, control proceeds to a "Mark PATT" block 272. During processing associated with "Mark PATT" 272, the entry is marked with an appropriate code that indicates that the packet is a "THREAT DETECTED." During processing associated with a "Blacklist Host" block 274, the entries in PATT 136 corresponding to the internal host of the destination IP address are marked with an appropriate code to indicate that incoming communication for the internal host is disabled; see Bostrom, paragraph [0028]. Also see paragraph [0044], “During processing associated with an "IP Match?" block 264 a determination is made as to whether or not the destination IP address matches any entries in PATT 136. If not, indicating that there is no corresponding address in private network 116, control proceeds to a "Reject Packet" block 266. During processing associated with block 266, appropriate measures are taken to process an undeliverable packet, such as but not limited to, notifying an administrator of private network 116 and perhaps the sender of the packet”).
It would have thus been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the features of Bostrom regarding preventing certain types of attacks on computing systems into the method of correlating packets in a communications network of the instant application. The motivation to do so is to prevent an attack without exposing the network to denial-of-service attacks (see Bostrom, abstract).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claims 31 and 34-36 are rejected under 35 U.S.C. 103 as being unpatentable over disclosed prior art Darisi et al., US 8,004,994 B1 (Darisi hereinafter), in view of disclosed prior art Bostrom et al., US 2012/0331543 A1 (Bostrom hereinafter).
Here is how the references teach the claims. 
Regarding claim 31, Darisi discloses a method comprising:
identifying a first plurality of packets received, by a first device, from a first host in a first network (In an exemplary test environment, all traffic from both the source 12 and destination DUT on medium #1 (15) is captured by the source monitor; see Darisi, col. 4, lines 36-38. Also see col. 3, lines 52-56, “In FIG. 1, the source and destination DUTs communicate over medium #1 (15), which may be, for example, a wireless communication medium, using protocols such as the 802.11 Local Area Network (LAN) protocol, or wire-line medium”);
generating one or more first log entries corresponding to the first plurality of packets (The source monitor 16 includes a source list 18, which records packets that are transmitted by the source DUT 12 to the destination DUT 14; see Darisi, col. 4, lines 28-30);
identifying a second plurality of packets transmitted, by a second device, to a second host in a second network (and all the traffic forwarded by the destination DUT on medium#2 (17) is captured by the destination monitor 20; see Darisi, col. 4, lines 38-40. Also see col. 4, lines 8-11, “In the exemplary embodiment of FIG. 1, the destination DUT couples source 12 to medium #2 which is a wire-line network that uses an Ethernet protocol”);
generating one or more second log entries corresponding to the second plurality of packets (The destination monitor 20 maintains a destination list 22, which is a record of each packet that is captured on medium #2. In a system without faults, the destination list would list every packet that is received by the destination DUT 14; see Darisi, col. 4, lines 40-44);
correlating, based on the one or more first log entries and the one or more second log entries, one or more packets of the first plurality of packets with one or more packets of the second plurality of packets (The source list and destination list are compared to identify packets that were recorded by the source monitor as sent by the source DUT but do not appear in the destination list; see Darisi, col. 2, lines 34-37. Also see col. 5, lines 32-35, “When determining whether the destination DUT received the packet, in a first phase of analysis the correlation analyzer 25 performs a bit-wise comparison of the contents of each captured packet to identify packet 'matches'”. Also see col. 5, lines 35-37, “The matches explicitly show the receipt of the packet by the destination monitor”);
Regarding claim 34, Darisi discloses a method comprising:
identifying a first plurality of packets received, by a device, from a first host in a first network (In an exemplary test environment, all traffic from both the source 12 and destination DUT on medium #1 (15) is captured by the source monitor; see Darisi, col. 4, lines 36-38. Also see col. 3, lines 52-56, “In FIG. 1, the source and destination DUTs communicate over medium #1 (15), which may be, for example, a wireless communication medium, using protocols such as the 802.11 Local Area Network (LAN) protocol, or wire-line medium”);
generating one or more first log entries corresponding to the first plurality of packets (The source monitor 16 includes a source list 18, which records packets that are transmitted by the source DUT 12 to the destination DUT 14; see Darisi, col. 4, lines 28-30);
identifying a second plurality of packets transmitted, by the device, to a second host in a second network (and all the traffic forwarded by the destination DUT on medium#2 (17) is captured by the destination monitor 20; see Darisi, col. 4, lines 38-40. Also see col. 4, lines 8-11, “In the exemplary embodiment of FIG. 1, the destination DUT couples source 12 to medium #2 which is a wire-line network that uses an Ethernet protocol”);
generating one or more second log entries corresponding to the second plurality of packets (The destination monitor 20 maintains a destination list 22, which is a record of each packet that is captured on medium #2. In a system without faults, the destination list would list every packet that is received by the destination DUT 14; see Darisi, col. 4, lines 40-44);
correlating, based on the one or more first log entries and the one or more second log entries, one or more packets of the first plurality of packets with one or more packets of the second plurality of packets (The source list and destination list are compared to identify packets that were recorded by the source monitor as sent by the source DUT but do not appear in the destination list; see Darisi, col. 2, lines 34-37. Also see col. 5, lines 32-35, “When determining whether the destination DUT received the packet, in a first phase of analysis the correlation analyzer 25 performs a bit-wise comparison of the contents of each captured packet to identify packet 'matches'”. Also see col. 5, lines 35-37, “The matches explicitly show the receipt of the packet by the destination monitor”);
Regarding claims 31 and 34, Darisi does not explicitly disclose 
determining, based on the correlating, that either or both of the first host and the second host are associated with a malicious entity; and
transmitting an indication of the malicious entity.
In the same field of endeavor (e.g., communication system) Bostrom discloses a method for preventing certain types of attacks on computing systems that comprises determining, based on the correlating, that either or both of the first host and the second host are associated with a malicious entity (correlating the destination IP address and port number with source IP address and port numbers, respectively, of entries in the table; and, if the destination IP address and the port number correlate with a source IP address and port number of an entry in the table, marking all entries in the table with a source IP address corresponding to the destination IP address as a non-threat; and, if the destination IP address and the port number do not correlate with a source IP address and port number of an entry in the table, marking all entries in the table with a source IP address corresponding to the destination IP address as a threat; see Bostrom, paragraph [0004]); and
transmitting an indication of the malicious entity (If, during block 270, a determination is made that the destination port does not correspond to an entry corresponding to the destination IP address in PATT 136, control proceeds to a "Mark PATT" block 272. During processing associated with "Mark PATT" 272, the entry is marked with an appropriate code that indicates that the packet is a "THREAT DETECTED." During processing associated with a "Blacklist Host" block 274, the entries in PATT 136 corresponding to the internal host of the destination IP address are marked with an appropriate code to indicate that incoming communication for the internal host is disabled; see Bostrom, paragraph [0028]. Also see paragraph [0044], “During processing associated with an "IP Match?" block 264 a determination is made as to whether or not the destination IP address matches any entries in PATT 136. If not, indicating that there is no corresponding address in private network 116, control proceeds to a "Reject Packet" block 266. During processing associated with block 266, appropriate measures are taken to process an undeliverable packet, such as but not limited to, notifying an administrator of private network 116 and perhaps the sender of the packet”).
It would have thus been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the features of Bostrom regarding preventing certain types of attacks on computing systems into the method for monitoring operation of communication devices of Darisi. The motivation to do so is to prevent an attack without exposing the network to denial-of-service attacks (see Bostrom, abstract).
Regarding claim 35, Darisi discloses wherein correlating the one or more packets of the first plurality of packets with the one or more packets of the second plurality of packets (The source list and destination list are compared to identify packets that were recorded by the source monitor as sent by the source DUT but do not appear in the destination list; see Darisi, col. 2, lines 34-37. Also see col. 5, lines 32-35, “When determining whether the destination DUT received the packet, in a first phase of analysis the correlation analyzer 25 performs a bit-wise comparison of the contents of each captured packet to identify packet 'matches'”. Also see col. 5, lines 35-37, “The matches explicitly show the receipt of the packet by the destination monitor”) comprises:
comparing one or more first times indicated by the one or more first log entries with one or more second times indicated by the one or more second log entries (An example of information that may be used in the source and destination lists for measuring delay will now be described with regard to FIG. 4. In FIG. 4, a source list 65 is shown to include a packet sequence number 69a, packet data 69b and a packet time stamp 69c, for example, packet number 1, with contents of 'HELLO' was captured by the source monitor at time S-T1 after source transmission. The 'HELLO' packet is received by the destination DUT at time D-T3. The delay can be measured by subtracting the transmission time from the receive time. (D-T3-S-T1=delay); see Darisi, col. 7, lines 20-29. Also see col. 7, lines 39-45, “FIG. 5 is a flow diagram that illustrates steps that may be performed by a correlation analyzer during a delay measurement process 70. At step 72 a packet is selected from the source list, and the time stamp indicating when the packet was transmitted (Packet Transmit Timestamp (PTT)) is obtained. At step 74 the next entry in the source list is retrieved and evaluated”).
Regarding claim 36, Darisi does not explicitly disclose further comprising:
causing one or more computing devices associated with the first network to drop packets associated with the malicious entity. In the same field of endeavor (e.g., communication system) Bostrom discloses a method for preventing certain types of attacks on computing systems that comprises:
causing one or more computing devices associated with the first network to drop packets associated with the malicious entity (The IBM firewall receives the spoofed packets that appear to be reply packets from google.com: 12345, but because all but one of the packets received will have the wrong destination port (i.e. the random port '7825' assigned by the IBM firewall's PAT algorithm), all but one packet will be dropped by the IBM firewall; see Bostrom, paragraph [0024]).
It would have thus been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the features of Bostrom regarding preventing certain types of attacks on computing systems into the method for monitoring operation of communication devices of Darisi. The motivation to do so is to prevent an attack without exposing the network to denial-of-service attacks (see Bostrom, abstract).

Claim 32 is rejected under 35 U.S.C. 103 as being unpatentable over disclosed prior art Darisi et al., US 8,004,994 B1 (Darisi hereinafter), in view of disclosed prior art Bostrom et al., US 2012/0331543 A1 (Bostrom hereinafter), as applied to the claims above, and further in view of disclosed prior art Ivershen et al., US 8,219,675 (Ivershen hereinafter).
Here is how the references teach the claims. 
Regarding claim 32, Darisi and Bostrom disclose the method of claim 31. Darisi and Bostrom do not explicitly disclose wherein the second device is configured to perform network address translation before transmitting the second plurality of packets to the second host.
In the same field of endeavor (e.g., communication) Ivershen discloses a method for correlating IP flows across a NAT firewall that comprises wherein the second device is configured to perform network address translation before transmitting the second plurality of packets to the second host (Steps 403 and 404 are similar to steps 401 and 402, respectively, but are applied to packets on a second side of the NAT firewall, such as packets captured from a second interface coupled to the NAT firewall, wherein the interface carries packets after NAT translation; see Ivershen, col. 7, lines 66-67).
It would have thus been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the feature of Ivershen regarding tracing packets via an intermediary device into the method for monitoring operation of communication devices of Darisi and Bostrom. The motivation to do so is to effectively secure the private address space from external devices (see Ivershen, col. 1, lines 35-38).

Claim 33 is rejected under 35 U.S.C. 103 as being unpatentable over disclosed prior art Darisi et al., US 8,004,994 B1 (Darisi hereinafter), in view of disclosed prior art Bostrom et al., US 2012/0331543 A1 (Bostrom hereinafter), as applied to the claims above, and further in view of disclosed prior art Pleshek et al., US 2012/0106354 A1 (Pleshek hereinafter).
Here is how the references teach the claims. 
Regarding claim 33, Darisi and Bostrom disclose the method of claim 31. Darisi and Bostrom do not explicitly disclose further comprising:
generating, based on the correlating, one or more new rules configured to identify packets associated with the malicious entity; and
provisioning one or more computing devices with the one or more new rules.
In the same field of endeavor (e.g., communication system) Pleshek discloses a method for collecting and analyzing packets associated with network communications that comprises:
generating, based on the correlating, one or more new rules configured to identify packets associated with the malicious entity (The network tools and tool optimizers can also automatically generate filter rules and apply them to the appropriate filter engines so that packets are forwarded as desired by the user. Further, the network devices and tool optimizers can include a packet processing system whereby forwarding behavior is governed by matching packets in parallel against multiple user-specified packet filtering criteria, and by performing forwarding actions associated with all such matching filter criteria; see Pleshek, paragraph [0017]. Also see paragraph [0064], “Network tools include traffic monitoring devices, packet sniffers, data recorders, voice-over-IP monitors, intrusion detection systems, network security systems, application monitors and/or any other desired network management or security tool device”); and
provisioning one or more computing devices with the one or more new rules (Once generated, these filter rules are then applied by the dynamic filter processor 106 to filter engines 109 that are used to determine how packets are forwarded by the tool optimizer 102 from the network sources 112A, 112B ... 112C to the destination tools 114A, 114B; see Pleshek, paragraph [0065]).
It would have thus been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the features of Pleshek regarding collecting and analyzing packets associated with network communications into the method for monitoring operation of communication devices of Darisi and Bostrom. The motivation to do so is to support a method that allows for improved management and control of packet forwarding in network systems (see Pleshek, paragraphs [0003] and [0017]).
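The claim mappings above describe one procedure from the defender's side: log packets received at a first capture point and packets transmitted at a second (claims 31 and 34), correlate the two sets of log entries by packet contents and timestamps (claim 35, Darisi's delay measurement), tolerate a translating device that rewrites source addresses between the two points (claim 32), and turn uncorrelated traffic into an indication and into filtering rules that are provisioned to devices (claims 33 and 36). The following Python example is an added illustration of that procedure; it is not code from the application or from Ahn, Darisi, Bostrom, Ivershen or Pleshek. The log format, the addresses and timestamps, the delay threshold, the policy for what an uncorrelated entry indicates, and the rule schema are all constructed assumptions.

```python
"""
Correlating packet logs from two capture points, reporting uncorrelated
traffic, and generating filtering rules from the result.

Added illustration only; not code from the application or the cited
references. All sample values and policies below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LogEntry:
    seq: int        # packet sequence number
    src: str        # source address as seen at this capture point
    dst: str        # destination address as seen at this capture point
    payload: bytes  # captured packet contents
    ts: float       # capture timestamp in seconds


# Constructed sample logs. FIRST_LOG: packets received by the first device from
# hosts in the first network. SECOND_LOG: packets transmitted by the second
# device to a host in the second network. The source address differs between
# the two logs because the second device performs address translation.
FIRST_LOG = [
    LogEntry(1, "10.0.0.5", "203.0.113.7", b"HELLO", 100.000),
    LogEntry(2, "10.0.0.5", "203.0.113.7", b"DATA-1", 100.020),
    LogEntry(3, "10.0.0.9", "203.0.113.7", b"PROBE", 100.030),
    LogEntry(4, "10.0.0.5", "203.0.113.7", b"DATA-2", 100.050),
]
SECOND_LOG = [
    LogEntry(1, "198.51.100.1", "203.0.113.7", b"HELLO", 100.012),
    LogEntry(2, "198.51.100.1", "203.0.113.7", b"DATA-1", 100.031),
    LogEntry(4, "198.51.100.1", "203.0.113.7", b"DATA-2", 100.065),
    LogEntry(5, "198.51.100.1", "203.0.113.7", b"INJECTED", 100.070),
]

MAX_DELAY = 0.050  # seconds; constructed upper bound on forwarding delay


def correlate(first, second, max_delay=MAX_DELAY):
    """Pair first-log entries with second-log entries.

    A pair is accepted when the payloads are bit-for-bit identical and the
    second-log timestamp lies within [ts, ts + max_delay] of the first-log
    timestamp (transmission cannot precede receipt). Source addresses are
    deliberately not compared because address translation rewrites them.
    Returns (matches, unmatched_first, unmatched_second); each match carries
    the measured delay, i.e. transmit time minus receipt time.
    """
    candidates = defaultdict(list)
    for entry in second:
        candidates[entry.payload].append(entry)
    for entries in candidates.values():
        entries.sort(key=lambda e: e.ts)

    matches, used = [], set()
    for f in sorted(first, key=lambda e: e.ts):
        for s in candidates.get(f.payload, []):
            if s not in used and f.ts <= s.ts <= f.ts + max_delay:
                matches.append((f, s, round(s.ts - f.ts, 6)))
                used.add(s)
                break
    matched_first = {f for f, _, _ in matches}
    unmatched_first = [f for f in first if f not in matched_first]
    unmatched_second = [s for s in second if s not in used]
    return matches, unmatched_first, unmatched_second


def indications(unmatched_first, unmatched_second):
    """Build indications from entries that could not be correlated.

    Constructed policy: a packet the second device transmitted with no
    correlating receipt implicates its second-network destination; a packet
    received but never transmitted onward implicates its first-network source.
    """
    out = []
    for s in unmatched_second:
        out.append({"host": s.dst, "network": "second",
                    "reason": "transmitted without correlating receipt"})
    for f in unmatched_first:
        out.append({"host": f.src, "network": "first",
                    "reason": "received but never transmitted onward"})
    return out


def generate_rules(indication_list):
    """Turn indications into rules for provisioning (constructed schema).

    First-network hosts get a drop rule aimed at devices in that network;
    second-network hosts get an identify rule so matching packets are logged.
    """
    rules = []
    for ind in indication_list:
        if ind["network"] == "first":
            rules.append({"target": "first-network devices", "action": "drop",
                          "match": {"src": ind["host"]}})
        else:
            rules.append({"target": "second device", "action": "identify",
                          "match": {"dst": ind["host"]}})
    return rules


if __name__ == "__main__":
    matched, uf, us = correlate(FIRST_LOG, SECOND_LOG)
    for f, s, delay in matched:
        print(f"seq {f.seq} {f.payload!r}: forwarded after {delay:.3f}s")
    inds = indications(uf, us)
    for ind in inds:
        print("indication:", ind)
    for rule in generate_rules(inds):
        print("rule:", rule)
```

On the sample logs, three packets correlate (with delays of 12, 11 and 15 ms), the PROBE packet from 10.0.0.9 has no egress counterpart, and the INJECTED packet has no ingress counterpart; the first yields a drop rule for first-network devices and the second an identify rule on the second device. Matching on contents rather than on addresses is what lets the correlation survive a translating device between the two capture points, and the delay bound keeps a stale duplicate payload from being paired with an unrelated later transmission.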

Claims 1-30 are allowed.

Examiner’s Note
The following prior art is made of record and not relied upon but is considered pertinent to applicant's disclosure.
1. Gula et al., US 2014/0283083 A1: discloses a log correlation engine that receives various logs containing events describing observed network activity and discovers a network vulnerability in response to the logs containing at least one event that matches a regular expression in at least one correlation rule associated with the log correlation engine that indicates a vulnerability. The log correlation engine obtains information about the indicated vulnerability from at least one data source cross-referenced in the correlation rule and generates a report that the indicated vulnerability was discovered in the network. The report includes the information about the indicated vulnerability obtained from the at least one data source cross-referenced in the correlation rule (see abstract, paragraph [0004] and paragraph [0016]).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OBAIDUL HUQ whose telephone number is (571)270-7199. The examiner can normally be reached Mon-Fri 8:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kwang Bin Yao can be reached on 571-272-3182. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/OBAIDUL HUQ/ Primary Examiner, Art Unit 2473
Dated: 09/10/2022