DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to the amendments filed on 08/03/2022. 
Claims 31-60 are currently pending in this application. Claims 31, 44 and 53 have been amended.
No new IDS has been filed.

Allowable Subject Matter
Claim 35 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims, and amended to overcome the 112(a) and/or 112(b) rejections stated below.

Response to Arguments
The previous 112(a) and 112(b) rejections of claims 31-60 have been withdrawn in response to the applicant’s amendments/remarks.

Regarding the 102 rejections, the applicant, in pages 13-15 of the remarks, has argued that “… Merza do not teach or suggest classifying, based on the extracted URL categories and timestamps, the first network connection as corresponding to a detected access pattern included in a plurality of access patterns that are predetermined prior to analyzing … the access pattern is not predetermined prior to analyzing the received event … plurality of predetermined access patterns …”.
These arguments by the applicant are not persuasive.
Merza clearly teaches that the data aggregator 235 of the security monitoring system 150 identifies which value is to be extracted from the retrieved events based on a metric of interest, and that the extracted value is processed to determine, for example, a length or number of bytes of the extracted value or to determine whether the extracted value matches a comparison value. The values extracted from the events and pertaining to the metric of interest include: a user agent string, a URL, a traffic size and a URL category. In other words, the security monitoring system classifies or categorizes, based on the extracted values from the retrieved events (or the first set of network metrics), the network connection as corresponding to a first network connection profile (e.g., one of the user agent string profile, the URL profile, the traffic size profile or the URL categories) included in a plurality of network connection profiles (e.g., among the user agent string profile, the URL profile, the traffic size profile and the URL categories), that are predetermined prior to analyzing the network traffic (e.g., the metric of interest and the comparison value are predetermined prior to analyzing the network traffic because they are used in extracting and matching the metric value of the retrieved events). See also figures 5, 19A, 19B, 20, etc. for determining metric value in the URL categories. Therefore, it is clear that Merza teaches the argued/claimed limitations – see also the 102 rejections section below for detail.

The applicant’s arguments for claims 44 and 53 and all dependent claims, regarding the limitations of claim 31 addressed above, are not persuasive; the response to these arguments is similar to the response for claim 31 stated above.

Thus, the applicant’s arguments are not persuasive. Please see amended rejections below for amended claims. The action is final.

Claim Rejections - 35 U.S.C. § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 31-34 and 36-60 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Merza et al. (US 2013/0326620 A1).

As per claim 31, Merza teaches a computer-implemented method [see fig. 1 and par. 0008], comprising:
analyzing network traffic data for a first network connection associated with a computing device [fig. 1; par. 0041, lines 1-9 of Merza teaches analyzing network traffic data (e.g., the data collected by the security monitoring system 150 or HTTP events information) for a first network connection associated with a computing device (e.g., the user device 110 or 120)];
identifying, as a result of analyzing the network traffic data, a first set of network metrics for the first network connection [par. 0041, lines 5-16 of Merza teaches identifying, as a result of analyzing the network traffic data, a first set of network metrics (e.g., the metric values of the events of the collected data) for the first network connection (e.g., the network connection between the security monitoring system 150 and resources 160)];
classifying, based on the first set of network metrics, the first network connection as corresponding to a first network connection profile included in a plurality of network connection profiles that are predetermined prior to analyzing the network traffic data, wherein the first network connection profile specifies a first plurality of network metrics that characterize a network connection corresponding to the first network connection profile, and wherein the first set of network metrics corresponds to the first plurality of network metrics [figs. 2, 5, 19A, 19B, 20; par. 0048, lines 1-11; par. 0049, lines 1-10; par. 0050, lines 1-7; par. 0068, lines 1-28; par. 0133, lines 1-16 of Merza teaches classifying (e.g., categorizing), based on the first set of network metrics (e.g., the metric values of the events of the collected data), the first network connection as corresponding to a first network connection profile (e.g., the category defining the pattern or metrics, such as the URL categories or subset criteria) included in a plurality of network connection profiles (e.g., the access patterns or behavioral patterns of the network categories, such as a user agent string category, a URL category, a traffic size category, etc.) that are predetermined prior to analyzing the network traffic (e.g., the stored data), wherein the first network connection profile specifies a first plurality of network metrics (e.g., the comparison value or the metric of interest including a user agent string, a URL, a traffic size, etc.) that characterize a network connection corresponding to the first network connection profile, and wherein the first set of network metrics (e.g., the metrics values related to a user agent string, a URL, a traffic size, etc.) corresponds to the first plurality of network metrics (e.g., the comparison value or the metric of interest including a user agent string, a URL, a traffic size, etc.)]. 
In other words, the security monitoring system classifies or categorizes, based on the extracted values from the retrieved events (or the first set of network metrics), the network connection as corresponding to a first network connection profile (e.g., one of the user agent string profile, the URL profile, the traffic size profile or the URL categories) included in a plurality of network connection profiles (e.g., among the user agent string profile, the URL profile, the traffic size profile and the URL categories), that are predetermined prior to analyzing the network traffic (e.g., the metric of interest and the comparison value are predetermined prior to analyzing the network traffic because they are used in extracting and matching the metric value of the retrieved events). See also figures 5, 19A, 19B, 20, etc. for determining metric value in the URL categories;
detecting a potential security threat for the first network connection based on the first network connection profile [par. 0049, lines 1-10; par. 0096, lines 1-14; par. 0116, lines 1-22 of Merza teaches detecting a potential security threat for the first network connection based on the first network connection profile (e.g., the category defining the pattern)]; and
initiating a mitigation action with respect to the first network connection in response to detecting the potential security threat [par. 0062, lines 1-20; par. 0063, lines 1-7; par. 0111, lines 1-18 of Merza teaches initiating a mitigation action (e.g., triggering an alert, blocking an action, enhance/mitigate a level of detail of the security threat, etc.) with respect to the first network connection in response to detecting the potential security threat].

As per claim 32, Merza teaches the computer-implemented method of claim 31.
Merza further teaches wherein the first network connection profile specifies at least two different types of metrics, wherein the types of metrics include a symmetry metric, a responsiveness metric, and an efficiency metric [par. 0047, lines 1-13; par. 0048, lines 1-16; par. 0068, lines 1-28; par. 0125, lines 1-6; par. 0128, lines 1-3 of Merza teaches wherein the first network connection profile specifies at least two different types of metrics, wherein the types of metrics include a symmetry metric (e.g., a high count or frequency of requests, etc.), a responsiveness metric (e.g., time between receipt and query time), and an efficiency metric (e.g., misspellings, profanity or old version identifiers, etc.)].

As per claim 33, Merza teaches the computer-implemented method of claim 31. 
Merza further teaches wherein the first network connection profile specifies a symmetry metric, wherein the symmetry metric is based on a number of bytes transmitted in one direction via the network connection and a number of bytes transmitted in an opposite direction via the network connection during a particular time duration [fig. 18A; par. 0048, lines 1-16; par. 0068, lines 1-28; par. 0128, lines 1-19; par. 0131, lines 1-13 of Merza teaches the first network connection profile specifies a symmetry metric, wherein the symmetry metric is based on a number of bytes transmitted (e.g., determining a length or number of bytes of the extracted value or the traffic size) in one direction via the network connection (e.g., the query or GET request) and a number of bytes transmitted (e.g., determining a length or number of bytes of the extracted value) in an opposite direction via the network connection (e.g., receipt or POST request) during a particular time duration (e.g., time between receipt and a query time or occurring within a particular time period)].

As per claim 34, Merza teaches the computer-implemented method of claim 31. 
Merza further teaches wherein the first network connection profile specifies a responsiveness metric, wherein the responsiveness metric represents a responsiveness of one or more computing devices exchanging data via the network connection [fig. 1; par. 0005, lines 1-19; par. 0068, lines 1-28 of Merza teaches wherein the first network connection profile specifies a responsiveness metric (e.g., the time between a receipt and a query), wherein the responsiveness metric represents a responsiveness of one or more computing devices exchanging data via the network connection (see the network connection of fig. 1)].

As per claim 36, Merza teaches the computer-implemented method of claim 31. 
Merza further teaches wherein the first network connection profile specifies an efficiency metric, wherein the efficiency metric represents an efficiency of the network connection [par. 0127, lines 1-17 of Merza teaches the first network connection profile specifies an efficiency metric (e.g., the metric value matching suspicious strings), wherein the efficiency metric represents an efficiency (e.g., profanity, old version or misspellings) of the network connection – see also the rejection of claim 31].

As per claim 37, Merza teaches the computer-implemented method of claim 31. 
Merza further teaches wherein the first network connection profile specifies an efficiency metric, wherein the efficiency metric indicates an average size of a plurality of packets exchanged via the network connection [par. 0076, lines 1-10; par. 0128, lines 1-19 of Merza teaches the first network connection profile specifies an efficiency metric, wherein the efficiency metric indicates an average (e.g., the determining average) size of a plurality of packets exchanged (e.g., the output of the traffic-sensitive events of the packet analyzer) via the network connection].

As per claim 38, Merza teaches the computer-implemented method of claim 31. 
Merza further teaches wherein: a second network connection profile included in the plurality of network connection profiles specifies a second plurality of network metrics that is different from the first plurality of network metrics specified by the first network connection profile [par. 0058, lines 1-15; par. 0139, lines 1-14 of Merza teaches a second network connection profile (e.g., a second category defining the pattern of the traffic events or timestamp) included in the plurality of network connection profiles (e.g., the access patterns or behavioral patterns of the network categories) specifies a second plurality of network metrics that is different from the first plurality of network metrics specified by the first network connection profile (e.g., the category defining the pattern) – see also rejections to the claim 31].

As per claim 39, Merza teaches the computer-implemented method of claim 38. 
Merza further teaches wherein: the first plurality of network metrics specifies at least a first network metric and a second network metric; the second plurality of network metrics specifies at least a third network metric and a fourth network metric, wherein the first network metric, second network metric, third network metric, and fourth network metric comprise different network metrics [figs. 18A, 20; par. 0133, lines 1-16; par. 0137, lines 1-12 of Merza teaches the first plurality of network metrics specifies at least a first network metric and a second network metric; the second plurality of network metrics specifies at least a third network metric and a fourth network metric, wherein the first network metric, second network metric, third network metric, and fourth network metric comprise different network metrics (e.g., the category metrics)].

As per claim 40, Merza teaches the computer-implemented method of claim 38. 
Merza further teaches wherein: the first plurality of network metrics specifies a first network metric, at least one of a first threshold or a first range for the first network metric, a second network metric, and at least one of a second threshold or a second range for the second network metric; and the second plurality of network metrics specifies a third network metric, at least one of a third threshold or a third range for the third network metric, a fourth network metric, and at least one of a fourth threshold or a fourth range for the fourth network metric, wherein the first network metric is different from the third network metric and the fourth network metric [figs. 1, 19B; par. 0061, lines 1-12; par. 0112, lines 1-7; par. 0136, lines 1-12; par. 140, lines 1-19 of Merza teaches the first plurality of network metrics specifies a first network metric, at least one of a first threshold or a first range for the first network metric, a second network metric, and at least one of a second threshold or a second range for the second network metric; and the second plurality of network metrics specifies a third network metric, at least one of a third threshold or a third range for the third network metric, a fourth network metric, and at least one of a fourth threshold or a fourth range for the fourth network metric, wherein the first network metric is different from the third network metric and the fourth network metric (e.g., the range of the values in the set of metrics and the lower and/or upper threshold set for each category)].

As per claim 41, Merza teaches the computer-implemented method of claim 31. 
Merza further teaches wherein the plurality of network connection profiles are predetermined prior to analyzing the network traffic data [par. 0066, lines 1-17 of Merza teaches the plurality of network connection profiles (e.g., the access patterns/structures or behavioral patterns of the network categories) are predetermined (e.g., predefined and/or identified) prior to analyzing the network traffic data].

As per claim 42, Merza teaches the computer-implemented method of claim 31. 
Merza further teaches wherein detecting the potential security threat comprises determining, after the first set of network metrics is identified based on the network traffic data, that each network metric included in the first set of network metrics has subsequently deviated from each corresponding network metric included in the first plurality of network metrics specified by the first network connection profile [par. 0082, lines 1-17; par. 0096, lines 1-17; par. 0138, lines 1-9 of Merza teaches detecting the potential security threat comprises determining, after the first set of network metrics is identified based on the network traffic data, that each network metric included in the first set of network metrics has subsequently deviated (e.g., deviation or modifying the first object or metric value) from each corresponding network metric included in the first plurality of network metrics specified by the first network connection profile].

As per claim 43, Merza teaches the computer-implemented method of claim 31. 
Merza further teaches wherein detecting the potential security threat comprises determining, after the first set of network metrics is identified based on the network traffic data, that at least one network metric included in the first set of network metrics has subsequently deviated from at least one corresponding network metric specified in the first plurality of network metrics by a predetermined threshold amount [par. 0056, lines 1-18; par. 0057, lines 1-6; par. 0082, lines 1-17; par. 0096, lines 1-17; par. 0138, lines 1-9 of Merza teaches wherein detecting the potential security threat comprises determining, after the first set of network metrics is identified based on the network traffic data, that at least one network metric included in the first set of network metrics has subsequently deviated from at least one corresponding network metric specified in the first plurality of network metrics by a predetermined threshold amount (e.g., the threshold selected by a client)].

Claims 44-52 are non-transitory computer-readable storage medium claims that correspond to the method claims (or the combination of the method claims) 31-34, 36, 38, 39 and 41-43, and are analyzed and rejected accordingly – see par. 0009 for the processing components.
Claims 53-60 are device claims that correspond to the method claims 31-34, 36, 38, 39 and 41, and are analyzed and rejected accordingly – see par. 0009 for the processing components.


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAUNG T LWIN whose telephone number is (571)270-7845. The examiner can normally be reached Monday - Friday 10:00 am - 6:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MAUNG T LWIN/Primary Examiner, Art Unit 2495