DETAILED ACTION
1.	This office action is in response to the communication filed on 12/31/2020.
2.	Claims 1-20 are pending. 

Notice of Pre-AIA or AIA Status
3.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. 

4.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 

Claim Objections
5.	Claim(s) 3-4, 11-12, and 19-20 is/are objected to because of the following informalities:  
- The limitation “source IPs” should be “source IP addresses”.
Appropriate correction(s) is/are required.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


6.	Claim(s) 1, 6, 8-9, 14 and 16-17 is/are rejected under 35 U.S.C. 102(a)(1)/102(a)(2) as being anticipated by Bartos et al. (US 2016/0226904 A1, hereafter Bartos).
Regarding claim(s) 1, 9, and 17:
Bartos discloses a method comprising: 
identifying, from online clustering data, an internet protocol (IP) pair; determining, by a processing device during an offline process, that the IP pair is part of a botnet (see fig. 1 and paras. 31, 41-50, 60 where network incidents collected during network communications (i.e., online communications), by attacked nodes, are recorded into incident data records to be transmitted to a security system (i.e., processing device) for being correlated and clustered into clusters based on behavioral properties and the sources/origins of the incidents, wherein the security system identifies and determines that the sources/origins are known to launch malware attacks based on received incident data records and data table(s) (e.g., malicious incident origin data table) stored in a local database (e.g., database 112) of the security system, wherein a source/origin is an IP address; see para. 124 where a botnet comprises compromised computers/nodes launching malicious attacks. In other words, source IP addresses (i.e., two source IP addresses as an IP pair) are identified, from the network incidents (i.e., online clustering data) collected during online communications by attacked nodes, and determined, by a security system based on accessing a local database (i.e., during an offline process), to be part of a botnet launching malicious attacks); and 
in response to the determining, appending data associated with the botnet to the online clustering data (see paras. 59-60 and/or 165 where new events or new incidents associated with the sources launching malware attacks are included or added to one or more clusters of incidents; see para. 124 where a botnet comprises compromised computers/nodes launching malicious attacks).

Regarding claim(s) 6 and 14:
Bartos discloses:
determining that the botnet is associated with a multi-site attack (see para. 65 where the sources of incidents are determined as launching malware attacks; see paras. 33, 124 where a botnet comprises compromised computers/nodes launching a malware attack (i.e., multi-site attack) to a plurality of attacked nodes).

Regarding claim(s) 8 and 16:
Bartos discloses:
determining that the botnet is associated with an attack occurring over a regular period (see para. 124 where a botnet comprises compromised computers/nodes launching a malicious/malware attack; see paras. 44-45 where incident data records contain behavioral characteristic indicating a malicious attack, or origin characteristic indicating a malicious attacker; see para. 106 where incidents occur within a certain period of time).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

7.	Claim(s) 2, 10, and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bartos in view of Kirti et al. (US 2015/0319185 A1, hereafter Kirti).
Regarding claim(s) 2, 10, and 18:
Bartos discloses:    
wherein in response to the determining, [blocking one or more IP addresses] associated with the botnet (see paras. 59-60 and/or 165 where new events or new incidents associated with the sources launching malware attacks are included or added to one or more clusters of incidents associated with malware attacks; see para. 124 where a botnet comprises compromised computers/nodes launching malicious attacks).
Bartos does not, but Kirti discloses:    
blocking one or more IP addresses (see Kirti, paras. 42, 44, for blocking one or more source IP addresses associated with malicious activity).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Bartos's invention by enhancing it to block one or more IP addresses, as taught by Kirti, in order to block source IP addresses associated with malicious activities (Kirti, para. 44).

8.	Claim(s) 3-5, 11-13, and 19-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bartos in view of Yehudai et al. (US 2019/0372934 A1, hereafter Yehudai).
Regarding claim(s) 3, 11, and 19:
Bartos discloses:
wherein the IP pair comprises two source IPs (see paras. 31, 50 where the sources/origins of incidents are source IP addresses known to launch malware attacks; see para. 124 where a botnet comprises compromised computers/nodes/bots launching malicious attacks).
Bartos does not, but Yehudai discloses: 
determining a distance metric corresponding to a feature of the two source IPs; and determining that the IP pair is part of the botnet when the distance metric is less than a predefined threshold (see Yehudai, para. 28, where feature(s) of malicious events is/are determined, wherein a feature includes a source/origin IP address associated with attacks from bots (i.e., botnet); see para. 25 where a distance (i.e., distance metric) between a feature of malicious events is calculated by an attack analyzer, wherein the malicious events are determined to be similar for being aggregated in a same cluster of previously detected and analyzed malicious events when the distance is less than a threshold distance (i.e., predefined threshold)).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Bartos's invention by enhancing it to determining a distance metric corresponding to a feature of the two source IPs; and determining that the IP pair is part of the botnet when the distance metric is less than a predefined threshold, as taught by Yehudai, in order to determine the events are similar to be aggregated in a same cluster of analyzed malicious events based on the distance between feature(s) of malicious events (Yehudai, paras. 25, 28).

Regarding claim(s) 4, 12, and 20:
Bartos discloses:
[extracting] the feature from the online clustering data (see fig. 1 and para. 42 where network incidents (i.e., online clustering data) are collected during network communications (i.e., online communications), by attacked nodes; see paras. 70-71 where a feature of incidents including a source/origin IP address is used to cluster similar types of malicious behavior into incident cluster);
Bartos does not, but Yehudai discloses:
extracting the feature; and defining a distance function corresponding to the distance metric, the distance function to calculate a distance between the feature of the two source IPs, respectively (see Yehudai, para. 36 where a feature is extracted from malicious events; see para. 28 where a feature includes a source/origin IP address associated with attacks from bots (i.e., botnet); see abstract where a distance (i.e., distance metric) between a feature of malicious events is calculated using a non-Euclidean distance function).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Bartos's invention by enhancing it to extracting the feature; and defining a distance function corresponding to the distance metric, the distance function to calculate a distance between the feature of the two source IPs, respectively, as taught by Yehudai. The motivation is the same as presented in claim 3.
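To make the combined limitations of claims 3 and 4 concrete, the following added example (not code from the application, Bartos or Yehudai) extracts a per-IP feature vector from constructed incident data records, defines a non-Euclidean (Canberra) distance function, and treats the IP pair as part of the botnet when the distance is below a predefined threshold. The feature set (incident volume, persistence, frequency), the distance function and the threshold value are all assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    """One incident data record reported by an attacked node (constructed)."""
    src_ip: str
    timestamp: int  # seconds since an arbitrary epoch
    events: int     # malicious events recorded in the incident


# Constructed incident data records using documentation-range addresses;
# the first two IPs behave alike, the third is an unrelated low-volume source.
INCIDENTS = [
    Incident("203.0.113.10", 0, 40), Incident("203.0.113.10", 3600, 42),
    Incident("203.0.113.10", 7200, 39),
    Incident("203.0.113.11", 100, 41), Incident("203.0.113.11", 3700, 40),
    Incident("203.0.113.11", 7300, 43),
    Incident("198.51.100.7", 500, 3),
]

THRESHOLD = 0.1  # assumed predefined threshold on the distance metric


def extract_feature(src_ip, incidents=INCIDENTS):
    """Feature vector (volume, persistence, frequency) for one source IP."""
    own = sorted((i for i in incidents if i.src_ip == src_ip),
                 key=lambda i: i.timestamp)
    if not own:
        raise ValueError(f"no incidents recorded for {src_ip}")
    volume = sum(i.events for i in own)                   # total events
    persistence = len(own)                                # number of incidents
    span_hours = (own[-1].timestamp - own[0].timestamp) / 3600
    frequency = persistence / max(span_hours, 1.0)        # incidents per hour
    return (volume, persistence, frequency)


def canberra_distance(a, b):
    """Non-Euclidean distance function: sum of |x-y| / (|x|+|y|) per feature."""
    total = 0.0
    for x, y in zip(a, b):
        denom = abs(x) + abs(y)
        if denom:
            total += abs(x - y) / denom
    return total


def is_botnet_pair(ip_a, ip_b, threshold=THRESHOLD, incidents=INCIDENTS):
    """Claim 3 decision: the pair is part of the botnet when distance < threshold."""
    fa, fb = extract_feature(ip_a, incidents), extract_feature(ip_b, incidents)
    return canberra_distance(fa, fb) < threshold
```

Two sources with near-identical volume, persistence and frequency land well under the threshold, while the unrelated low-volume source does not, which is the clustering behaviour the cited passages describe.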

Regarding claim(s) 5 and 13:
Bartos discloses:
wherein the feature comprises at least one of: an IP property, a correlation property, a narrative property, or a history property (see paras. 70-71 where a feature associated with malware includes: incident volume, persistence, frequency, and/or source IP address. Note: in addition, see Yehudai, para. 28 where a feature includes: source/origin IP address, geographical region, type of attack, time of attack, and/or type of tool).

9.	Claim(s) 7 and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Bartos in view of Nantel (US 20160173446 A1).
Regarding claim(s) 7 and 15:
Bartos discloses:
determining that the botnet is associated with an attack occurring over a duration [that exceeds a predefined threshold] (see para. 124 where a botnet comprises compromised computers/nodes launching a malicious/malware attack; see para. 43 where incidents contain a behavioral characteristic value indicating a malicious attack; see para. 106 where incidents occur within a certain period of time).
Bartos does not, but Nantel discloses:
a duration that exceeds a predefined threshold (see Nantel, para. 55, where the duration of threat(s) is over a threshold, e.g., 2 hours).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Bartos's invention by enhancing it for a duration that exceeds a predefined threshold, as taught by Nantel, in order to analyze events associated with one or more threats based on the duration of occurrence of threats (see Nantel, abstract and para. 55).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Achan et al. (US 8745731 B2), Clustering Botnet Behavior Using Parameterized Models.
Harris et al. (US 20180332064 A1), Cybersecurity System.
Ranjan (US 8682812 B1), Machine Learning Based Botnet Detection Using Real-time Extracted Traffic Features.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HUAN V. DOAN whose telephone number is 571-272-3809. The examiner can normally be reached on Monday – Thursday, 9:00am – 5:00pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, PHILIP CHEA, can be reached on 571-272-3951.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HUAN V DOAN/Primary Examiner, Art Unit 2499