DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
Claims 1-40 are pending.  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-5, 7, 12-15, 17-19, 21, 26-32, 34, 39-40 are rejected under 35 U.S.C. 103 as being unpatentable over Valdes et al (“Probabilistic Alert Correlation”, 2001), and further in view of Dasgupta et al (PGPUB 2016/0219065) and Grossman et al (PGPUB 2016/0112443).

Regarding Claims 1, 17, and 30:
	Valdes teaches a method, apparatus, and one or more non-transitory computer-readable media, comprising (abstract, probabilistic approach to alert correlation, extending ideas from multisensory data fusion; framework for correlating alerts that match closely but not perfectly; page 10 section 3.2, Experimental Environment comprising multiple machines for network monitoring and alert management as part of protected network):
	one or more processors (page 10 section 3.2, Experimental Environment comprising multiple machines for network monitoring and alert management as part of protected network); and
	memory storing instructions that, when executed by the one or more processors (page 10 section 3.2, machines running EMERALD alert console software), causes the apparatus to:
	receive (page 10 section 3.2, Experimental Environment comprising multiple machines for network monitoring and alert management as part of protected network), from a first network threat intelligence provider, a first network threat indicator that comprises at least one first network address that has been determined, by the first network threat intelligence provider, to be associated with a potential network threat, wherein the at least one first network address comprises one or more of (page 3-4 section 2.2, probabilistic alert fusion approach maintains list of “meta alerts” composed of several alerts from heterogeneous sensors (i.e. multiple threat intelligence providers); page 10 section 3.2, protected network instrumented with several network monitors; sensors at two machines detect attack and provide alert reports; alerts arrive at correlation machine in non-deterministic order as sensors are distributed; page 3-4 section 2.2, alerts include features such as source of attack, target (hosts and ports); page 9 section 3.1, exemplary alert includes source/destination IP address/ports):
a unique Internet host address (page 3-4 section 2.2, alerts include features such as source of attack, target (hosts and ports); page 9 section 3.1, exemplary alert includes source/destination IP address/ports),
a unique domain name, or
a unique Uniform Resource Identifier (URI);
receive, from a second network threat intelligence provider, a second network threat indicator that comprises at least one second network address that has been determined, by the second network threat intelligence provider, to be associated with the potential network threat (page 3-4 section 2.2, probabilistic alert fusion approach maintains list of “meta alerts” composed of several alerts from heterogeneous sensors (i.e. multiple threat intelligence providers); page 10 section 3.2, protected network instrumented with several network monitors; sensors at two machines detect attack and provide alert reports; alerts arrive at correlation machine in non-deterministic order as sensors are distributed; page 3-4 section 2.2, alerts include features such as source of attack, target (hosts and ports); page 9 section 3.1, exemplary alert includes source/destination IP address/ports);
	automatically generate one or more responses based on the first network threat indicator and the second network threat indicator by (page 13-14, correlated attack report generated, followed by response directive):
	generating a third network threat indicator that comprises at least one third network address by combining a first portion of the first network threat indicator and a second portion of the second network threat indicator based on common characteristics of the first network address and the second network address (page 2-3 section 2, new alert correlated with most similar meta alert, otherwise new alert starts new meta alert thread; page 3-4 section 2.2, meta alerts (i.e. third threat indicator) composed of several alerts from heterogeneous sensors; for two alerts, we begin by identifying features they have in common, including e.g. source, target, class of attack, and time; meta alert itself supports threading concept, so we can visualize composing meta alerts from meta alerts; page 5 section 2.3, meta alert contains list of attacker addresses).
	Valdes does not explicitly teach wherein automatically generating one or more responses is automatically generating one or more packet filtering rules;
generating a first packet filtering rule configured to filter packets associated with the third network threat indicator; and
assigning a capture directive to the first packet filtering rule, wherein the capture directive is configured to cause a packet corresponding to the third network threat indicator to be captured by causing storage of a copy of at least a portion of the packet on a storage device;
	filtering, on a packet-by-packet basis, one or more packets received by the apparatus to determine a first packet that matches the third network threat indicator of the first packet filtering rule;
	capturing, on a packet-by-packet basis, the filtered first packet that matches the third network threat indicator based on the capture directive being assigned to the first packet filtering rule; and
	generating, for the captured first packet, packet capture data comprising:
	raw packet content of the captured first packet, and
	threat context information comprising an indication of the first packet filtering rule.
	However, Dasgupta teaches the concept wherein automatically generating one or more responses is automatically generating one or more packet filtering rules (paragraph 47, device determines quarantine and action policy for one or more packets in anomalous traffic flow; device applies quarantine and action policies to one or more packets of anomalous traffic flow; paragraph 55, SLA determines the tracking criteria/rules (e.g., the direction, flows, etc. to be tracked) and pushes these criteria down to the DLA, to allow the DLA to match traffic flow packets with specific actions (e.g., according to one or more policies pushed to the DLA with the tracking criteria); paragraph 49, DLA monitors network conditions, e.g. router states, traffic flows, etc., and performs anomaly detection on monitored data using one or more machine learning models; paragraph 51, DLA monitors traffic flows associated with the devices of local network by comparing the monitored conditions to one or more machine-learning models, i.e. “packet filtering rules”; paragraph 40, learning machine constructs model of normal network behavior to detect data points that deviate from this model, i.e. “automatically generating” a response);
generating a first packet filtering rule configured to filter packets associated with a threat indicator (paragraph 40, learning machine constructs model of normal network behavior to detect data points that deviate from this model; paragraph 51, DLA monitors traffic flows associated with the devices of local network by comparing the monitored conditions to one or more machine-learning models, i.e. “packet filtering rules”; DLA uses model to determine that traffic flow is anomalous; paragraph 52, DLA reports detected anomaly and provides indication in response to identifying traffic flow as anomalous; such indication comprises source, destination, type of flow, model used to identify as anomalous, i.e. “threat indicators”); and
assigning a capture directive to the first packet filtering rule, wherein the capture directive is configured to cause a packet corresponding to the threat indicator to be captured by causing storage of a copy of at least a portion of the packet on a storage device (paragraph 47, device determines quarantine and action policy for one or more packets in anomalous traffic flow, i.e. “capture directive”; device applies quarantine and action policies to one or more packets of anomalous traffic flow; paragraph 52, 54, 61, distributed learning agent (DLA) reports detected anomaly to supervisory learning agent (SLA); SLA determines flow tracking criteria in real time by identifying interfaces corresponding to direction/effects of existing flow tracking criteria; the flow tracking criteria may be triggered automatically when an anomaly has been detected by the DLA or in response to receiving confirmation that the flow requires further analysis (e.g., based on rules maintained by the SLA, etc.); paragraph 55, SLA determines the tracking criteria/rules (e.g., the direction, flows, etc. to be tracked) and pushes these criteria down to the DLA, to allow the DLA to match traffic flow packets with specific actions (e.g., according to one or more policies pushed to the DLA with the tracking criteria); paragraph 72, device applies quarantine and action policies to one or more packets of anomalous flow; quarantine policy comprises capture directive causing packet to be captured; paragraph 58, anomalous flows (comprising packets) received, indexed, and stored by quarantine device);
	filtering, on a packet-by-packet basis, one or more packets received by an apparatus to determine a first packet that matches the network threat indicator of the first packet filtering rule (paragraph 40, learning machine constructs model of normal network behavior to detect data points that deviate from this model; paragraph 51, DLA monitors traffic flows associated with the devices of local network by comparing the monitored conditions to one or more machine-learning models, i.e. “packet filtering rules”; DLA uses model to determine that traffic flow is anomalous; paragraph 52, DLA reports detected anomaly and provides indication in response to identifying traffic flow as anomalous; such indication comprises source, destination, type of flow, model used to identify as anomalous, i.e. “threat indicators”; paragraph 47, device determines quarantine and action policy for one or more packets in anomalous traffic flow (as determined by “threat indicators” compared to model, as above);
	capturing, on a packet-by-packet basis, the filtered first packet that matches the network threat indicator based on the capture directive being assigned to the first packet filtering rule (paragraph 53, flow tracking criteria identify in real time packets that match the criteria so that action/mitigation or quarantine policies may be applied to the matching packets; paragraph 55, SLA determines the tracking criteria/rules (e.g., the direction, flows, etc. to be tracked) and pushes these criteria down to the DLA, to allow the DLA to match traffic flow packets with specific actions (e.g., according to one or more policies pushed to the DLA with the tracking criteria); paragraph 61, quarantine policy causes DLA to provide copy of tracked packets of anomalous flow to quarantine device, i.e. “packet capture”; paragraph 72, device applies quarantine and action policies to one or more packets of anomalous flow; policies therefore comprise one or more filtering rules, applied to packets which fit flow tracking criteria; quarantine policy comprises capture directive causing packet to be captured); and
	generating, for the captured first packet, packet capture data comprising (paragraph 52, 54, 61, quarantine policy may cause the DLA to provide a copy of tracked packets of an anomalous flow to a quarantine device; copy of packets of traffic flow provided to SLA; DLA reports detected anomaly to SLA, including indication of data regarding the model used by the DLA to identify the flow as anomalous):
	raw packet content of the captured first packet (paragraph 52, 54, 61, quarantine policy may cause the DLA to provide a copy of tracked packets of an anomalous flow to a quarantine device; copy of packets of traffic flow provided to SLA), and
	threat context information, wherein the threat context information comprises an indication of the first packet filtering rule (paragraph 52, 54; DLA reports detected anomaly to SLA, including indication of data regarding the model used by the DLA to identify the flow as anomalous; paragraph 59, quarantine device stores metadata indicative of type of anomaly, e.g. graph based anomaly, end host based anomaly, etc.); and
	Valdes teaches wherein the threat indicator is the third threat indicator (page 2-3 section 2, new alert correlated with most similar meta alert, otherwise new alert starts new meta alert thread; page 3-4 section 2.2, meta alerts (i.e. third threat indicator) composed of several alerts from heterogeneous sensors; for two alerts, we begin by identifying features they have in common, including e.g. source, target, class of attack, and time; meta alert itself supports threading concept, so we can visualize composing meta alerts from meta alerts).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the packet capture rule teachings of Dasgupta with the combined threat indicator teachings of Valdes, in order to provide information regarding a possible threat to a system or administrator for forensic purposes, thereby resulting in more accurate or improved rulesets or policies which improve security results and reduce false positives.
Neither Valdes nor Dasgupta explicitly teaches wherein the apparatus is located at a boundary between a protected network and an unprotected network; and
wherein the packet capture data is a packet capture file.
However, Grossman teaches the concept wherein an apparatus is located at a boundary between a protected network and an unprotected network (paragraph 72, network taps inserted at different parts of an enterprise network to detect probing, intrusions, and attacks on the enterprise, and develop appropriate responses to stop or limit the impact; interface of network tap located on boundary between outside and inside of information infrastructure); and
wherein packet capture data is a packet capture file (paragraph 113, network traffic is collected by sensor, i.e. network tap, including multiple packets which are processed by event record and file builder to produce files of packets, i.e. PCAP files).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the boundary device and packet capture file teachings of Grossman with the threat indication and rule generation teachings of Valdes in view of Dasgupta.  Locating a network monitoring device at the boundary between a protected and unprotected network allows packets to flow freely throughout the protected network, while focusing protection efforts at the most likely point of attack on said network, thereby preventing access to any of the protected nodes without passing a security checkpoint.  Furthermore, storing acquired data in the form of files is well known in the art, as files provide a discrete structure which is familiar to longtime computer users and mimics real world information storage.

Regarding Claim 2:
	Valdes in view of Dasgupta and Grossman teaches the method of claim 1.  In addition, Valdes teaches wherein the common characteristics comprise one or more of: 
a common source address (page 3-4 section 2.2, alerts include features such as source of attack, target (hosts and ports); page 9 section 3.1, exemplary alert includes source/destination IP address/ports), 
a common source port (page 3-4 section 2.2, alerts include features such as source of attack, target (hosts and ports); page 9 section 3.1, exemplary alert includes source/destination IP address/ports), 
a common destination address (page 3-4 section 2.2, alerts include features such as source of attack, target (hosts and ports); page 9 section 3.1, exemplary alert includes source/destination IP address/ports), 
a common destination port (page 3-4 section 2.2, alerts include features such as source of attack, target (hosts and ports); page 9 section 3.1, exemplary alert includes source/destination IP address/ports), or 
a common protocol type.

Regarding Claims 4, 18, and 31:
Valdes in view of Dasgupta and Grossman teaches the method of claim 1, the apparatus of claim 17, and the non-transitory computer-readable media of claim 30.  In addition, Dasgupta teaches wherein the instructions, when executed by the one or more processors, further cause the apparatus to: 
determine whether to log the first packet based on the network threat indicator of first packet filtering rule (paragraph 52, 54, 61, distributed learning agent (DLA) reports detected anomaly to supervisory learning agent (SLA); SLA determines flow tracking criteria in real time by identifying interfaces corresponding to direction/effects of existing flow tracking criteria; the flow tracking criteria may be triggered automatically when an anomaly has been detected by the DLA or in response to receiving confirmation that the flow requires further analysis (e.g., based on rules maintained by the SLA, etc.); quarantine policy may cause the DLA to provide a copy of tracked packets of an anomalous flow to a quarantine device; copy of packets of traffic flow provided to SLA); and
	Valdes teaches wherein the threat indicator is the third threat indicator (page 2-3 section 2, new alert correlated with most similar meta alert, otherwise new alert starts new meta alert thread; page 3-4 section 2.2, meta alerts (i.e. third threat indicator) composed of several alerts from heterogeneous sensors; for two alerts, we begin by identifying features they have in common, including e.g. source, target, class of attack, and time; meta alert itself supports threading concept, so we can visualize composing meta alerts from meta alerts).
The rationale to combine Valdes and Dasgupta is the same as provided for claims 1, 17, and 30 due to the overlapping subject matter between claims 1 and 4, 17 and 18, 30 and 31.

Regarding Claim 5:
Valdes in view of Dasgupta and Grossman teaches the method of claim 4.  In addition, Dasgupta teaches wherein the filtering of the one or more packets and the determining whether to log the first packet are performed simultaneously (paragraph 53, flow tracking criteria functions as matching rule used by receiving DLA to identify further packets for additional analysis; paragraph 55, criteria allow DLA to match traffic flow packets with specific actions; paragraph 57, 59-61, actions includes packet indexing, metadata storage, copy, and capture).
The rationale to combine Valdes and Dasgupta is the same as provided for claim 4 due to the overlapping subject matter between claims 4 and 5.

Regarding Claim 7, 21, and 34:
	Valdes teaches a method, an apparatus, and one or more non-transitory computer-readable media, comprising (abstract, probabilistic approach to alert correlation, extending ideas from multisensory data fusion; framework for correlating alerts that match closely but not perfectly; page 10 section 3.2, Experimental Environment comprising multiple machines for network monitoring and alert management as part of protected network):
	one or more processors (page 10 section 3.2, Experimental Environment comprising multiple machines for network monitoring and alert management as part of protected network); and
	memory storing instructions that, when executed by the one or more processors (page 10 section 3.2, machines running EMERALD alert console software), causes the apparatus to:
receiving, from a first network threat intelligence provider, a first network threat indicator that comprises at least one first network address that has been determined, by the first network threat intelligence provider, to be associated with a potential network threat, wherein the at least one first network address comprises one or more of (page 3-4 section 2.2, probabilistic alert fusion approach maintains list of “meta alerts” composed of several alerts from heterogeneous sensors (i.e. multiple threat intelligence providers); page 10 section 3.2, protected network instrumented with several network monitors; sensors at two machines detect attack and provide alert reports; alerts arrive at correlation machine in non-deterministic order as sensors are distributed; page 3-4 section 2.2, alerts include features such as source of attack, target (hosts and ports); page 9 section 3.1, exemplary alert includes source/destination IP address/ports):
a unique Internet host address (page 3-4 section 2.2, alerts include features such as source of attack, target (hosts and ports); page 9 section 3.1, exemplary alert includes source/destination IP address/ports),
a unique domain name, or
a unique Uniform Resource Identifier (URI);
receiving, from a second network threat intelligence provider, a second network threat indicator that comprises at least one second network address that has been determined, by the second network threat intelligence provider, to be associated with the potential network threat (page 3-4 section 2.2, probabilistic alert fusion approach maintains list of “meta alerts” composed of several alerts from heterogeneous sensors (i.e. multiple threat intelligence providers); page 10 section 3.2, protected network instrumented with several network monitors; sensors at two machines detect attack and provide alert reports; alerts arrive at correlation machine in non-deterministic order as sensors are distributed; page 3-4 section 2.2, alerts include features such as source of attack, target (hosts and ports); page 9 section 3.1, exemplary alert includes source/destination IP address/ports);
	generating the third network threat indicator by combining a first portion of the first threat indicator and a second portion of the second threat indicator based on common characteristics of the first network address and the second network address (page 2-3 section 2, new alert correlated with most similar meta alert, otherwise new alert starts new meta alert thread; page 3-4 section 2.2, meta alerts (i.e. third threat indicator) composed of several alerts from heterogeneous sensors; for two alerts, we begin by identifying features they have in common, including e.g. source, target, class of attack, and time; meta alert itself supports threading concept, so we can visualize composing meta alerts from meta alerts; page 5 section 2.3, meta alert contains list of attacker addresses).
	Valdes does not explicitly teach filtering, on a packet-by-packet basis, one or more packets received by the apparatus to determine a first packet that matches a third network threat indicator of one or more packet filtering rules, wherein one or more packet filtering rules were automatically generated by:
generating a first packet filtering rule configured to filter packets associated with the third network threat indicator; and
assigning a capture directive to the first packet filtering rule, wherein the capture directive is configured to cause a packet corresponding to the third network threat indicator to be captured by causing storage of a copy of at least a portion of the packet on a storage device;
	capture, on a packet-by-packet basis, the filtered first packets that matches the third network threat indicator based on the capture directive being assigned to the first packet filtering rule; and
	generate, for the captured first packet, packet capture data comprising:
	raw packet content of the captured first packet, and
	threat context information comprising:
an indication of the first packet filtering rule, and
the third threat indicator.
	However, Dasgupta teaches the concept of filtering, on a packet-by-packet basis, one or more packets received by an apparatus to determine a first packet that matches a network threat indicator of one or more packet filtering rules (paragraph 47, device determines quarantine and action policy for one or more packets in anomalous traffic flow; device applies quarantine and action policies to one or more packets of anomalous traffic flow; paragraph 55, SLA determines the tracking criteria/rules (e.g., the direction, flows, etc. to be tracked) and pushes these criteria down to the DLA, to allow the DLA to match traffic flow packets with specific actions (e.g., according to one or more policies pushed to the DLA with the tracking criteria); paragraph 49, DLA monitors network conditions, e.g. router states, traffic flows, etc., and performs anomaly detection on monitored data using one or more machine learning models; paragraph 51, DLA monitors traffic flows associated with the devices of local network by comparing the monitored conditions to one or more machine-learning models, i.e. “packet filtering rules”; paragraph 40, learning machine constructs model of normal network behavior to detect data points that deviate from this model, i.e. “automatically generating” a response), wherein one or more packet filtering rules were automatically generated by (paragraph 40, learning machine constructs model of normal network behavior to detect data points that deviate from this model, i.e. “automatically generating” a response);
generating a first packet filtering rule configured to filter packets associated with a network threat indicator (paragraph 40, learning machine constructs model of normal network behavior to detect data points that deviate from this model; paragraph 51, DLA monitors traffic flows associated with the devices of local network by comparing the monitored conditions to one or more machine-learning models, i.e. “packet filtering rules”; DLA uses model to determine that traffic flow is anomalous; paragraph 52, DLA reports detected anomaly and provides indication in response to identifying traffic flow as anomalous; such indication comprises source, destination, type of flow, model used to identify as anomalous, i.e. “threat indicators”); and
assigning a capture directive to the first packet filtering rule, wherein the capture directive is configured to cause a packet corresponding to the network threat indicator to be captured by causing storage of a copy of at least a portion of the packet on a storage device (paragraph 47, device determines quarantine and action policy for one or more packets in anomalous traffic flow, i.e. “capture directive”; device applies quarantine and action policies to one or more packets of anomalous traffic flow; paragraph 52, 54, 61, distributed learning agent (DLA) reports detected anomaly to supervisory learning agent (SLA); SLA determines flow tracking criteria in real time by identifying interfaces corresponding to direction/effects of existing flow tracking criteria; the flow tracking criteria may be triggered automatically when an anomaly has been detected by the DLA or in response to receiving confirmation that the flow requires further analysis (e.g., based on rules maintained by the SLA, etc.); paragraph 55, SLA determines the tracking criteria/rules (e.g., the direction, flows, etc. to be tracked) and pushes these criteria down to the DLA, to allow the DLA to match traffic flow packets with specific actions (e.g., according to one or more policies pushed to the DLA with the tracking criteria); paragraph 72, device applies quarantine and action policies to one or more packets of anomalous flow; quarantine policy comprises capture directive causing packet to be captured; paragraph 58, anomalous flows (comprising packets) received, indexed, and stored by quarantine device);
	capture, on a packet-by-packet basis, the filtered first packets that matches the network threat indicator based on the capture directive being assigned to the first packet filtering rule (paragraph 51, DLA monitors traffic flows associated with the devices of local network by comparing the monitored conditions to one or more machine-learning models, i.e. “packet filtering rules”; DLA uses model to determine that traffic flow is anomalous; paragraph 52, DLA reports detected anomaly and provides indication in response to identifying traffic flow as anomalous; such indication comprises source, destination, type of flow, model used to identify as anomalous, i.e. “threat indicators”; paragraph 47, device determines quarantine and action policy for one or more packets in anomalous traffic flow (as determined by “threat indicators” compared to model, as above); device applies quarantine and action policies to one or more packets of anomalous traffic flow; paragraph 53, flow tracking criteria identify in real time packets that match the criteria so that action/mitigation or quarantine policies may be applied to the matching packets; paragraph 55, SLA determines the tracking criteria/rules (e.g., the direction, flows, etc. to be tracked) and pushes these criteria down to the DLA, to allow the DLA to match traffic flow packets with specific actions (e.g., according to one or more policies pushed to the DLA with the tracking criteria); paragraph 61, quarantine policy causes DLA to provide copy of tracked packets of anomalous flow to quarantine device, i.e. “packet capture”; paragraph 72, device applies quarantine and action policies to one or more packets of anomalous flow; policies therefore comprise one or more filtering rules, applied to packets which fit flow tracking criteria; quarantine policy comprises capture directive causing packet to be captured); and
	generate, for the captured first packet, packet capture data comprising (paragraph 52, 54, 61, quarantine policy may cause the DLA to provide a copy of tracked packets of an anomalous flow to a quarantine device; copy of packets of traffic flow provided to SLA; DLA reports detected anomaly to SLA, including indication of data regarding the model used by the DLA to identify the flow as anomalous):
	raw packet content of the captured first packet (paragraph 52, 54, 61, quarantine policy may cause the DLA to provide a copy of tracked packets of an anomalous flow to a quarantine device; copy of packets of traffic flow provided to SLA), and
	threat context information comprising:
an indication of the first packet filtering rule (paragraph 52, 54; DLA reports detected anomaly to SLA, including indication of data regarding the model used by the DLA to identify the flow as anomalous; paragraph 59, quarantine device stores metadata indicative of type of anomaly, e.g. graph based anomaly, end host based anomaly, etc.); and
the threat indicator (paragraph 59, metadata associated with captured packets includes data indicative of the type of anomaly).
	Valdes teaches wherein the threat indicator is the third threat indicator (page 2-3 section 2, new alert correlated with most similar meta alert, otherwise new alert starts new meta alert thread; page 3-4 section 2.2, meta alerts (i.e. third threat indicator) composed of several alerts from heterogeneous sensors; for two alerts, we begin by identifying features they have in common, including e.g. source, target, class of attack, and time; meta alert itself supports threading concept, so we can visualize composing meta alerts from meta alerts).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the packet capture rule teachings of Dasgupta with the combined threat indicator teachings of Valdes, in order to provide information regarding a possible threat to a system or administrator for forensic purposes, thereby resulting in more accurate or improved rulesets or policies which improve security results and reduce false positives.
Neither Valdes nor Dasgupta explicitly teaches wherein the computing device is located at a boundary between a protected network and an unprotected network; and
wherein the packet capture data is a packet capture file.
However, Grossman teaches the concept wherein a computing device is located at a boundary between a protected network and an unprotected network (paragraph 72, network taps inserted at different parts of an enterprise network to detect probing, intrusions, and attacks on the enterprise, and develop appropriate responses to stop or limit the impact; interface of network tap located on boundary between outside and inside of information infrastructure); and
wherein packet capture data is a packet capture file (paragraph 113, network traffic is collected by sensor, i.e. network tap, including multiple packets which are processed by event record and file builder to produce files of packets, i.e. PCAP files).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the boundary device and packet capture file teachings of Grossman with the threat indication and rule generation teachings of Valdes in view of Dasgupta.  Locating a network monitoring device at the boundary between a protected and unprotected network allows packets to flow freely throughout the protected network, while focusing protection efforts at the most likely point of attack on said network, thereby preventing access to any of the protected nodes without passing a security checkpoint.  Furthermore, storing acquired data in the form of files is well known in the art, as files provide a discrete structure which is familiar to longtime computer users and mimics real world information storage.

Regarding Claim 12:
Valdes in view of Dasgupta and Grossman teaches the method of claim 7.  In addition, Valdes teaches wherein the common characteristics comprise one or more of:
a common source address (page 3-4 section 2.2, alerts include features such as source of attack, target (hosts and ports); page 9 section 3.1, exemplary alert includes source/destination IP address/ports), 
a common source port (page 3-4 section 2.2, alerts include features such as source of attack, target (hosts and ports); page 9 section 3.1, exemplary alert includes source/destination IP address/ports), 
a common destination address (page 3-4 section 2.2, alerts include features such as source of attack, target (hosts and ports); page 9 section 3.1, exemplary alert includes source/destination IP address/ports), 
a common destination port (page 3-4 section 2.2, alerts include features such as source of attack, target (hosts and ports); page 9 section 3.1, exemplary alert includes source/destination IP address/ports), 
a common protocol type,
a common URI, or
a common domain name.

Regarding Claims 13, 27, and 40:
Valdes in view of Dasgupta and Grossman teaches the method of claim 7, the apparatus of claim 21, and the non-transitory computer-readable media of claim 34.   In addition, Dasgupta teaches wherein the capture directive causes the computing device to store a copy of the entire content of any rule-matching packet on the storage device (paragraph 52, 54, 61, distributed learning agent (DLA) reports detected anomaly to supervisory learning agent (SLA); SLA determines flow tracking criteria in real time by identifying interfaces corresponding to direction/effects of existing flow tracking criteria; the flow tracking criteria may be triggered automatically when an anomaly has been detected by the DLA or in response to receiving confirmation that the flow requires further analysis (e.g., based on rules maintained by the SLA, etc.); quarantine policy may cause the DLA to provide a copy of tracked packets of an anomalous flow to a quarantine device; copy of packets of traffic flow provided to SLA; paragraph 58, anomalous flows (comprising packets) received, indexed, and stored by quarantine device; “copy” can be construed to mean the entirety of the contents of the packet).
The rationale to combine Valdes and Dasgupta is the same as provided for claims 7, 21, and 34 due to the overlapping subject matter between claims 7 and 13, 21 and 27, 34 and 40.

Regarding Claim 14:
Valdes in view of Dasgupta and Grossman teaches the method of claim 1.  In addition, Grossman teaches the method, further comprising: 
updating the packet filtering rules associated with a threat incident based on results of a threat incident investigation (paragraph 93, Real Time Analytic Engine analyzes potential threats and correlated behaviors and creates real time decisions about mitigation actions by processing data from multiple scoring engines and other sources; the near real time decisions about mitigation events are structured into command and control (C2) messages (e.g., mitigation threat intelligence messages), passed to the enterprise services bus 116, which they are processed by the control plane engine 114, which in turn takes various mitigation events or actions, such as closing a port, modifying packets, blocking a subnet, blocking one or more Internet Protocols (IPs) or ranges of IPs, blocking one or more internal or external IPs, controlling the transmission of packets or flows).
The rationale to combine Valdes and Grossman is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 14.

Regarding Claim 15:
Valdes in view of Dasgupta and Grossman teaches the method of claim 1.  In addition, Valdes teaches wherein the second network threat indicator comprises one or more network addresses indicating one or more malicious domains (page 3-4 section 2.2, alerts include features such as source of attack, target (hosts and ports); page 9 section 3.1, exemplary alert includes source/destination IP address/ports).

Regarding Claim 19 and 32:
Valdes in view of Dasgupta and Grossman teaches the apparatus of claim 17 and the non-transitory computer-readable media of claim 30.  In addition, Dasgupta teaches wherein the capture directive is configured to cause the apparatus to copy the entire content of any rule-matching packet on the storage device (paragraph 52, 54, 61, distributed learning agent (DLA) reports detected anomaly to supervisory learning agent (SLA); SLA determines flow tracking criteria in real time by identifying interfaces corresponding to direction/effects of existing flow tracking criteria; the flow tracking criteria may be triggered automatically when an anomaly has been detected by the DLA or in response to receiving confirmation that the flow requires further analysis (e.g., based on rules maintained by the SLA, etc.); quarantine policy may cause the DLA to provide a copy of tracked packets of an anomalous flow to a quarantine device; copy of packets of traffic flow provided to SLA; paragraph 58, anomalous flows (comprising packets) received, indexed, and stored by quarantine device; “copy” can be construed to mean the entirety of the contents of the packet).
The rationale to combine Valdes and Dasgupta is the same as provided for claims 17 and 30 due to the overlapping subject matter between claims 17 and 19, 30 and 32.

Regarding Claims 26 and 39:
Valdes in view of Dasgupta and Grossman teaches the apparatus of claim 21 and the non-transitory computer-readable media of claim 34.  In addition Valdes teaches wherein the common characteristics comprise one or more of: 
a common source address (page 3-4 section 2.2, alerts include features such as source of attack, target (hosts and ports); page 9 section 3.1, exemplary alert includes source/destination IP address/ports), 
a common source port (page 3-4 section 2.2, alerts include features such as source of attack, target (hosts and ports); page 9 section 3.1, exemplary alert includes source/destination IP address/ports), 
a common destination address (page 3-4 section 2.2, alerts include features such as source of attack, target (hosts and ports); page 9 section 3.1, exemplary alert includes source/destination IP address/ports), 
a common destination port (page 3-4 section 2.2, alerts include features such as source of attack, target (hosts and ports); page 9 section 3.1, exemplary alert includes source/destination IP address/ports), or 
a common protocol type.

Regarding Claim 28:
Valdes in view of Dasgupta and Grossman teaches the method of claim 1.  In addition, Valdes teaches wherein the first portion of the first network threat indicator is different than the second portion of the second network threat indicator (page 6-7 section 2.5, Feature Fusion; when the system decides to fuse two alerts, based on aggregate similarity across common features, the fused feature set is a superset of the features of the two alerts; feature values in fused alerts are typically lists, so alert fusion involves list merging, e.g. attacker address list has new attacker address appended, and lists of target hosts are merged, based on matching port list, i.e. address lists of first and second threat indicators are different, but are matched based on port list).

Regarding Claim 29:
Valdes in view of Dasgupta and Grossman teaches the method of claim 1.  In addition, Valdes teaches wherein the third network threat indicator indicates a range that comprises the first network address and the second network address (page 6-7 section 2.5, Feature Fusion; when the system decides to fuse two alerts, based on aggregate similarity across common features, the fused feature set is a superset of the features of the two alerts; feature values in fused alerts are typically lists, so alert fusion involves list merging, e.g. attacker address list has new attacker address appended, and lists of target hosts are merged, based on matching port list, i.e. meta alert comprises range of values of addresses of included alerts).

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Valdes in view of Dasgupta and Grossman, and further in view of Fakeri-Tabrizi et al (PGPUB 2016/0065611).

Regarding Claim 3:
Valdes in view of Dasgupta and Grossman teaches the method of claim 1.
Neither Valdes nor Dasgupta nor Grossman explicitly teaches wherein the common characteristics comprise one or more of:
a common URI, or
a common domain name.
However, Fakeri-Tabrizi teaches the concept wherein determining whether a first threat indicator overlaps with a second threat indicator comprises determining that the first threat indicator and the second indicator both comprise one or more of:
a common uniform resource identifier (URI), or
a common domain name (abstract, method for detecting anomalies in DNS requests; paragraph 38-42, anomaly detection system evaluates anomalous requests by collecting anomalous statistics and correlating said statistics to a fully-qualified domain name (FQDN), customer name, IP address, etc.).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the URI correlation teachings of Fakeri-Tabrizi with the threat indication and rule generation teachings of Valdes in view of Dasgupta and Grossman, in order to generate better statistics and a more accurate view of network threats by finding out which threats relate to each other which may have previously been viewed in isolation, allowing for a system to generate a faster response to threats and reduce false positives.

Claims 6, 20, 33 are rejected under 35 U.S.C. 103 as being unpatentable over Valdes in view of Dasgupta and Grossman, and further in view of Rao (PGPUB 2016/0285706).

Regarding Claims 6, 20, and 33:
Valdes in view of Dasgupta and Grossman teaches the method of claim 1, the apparatus of claim 17, and the non-transitory computer-readable media of claim 30.
Neither Valdes nor Dasgupta nor Grossman explicitly teaches wherein the capturing the first packet further comprises: 
capturing incoming and outgoing packets of a flow.
However, Rao teaches the concept wherein capturing a first packet comprises: capturing incoming and outgoing packets of a flow (abstract, apparatus for filtering; paragraph 171, filters for capturing packets corresponding to bi-directional traffic).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the bidirectional capture teachings of Rao with the threat indication and rule generation teachings of Valdes in view of Dasgupta and Grossman, in order to protect against threats originating both within the network and from outside the network, by monitoring the system for anomalies related to both incoming and outgoing traffic, thereby improving threat detection and mitigation.

Claims 8-11, 22-25, 35-38 are rejected under 35 U.S.C. 103 as being unpatentable over Valdes in view of Dasgupta and Grossman, and further in view of Aumann et al (PGPUB 2016/0020968).

Regarding Claims 8, 22, and 35:
Valdes in view of Dasgupta and Grossman teaches the method of claim 7, the apparatus of claim 21, and the non-transitory computer-readable media of claim 34.
Neither Valdes nor Dasgupta nor Grossman explicitly teaches wherein the instructions, when executed by the one or more processors, cause the apparatus to: 
perform flow correlations of packets originating from both sides of the computing device to determine flow correlated packets from a flow, 
wherein a source address value or a destination address value of flow correlated packets originating from different sides of the flow are equal, and 
wherein a source port value or a destination port value of flow correlated packets originating from different sides of the flow are equal.
However, Aumann teaches the concept of performing flow correlations of packets originating from both sides of a computing device to determine flow correlated packets from a flow (paragraph 69, DPI engine analyses both directions of traffic flows together; in the present disclosure, both directions of traffic flows being analyzed together are referred to as a bi-directional traffic flow; a bi-directional traffic flow groups the two directional traffic flows corresponding to opposite directions together), 
wherein a source address value or a destination address value of flow correlated packets originating from different sides of the flow are equal (paragraph 69-76, a bi-directional traffic flow groups the two directional traffic flows corresponding to opposite directions together; that is to say, the source of one directional traffic flow corresponds to the destination of the other directional traffic flow in opposite direction; bi-directional traffic flow source which matches corresponding destination includes both address and port), and 
wherein a source port value or a destination port value of flow correlated packets originating from different sides of the flow are equal (paragraph 69-76, bi-directional traffic flow source which matches corresponding destination includes both address and port).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the bidirectional flow data teachings of Aumann with the packet capture teachings of Valdes in view of Dasgupta and Grossman, in order to reliably detect application layer protocols (Aumann, paragraph 69), and thereby improve analysis and accuracy of the overall packet monitoring system.

Regarding Claims 9, 23, and 36:
Valdes in view of Dasgupta, Grossman, and Aumann teaches the method of claim 8, the apparatus of claim 22, and the non-transitory computer-readable media of claim 35.  In addition, Dasgupta teaches wherein the instructions, when executed by the one or more processors, cause the apparatus to: generate a flow capture data comprising raw packet content and threat context information of any packets (paragraph 52, 54, 61, quarantine policy may cause the DLA to provide a copy of tracked packets of an anomalous flow to a quarantine device; copy of packets of traffic flow provided to SLA; DLA reports detected anomaly to SLA, including indication of data regarding the model used by the DLA to identify the flow as anomalous); and
Grossman teaches wherein the capture data is a capture file (paragraph 113, network traffic is collected by sensor, i.e. network tap, including multiple packets which are processed by event record and file builder to produce files of packets, i.e. PCAP files); and
Aumann teaches wherein the packets are flow correlated packets (paragraph 69, DPI engine analyses both directions of traffic flows together; in the present disclosure, both directions of traffic flows being analyzed together are referred to as a bi-directional traffic flow; a bi-directional traffic flow groups the two directional traffic flows corresponding to opposite directions together).
The rationale to combine Valdes, Dasgupta, Grossman, and Aumann is the same as provided for claims 8, 22, and 35 due to the overlapping subject matter between claims 8 and 9, 22 and 23, 35 and 36.

Regarding Claims 10, 24, and 37:
Valdes in view of Dasgupta and Grossman teaches the method of claim 7, the apparatus of claim 21, and the non-transitory computer-readable media of claim 34.  In addition, Dasgupta wherein the instructions, when executed by the one or more processors, cause the apparatus to:
performing flow correlations of packets (paragraph 53, SLA generates flow tracking criteria; DLA uses flow tracking criteria to identify packets that match the criteria),
wherein the flow correlated packets are generated by a single event (paragraph 50, 52, traffic flows indicative of an anomaly in network; detected anomaly reported to SLA).
Neither Valdes nor Dasgupta nor Grossman explicitly teaches wherein the instructions, when executed by the one or more processors, cause the apparatus to: 
performing flow correlations of packets originating from both sides of the apparatus to determine flow correlated packets from a flow, 
wherein at least one of address values and port values of flow correlated packets originating from different sides of the flow are equal.
However, Aumann teaches the concept of performing flow correlations of packets originating from both sides of a computing device to determine flow correlated packets from a flow (paragraph 69, DPI engine analyses both directions of traffic flows together; in the present disclosure, both directions of traffic flows being analyzed together are referred to as a bi-directional traffic flow; a bi-directional traffic flow groups the two directional traffic flows corresponding to opposite directions together), 
wherein at least one of address values and port values of flow correlated packets originating from different sides of the flow are equal (paragraph 69-76, a bi-directional traffic flow groups the two directional traffic flows corresponding to opposite directions together; that is to say, the source of one directional traffic flow corresponds to the destination of the other directional traffic flow in opposite direction; bi-directional traffic flow source which matches corresponding destination includes both address and port).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the bidirectional flow data teachings of Aumann with the packet capture teachings of Valdes in view of Dasgupta and Grossman, in order to reliably detect application layer protocols (Aumann, paragraph 69), and thereby improve analysis and accuracy of the overall packet monitoring system.
 
Regarding Claims 11, 25, and 38:
Valdes in view of Dasgupta, Grossman, and Aumann teaches the method of claim 10, the apparatus of claim 24, and the non-transitory computer-readable media of claim 37.  In addition, Dasgupta teaches wherein the instructions, when executed by the one or more processors, cause the apparatus to: generate a flow capture data comprising raw packet content and threat context information of any packets (paragraph 52, 54, 61, quarantine policy may cause the DLA to provide a copy of tracked packets of an anomalous flow to a quarantine device; copy of packets of traffic flow provided to SLA; DLA reports detected anomaly to SLA, including indication of data regarding the model used by the DLA to identify the flow as anomalous); and
Grossman teaches wherein the capture data is a capture file (paragraph 113, network traffic is collected by sensor, i.e. network tap, including multiple packets which are processed by event record and file builder to produce files of packets, i.e. PCAP files); and
Aumann teaches wherein the packets are flow correlated packets (paragraph 69, DPI engine analyses both directions of traffic flows together; in the present disclosure, both directions of traffic flows being analyzed together are referred to as a bi-directional traffic flow; a bi-directional traffic flow groups the two directional traffic flows corresponding to opposite directions together).
The rationale to combine Valdes, Dasgupta, Grossman, and Aumann is the same as provided for claim 10, 24, and 37 due to the overlapping subject matter between claims 10 and 11, 24 and 25, 37 and 38.

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Valdes in view of Dasgupta and Grossman, and further in view of Buruganahalli et al (US 9,419,942).

Regarding Claim 16:
Valdes in view of Dasgupta and Grossman teaches the method of claim 1.
Neither Valdes nor Dasgupta nor Grossman explicitly teaches wherein combining the first portion of the first network threat indicator with the second portion of the second network threat indicator is based on a certificate or certificate authority.
However, Buruganahalli teaches the concept wherein combining a first portion of a first threat indicator with a second portion of a second threat indicator is based on a certificate or certificate authority (col 6 line 27-48, various techniques used to extract destination domain information (e.g., from the SNI field of a client hello message of a set-up of a TLS session) and to correlate that extracted destination domain information with other information (e.g., other fields of the client hello can be used for relevant data/security analysis); the information extracted from the SNI field can be correlated to the id-at-commonName of the certificate received from the remote server (e.g., external web server); if the SNI name and the commonName from the certificate are determined to not match (e.g., to be different), then the security device (e.g., firewall) can trigger this event as suspicious and use this for further correlation (e.g., to share with a security cloud service), such as from other messages of that and/or other flows).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the certificate teachings of Buruganahalli with the threat indication and rule generation teachings of Valdes in view of Dasgupta and Grossman, in order to generate better statistics and a more accurate view of network threats by finding out which threats relate to each other which may have previously been viewed in isolation, allowing for a system to generate a faster response to threats and reduce false positives.

Response to Arguments
Applicant's arguments filed 6/15/2022 have been fully considered but they are not persuasive. 

Regarding the rejection of claims under 35 USC 103:
	Applicant’s remarks, page 17 paragraph 2-page 19 paragraph 4, consist of a summary of the rejection and the teachings of the Valdes, Dasgupta, and Grossman references.
	Applicant argues, page 19 paragraph 5-page 20 paragraph 1: But none of the cited references teach, disclose, or otherwise suggest at least, as recited by claim 1, "receiving, by a computing device located at a boundary between a protected network and an unprotected network and from a first network threat intelligence provider, a first network threat indicator that comprises at least one first network address that has been determined, by the first network threat intelligence provider, to be associated with a potential network threat,... receiving, by the computing device and from a second network threat intelligence provider, a second network threat indicator that comprises at least one second network address that has been determined, by the second network threat intelligence provider, to be associated with the potential network threat;" and "generating a third network threat indicator that comprises at least one third network address by combining a first portion of the first network threat indicator and a second portion of the second network threat indicator based on common characteristics of the first network address and the second network address." The Action appears to assert that the combination of Valdes and Dasgupta teaches this functionality, but this misunderstands both references. Valdes' alerts have nothing to do with the claimed "network threat indicator[s]." For instance, Valdes' alerts do not comprise "at least one first network address that has been determined, by the first network threat intelligence provider, to be associated with a potential network threat." Rather, Valdes' alerts are merely that: alerts, which might include information such as the source of an attack. Dasgupta does not remedy these deficiencies. The process by which Dasgupta determines an anomalous flow has absolutely no relation to a process whereby two different "network threat indicator[s]" are received, let alone where such network threat indicators comprise, for example, "at least one first network address that has been determined, by the first network threat intelligence provider, to be associated with a potential network threat." In turn, Dasgupta would never "combin[e]" two different threat indicators because Dasgupta does not teach these elements in the first place.

	Examiner’s response: Applicant’s arguments appear to rely on an unreasonably narrow interpretation of the terms “network threat indicator” and “network threat intelligence provider”.  However, the terms are not so limited.  At a minimum, a “network threat indicator” can be seen as information which indicates a threat to a network.  For instance, receiving an alert, i.e. “indicator” regarding a detected attack, i.e. “network threat”, including information such as the source of the attack, is most definitely a “network threat indicator”.  The device which provided the alert, such as a network tap, monitor, sensor, etc., therefore becomes a “network threat intelligence provider”.  This interpretation would appear to be consistent with the BRI of each of the terms.  Applicant acknowledges that Valdes teaches just such a system of alerts and alert providers; therefore, Valdes teaches at least “network threat indicators” and “network threat intelligence providers”.  Applicant asserts but does not provide any evidence as to why such alerts as in Valdes cannot be considered “network threat indicators”.
	With regard to the additional elements of claim 1, i.e. “a first network threat indicator that comprises at least one first network address that has been determined, by the first network threat intelligence provider, to be associated with a potential network threat…”, Examiner notes that the address is merely “associated” with a potential network threat.  For instance, the address could be the source of the attack, target of the attack, exploited machine, intermediary, etc.  The attack alerts of Valdes include this as well: e.g. page 3-4 section 2.2, alerts include features such as source of attack, target (hosts and ports); page 9 section 3.1, exemplary alert includes source/destination IP address/ports.  In addition, Valdes teaches combining alerts into meta alerts comprising combined IP addresses (e.g. page 3-4 section 2.2, meta alerts (i.e. third threat indicator) composed of several alerts from heterogeneous sensors; for two alerts, we begin by identifying features they have in common, including e.g. source, target, class of attack, and time; meta alert itself supports threading concept, so we can visualize composing meta alerts from meta alerts; page 5 section 2.3, meta alert contains list of attacker addresses), i.e. “generating a third network threat indicator that comprises at least one third network address by combining a first portion of the first network threat indicator and a second portion of the second network threat indicator based on common characteristics of the first network address and the second network address.”  Valdes therefore teaches the argued elements of claim 1, above.
	With regard to Dasgupta, Examiner notes that Valdes is not deficient.  Therefore, it is not necessary for Dasgupta to teach what Valdes already teaches.

Applicant argues, page 20 paragraph 2: Moreover, none of the cited references teach "capturing, by the computing device, the filtered first packet that matches the third network threat indicator based on the capture directive being assigned to the first packet filtering rule." At no point does Dasgupta describe that a rule is particularly assigned a "capture directive," let alone one that is associated with a "third network threat indicator."  Dasgupta is focused on remedial actions taken once anomalous packets are detected. One aspect of these remedial actions is causing "the one or more packets to be captured/quarantined for further analysis by an expert." (Dasgupta, para. 0072). But even if this broadly described the concept of capturing packets, Dasgupta never teaches a "assigning a capture directive to the first packet filtering rule, wherein the capture directive is configured to cause a packet corresponding to the third network threat indicator to be captured by causing storage of a copy of at least a portion of the packet on a storage device" because Dasgupta never assigns a capture directive to a rule, but rather simply captures packets in a broad sense. In turn, Dasgupta never describes "capturing, by the computing device, the filtered first packet that matches the third network threat indicator based on the capture directive being assigned to the first packet filtering rule." None of the other references remedy this deficiency.
	
Examiner’s response: Applicant seems to imply that Dasgupta simply collects anomalous packets on a whim.  However, this is not the case.  In order to determine the packets are anomalous, they are compared to a model (e.g. paragraph 51).  A rule can generally be interpreted as any policy, regulation, or directive which leads to a course of action or outcome.  A model which identifies anomalous flows can certainly be seen as a filtering rule.  Once the anomalous flow of packets is identified, information regarding the packet flows and the detection model is provided to an SLA device, which assigns a quarantine policy to copy the anomalous packet data to a quarantine device (paragraph 47, 55); this can certainly be seen as assigning a capture directive to the anomalous packet detection model.  Valdes already teaches combining first and second threat indicators into a third threat indicator.  Therefore, Valdes in view of Dasgupta does teach "assigning a capture directive to the first packet filtering rule, wherein the capture directive is configured to cause a packet corresponding to the third threat indicator to be captured by causing storage of a copy of at least a portion of the packet on a storage device" and "capturing, by the computing device and based on the capture directive, at least one of the one or more packets filtered by the computing device based on determining that the at least one of the one or more packets matches the third threat indicator."

Applicant argues, page 21 paragraph 1-3: This distinction is quite critical to one of the many benefits of the present application. As discussed in the Specification, conventional patent capture solutions are inefficient: 
The motivation for capturing packets is that the cyber-analyst who is investigating threat incidents may want to view the contents of the packets that generated a particular threat incident log. Because conventional solutions cannot readily discriminate between threat and legitimate packets when they are in transit, the default behavior is to capture all, or substantially all, packets. Capturing or storing all packets ensures that when a cyber-analyst wants to investigate a threat incident by examining the associated packets' contents, the associated packets will be in store. However the cost is high: As above with packet logs, given that threat communications typically compose only a small percentage of network traffic, the inefficiencies are very large, with 10X-100X more packets stored than will be needed for threat analysis. 
(Specification, para. 0005). The present claims, which are focused on determining whether to capture specific packets, does not suffer from these issues.

	Examiner’s response: However, the recited advantages of applicant’s invention are irrelevant in this case, as the claims are obvious in view of the prior art.  Furthermore, Dasgupta cannot be seen to “capture all, or substantially all” packets, as Dasgupta at least discriminates between normal and anomalous flows using a set of rules (i.e. “models”).  In addition, the flows are captured on a packet-by-packet basis as the relevant packets are identified (paragraph 51).

Applicant argues, page 21 paragraph 1-3: Applicant notes that these deficiencies persist regardless of how the references are combined. For example, even if the present combination of references were reformatted such that Dasgupta was a primary reference (with Valdes/Grossman as secondary references), this would not remedy the aforementioned deficiencies. 
More broadly, a Person of Ordinary Skill in the Art (a "POSA") would not have been motivated to combine the references in the manner cited by the Action. Indeed, no matter how the references are combined (e.g., Valdes as a primary reference with Dasgupta/Grossman as secondary references, Dasgupta as a primary reference with Valdes/Grossman as secondary references, etc.), the combination would not teach the present claims. The Action proposes a combination of (1) a reference that combines alerts, (2) a reference that inspects the content of packets to identify anomalous packets, and (3) a reference which, among other things, describes a network tap. No matter how these references are combined, they would not teach, for example, the idea of multiple different network-threat intelligence providers, much less combining different network threat indicators into a single network threat indicator for a single rule, much less the concept of attaching a packet capture directive or flow capture directive to that rule, much less the idea of filtering/capturing/logging at the boundary of a protected network and unprotected network using that rule.

Examiner’s response: As shown above, the references are not deficient; Valdes teaches multiple different network-threat intelligence providers (e.g. multiple network sensors and monitors which provide “threat intelligence”, i.e. attack alerts), combining different network threat indicators into a single network threat indicator for a single rule (e.g. meta alerts used to direct a response), Dasgupta teaches attaching a packet capture directive or flow capture directive to the rule (e.g. assigning quarantine directive to anomalous packet model), and Grossman teaches filtering/capturing/logging at the boundary of a protected and unprotected network using corresponding rules (e.g. generating PCAP files of collected network traffic at network boundary using network taps).  The combination of references therefore does teach the argued limitations.

Applicant argues, page 22 paragraph 1: The attached declaration by Dr. Sean Moore elaborates on these distinctions further. As described in that declaration, the present application involves many improvements to then-conventional cybersecurity systems. (Moore decl. ¶¶ 7-14). For example, the present invention generates and uses novel packet filtering rules (Moore decl. ¶ 12), those rules can be based on information from multiple different network threat intelligence providers (Moore decl. ¶ 13 and the present invention generates unique packet capture files which make the overall threat analysis process simpler. (Moore decl. ¶ 14). Moreover, as described in Dr. Moore's declaration, the cited references-alone or in any form of combination-do not achieve any of these benefits. (Moore decl. ¶¶ 15-17). For example, none of the cited references disclose the "network threat indicator[s]" of the claims, let alone the process by which those indicators are "combin[ed]." (Moore decl. ¶¶ 16).

Examiner’s response: Examiner is unpersuaded.  The affidavit discusses the underlying technologies and comparable advantages of Applicant’s invention as envisioned in great detail.  Examiner does not dispute Applicant’s knowledge or expertise.  However, the primary concern with regard to the invention as claimed is the broadest reasonable interpretation (BRI) of the individual claimed elements.  Applicant appears to ascribe special meaning to “network threat indicators” and “network threat intelligence providers” which is not justified according to the plain meaning of the terms.  Absent a more detailed description of said terms in the language of the claim itself, the BRI of “network threat indicators” and “network threat intelligence providers” can be seen to cover the corresponding subject matter of attack alerts and network sensors/monitors as taught by Valdes.

	Applicant’s arguments with regard to independent claims 7, 17, and 21 are similar to those regarding claim 1 and are therefore responded to in a similar way.
	Applicant further argues that the dependent claims are allowable due to depending on an allowable independent claim.  However, as shown above, the independent claims are not allowable.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to FORREST L CAREY whose telephone number is (571)270-7814. The examiner can normally be reached 9:00AM-5:30PM M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/FORREST L CAREY/Examiner, Art Unit 2491                                                                                                                                                                                                        

/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491