DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-22 have been examined and are pending.
Examiner Comments

Claim 22 is directed towards “...a first software-based utility on hardware...and a second software-based utility executed on hardware...” and has been analyzed under 35 USC 101. The claim comprises a network detection system comprising a first utility and a second utility executed on hardware. No rejection under 35 USC 101 on the ground that the claim recites software per se is deemed necessary, since the specification states: “Those of ordinary skill in the art will appreciate that the hardware in Figs. 1-2 may vary depending on the implementation. Other internal hardware or peripheral devices, such as flash memory, equivalent non-volatile memory, or optical disk drives and the like, may be used in addition to or in place of the hardware depicted in FIGs 1-2. Also, the processes of the illustrative embodiments may be applied to a multiprocessor data processing system, other than the SMP system mentioned previously, without departing from the spirit and scope of the disclosed subject matter” (p.12, lines 15-21).

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 06/18/2020 was filed.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Specification
The use of the terms Linux, QRadar SIEM, IPFIX and NetFLOW (on p. 17, line 20 and line 10; p. 19, line 14; p. 19, line 21; and p. 21, line 17, respectively), which are trade names or marks used in commerce, has been noted in this application. Each term should be accompanied by the generic terminology; furthermore, the term should be capitalized wherever it appears or, where appropriate, include a proper symbol indicating use in commerce such as ™, SM, or ® following the term.
Although the use of trade names and marks used in commerce (i.e., trademarks, service marks, certification marks, and collective marks) is permissible in patent applications, the proprietary nature of the marks should be respected and every effort made to prevent their use in any manner which might adversely affect their validity as commercial marks.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim 22 is rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. The analysis follows the 2019 Revised Patent Subject Matter Eligibility Guidance (2019 PEG).
101 Flowchart Analysis:
Step 1: the claim is directed to a system, i.e., a machine, which is a statutory category. Step 2A/Prong 1: the recited claim – a network threat detection system, comprising: a first software-based utility executed on hardware and configured to obtain a packet capture and generate a first encoding, the first encoding including a set of interval-bound traffic measurements for each pairing of one or more addressable network interfaces in the packet capture, together with any other detectable session data; and a second software-based utility executed on hardware and configured to receive a data stream, and, as the data stream is received, to real-time pattern match an encoding of the received data stream against a set of encodings that include the first encoding – when viewed as a whole recites a mental process, and thus an abstract idea: a human security analyst could tabulate per-pair traffic measurements over time intervals from a capture and compare incoming traffic against those tabulations in the mind or with pen and paper.
Step 2A/Prong 2 and Step 2B: the claim recites additional elements in steps (1)-(2), namely software-based utilities executed on hardware that perform a real-time pattern match of an encoding of the received data stream against a set of encodings. These additional elements are recited at a high level of generality and amount to no more than merely “applying” the mental process using a generic computer system. The matching step (2), comparing data against a set of data, is likewise recited at a high level of generality, is not integrated into a practical application, and amounts to mere post-solution matching and comparing, which is a form of insignificant extra-solution activity.
The additional elements are therefore determined to be no more than insignificant extra-solution activity. In particular, the processor and computer system are considered conventional and well-understood, and are recited at a high level of generality. As a result, the claim as a whole is no more than an attempt to broadly cover the concept of using a computer system to implement analysis that a human security analyst would have performed in the mind. Therefore, claim 22 is considered to be directed to an abstract idea without significantly more than the judicial exception.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 3-4, 6-8, 10-11, 13-15, 17-18, and 20-22 are rejected under 35 U.S.C. 103 as being unpatentable over Gong et al., hereinafter (“Gong”), US PG Publication (20160065601 A1), in view of Tran, US PG Publication (20070285843A1).
Regarding claims 1, 8, and 15, Gong teaches a method to identify threats on a TCP/IP-based network; a processor and computer memory holding computer program instructions executed by the processor to identify threats on a TCP/IP-based network, the computer program instructions including program code configured to perform the method; and a computer program product in a non-transitory computer readable medium for use in a data processing system to identify threats on a TCP/IP-based network, the computer program product holding computer program instructions that, when executed by the data processing system, are configured to perform the method: [Gong, ¶0020: computer(s); ¶¶0026-0027, 0029-0030: a method to detect threat activities on a network; determine traffic patterns for transmission control protocol (“TCP”)/IP]
obtaining a set of reference patterns associated with one or more defined Indicators of Compromise (IoCs), wherein a reference pattern is an encoding of a packet capture and includes a set of interval-bound traffic measurements for each pairing of one or more addressable network interfaces in the packet capture, together with any other detectable session data; [Gong, ¶¶0016-0018 and 0026: Network environment 100 generates signatures; data collectors obtain 1st order Indicators of Compromise (IoCs) (obtaining a set of reference patterns associated with one or more defined Indicators of Compromise (IoCs)) so different traffic patterns can be analyzed; the security server 108 receives suspicious data from one or more data collectors. ¶0022: Access points 124 include any device configured to provide wireless connectivity with one or more other digital devices. ¶0023: encoded data (wherein a reference pattern is an encoding of a packet capture) traverses the communication network; ¶0052: collected network traffic/data may be initially identified as suspicious until determined otherwise (e.g., associated with a whitelist) or heuristics find no reason that the network data should be flagged as suspicious. The data flagging module 518 may perform packet analysis (a packet capture) to look for suspicious characteristics in the header, footer, destination IP, origin IP, payload, and the like using techniques including those described herein. Those skilled in the art will appreciate that the data flagging module 518 may perform a heuristic analysis, a statistical analysis, and/or signature identification. ¶¶0015, 0025-0027, 0033, and 0041: The system monitors north-south traffic and east-west traffic simultaneously. East-west traffic (each pairing) can contain the same set of network protocols seen on north-south boundaries, as well as network protocols meant for internal access and data sharing.
A method to detect one or more second order indicators of compromise according to an embodiment includes generating a behavior profile for at least one network device or end-user device (302). An example of a behavior profile for an end-user device includes a distribution of the time duration (a set of interval-bound traffic measurements) for one or more connections. A data collector is configured to have one or more of an interesting domain name and IP address, and the detection mechanism is configured to build a real-time behavior profile where one or more communication network interfaces 404 (one or more addressable network interfaces in the packet capture) are observed.]
receiving, as a data stream, network traffic data associated with a traffic pattern; [Gong  ¶0026: a data collector(s) are configured to intercept network data (a data stream) between network devices; is configured to detect network traffic and to determine traffic patterns (network traffic data associated with a traffic pattern) across the protocol stack between network devices.]
responsive to identifying a match between the network spectral and at least one of the set of reference patterns, taking a given remediation or mitigation action. [Gong, ¶¶0054, 0056 and 0068-0069: the signature module 528 may provide signatures which are used to determine if network traffic/data is suspicious or is malware. If network data matches a signature that is suspicious, then the network data may be flagged as suspicious data. A quarantine module 530 (or instructions) is configured to quarantine suspicious data and/or network traffic/data.]
Gong teaches receiving the network traffic, encoding the received network traffic, and performing real-time pattern matching as the data stream is received [See Gong, ¶¶0016 and 0023: encoded data traversing the communication network 106 to generate signatures; ¶0026: data collectors are configured to intercept network data (a data stream) between network devices and to detect network traffic and determine traffic patterns (network traffic data associated with a traffic pattern); ¶¶0034-0035 and 0068: behavior profiles created from real-time network patterns observed; signature matches performed by signature module 528]. However, Gong does not explicitly teach encoding the received network traffic to generate a network spectral, or matching that network spectral against a set of reference patterns. Tran teaches encoding the received network traffic to generate a network spectral [Tran ¶0131: a fractal generator employs transformations encoding digital data (encoding the received network traffic) representing spectral data (a network spectral)];
as the data stream is received, real-time pattern matching the network spectral against a set of reference patterns that include the reference pattern [Tran, ¶0129: digitized data received by NANO sensors that apply algorithms to detect patterns associated with chemical signals of an associated substance. ¶0131: a fractal generator employs transformations encoding digital data representing spectral data (a network spectral). ¶0140: the method of whole-chemical-structure template matching (real-time pattern matching) has been extended to deal with connected chemical structure recognition. A hidden Markov model is used to derive a set of reference pattern templates, each template representative of an identified pattern in a vocabulary set of reference chemical sub-structure patterns (a set of reference patterns that include the reference pattern).]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of the system and method for detecting lateral movement and data exfiltration of Gong with the teachings of the NANO electronics of Tran. The motivation/suggestion would have been that it was obvious to try to modify the network environment 100 of Gong, which detects threat activities, by adding the matching of spectral data as taught by Tran [Tran, ¶0140].

Regarding claims 3, 10, and 17, the combination of Gong and Tran teach claim 1 as described above.
Gong teaches wherein the at least one reference pattern is generated by encoding the packet capture and filtering one or more time-bounded intervals.  [Gong, See ¶0023 encoded data (wherein the at least one reference pattern is generated by encoding the packet capture) traverses communication network;  ¶¶0029 and 0032: there is a security posture associated for a given period of time for a generated risk score based on an asset value; additionally data collectors and security server support filtering based on  the security policy/posture]

Regarding claims 4, 11, and 18, the combination of Gong and Tran teach claim 1 as described above.
Gong teaches wherein the one or more addressable network interfaces are associated with at least two (2) distinct computing entities. [See Gong ¶¶0015, 0025-0027, 0033, and 0041: a data collector is configured to have one or more of an interesting domain name and IP address, and the detection mechanism is configured to build a real-time behavior profile where one or more communication network interfaces 404 (one or more addressable network interfaces in the packet capture) are observed. Those skilled in the art will appreciate that although FIG. 1 depicts a limited number of digital devices, collectors, routers, access points, and firewalls, there may be any kind and number of devices. For example, there may be any number of end-user devices 110 (at least two (2) distinct computing entities). Hence, Examiner interprets any number of end-user devices 110 as analogous to at least two distinct computing entities.]

Regarding claims 6, 13, and 20, the combination of Gong and Tran teach claim 1 as described above.
Gong teaches wherein the encoding also includes at least one of: traffic volume, directional data, and non-encrypted traffic metadata associated with a transport connection.  [Gong, ¶¶0023 and 0033: communication network 106 carries encoded data; a method to detect one or more second order indicators of compromise where generating a behavior profile across the protocol stack using heuristics/supervised or unsupervised ML; a total amount of data exchanged (traffic volume); a breakdown of the amount of data in each direction (directional data)]

Regarding claims 7, 14, and 21 the combination of Gong and Tran teach claim 1 as described above.
Gong teaches wherein the received network traffic data is one of: captured packet traffic, and data derived from live captured traffic.  [Gong, ¶0052: collected network traffic/data may be initially identified as suspicious until determined otherwise (e.g., associated with a whitelist) or heuristics find no reason that the network data should be flagged as suspicious. The data flagging module 518 may perform packet analysis (captured packet traffic) to look for suspicious characteristics (data derived from live captured traffic) in the header, footer, destination IP, origin IP, payload, and the like using techniques including those described herein. Those skilled in the art will appreciate that the data flagging module 518 may perform a heuristic analysis, a statistical analysis, and/or signature identification.]

Regarding claim 22, Gong teaches a network threat detection system, comprising: 
a first software-based utility executed on hardware and configured to obtain a packet capture and generate a first encoding, the first encoding including a set of interval-bound traffic measurements for each pairing of one or more addressable network interfaces in the packet capture, together with any other detectable session data; [See Gong, ¶¶0016-0018, 0021, and 0026: Network environment 100 generates signatures; data collectors obtain 1st order Indicators of Compromise (IoCs) so different traffic patterns can be analyzed; the security server 108 receives suspicious data from one or more data collectors. Firewalls may include software and/or hardware firewalls. ¶0022: Access points 124 include any device configured to provide wireless connectivity with one or more other digital devices. ¶0023: encoded data (wherein a reference pattern is an encoding of a packet capture) traverses the communication network; ¶¶0015, 0025-0027, 0033, and 0041: The system monitors north-south traffic and east-west traffic simultaneously. East-west traffic (each pairing) can contain the same set of network protocols seen on north-south boundaries, as well as network protocols meant for internal access and data sharing. A method to detect one or more second order indicators of compromise according to an embodiment includes generating a behavior profile for at least one network device or end-user device (302). An example of a behavior profile for an end-user device includes a distribution of the time duration (a set of interval-bound traffic measurements) for one or more connections. A data collector is configured to have one or more of an interesting domain name and IP address, and the detection mechanism is configured to build a real-time behavior profile where one or more communication network interfaces 404 (one or more addressable network interfaces in the packet capture) are observed.]
Gong teaches a first encoding [Gong, ¶0023: encoded data traverses the communication network]; however, Gong does not explicitly teach a second software-based utility executed on hardware and configured to receive a data stream, and, as the data stream is received, to real-time pattern match an encoding of the received data stream against a set of encodings that include the first encoding. Tran teaches this limitation. [Tran, ¶0129: digitized data (a data stream) received by NANO sensors that apply algorithms (a second software-based utility) to detect patterns associated with chemical signals of an associated substance. The chemical signal is parameterized into chemical features by a feature extractor. The output of the feature extractor is delivered to a sub-chemical structure recognizer. ¶0131: These transformations are employed in the process of encoding digital data representing spectral data. The encoded output constitutes a “fractal transform” of the spectral data and consists of coefficients of the affine transformations. Different fractal transforms correspond to different images or sounds. The fractal transforms are iteratively processed in the decoding operation. ¶0138: Once chemical features have been characterized, the chemical recognizer compares input chemical signals with stored templates: a template matcher. ¶0140: the method of whole-chemical-structure template matching (real-time pattern matching) has been extended to deal with connected chemical structure recognition. A hidden Markov model is used to derive a set of reference pattern templates, each template representative of an identified pattern in a vocabulary set of reference chemical sub-structure patterns (a set of encodings that include the first encoding).]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of the system and method for detecting lateral movement and data exfiltration of Gong with the teachings of the NANO electronics of Tran. The motivation/suggestion would have been that it was obvious to try to modify the network environment 100 of Gong, which detects threat activities, by adding matching functionality using a template matcher that compares the characteristics of input signals against stored templates, as taught by Tran [Tran, ¶¶0131-0140].

Claims 2, 9, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Gong et al., hereinafter (“Gong”), US PG Publication (20160065601 A1), in view of Tran, US PG Publication (20070285843A1), in view of Jakobsson, US PG Publication (20200053111 A1).
Regarding claims 2, 9, and 16, the combination of Gong and Tran teach claim 1 as described above.
Tran teaches wherein real-time pattern matching includes: identifying each of the set of reference patterns as a match to the network spectral; [See Tran, ¶¶0129 and 0140]  
However, the combination of Gong and Tran fails to explicitly teach, but Jakobsson teaches, as a confidence for a match between the network spectral and a given reference pattern declines below a configurable threshold, removing the given reference pattern from further consideration. [Jakobsson, ¶¶0163-0164: Detonation analysis of incoming messages; artifacts are preferably detonated if any aspect of the message is higher risk than tolerable, which is determined by the security system computing a risk score and a confidence score based on the sender MUA and comparing at least one of these to a threshold, where the latter case corresponds to a match. When the risk exceeds a first threshold or the confidence is below a second threshold, additional scrutiny or security actions are performed. ¶0289: The system can determine that one device is likely under attack and automatically and rapidly reroute messages intended for that account to another account by deleting the incoming message as it is delivered or soon after it has been delivered]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gong and Tran with the teachings of artifact modification and associated abuse detection of Jakobsson. The motivation/suggestion would have been that it was obvious to try to modify the network environment 100 of Gong, which detects threat activities and, as modified by Tran, matches spectral data, by adding the detonation analysis of Jakobsson, in which a confidence score is compared against a threshold and a message whose confidence falls below that threshold is subjected to further action or deleted from further consideration [Jakobsson, ¶¶0163-0164 and 0289].
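The claim language discussed above describes a concrete pipeline: encode a packet capture into per-pair, interval-bound traffic measurements (claims 1 and 22), match an encoding of a live stream against a set of such reference patterns as the stream arrives (claims 1 and 22), and drop a reference from further consideration once its match confidence falls below a configurable threshold (claims 2, 9 and 16). The following Python example is added here by the editor to illustrate what that pipeline looks like in working code; it is not the applicant's implementation and is not taken from Gong, Tran or Jakobsson. The packet records, IP addresses, one-second interval width, rank-based similarity measure and 0.6 confidence threshold are all assumptions chosen for the illustration.

```python
from collections import defaultdict

# Constructed packet records for illustration (NOT from the application or the
# cited art): (timestamp_seconds, src, dst, payload_bytes). Dyadic fractions are
# used for timestamps so that interval arithmetic on floats is exact.
VICTIM, C2, DROP = "10.0.0.5", "203.0.113.7", "198.51.100.9"
BEACON_REF = [p for i in range(4)
              for p in ((i + 0.25, VICTIM, C2, 120), (i + 0.75, C2, VICTIM, 80))]
EXFIL_REF = [p for i in range(4)
             for p in ((i + 0.25, VICTIM, DROP, 60000), (i + 0.75, DROP, VICTIM, 100))]
# A live stream between different hosts that behaves like the beacon reference.
LIVE_STREAM = [p for i in range(4)
               for p in ((i + 0.25, "10.0.0.42", "192.0.2.33", 130),
                         (i + 0.75, "192.0.2.33", "10.0.0.42", 90))]


def _pair_and_direction(src, dst):
    """Canonical unordered endpoint pair, plus whether src is the 'low' endpoint."""
    pair = tuple(sorted((src, dst)))
    return pair, src == pair[0]


def encode_capture(packets, interval=1.0):
    """Encode a packet capture as interval-bound traffic measurements per pair.

    Returns {(lo, hi): [(packets, bytes_lo_to_hi, bytes_hi_to_lo), ...]} with one
    tuple per interval of `interval` seconds, counted from the first packet.
    """
    if not packets:
        return {}
    t0 = min(p[0] for p in packets)
    n_intervals = int((max(p[0] for p in packets) - t0) // interval) + 1
    enc = defaultdict(lambda: [[0, 0, 0] for _ in range(n_intervals)])
    for ts, src, dst, nbytes in packets:
        pair, forward = _pair_and_direction(src, dst)
        cell = enc[pair][int((ts - t0) // interval)]
        cell[0] += 1
        cell[1 if forward else 2] += nbytes
    return {pair: [tuple(c) for c in cells] for pair, cells in enc.items()}


def interval_similarity(ref_cells, live_cells):
    """Address-agnostic similarity in [0, 1] for one interval: rank each side's
    pairs by volume and compare rank-for-rank with a normalised L1 distance."""
    ref = sorted(ref_cells, reverse=True)
    live = sorted(live_cells, reverse=True)
    n = max(len(ref), len(live))
    if n == 0:
        return 1.0
    ref += [(0, 0, 0)] * (n - len(ref))
    live += [(0, 0, 0)] * (n - len(live))
    dist = 0.0
    for a, b in zip(ref, live):
        denom = sum(a) + sum(b)
        dist += 0.0 if denom == 0 else sum(abs(x - y) for x, y in zip(a, b)) / denom
    return 1.0 - dist / n


class StreamMatcher:
    """Consumes packets one at a time; each time an interval completes it scores
    the live encoding against every reference still under consideration and
    removes a reference whose running confidence falls below the threshold."""

    def __init__(self, references, interval=1.0, threshold=0.6):
        self.refs = references                                  # name -> encoding
        self.interval, self.threshold = interval, threshold
        self.candidates = {name: 1.0 for name in references}    # name -> confidence
        self.scores = {name: [] for name in references}
        self.t0, self.idx = None, 0
        self.current = defaultdict(lambda: [0, 0, 0])

    def _reference_interval(self, name, idx):
        return [cells[idx] for cells in self.refs[name].values() if idx < len(cells)]

    def _close_interval(self):
        live = [tuple(c) for c in self.current.values()]
        for name in list(self.candidates):
            self.scores[name].append(
                interval_similarity(self._reference_interval(name, self.idx), live))
            confidence = sum(self.scores[name]) / len(self.scores[name])
            if confidence < self.threshold:
                del self.candidates[name]       # dropped from further consideration
            else:
                self.candidates[name] = confidence
        self.current = defaultdict(lambda: [0, 0, 0])
        self.idx += 1

    def feed(self, packet):
        ts, src, dst, nbytes = packet
        if self.t0 is None:
            self.t0 = ts
        while self.idx < int((ts - self.t0) // self.interval):
            self._close_interval()              # stream passed an interval boundary
        pair, forward = _pair_and_direction(src, dst)
        cell = self.current[pair]
        cell[0] += 1
        cell[1 if forward else 2] += nbytes

    def finish(self):
        """Close the last interval; return surviving references with confidence."""
        self._close_interval()
        return dict(self.candidates)


def run_demo():
    references = {"beacon": encode_capture(BEACON_REF), "exfil": encode_capture(EXFIL_REF)}
    matcher = StreamMatcher(references)
    for packet in LIVE_STREAM:
        matcher.feed(packet)
    return matcher.finish()


if __name__ == "__main__":
    print(run_demo())   # the exfil reference is pruned after the first interval
```

Running the block prints only the beacon reference with a confidence near 0.95; the bulk-exfil reference scores below the threshold on the very first interval and is removed before any later interval is compared against it. The rank-based comparison is what makes the reference usable against hosts with different addresses than those in the original capture; a practitioner would also want session metadata (ports, protocol, TLS SNI) in each cell, which the claim's "any other detectable session data" leaves open.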

Claims 5, 12, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Gong et al., hereinafter (“Gong”), US PG Publication (20160065601 A1), in view of Tran, US PG Publication (20070285843A1), in view of Wang et al., hereinafter (“Wang”), US Patent (9,842,498 B2).
Regarding claims 5, 12, and 19, the combination of Gong and Tran teach claim 4 as described above.
However, the combination of Gong and Tran fail to explicitly teach but Wang teaches wherein the at least one reference pattern is a multi-directional traffic pattern involving more than two (2) distinct computing entities.  [Wang, Col 8, lines 34-39: For example, assume the traffic information includes possible directions of travel of wireless devices in a particular area. When the wireless device 606 travels in an area with only eastbound/westbound traffic, the wireless device 606 selects its PDRID from two sets of identifiers 652, 654, each with nine identifiers. Col 10,  lines 20-23: a multi-directional traffic pattern in which wireless devices are heading various directions from one intersecting place or heading for the intersection from various directions.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gong and Tran with the teachings of road-traffic-based group, identifier, and resource selection in vehicular peer-to-peer networks of Wang. The motivation/suggestion would have been that it was obvious to try to modify the network environment 100 of Gong, which detects threat activities and, as modified by Tran, matches spectral data, by adding the multi-directional traffic pattern of wireless devices of Wang [Wang, Col 8, lines 34-39].

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Sharma et al (20160293172 A1) discloses Multi-mode audio recognition and auxiliary data encoding and decoding.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682. The examiner can normally be reached Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW can be reached on 571-272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/Sakinah White Taylor/           Primary Examiner, Art Unit 2497