DETAILED ACTION


Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on September 23, 2022 has been entered.


Claims 14, 20, 34, and 39 have been cancelled. 


Claims 11-13, 15-18, 32-33, 35-38, and 40-41 are pending.



Response to Arguments
 
35 U.S.C. 103 Rejections
	Applicant’s arguments filed on 09/23/2022 have been fully considered but are moot because they do not apply to the combination of references used in the current rejection. 


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

	Claims 11-13, 15-18, 32-33, 35-38, and 40-41 are rejected under 35 U.S.C. 103 as being unpatentable over Yadav et al. (USPGPub 2016/0359872) in view of Rostami-Hesarsorkh et al. (USPGPub 2017/0251003).


As per claim 11, Yadav teaches an apparatus comprising: 
at least one processor (Yadav, see paragraph [0053], a processing unit (CPU or processor) 410) and 
at least one memory comprising computer program code (Yadav, see paragraph [0053], including the system memory 415, such as read only memory (ROM) 470)
 the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus at least to
 detect a network context for the apparatus (Yadav, see paragraph [0010], detecting, using sensors, packets throughout a datacenter) 
collect network data for the apparatus based at least in part on policy information associated with the network context, wherein the policy information describes a collection policy for the network data (Yadav, see paragraph [0010], The sensors can then send packet logs to various collectors which can then identify and summarize data flows in the datacenter. Also see paragraph [0021], Collectors 108 can also characterize the traffic flows going to and from various nodes. In some example embodiments, collectors 108 can match packets based on sequence numbers, thus identifying traffic flows and connection links) and
 transmit at least part of the collected network data to a server for data composition (Yadav, see paragraph [0019], Sensors 104 can send network traffic data to one or multiple collectors 108. In some example embodiments, sensors 104 can be assigned to a primary collector and a secondary collector. In other example embodiments, sensors 104 are not assigned a collector. Also see paragraph [0020], Collectors 108 can serve as a repository for the data recorded by sensors 104. In some example embodiments, collectors 108 can be directly connected to a top of rack switch. In other example embodiments, collectors 108 can be located near an end of row switch. Collectors 108 can be located on or off premises. Also see paragraph [0459], The Compute Engine processes the flow data in the HDFS, including annotating each flow with certain metadata based on specified rules in order to classify each flow).
Yadav does not explicitly teach transmitting a tag derived from the policy information to a server for data composition.
In analogous art, Rostami-Hesarsorkh teaches transmitting a tag derived from the policy information to a server for data composition (Rostami-Hesarsorkh, see paragraph [0237], …a tag can be a high priority tag. For example, if a malware sample is detected/received that matches a tag that is a high priority tag (e.g., a tag that is associated with a serious threat can be identified as a high profile tag, such as by the security vendor for the malware analysis platform for threat intelligence), then an alert can be sent to a network/security admin for ACME Corporation that their network is being targeted based on an alert that a malware sample matching the high profile tag was identified as having penetrated their network).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to apply the teachings of Rostami-Hesarsorkh to the teachings of Yadav, as doing so would help prioritize security events in a network environment by distinguishing between threats or campaigns with global impact (e.g., based on alerting tags) and less impactful threats that do not pose a direct or immediate security risk (e.g., based on informational tags) (Rostami-Hesarsorkh, see paragraph [0059]).

As per claim 12, Yadav-Rostami-Hesarsorkh teaches the apparatus according to claim 11, wherein the collection policy indicates one or more collection schemes for the network data according to a category of the network data (Yadav, see paragraph [0148], The network data observed by a sensor A inside a VM is a subset of the network data observed by a sensor B inside the hypervisor on which the VM is running. Further, the network data observed by a sensor B running inside a Hypervisor is again a subset of the network data observed by a sensor C running either inside or as part of the networking gear to which the hypervisor or the physical machine is connected to).

	As per claim 13, Yadav-Rostami-Hesarsorkh teaches the apparatus according to claim 11 wherein the policy information indicates one or more instructions for pre-processing the collected network data to obtain the at least part of the collected network data (Yadav, see paragraph [0018], sensors 104 can preprocess network traffic data before sending to collectors 108. For example, sensors 104 can remove extraneous or duplicative data or they can create a summary of the data (e.g., latency, packets and bytes sent per flow, flagged abnormal activity, etc.)).

	
	As per claim 15, Yadav-Rostami-Hesarsorkh teaches the apparatus according to claim 11, wherein the policy information comprises at least one of the following information elements for the network data: a network type; a network protocol; a data location; a data category; a data importance level; a collection priority; a data length; a storage type; a collector identification; and a composition tag (Yadav, see paragraph [0465], custom tags among different tenants, associate tags to a hierarchy (e.g., classify tags as associated with certain organizations, or classify tags as relating to networking, etc.), alias tags (i.e., same rules w/different names)).

	As per claim 16, Yadav-Rostami-Hesarsorkh teaches the apparatus according to claim 11, wherein the tag indicates one or more data composition algorithms for the at least part of the collected network data. (Yadav, see paragraph [0148], The relationship information about whether sensor B in placed in a hypervisor which contains the VM where sensor A is placed, is very important for a lot of algorithms that do analysis on the captured data).

	As per claim 17, Yadav-Rostami-Hesarsorkh teaches the apparatus according to claim 11, wherein the tag indicates one or more security threats related to the at least part of the collected network data. (Yadav, see paragraph [0026], analytics module 110 can use machine learning techniques to identify security threats to a network using malware detection module 166. For example, malware detection module 166 can be provided with examples of network states corresponding to an attack and network states corresponding to normal operation. Malware detection module 166 can then analyze network traffic flow data to recognize when the network is under attack).

	As per claim 18, Yadav-Rostami-Hesarsorkh teaches the apparatus according to claim 11, wherein the tag indicates collection time of the network data. (Yadav, see paragraph [0021], collectors 108 can retain a complete dataset describing one period (e.g., the past minute or other suitable period of time), with a smaller dataset of another period (e.g., the previous 2-10 minutes or other suitable period of time), and progressively consolidate network traffic flow data of other periods of time (e.g., day, week, month, year, etc.)).

	
	As per claim 32, Yadav teaches an apparatus comprising:
 at least one processor (Yadav, see paragraph [0053], a processing unit (CPU or processor) 410) and 
at least one memory comprising computer program code, (Yadav, see paragraph [0053], including the system memory 415, such as read only memory (ROM) 470)
the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus at least to
 receive network data and a tag, wherein the network data are collected for a communication node based at least in part on policy information associated with a network context of the communication node, and wherein the policy information describes a collection policy for the network data (Yadav, see paragraph [0022], collectors 108 can receive data from external data sources 106, such as security reports, white-lists (106a), IP watchlists (106b), whois data (106c), or out-of-band data, such as power status. Also see paragraph [0455], A flow can be tagged with metadata to provide additional information about the flow such that the flows are searchable based on tags, or flows having common tags can be aggregated to visualize flow data); and perform data composition of the network data (Yadav, see paragraph [0459], The Compute Engine processes the flow data in the HDFS, including annotating each flow with certain metadata based on specified rules in order to classify each flow. This enables the UI to present meaningful views of flows or allows users to search flows based on tags).
Yadav does not explicitly teach receiving a tag and performing data composition of the network data based at least in part on the tag.
In analogous art, Rostami-Hesarsorkh teaches receiving a tag and performing data composition of the network data based at least in part on the tag (Rostami-Hesarsorkh, see paragraph [0237], …a tag can be a high priority tag. For example, if a malware sample is detected/received that matches a tag that is a high priority tag (e.g., a tag that is associated with a serious threat can be identified as a high profile tag, such as by the security vendor for the malware analysis platform for threat intelligence), then an alert can be sent to a network/security admin for ACME Corporation that their network is being targeted based on an alert that a malware sample matching the high profile tag was identified as having penetrated their network).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to apply the teachings of Rostami-Hesarsorkh to the teachings of Yadav, as doing so would help prioritize security events in a network environment by distinguishing between threats or campaigns with global impact (e.g., based on alerting tags) and less impactful threats that do not pose a direct or immediate security risk (e.g., based on informational tags) (Rostami-Hesarsorkh, see paragraph [0059]).


As per claim 33, Yadav-Rostami-Hesarsorkh teaches the apparatus according to claim 32, wherein the collection policy indicates one or more collection schemes for the network data according to a category of the network data.  (Yadav, see paragraph [0148], The network data observed by a sensor A inside a VM is a subset of the network data observed by a sensor B inside the hypervisor on which the VM is running. Further, the network data observed by a sensor B running inside a Hypervisor is again a subset of the network data observed by a sensor C running either inside or as part of the networking gear to which the hypervisor or the physical machine is connected to).

As per claim 35, Yadav-Rostami-Hesarsorkh teaches the apparatus according to claim 32, wherein the policy information comprises at least one of the following information elements for the network data: a network type; a network protocol; a data location; a data category; a data importance level; a collection priority; a data length; a storage type; a collector identification; and a composition tag (Yadav, see paragraph [0465], custom tags among different tenants, associate tags to a hierarchy (e.g., classify tags as associated with certain organizations, or classify tags as relating to networking, etc.), alias tags (i.e., same rules w/different names)).

As per claim 36, Yadav-Rostami-Hesarsorkh teaches the apparatus according to claim 32, wherein the tag indicates one or more data composition algorithms for the network data. (Yadav, see paragraph [0148], The relationship information about whether sensor B in placed in a hypervisor which contains the VM where sensor A is placed, is very important for a lot of algorithms that do analysis on the captured data).
  
As per claim 37, Yadav-Rostami-Hesarsorkh teaches the apparatus according to claim 32, wherein the tag indicates collection time of the network data.  (Yadav, see paragraph [0021], collectors 108 can retain a complete dataset describing one period (e.g., the past minute or other suitable period of time), with a smaller dataset of another period (e.g., the previous 2-10 minutes or other suitable period of time), and progressively consolidate network traffic flow data of other periods of time (e.g., day, week, month, year, etc.)).

As per claim 38, Yadav-Rostami-Hesarsorkh teaches the apparatus according to claim 32, wherein the tag indicates one or more security threats related to the network data.  (Yadav, see paragraph [0026], analytics module 110 can use machine learning techniques to identify security threats to a network using malware detection module 166. For example, malware detection module 166 can be provided with examples of network states corresponding to an attack and network states corresponding to normal operation. Malware detection module 166 can then analyze network traffic flow data to recognize when the network is under attack).

As per claim 40, Yadav-Rostami-Hesarsorkh teaches the apparatus according to claim 32, wherein the network data comprise security-related data, and wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus further to measure a security level for a network with the network context based at least in part on the security-related data and the tag. (Yadav, see paragraph [0022], collectors 108 can receive data from external data sources 106, such as security reports, white-lists (106a), IP watchlists (106b), who is data (106c), or out-of-band data, such as power status, temperature readings, etc.).

As per claim 41, Yadav-Rostami-Hesarsorkh teaches the apparatus according to claim 32, wherein the data composition of the network data is performed based at least in part on the tag by: applying one or more processing algorithms indicated by the tag to the network data (Yadav, see paragraph [0147], whether the reported sensor data was from a sensor deployed inside a VM or from a sensor deployed inside Hypervisor or from a sensor deployed inside a networking gear is very important for a number of algorithms that do processing on the gathered data) and aggregating respective outputs of the one or more processing algorithms to obtain a result of the data composition (Yadav, see paragraph [0129], the second layer collector will be set to receive the complete flow from the layer one collectors. The second layer collector can then aggregate the data related to that flow).
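The pipeline recited across claims 11, 13 and 41 (detect a network context, collect network data under a context-specific collection policy, pre-process it, transmit it with a tag derived from the policy, and have the server apply the algorithms the tag names and aggregate their outputs) can be exercised end to end in a few dozen lines. The following is an added illustration written for this page; it is not code from the application under examination, from Yadav (US 2016/0359872) or from Rostami-Hesarsorkh (US 2017/0251003). The policy schema, the tag format, the algorithm names (bytes_per_dst_port, top_talkers), the context-detection rule and the sample flow records are all assumptions chosen to make the claim language concrete.

```python
"""Policy-driven collection of network data, tagging, and tag-directed composition.

Added illustration only. Not code from the application under examination, from
Yadav (US 2016/0359872) or from Rostami-Hesarsorkh (US 2017/0251003); the policy
schema, tag format, algorithm names, context rule and sample flows are assumptions.
"""
from collections import defaultdict

# Constructed sample flow records, as a sensor might observe them (hypothetical values).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": "tcp", "dport": 443, "bytes": 1200, "category": "app", "ts": 100},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": "tcp", "dport": 443, "bytes": 1200, "category": "app", "ts": 100},  # exact duplicate
    {"src": "10.0.0.7", "dst": "203.0.113.4", "proto": "tcp", "dport": 22, "bytes": 64000, "category": "security", "ts": 101},
    {"src": "10.0.0.7", "dst": "203.0.113.4", "proto": "udp", "dport": 53, "bytes": 90, "category": "dns", "ts": 102},
    {"src": "10.0.0.8", "dst": "198.51.100.2", "proto": "tcp", "dport": 22, "bytes": 128000, "category": "security", "ts": 103},
]

# Collection policies keyed by network context. Field names echo the information
# elements listed in claim 15; the schema itself is an assumption.
POLICIES = {
    "datacenter": {
        "network_type": "datacenter",
        "protocols": {"tcp", "udp"},
        "categories": {"security", "app"},
        "importance": "high",
        "preprocess": ["dedupe", "summarize_per_flow"],  # claim 13: pre-processing instructions
        "composition_tag": {"algorithms": ["bytes_per_dst_port", "top_talkers"], "threat": "possible-exfil"},
    },
}
# Fallback for an unrecognised context: security data only, no pre-processing.
DEFAULT_POLICY = {
    "network_type": "unknown", "protocols": {"tcp"}, "categories": {"security"},
    "importance": "low", "preprocess": [],
    "composition_tag": {"algorithms": ["bytes_per_dst_port"], "threat": None},
}


def detect_network_context(local_ip):
    """Toy context detection (assumed rule): a 10/8 address means the datacenter context."""
    return "datacenter" if local_ip.startswith("10.") else "unknown"


def collect(flows, policy):
    """Keep only the records the collection policy asks for (by protocol and category)."""
    return [f for f in flows if f["proto"] in policy["protocols"] and f["category"] in policy["categories"]]


def preprocess(records, policy):
    """Apply the policy's pre-processing steps on the sensor before transmission."""
    out = list(records)
    if "dedupe" in policy["preprocess"]:          # drop exact duplicate records
        seen, uniq = set(), []
        for r in out:
            key = tuple(sorted(r.items()))
            if key not in seen:
                seen.add(key)
                uniq.append(r)
        out = uniq
    if "summarize_per_flow" in policy["preprocess"]:  # one summary row per (src, dst, proto, dport)
        summary = {}
        for r in out:
            k = (r["src"], r["dst"], r["proto"], r["dport"])
            s = summary.setdefault(k, {"src": r["src"], "dst": r["dst"], "proto": r["proto"],
                                       "dport": r["dport"], "category": r["category"],
                                       "bytes": 0, "packets": 0, "first_ts": r["ts"]})
            s["bytes"] += r["bytes"]
            s["packets"] += 1
        out = list(summary.values())
    return out


def derive_tag(policy, context, collection_time):
    """Tag sent with the data: algorithms to run, threat hint, collection time (claims 16-18)."""
    return {"context": context, "collected_at": collection_time, **policy["composition_tag"]}


def bytes_per_dst_port(recs):
    totals = defaultdict(int)
    for r in recs:
        totals[r["dport"]] += r["bytes"]
    return dict(totals)


def top_talkers(recs, n=3):
    totals = defaultdict(int)
    for r in recs:
        totals[r["src"]] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


# Server-side processing algorithms selectable by name from the tag (assumed set).
ALGORITHMS = {"bytes_per_dst_port": bytes_per_dst_port, "top_talkers": top_talkers}


def compose(records, tag):
    """Claim 41 shape: run each algorithm the tag names, then aggregate the outputs."""
    unknown = [a for a in tag["algorithms"] if a not in ALGORITHMS]
    if unknown:  # refuse tags that name algorithms this server does not implement
        raise ValueError(f"tag names unsupported algorithms: {unknown}")
    outputs = {name: ALGORITHMS[name](records) for name in tag["algorithms"]}
    return {"context": tag["context"], "collected_at": tag["collected_at"],
            "threat": tag["threat"], "results": outputs}


def run_pipeline(flows, local_ip, collection_time):
    """Sensor side (context, collect, pre-process, tag) followed by server side (compose)."""
    context = detect_network_context(local_ip)
    policy = POLICIES.get(context, DEFAULT_POLICY)
    payload = preprocess(collect(flows, policy), policy)
    tag = derive_tag(policy, context, collection_time)
    return compose(payload, tag)


if __name__ == "__main__":
    import json
    print(json.dumps(run_pipeline(SAMPLE_FLOWS, "10.0.0.5", 1000), indent=2))
```

With the datacenter policy the DNS record is never collected, the duplicate application flow is removed before summarisation, and the server reports 192000 bytes to destination port 22 across the two security flows, with the threat hint and collection time carried over from the tag rather than recomputed by the server.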

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HERMON ASRES whose telephone number is (571)272-4257. The examiner can normally be reached Monday to Friday 9AM to 5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on (571)272-7304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HERMON ASRES/Primary Examiner, Art Unit 2449