Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This Office action is in response to the application 17/360,910 filed on 08/05/2021. This is a continuation of application No. 16/370,853, filed on Mar. 29, 2019, now Pat. No. 11,057,420.
Claims 1, 10, and 19 are independent claims. Claims 1-20 have been examined and are pending. This Action is made Non-FINAL.

Information Disclosure Statement
The information disclosure statement (IDS), submitted on 06/28/2021 is being considered by the examiner.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  


Claims 1, 10, and 19 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1, 8, and 15 respectively of U.S. Patent No. 11,057,420.  Although the conflicting claims are not identical, they are not patentably distinct from each other because of common subject matter, as follows:
The instant claims 1, 10, and 19 of the instant application recite the limitations: “receiving, at a network infrastructure device, …;” “identifying, at the network infrastructure device, a first datagram …;” “determining, at the network infrastructure device, a sequence of datagram lengths and times…;” “sending, from the network infrastructure device, the sequence of datagram lengths and times to a collector device,” “wherein, upon receiving the sequence of datagram lengths and times, …, and wherein the alert signal indicates that a suspected malware or a threat has been detected, and the alert signal comprises at least one of a name, a type, a version of the application or information regarding the encrypted flow.” which are fully disclosed in claims 1, 8, and 15 respectively of U.S. Patent No. 11,057,420.
This is an obviousness-type double patenting rejection.

Claim 1 is rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims (1, 7) of U.S. Patent No. 10,305,928 in view of McCorkendale et al. (“McCorkendale,” US 8,806,644, issued on Aug. 12, 2014).
Claims (1, 7) of U.S. Patent No. 10,305,928 disclose all the limitations of the claims except “wherein the alert signal indicates that a suspected malware or a threat has been detected, and the alert signal comprises at least one of a name, a type, a version of the application or information regarding the encrypted flow.”
However, in an analogous art, McCorkendale discloses wherein the alert signal indicates that a suspected malware or a threat has been detected, and the alert signal comprises at least one of a name, a type, a version of the application or information regarding the encrypted flow (McCorkendale: Col. 10, lines 22-27, in response to determining that an application 301 is malicious or suspicious, the user can be warned, the application can be quarantined or removed, an anti-malware product on the user's computer 210 can be activated, information concerning the application can be sent to a central security server).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of McCorkendale with the method and system of claims (1, 7) of U.S. Patent No. 10,305,928 to include “wherein the alert signal indicates that a suspected malware or a threat has been detected, and the alert signal comprises at least one of a name, a type, a version of the application or information regarding the encrypted flow.” One would have been motivated to heed all such warnings, the user will avoid benign apps that use the requested permissions and perform the detected actions for legitimate purposes (McCorkendale, Col. 2, lines 33-36).
This is an obviousness-type double patenting rejection.
Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-2, 4, 10-11, 13, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Kim et al. (“Kim,” US 2011/0149793, published on June 23, 2011) in view of Peles (“Peles,” US 2005/0050316, published on Mar. 3, 2005), further in view of McCorkendale et al. (“McCorkendale,” US 8,806,644, issued on Aug. 12, 2014), and Afek et al. (“Afek,” US 2006/0212572, published Sep. 21, 2006).
Regarding claim 1, Kim discloses a computer-implemented method comprising: 
receiving, at a network infrastructure device, a flow comprising a plurality of packets (Kim: par. 0023, The traffic capture apparatus 2 captures packets passing through a network and generates a two-way flow based on the captured packets. …), the plurality of packets comprising a first set of packets and a second set of packets that is received after the first set of packets (Kim:  par. 0023, The traffic capture apparatus 2 captures packets passing through a network and generates a two-way flow based on the captured packets. …); 
identifying, at the network infrastructure device, a first datagram comprising the first set of packets and a second datagram comprising the second set of packets, the first datagram being associated with a first message and the second datagram being associated with a second message (Kim: figs. 4&5; par. 0032, A payload statistical signature is a combination of a transport layer protocol p, a payload packet vector V indicating the transmission directions and payload sizes of payload packets, the number n of payload packets that form the payload packet vector V, a distance threshold d, and an application program name A.), wherein each packet of the first set of packets is received within a threshold amount of time of receipt of a preceding packet of the first set of packets (Kim: figs. 4&5; par. 0032, par. 0048, ... Examples of the statistical features include the distribution of packet sizes, the distribution of packet inter-arrival times, and, in the case of the TCP, the distribution of window sizes); 
determining, at the network infrastructure device, a sequence of datagram lengths and times for the first datagram and the second datagram within the flow based on an arrival time of the first set of packets and the second set of packets (Kim: figs. 1&2; traffic analysis apparatus (i.e. collector device); fig. 4, pars. 0057- 0059; The basic flow information 42 includes a total number of packets 420, a total size of packets 422, a flow start time 424, and a flow end time 426. The payload statistical information 44 may contain information about transmission directions of a maximum of n captured payload packets in each flow, in addition to information about payload sizes of the n payload packets. The payload statistical information 44 may be stored in the form of a vector; fig. 5, par. 0060; ...The payload statistical signature S is a combination of a transport layer protocol p, a payload packet vector V indicating the transmission directions and payload sizes of payload packets, the number n of payload packets that form the payload packet vector V, a distance threshold d, and an application program name A); and
sending, from the network infrastructure device, the sequence of datagram lengths and times to a collector device (Kim: figs. 1&2; traffic analysis apparatus; fig. 4, pars. 0057- 0059; The basic flow information 42 includes a total number of packets 420, a total size of packets 422, a flow start time 424, and a flow end time 426. The payload statistical information 44 may contain information about transmission directions of a maximum of n captured payload packets in each flow, in addition to information about payload sizes of the n payload packets. The payload statistical information 44 may be stored in the form of a vector; fig. 5, par. 0060; ...The payload statistical signature S is a combination of a transport layer protocol p, a payload packet vector V indicating the transmission directions and payload sizes of payload packets, the number n of payload packets that form the payload packet vector V, a distance threshold d, and an application program name A), 
Kim discloses receiving, at a network infrastructure device, a flow comprising a plurality of packets but does not explicitly disclose an encrypted flow. 
However, in an analogous art, Peles discloses wherein receiving, at a network infrastructure device, an encrypted flow comprising a plurality of packets (Peles: par. 0018, receiving data packets corresponding to the encrypted data, wherein the encrypted data is forwarded to the SSL probe from network equipment that facilitates the flow of encrypted data in a secure communication session between a client and a server).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Peles with the method and system of Kim to include “wherein receiving, at a network infrastructure device, an encrypted flow comprising a plurality of packets.” One would have been motivated to provide only isolated information pertinent to the external entity, thus offering passive treatment of encrypted traffic flowing between the client and server (Peles: pars. 0014-0015).
Kim does not explicitly disclose “wherein the collector device determines whether an application that is associated with the received sequence of datagrams length and times is malicious, and upon determining that the application is malicious, sends an alert signal to an administrator”, and “wherein the alert signal indicates that a suspected malware or a threat has been detected, and the alert signal comprises at least one of a name, a type, a version of the application or information regarding the encrypted flow.”
However, in an analogous art, McCorkendale discloses:
wherein the collector device determines whether an application that is associated with the received sequence is malicious, and upon determining that the application is malicious (McCorkendale: Col. 10, lines 22-27, in response to determining that an application 301 is malicious or suspicious, the user can be warned, the application can be quarantined or removed, an anti-malware product on the user's computer 210 can be activated, information concerning the application can be sent to a central security server); 
and upon determining that the application is malicious, sends an alert signal to an administrator (McCorkendale: Col. 10, lines 22-27, in response to determining that an application 301 is malicious or suspicious, the user can be warned, the application can be quarantined or removed, an anti-malware product on the user's computer 210 can be activated, information concerning the application can be sent to a central security server).
wherein the alert signal indicates that a suspected malware or a threat has been detected, and the alert signal comprises at least one of a name, a type, a version of the application or information regarding the encrypted flow (McCorkendale: Col. 10, lines 22-27, in response to determining that an application 301 is malicious or suspicious, the user can be warned, the application can be quarantined or removed, an anti-malware product on the user's computer 210 can be activated, information concerning the application can be sent to a central security server).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of McCorkendale with the method and system of Kim and Peles to include wherein, upon receiving the sequence of datagram lengths and times, the collector device determines whether an application is malicious based on the sequence of datagram lengths and times, and upon determining that the application is malicious, sends an alert signal to an administrator, wherein the alert signal indicates that a suspected malware or a threat has been detected, and the alert signal comprises at least one of a name, a type, a version of the application or information regarding the encrypted flow. One would have been motivated to heed all such warnings, the user will avoid benign apps that use the requested permissions and perform the detected actions for legitimate purposes (McCorkendale, Col. 2, lines 33-36).
Kim discloses wherein each packet of the first set of packets is received within a threshold amount of time of receipt of a preceding packet of the first set of packets but does not explicitly disclose wherein a first packet of the second set of packets is received after the threshold amount of time of receipt of a last packet of the first set of packets.
However, in an analogous art, Afek discloses wherein a first packet of the second set of packets is received after the threshold amount of time of receipt of a last packet of the first set of packets (Afek: par. 0090: continuously or periodically analyzes the data in the blocked packet repository in order to determine if the attack from a source or subnetwork source address has concluded.  The guard device typically determines that an attack has concluded by detecting whether traffic from the source has subsided for a certain period of time, at a traffic subsidence check step 78.  If malicious traffic has not subsided, the guard device leaves the source address on the blacklist, at a leave on blacklist step 80.  On the other hand, if the traffic has subsided for a sufficient period of time, the guard device removes the source address from the blacklist, at a remove from blacklist step 82).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Afek with the method and system of Kim, Peles, and McCorkendale to include wherein a first packet of the second set of packets is received after the threshold amount of time of receipt of a last packet of the first set of packets. One would have been motivated to protect against malicious traffic in computer networks (Afek: abstract, pars. 0002, 0007).
Regarding claim 2, the combination of Kim, Peles, McCorkendale, and Afek teaches the computer-implemented method of claim 1. The combination of Kim, Peles, McCorkendale, and Afek further discloses, wherein the sequence of datagram lengths and times for the first datagram and the second datagram comprises a first length of the first datagram, a second length of the second datagram, and a duration value between a first arrival time of the first datagram at the network infrastructure device and a second arrival time of the second datagram at the network infrastructure device (Kim: figs. 1&2; traffic analysis apparatus; fig. 4, pars. 0057- 0059; The basic flow information 42 includes a total number of packets 420, a total size of packets 422, a flow start time 424, and a flow end time 426. The payload statistical information 44 may contain information about transmission directions of a maximum of n captured payload packets in each flow, in addition to information about payload sizes of the n payload packets. The payload statistical information 44 may be stored in the form of a vector; fig. 5, par. 0060; ...The payload statistical signature S is a combination of a transport layer protocol p, a payload packet vector V indicating the transmission directions and payload sizes of payload packets, the number n of payload packets that form the payload packet vector V, a distance threshold d, and an application program name A.).
Regarding claim 4, the combination of Kim, Peles, McCorkendale, and Afek discloses the computer-implemented method of claim 1. The combination of Kim, Peles, McCorkendale, and Afek further discloses wherein determining the application that is associated with the sequence of datagram lengths and times comprises: determining at least one of a name, a type, or a version of the application associated with the sequence of datagram lengths and times (McCorkendale: Col. 7, line 3, application’s name).
Regarding claim 10, claim 10 is directed to a system comprising: a network infrastructure device comprising a first memory unit and one or more first processors configured to perform instructions stored in the first memory unit; and a collector device (Kim: figs. 1&2; traffic analysis apparatus; fig. 5, par. 0060; McCorkendale: fig. 2, system memory) comprising a second memory unit  and one or more second processors (Kim: figs. 1&2; flow record storage unit, 26; McCorkendale: fig. 2, hard disk 244, flash memory, read-only memory (ROM) 214 processor) configured to perform instructions stored in the second memory unit, wherein the network infrastructure device associated with the method claimed in claim 1; claim 10 is similar in scope to claim 1, and is therefore rejected under similar rationale.
Regarding claim 11, claim 11 is similar in scope to claim 2, and is therefore rejected under similar rationale.
Regarding claim 13, claim 13 is similar in scope to claim 4, and is therefore rejected under similar rationale.
Regarding claim 19, claim 19 is directed to one or more non-transitory computer readable media comprising instructions which, when executed by one or more processors associated with the method claimed in claim 1; claim 19 is similar in scope to claim 1, and is therefore rejected under similar rationale.
Regarding claim 20, claim 20 is similar in scope to claim 2, and is therefore rejected under similar rationale.
Claims 3 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Kim et al. (“Kim,” US 2011/0149793, published on June 23, 2011) in view of Peles (“Peles,” US 2005/0050316, published on Mar. 3, 2005), further in view of McCorkendale et al. (“McCorkendale,” US 8,806,644, issued on Aug. 12, 2014), and Afek et al. (“Afek,” US 2006/0212572, published Sep. 21, 2006), and McNamee et al. (“McNamee,” US 2012/0255019, published on Oct. 4, 2012).
Regarding claim 3, the combination of Kim, Peles, McCorkendale, and Afek teaches the computer-implemented method of claim 1.  The combination of Kim, Peles, McCorkendale, and Afek further discloses wherein determining the application that is associated with the sequence of datagram lengths and times but does not explicitly disclose retrieving information from a database of datagram lengths and times that is associated with known applications; comparing the sequence of datagram lengths and times to the information retrieved from the database of datagram lengths and times.
However, in an analogous art, McNamee discloses:
retrieving information from a database of datagram lengths and times that is associated with known applications (McNamee: par. 0050, The signatures used by the malware detection may be stored in a repository, such as a local database. The signatures specify the characteristics that the malware network traffic will have. This includes data patterns that may be present in network packets, state information associated with the network protocols, and sequences of events that may be considered anomalous network behavior.  These signatures are expressed as detection engine rules. When the malware detection process detects a packet or sequence of packets that matches a specific rule it generates an alert event.).
comparing the received sequence of datagram lengths and times to the information retrieved from the database of datagram lengths and times (McNamee: par. 0050, The signatures used by the malware detection may be stored in a repository, such as a local database. The signatures specify the characteristics that the malware network traffic will have. This includes data patterns that may be present in network packets, state information associated with the network protocols, and sequences of events that may be considered anomalous network behaviour. These signatures are expressed as detection engine rules. When the malware detection process detects a packet or sequence of packets that matches a specific rule it generates an alert event.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of McNamee with the method and system of Kim, Peles, McCorkendale, and Afek to include wherein retrieving information from a database of datagram lengths and times that is associated with known applications; comparing the received sequence of datagram lengths and times to the information retrieved from the database of datagram lengths and times. One would have been motivated to combine TCP session tracking and OS fingerprinting so that a specific OS can be associated with an individual TCP session, which can improve the ability to distinguish between the computing device and another computing device. The method enables identifying the OS so that information can be provided to a user to speed a remediation process in a network-based malware detection system; identifying the OS that is infected and requesting that the user access the remediation portal with a computer that has the particular OS can improve results of the remediation process (McNamee: abstract, par. 0020).
Regarding claim 12, claim 12 is similar in scope to claim 3, and is therefore rejected under similar rationale.
Claims 5 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Kim et al. (“Kim,” US 2011/0149793, published on June 23, 2011) in view of Peles (“Peles,” US 2005/0050316, published on Mar. 3, 2005), further in view of McCorkendale et al. (“McCorkendale,” US 8,806,644, issued on Aug. 12, 2014), and Afek et al. (“Afek,” US 2006/0212572, published Sep. 21, 2006), and Albertson et al. (“Albertson,” US 9,009,827, published Apr. 14, 2015).
Regarding claim 5, the combination of Kim, Peles, McCorkendale, and Afek teaches the computer-implemented method of claim 1.  The combination of Kim, Peles, McCorkendale, and Afek further discloses, wherein the collector device determines whether the application is malicious based on the sequence of datagram lengths and times but does not explicitly disclose by determining an application identifier of the application.
However, in an analogous art, Albertson discloses attack data including information about the security attack, such as the IP address of the malicious application, an identifier for the malicious application (Albertson: Col. 5, lines 35-39, The attack data may comprise information about the security attack, such as the IP address of the malicious application, an identifier for the malicious application, and/or the IP addresses of the internal computing devices that were attacked and/or infected).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Albertson with the method and system of Kim, Peles, McCorkendale, and Afek to include determining an application identifier of the application. One would have been motivated to share security information with the goal of improving particular aspects of computer and/or cyber security; sharing attack information allows for distributive and/or efficient responses to security threats (Albertson: Col. 3, lines 29-31, lines 50-51).
Regarding claim 14, claim 14 is similar in scope to claim 5, and is therefore rejected under similar rationale.
Claims 6-8 and 15-17 are rejected under 35 U.S.C. 103 as being unpatentable over Kim et al. (“Kim,” US 2011/0149793, published on June 23, 2011) in view of Peles (“Peles,” US 2005/0050316, published on Mar. 3, 2005), further in view of McCorkendale et al. (“McCorkendale,” US 8,806,644, issued on Aug. 12, 2014), and Afek et al. (“Afek,” US 2006/0212572, published Sep. 21, 2006), and Zorn et al. (“Zorn,” US 2012/0216280, published on Aug. 23, 2012).
Regarding claim 6, the combination of Kim, Peles, McCorkendale, and Afek teaches the computer-implemented method of claim 1. The combination of Kim, McCorkendale, Peles, and Afek further discloses the sequence of datagram lengths and times for the first datagram and the second datagram (Kim: figs. 1&2; traffic analysis apparatus; fig. 4, pars. 0057- 0059; The basic flow information 42 includes a total number of packets 420, a total size of packets 422, a flow start time 424, and a flow end time 426. The payload statistical information 44 may contain information about transmission directions of a maximum of n captured payload packets in each flow, in addition to information about payload sizes of the n payload packets. The payload statistical information 44 may be stored in the form of a vector; fig. 5, par. 0060) but does not explicitly disclose generating training data; and training a machine learning-based classifier using the generated training data for detecting whether the application is malicious.
However, in an analogous art, Zorn discloses wherein generating training data (Zorn: par. 0064; a classifier can be updated based on newly-discovered and/or analyzed code-based malware. For example, if a new code-based malware feature is discovered (e.g., using techniques discussed herein), the feature and its associated probability can be used to update the classifier 134 and/or the client-based classifier 142 discussed above. Thus, in some embodiments a classifier can be trained in an ongoing basis to enable it to recognize a larger variety of code-based malware).
training a machine learning-based classifier using the generated training data for detecting whether the application is malicious (Zorn: par. 0064; a classifier can be updated based on newly-discovered and/or analyzed code-based malware. For example, if a new code-based malware feature is discovered (e.g., using techniques discussed herein), the feature and its associated probability can be used to update the classifier 134 and/or the client-based classifier 142 discussed above. Thus, in some embodiments a classifier can be trained in an ongoing basis to enable it to recognize a larger variety of code-based malware.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Zorn with the method and system of Kim, Peles, McCorkendale, and Afek, to include wherein generating training data based on the sequence of datagram lengths and times for the first datagram and the second datagram; and training a machine learning-based classifier using the generated training data for detecting whether the application is malicious. One would have been motivated to prevent user access to the network resource and warn the user that the network resource is associated with malicious code (Zorn: abstract, par. 0066).
Regarding claim 7, the combination of Kim, Peles, McCorkendale, Afek, and Zorn teaches the computer-implemented method of claim 6. The combination of Kim, McCorkendale, Peles, Afek, and Zorn further teaches in response to receiving the sequence of datagram lengths and times at the collector device, storing the sequence of datagram lengths and times (Kim: figs. 1&2; traffic analysis apparatus; fig. 4, pars. 0057- 0059; The basic flow information 42 includes a total number of packets 420, a total size of packets 422, a flow start time 424, and a flow end time 426. The payload statistical information 44 may contain information about transmission directions of a maximum of n captured payload packets in each flow, in addition to information about payload sizes of the n payload packets. The payload statistical information 44 may be stored in the form of a vector; fig. 5, par. 0060).
updating the trained classifier with the received sequence of datagram lengths and times (Zorn: par. 0064; a classifier can be updated based on newly-discovered and/or analyzed code-based malware. For example, if a new code-based malware feature is discovered (e.g., using techniques discussed herein), the feature and its associated probability can be used to update the classifier 134 and/or the client-based classifier 142 discussed above. Thus, in some embodiments a classifier can be trained in an ongoing basis to enable it to recognize a larger variety of code-based malware).
Regarding claim 8, the combination of Kim, Peles, McCorkendale, Afek, and Zorn teaches the computer-implemented method of claim 7. The combination of Kim, McCorkendale, Peles, Afek, and Zorn further teaches detecting a previously unknown malware based on the machine learning-based classifier having been updated (Zorn: par. 0064; a classifier can be updated based on newly-discovered and/or analyzed code-based malware. For example, if a new code-based malware feature is discovered (e.g., using techniques discussed herein), the feature and its associated probability can be used to update the classifier 134 and/or the client-based classifier 142 discussed above. Thus, in some embodiments a classifier can be trained in an ongoing basis to enable it to recognize a larger variety of code-based malware).
Regarding claim 15, claim 15 is similar in scope to claim 6, and is therefore rejected under similar rationale.
Regarding claim 16, claim 16 is similar in scope to claim 7, and is therefore rejected under similar rationale.
Regarding claim 17, claim 17 is similar in scope to claim 8, and is therefore rejected under similar rationale.

Claims 9 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Kim et al. (“Kim,” US 2011/0149793, published on June 23, 2011) in view of Peles (“Peles,” US 2005/0050316, published on Mar. 3, 2005), further in view of McCorkendale et al. (“McCorkendale,” US 8,806,644, issued on Aug. 12, 2014), and Afek et al. (“Afek,” US 2006/0212572, published Sep. 21, 2006), and Javaid et al. (“Javaid,” US 2014/0141768, published on May 22, 2014).
Regarding claim 9, the combination of Kim, Peles, McCorkendale, and Afek teaches the computer-implemented method of claim 1. Kim, Peles, McCorkendale, and Afek do not explicitly disclose, upon determining that the application is malicious, displaying the alert signal in a computer-generated graphical user interface of the collector device.
However, in an analogous art, Javaid discloses wherein upon determining that the application is malicious, displaying the alert signal in a computer-generated graphical user interface of the collector device (Javaid: par. 0033, The dashboard may display all this information in a GUI and prompt/warn customers of any malicious activity and/or poorly performing applications).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Javaid with the method and system of Kim, Peles, McCorkendale, and Afek to include, wherein upon determining that the application is malicious, displaying the alert signal in a computer-generated graphical user interface of the collector device. One would have been motivated to analyze the performance data to identify characteristics of the applications and take action to mitigate the effect of a problematic application, thus allowing a user to be aware that a particular application consumes a significant amount of data and facilitating the improvement or removal of problematic applications, so that user perception is improved to provide a high quality smart phone user experience (Javaid: par. 0134).
Regarding claim 17, claim 17 is similar in scope to claim 8, and is therefore rejected under similar rationale.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Canh Le whose telephone number is 571-270-1380. The examiner can normally be reached on Monday to Friday 6:00AM to 3:30PM other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  



For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Canh Le/
Examiner, Art Unit 2439

October 3rd 2022



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439