DETAILED ACTION
A Request for Continued Examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant’s submission filed on September 19, 2022 has been entered.  
Claims 1-20 are pending and are directed toward SYSTEMS AND METHODS FOR CAUSATION ANALYSIS OF NETWORK TRAFFIC ANOMALIES AND SECURITY THREATS.
Any claim objection/rejection not repeated below is withdrawn due to Applicant's amendment.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Response to Arguments
Applicant’s arguments with regards to claims 1-20 have been fully considered, but they are not persuasive.
“does not identify” argument – Applicant argues that paragraphs such as paragraph [0054] talk about aggregating events but do not identify any events as dominant or having a relative higher contribution to the alarm condition that at least one other dominant key having a relative lower contribution and then excluding the at least one other dominant key having the relative lower contribution from an aggregation of dominant keys to determine a combination of dominant keys. Therefore, Applicant submits that Figura fails to disclose amended claim 1 (REMARKS, pages 7-8).
Response: Examiner directs Applicant’s attention at least to Figura [0066]-[0067] and FIG. 9A-9B, where aggregating events under specific rules, including the currently claimed limitation, is explicitly disclosed.
Conclusion - Therefore, in view of the above reasons, Examiner maintains the rejections.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1-6, 9-14, and 17-20 are rejected under 35 U.S.C. 102(a)(1) as being unpatentable over Figura et al. (US 2013/0182700, Pub. Date: Jul. 18, 2013), hereinafter referred to as Figura.
As per claim 1, Figura teaches a method comprising:
detecting an alarm condition at a network device, the alarm condition comprising an anomaly or increase in a traffic condition in a network (Yet another embodiment is directed to a method for automatically calculating KPI thresholds in a monitoring product by using self-learning triggers based on KPI values considered to be normal (values observed during normal conditions), and adaptively triggering alarms to indicate deviance from normal conditions. Figura, [0072]);
identifying a first dominant key having a first key type and a second dominant key having a second key type, wherein the first dominant key and the second dominant key are different key types (The correlator correlates or associates events of one or several types, producing new events. Figura, [0145]) and both contributed to the alarm condition (For instance, in the context of monitoring VoIP calls, embodiments described herein automatically learn that a normal Mean Opinion Score (MOS) for calls from carrier A is x, the normal MOS for carrier B is y, etc. After these values have been determined, the system may automatically trigger alarms when calls with MOS values below (or above depending on the context) those levels are detected. These learned values can also be time dependent. Figura, [0073]), and wherein the first dominant key and the second dominant key each have relative higher contributions to the alarm condition that at least one other dominant key having a relative lower contribution (A user could also specify that only the highest (or lowest) N values may be kept during the aggregation using the Top-N or Bottom-N selection algorithm. Figura, [0066]);
excluding the at least one other dominant key having the relative lower contribution from an aggregation of dominant keys to determine a combination of dominant keys (This may be useful when tracking "too many" dimension instances. For example, for a KPI that tracks the quality of experience for subscribers, it does not make sense to keep track of possibly millions of subscribers, it is enough to track the ones that are having the worst experience. Figura, [0066], and the operation may alternatively have been "max", "min", "average", "top 5", "bottom 3 ", "stddev", etc. Figura, [0067]);
aggregating the first dominant key and the second dominant key to determine the combination of dominant keys which contributed to the alarm condition (For example the system can learn the "normal" values for a tested function, such as "Busy Hour" and "Off Times" and use the KPI aggregators to compare against these at the appropriate times. Figura, [0073]); and
identifying a dominant traffic flow comprising the combination of dominant keys which contributed to the alarm condition (For example, a "best" MOS score on a VoIP network may be 4.19 for the G.711 codec. If a score of 4.19 was received after normal values of between 3 and 4 had been learned, then a score of 4.19 would be flagged as falling outside the range of normal values. However, in this case a score of 4.19 would not be a cause for concern, because it is a very good MOS score, so there would be no need for a user to receive an alarm for receiving an excellent MOS score. Hence, the system could automatically adapt a trigger so that an alarm was not triggered even though the deviation from normal was outside of the normal range that had been learned because the deviation was good, not bad. Figura, [0076]).
As per claim 2, Figura teaches the method of claim 1, wherein the traffic condition comprises one or more of a jitter, latency, packet drop count, or retransmission (For example, in VoIP networks, a network probe may monitor media quality information such as MOS, packet jitter, packet loss, among other metrics. Figura, [0028]).
As per claim 3, Figura teaches the method of claim 1, wherein the first key type and the second key type each comprise one or more of a source IP address, destination IP address, port, protocol, application, interface, application identifier (ID), interface ID, Security Group Tag (SGT), Access Point (AP) ID, Wireless Local Area Network (LAN) Controller (WLC) ID, Client Media access control (MAC) address, or Virtual LAN (VLAN) ID (Enrichment enables a user to establish and configure relationships between external information and the data processed by the platform, including data events, KPIs, and other output events. For example for a data event containing IP addresses for networks and networking gear, enrichment could be used to match these IP addresses to a geographic location. The external data could include the location name, type of the address, etc. Using an enrichment scheme like this could monitor the network based off of geographic location. Figura, [0143], see also [0145], [0035], and FIG. 2).
As per claim 4, Figura teaches the method of claim 1, wherein identifying the first dominant key and the second dominant key comprises grouping and clustering the traffic condition pertaining to the first key type or the second key type (Clustering can also be used to identify normal KPI values. Common types of clustering algorithms include hierarchical algorithms, partitional algorithms, and subspace clustering methods. Figura, [0087]) to determine outliers (Other aggregation statistical operations include determining the median, the mode, quartiles, and outliers. Figura, [0056]).
As per claim 5, Figura teaches the method of claim 1, wherein aggregating the first dominant key and the second dominant key comprises ordering the first dominant key and the second dominant key into an ordered set based on their individual contributions to the alarm condition, and aggregating contributions from combinations of the first dominant key and the second dominant key to determine whether a combination of first dominant key and the second dominant key have a contribution greater than a predetermined threshold to the alarm condition (The configuration methodology enables a wide range of aggregation operations to be used and defined by the user. For example, a first aggregation operation can count the number of received KPI data events, a second aggregation can sum the values for a particular dimension from a plurality of KPI data events, a third aggregation can sum the squares of the values for a particular dimension from a plurality of KPI data events, etc. Other aggregation operations include determining the minimum value for a dimension from a plurality of KPI data events, determining the maximum value from the plurality of KPI data events, determining the largest N values from the plurality of KPI data events, determining the smallest N values from the plurality of KPI data events, determining the average of the values from the plurality of KPI data events, determining the standard deviation, and determining the value distribution of the values from the plurality of KPI data events into a predefined number of value buckets. Figura, [0056]).
As per claim 6, Figura teaches the method of claim 5, further comprising eliminating least contributing dominant keys from the ordered set in a stepwise manner until the combination of first dominant key and the second dominant key having the contribution greater than the predetermined threshold to the alarm condition is obtained (Selection algorithms can also be used to limit the number of individual dimension values reported by a KPI aggregator. For instance, the k smallest values or the k largest values can be retrieved from the values of a set of KPI data events. Figura, [0056]).
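To make the claimed sequence of claims 1, 5 and 6 concrete, the following is an added Python sketch written for this review; it is not code from the application or from Figura. It assumes constructed per-flow packet-drop records keyed by source IP, destination port and protocol, a learned baseline drop count, a Top-N selection per key type, an ordered set of dominant keys by contribution, and stepwise elimination of the least-contributing key until the remaining combination exceeds a chosen threshold.

```python
from collections import defaultdict

# Constructed sample: per-flow packet-drop counts seen at one network device in one
# interval. Each record is (key dict, drop count); key types are the claim's key types.
FLOWS = [
    ({"src_ip": "10.0.0.5", "dst_port": 443, "proto": "tcp"}, 500),
    ({"src_ip": "10.0.0.5", "dst_port": 22,  "proto": "tcp"}, 120),
    ({"src_ip": "10.0.0.9", "dst_port": 443, "proto": "tcp"}, 60),
    ({"src_ip": "10.0.0.7", "dst_port": 53,  "proto": "udp"}, 20),
]
BASELINE_DROPS = 100   # learned "normal" drops per interval (constructed value)

def alarm_condition(flows, baseline, factor=3.0):
    """Alarm (claim 1): total drops in the interval exceed the learned baseline by a factor."""
    return sum(d for _, d in flows) > factor * baseline

def dominant_keys(flows, top_n=1):
    """Per key type, rank values by their share of the drops and keep only the Top-N;
    lower-contribution values are excluded. Returns an ordered set (claim 5), highest first."""
    total = sum(d for _, d in flows)
    contrib = defaultdict(lambda: defaultdict(int))
    for keys, drops in flows:
        for ktype, val in keys.items():
            contrib[ktype][val] += drops
    kept = []
    for ktype, vals in contrib.items():
        ranked = sorted(vals.items(), key=lambda kv: kv[1], reverse=True)
        kept.extend((ktype, val, drops / total) for val, drops in ranked[:top_n])
    return sorted(kept, key=lambda k: k[2], reverse=True)

def combination_share(flows, combo):
    """Share of all drops carried by flows matching every key in the combination."""
    total = sum(d for _, d in flows)
    matched = sum(d for keys, d in flows if all(keys.get(t) == v for t, v, _ in combo))
    return matched / total

def dominant_flow(flows, threshold=0.6, top_n=1):
    """Claim 6: drop the least-contributing key from the ordered set, one at a time,
    until the remaining combination's contribution exceeds the threshold."""
    combo = dominant_keys(flows, top_n)
    while combo and combination_share(flows, combo) <= threshold:
        combo.pop()   # ordered set is highest-first, so pop() removes the weakest key
    return {t: v for t, v, _ in combo}

def analyze(flows, baseline, threshold=0.6):
    """End-to-end: only look for a dominant traffic flow once an alarm condition exists."""
    if not alarm_condition(flows, baseline):
        return None
    return dominant_flow(flows, threshold)
```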
Claims 9-14, and 17-20 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of anticipation as used above.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 7, 8, 15, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Figura et al. (US 2013/0182700, Pub. Date: Jul. 18, 2013), in view of Parandehgheibi et al. (US 2016/0359740, Pub. Date: Dec. 8, 2016), hereinafter referred to as Figura and Parandehgheibi.
As per claim 7, Figura teaches the method of claim 1, wherein one of the first dominant key and the second dominant key comprises a dominant source IP address which contributed to a predominant number of packet drops or retransmissions at ports of the network device (For example, if a switch is identified to be dropping packets, then the executed script or sequence of steps can reroute traffic by using a different switch until the switch flagged as the source of the problem is fixed. Figura, [0083]). Figura does not teach malware. Parandehgheibi, however, teaches wherein the method further comprises identifying the dominant source IP address (For example, the network traffic data can include source/destination MAC address, source/destination IP address, protocol, port number, etc. Parandehgheibi, [0027]) to include an originator of malware for scanning the network (The identified anomalies may be used to detect suspicious network activity potentially indicative of malicious behavior. During a policy analysis stage 314, one or more policies can be determined for handling the suspect network traffic. Parandehgheibi, [0073]).
Figura in view of Parandehgheibi are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Figura in view of Parandehgheibi. This would have been desirable because, as Figura explains, the alert can trigger the execution of a script or a sequence of steps used to resolve or mitigate the original issue (Figura, [0083]).

As per claim 8, Figura in view of Parandehgheibi teaches the method of claim 7, wherein packet drops or retransmissions are collected at a collector from different routers of the network at which packets from the dominant source IP address were received and dropped (The process 600 can begin at step 602 in which the network captures network or packet header data for a first flow routed through the network to and/or from a host or endpoint of the network. For example, the network or packet header data may include packet header fields such as source address, source port, destination address, destination port, protocol type, class of service, etc. and/or aggregate packet data such as flow start time, flow end time, number of packets for a flow, number of bytes for a flow, the union of TCP flags for a flow, etc. As discussed, a sensor network can collect the packet header data from multiple perspectives to provide a comprehensive view of network behavior. The sensor network may include sensors at multiple nodes of a data path, Parandehgheibi, [0100]).
Figura in view of Parandehgheibi are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Figura in view of Parandehgheibi. This would have been desirable because the process 600 may continue on to step 604, in which the network determines additional features or attributes corresponding to the first flow, such as data about a source host or a destination host of the first flow, data about a virtualization platform of the source host or destination host, data about a process initiating the first flow, data about the process owner. In some embodiments, network topology information, application information (e.g., configuration information, previously generated application dependency maps, application policies, etc.), and other data regarding the first flow may also be collected (Parandehgheibi, [0100]).

Claims 15 and 16 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of obviousness as used above.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLEG KORSAK whose telephone number is (571)270-1938. The examiner can normally be reached from 5:00 AM to 4:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/OLEG KORSAK/
Primary Examiner, Art Unit 2492