DETAILED ACTION
This office action is in response to the correspondence filed on 04/01/2021. This application has a provisional application 63/140,678 filed 01/22/2021. Claims 1-20 are pending and are examined.


Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
Applicant's claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. 


Information Disclosure Statement
The information disclosure statement (IDS) was submitted on 07/22/2021, 10/12/2021, and 02/11/2022. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-2, 4-5, 12-13, and 15 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Brown et al. (US Patent No. 11,347,896 B1, referred to as Brown).
Regarding claims 1 and 12, taking claim 12 as exemplary, Brown anticipates,
12. A non-transitory machine-readable medium storing a program which when executed by at least one processing unit identifies security threats to a datacenter, the program comprising sets of instructions for:
from a plurality of host computers in the datacenter, (Brown: Fig. 4A; Coln. 11, ls. 24-38; computing environment may employ a plurality of computing devices.) receiving data indicating port usage for a particular time period for each of a plurality of destination data compute nodes (DCNs) executing on the host computers; (Brown: Fig. 2; Coln. 7, ls. 24-38; the control module may be operably interconnected with a log processing service 235, which may be a program, service, or application running on the host computer system, configured to process information received from the control module. Coln. 6, ls. 44-55; the data structure management unit 205 is configured to monitor all incoming traffic requests and populate the relevant data into the appropriate ring buffer. As each of ring buffers 202a-202c is populated with respective data, a control module 240 may be operably interconnected with the ring buffers to monitor and analyze the data stored in the ring buffers over a certain time period.
The control module 240 can be configured to count/measure the size of one or more buffers based on the data stored in each slice of each buffer in order to identify outlier data, such as data that appears suspicious, anomalous, abnormal, etc. that may indicate a horizontal port scan. Coln. 2, 26-29; each port, of up to the 65,535 available ports, may have an equally sized ring buffer assigned to it, where each ring buffer provides a historical view of the connections on that specific port for a period of time (data indicating port usage for a particular time period).
Coln. 3; ls. 54-67; a host computer system, which may be one of a plurality of host computer systems running within a computer system environment, may have one or more services, processes, and/or applications running on the system and may also have one or more users of the system. The computer system network may, for example, be a local network, an internal network, a public network such as the Internet, a wide-area network, a wireless network, a mobile network, a satellite network, a cellular network, a distributed computing system with a plurality of network nodes and/or other such networks (host computers and nodes).)
for each DCN of a set of the DCNs, identifying whether the port usage for the particular time period deviates from a historical baseline port usage for the DCN; and (Brown: Coln. 7, ls. 7-12; while the control module may detect an attacker or performance of a port scan (port usage over a certain time period), the information may be recorded in the log processing service in order to raise an alarm regarding possible or actual threats and provide historical data records for comparing to new threats. Coln. 7, ls. 33-46; the log processing service may further be operably interconnected with the data structure management unit 205 and configured to return historical data to the management unit. In some embodiments, the host computer system may detect that an attack is occurring after a certain system determined amount of suspicious behavior is attempted based at least in part on the historical or log data (deviates from the historical baseline) provided from the log processing service to the data structure management unit.)
when the port usage for a particular DCN deviates from the historical baseline for the particular DCN, identifying the particular DCN as a target of a security threat. (Brown: Coln. 7, ls. 7-12; while the control module may detect an attacker or performance of a port scan, the information may be recorded in the log processing service in order to raise an alarm regarding possible or actual threats and provide historical data records for comparing to new threats. Coln. 7, ls. 33-46; the log processing service may further be operably interconnected with the data structure management unit 205 and configured to return historical data to the management unit. In some embodiments, the host computer system may detect that an attack (security threat) is occurring (identifying the particular DCN) after a certain system determined amount of suspicious behavior is attempted based at least in part on the historical or log data (deviates from the historical baseline) provided from the log processing service to the data structure management unit.)


Regarding claims 2 and 13, taking claim 13 as exemplary, Brown further anticipates, 
13. The non-transitory machine-readable medium of claim 12, wherein the program further comprises a set of instructions for computing the historical baseline port usage for each DCN over an extended time period. (Brown: Coln. 2, 26-29; each port, of up to the 65,535 available ports, may have an equally sized ring buffer assigned to it, where each ring buffer provides a historical view of the connections on that specific port for a period of time (historical data indicating port usage for a particular time period, ports are associated with each host/node).)


Regarding claim 4, Brown further anticipates, 
4. The method of claim 1, wherein the data indicating port usage for the particular DCN comprises a number of unique ports used by data flows sent to the DCN during the particular time period. (Brown: Fig. 1; Coln. 5, ls. 17-27; the source identifier may be a port number, where the source identifier A is used to provide multiplexing services on each port number that a source host connects to for communications, where the traffic from a source IP address being transmitted via the port number (source identifier A) may include a destination IP address. For example, the computer network may be monitored for potential attackers by tracking the port numbers (e.g., source identifiers A-D (102a-d)) to determine the source hosts that are using those ports to access different destination IP addresses (unique ports usage by the host/node). Coln. 6, ls. 44-55; the data structure management unit 205 is configured to monitor all incoming traffic requests and populate the relevant data into the appropriate ring buffer. As each of ring buffers 202a-202c is populated with respective data, a control module 240 may be operably interconnected with the ring buffers to monitor and analyze the data stored in the ring buffers over a certain time period (particular time period).)


Regarding claim 5, Brown further anticipates, 
5. The method of claim 4, wherein the ports comprise transport layer port numbers. (Brown: Coln. 2; ls 17-19; there are 2^16 port numbers (0 to 65,536) used by Transport Layer Protocols (e.g., Transmission Control Protocol (TCP)) (transport layer port numbers).)


Regarding claim 15, Brown further anticipates, 
15. The non-transitory machine-readable medium of claim 12, wherein the data indicating port usage for the particular DCN comprises a number of unique transport layer port numbers used by data flows sent to the DCN during the particular time period. (Brown: Fig. 1; Coln. 5, ls. 17-27; the source identifier may be a port number, where the source identifier A is used to provide multiplexing services on each port number that a source host connects to for communications, where the traffic from a source IP address being transmitted via the port number (source identifier A) may include a destination IP address. For example, the computer network may be monitored for potential attackers by tracking the port numbers (e.g., source identifiers A-D (102a-d)) to determine the source hosts that are using those ports to access different destination IP addresses (unique ports usage by the host/node). Coln. 6, ls. 44-55; the data structure management unit 205 is configured to monitor all incoming traffic requests and populate the relevant data into the appropriate ring buffer. As each of ring buffers 202a-202c is populated with respective data, a control module 240 may be operably interconnected with the ring buffers to monitor and analyze the data stored in the ring buffers over a certain time period (particular time period). Coln. 2; ls 17-19; there are 2^16 port numbers (0 to 65,536) used by Transport Layer Protocols (e.g., Transmission Control Protocol (TCP)) (unique transport layer port numbers).)


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Brown, in view of Amit et al. (US Pub No. 2020/0244676 A1, referred to as Amit).
Regarding claims 3 and 14, taking claim 14 as exemplary, Brown discloses, 
14. The non-transitory machine-readable medium of claim 12, 
wherein the historical baseline port usage is based on port usage for a …[time period] (Brown: Coln. 2, 26-29; each port, of up to the 65,535 available ports, may have an equally sized ring buffer assigned to it, where each ring buffer provides a historical view of the connections on that specific port for a period of time (historical data indicating port usage for a particular time period).)
Brown does not explicitly disclose, however Amit teaches,
wherein the particular time period is one day, (Amit: [0036]; for each aggregated communication session 58, the port scan time period 62 comprises a specified time period (e.g., a specific number of hours or days), and subset 86 refers to a plurality of communication sessions 68 (24 hours or one day).)
…port usage is based on port usage for a plurality of days. (Amit: [0036]; for each aggregated communication session 58, the port scan time period 62 comprises a specified time period (e.g., a specific number of hours or days), and subset 86 refers to a plurality of communication sessions 68 (port scan can span multiple days and they become the history).)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Amit into the teachings of Brown with a motivation to allow the period of time to have increased specificity and granularity to enable limiting a measurable period to a specified range, i.e., hours/days.


Claims 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Brown in view of Bhattacharyya et al. (US Patent No. 7,908,655 B1, referred to as Bhattacharyya).
Regarding claims 6 and 16, taking claim 16 as exemplary, Brown discloses, 
16. The non-transitory machine-readable medium of claim 12, wherein the set of instructions for identifying whether the port usage for the particular DCN for the particular time period deviates from the historical baseline port usage for the DCN comprises sets of instructions for: (Brown: Coln. 7, ls. 7-12; while the control module may detect an attacker or performance of a port scan (port usage over a certain time period), the information may be recorded in the log processing service in order to raise an alarm regarding possible or actual threats and provide historical data records for comparing to new threats. Coln. 7, ls. 33-46; the log processing service may further be operably interconnected with the data structure management unit 205 and configured to return historical data to the management unit. In some embodiments, the host computer system may detect that an attack is occurring after a certain system determined amount of suspicious behavior is attempted based at least in part on the historical or log data (deviates from the historical baseline) provided from the log processing service to the data structure management unit.)
determining whether the port usage for the particular DCN is greater than the historical baseline for the DCN; and (Brown: Coln. 7, ls. 33-46; the log processing service may further be operably interconnected with the data structure management unit 205 and configured to return historical data to the management unit. In some embodiments, the host computer system may detect that an attack is occurring after a certain system determined amount of suspicious behavior is attempted based at least in part on the historical or log data (greater than the historical baseline because attack is not associated with activity less than normal) provided from the log processing service to the data structure management unit.)
Brown does not explicitly disclose, however Bhattacharyya teaches,
if the port usage for the particular DCN is greater than the historical baseline for the DCN, determining whether the deviation from the historical baseline for the particular DCN is greater than a minimum deviation determined for the particular DCN. (Bhattacharyya: Coln. 15, ls. 15-19; those skilled in the art will recognize that any number of threshold values may indicate port-scanning behaviors and that historical data from known port scanners may be used to appropriately set such values (threshold can be set using historical data plus a margin/minimum).)
Examiner notes that the limitation with "if…" is conditional and potentially lacks patentable weight; art was provided to promote compact prosecution. Examiner suggests that "responsive to", "based on", or "upon determining" can be used instead.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Bhattacharyya into the teachings of Brown with a motivation to stop the propagation of worms that exploit software vulnerabilities by detecting malicious activities using thresholds with historical data (Bhattacharyya Coln. 1, ls 16-20).


Claims 7-8 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Brown in view of Crabtree et al. (US Pub No. 2020/0396254 A1, referred to as Crabtree).
Regarding claims 7 and 17, taking claim 17 as exemplary, Brown discloses, 
17. The non-transitory machine-readable medium of claim 12, wherein the set of instructions for identifying the particular DCN as the target of a security threat comprises a set of instructions for 
Brown does not explicitly disclose, however Crabtree teaches,
computing a score for the deviation of the port usage for the particular DCN based on a plurality of weighted factors. (Crabtree: [0006]; receive a cybersecurity scoring model, the cybersecurity scoring model comprising weights for each of the following categories: domain name system A records, the domain name system sender policy framework records, the domain name system domain-based message authentication, reporting, and conformance records, the list of open ports, and further comprising an algorithm for combining the categories; retrieve the records stored in the cloud-based storage bin; and calculate a cybersecurity score by applying the algorithm to the weighted categories (computing a cybersecurity score using the weights of different factors including port usage).)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Crabtree into the teachings of Brown with a motivation to provide a method for cybersecurity reconnaissance, analysis, and scoring that uses distributed, cloud-based computing services to provide sufficient scalability for analysis of larger networks by making observations of publicly accessible features of the IT enterprise by using such a cybersecurity scoring system with weighted factors (Crabtree [0004]).


Regarding claim 8, the combination of Brown and Crabtree discloses, 
8. The method of claim 7, 
Brown does not explicitly disclose, however Crabtree teaches,
wherein if the computed score is greater than a threshold the particular DCN is flagged as likely being targeted by a security threat. (Crabtree: [0069]; Where the score 1120 is above or below the set score 1125 (threshold), changes to network security may be implemented 1140 (flagged for security change).)
The same motivation that was utilized for combining Brown and Crabtree as set forth in claim 7 is equally applicable to claim 8.


Claims 9 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Brown in view of Crabtree, further in view of Bhattacharyya.
Regarding claim 9, the combination of Brown and Crabtree discloses, 
9. The method of claim 8, 
The combination of Brown and Crabtree does not disclose, however Bhattacharyya teaches,
wherein the identified security threats are vertical port scans targeting the DCNs of the datacenter. (Bhattacharyya: Coln. 4; ls. 59-66; The method 200, at a step 206, defines a set of thresholds for use in evaluating potential port scanning behavior. These thresholds may provide a quantifiable measure to determine whether a device is exhibiting behaviors of a port-scanning device. For example, a port scanner generally attempts one of two distinct access patterns to find vulnerable hosts. The first, a vertical access pattern, is accomplished by trying to connect to multiple ports on each of a limited number of devices (a measurement of port activities can be compared to a threshold to determine vertical port scan).)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Bhattacharyya into the combination of Brown and Crabtree with a motivation to stop the propagation of worms that exploit software vulnerabilities by detecting malicious activities including comparing measured port activities to thresholds (Bhattacharyya Coln. 1, ls 16-20).


Regarding claim 18, the combination of Brown and Crabtree discloses, 
18. The non-transitory machine-readable medium of claim 17, 
The combination of Brown and Crabtree does not disclose, however Bhattacharyya teaches,
wherein if the computed score is greater than a threshold the particular DCN is flagged as likely being targeted by a vertical port scan. (Bhattacharyya: Coln. 4; ls. 59-66; The method 200, at a step 206, defines a set of thresholds for use in evaluating potential port scanning behavior. These thresholds may provide a quantifiable measure to determine whether a device is exhibiting behaviors of a port-scanning device. For example, a port scanner generally attempts one of two distinct access patterns to find vulnerable hosts. The first, a vertical access pattern, is accomplished by trying to connect to multiple ports on each of a limited number of devices (a measurement of port activities can be compared to a threshold to determine vertical port scan).)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teachings of Bhattacharyya into the combination of Brown and Crabtree with a motivation to stop the propagation of worms that exploit software vulnerabilities by detecting malicious activities including comparing measured port activities to thresholds (Bhattacharyya Coln. 1, ls 16-20).


Allowable Subject Matter
Claims 10-11, and 19-20 are objected to as being dependent upon rejected base claims, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is an examiner’s statement of reasons for allowance: 
Although the prior art references Brown, Amit, Bhattacharyya, and Crabtree above disclose all the limitations of the prior claims (see rejections above), none of the prior art of record, alone or in combination, discloses that the weighted factors comprise (i) an amount of deviation of port usage, (ii) a usage of unique ports not used during previous time periods, and (iii) a number of connection errors detected for flows sent to the particular DCN; or adjusting the weights based on administrator feedback received on the identification of a DCN as a target, as described in the claims.
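The detection pipeline the claims describe (per-DCN unique destination ports for a period, comparison against a multi-day historical baseline, a per-DCN minimum deviation, and a weighted score over the three factors named above, flagged against a threshold), as an added example; this is not code from the application or from Brown, Amit, Bhattacharyya or Crabtree. The flow-record format, the weights and threshold, and the choice of one standard deviation of the daily counts as the per-DCN minimum deviation are constructed assumptions:

```python
"""Baseline-deviation detector for vertical port scans against datacenter DCNs.
Added example modelled on claims 12, 14, 16, 17 and the weighted factors in the
reasons for allowance; all records, weights and thresholds are constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One flow as a host computer might report it (constructed format):
    destination DCN, day observed, destination transport-layer port, and
    whether the connection attempt errored (e.g. no listener on that port)."""
    dcn: str
    day: int
    dst_port: int
    error: bool = False


def port_usage(flows, dcn, day):
    """Unique destination ports used by flows sent to `dcn` on `day` (claim 15)."""
    return {f.dst_port for f in flows if f.dcn == dcn and f.day == day}


def historical_baseline(flows, dcn, days):
    """Baseline = mean daily unique-port count over `days` (claim 14: a plurality
    of days). Also returns every port seen in those days and the per-DCN minimum
    deviation (claim 16): one population std-dev of the daily counts, floored at
    one port so a perfectly flat history still needs a real change to trigger."""
    counts = [len(port_usage(flows, dcn, d)) for d in days]
    seen = set().union(*(port_usage(flows, dcn, d) for d in days))
    return mean(counts), seen, max(1.0, pstdev(counts))


def score_dcn(flows, dcn, day, history_days, weights):
    """Return (score, flagged, details) for one DCN on one day. Factors:
    (i) amount of deviation above baseline, (ii) unique ports not used in
    previous periods, (iii) connection errors for flows sent to the DCN."""
    baseline, seen_before, min_dev = historical_baseline(flows, dcn, history_days)
    today = port_usage(flows, dcn, day)
    deviation = len(today) - baseline
    # Claim 16: usage must be greater than the baseline by more than the
    # per-DCN minimum deviation before it counts as a deviation at all.
    if deviation <= min_dev:
        return 0.0, False, {"deviation": deviation, "baseline": baseline}
    new_ports = len(today - seen_before)
    errors = sum(1 for f in flows if f.dcn == dcn and f.day == day and f.error)
    score = (weights["deviation"] * deviation
             + weights["new_ports"] * new_ports
             + weights["errors"] * errors)
    details = {"deviation": deviation, "new_ports": new_ports, "errors": errors}
    return score, score > weights["threshold"], details


# Constructed weights; in the claims these are adjusted on administrator feedback.
WEIGHTS = {"deviation": 1.0, "new_ports": 2.0, "errors": 0.5, "threshold": 20.0}


def build_sample_flows():
    """Constructed data: 'web' normally sees ports 80/443 (and 22 on odd days);
    on day 5 it is probed on twelve unfamiliar ports, all erroring.
    'db' looks on day 5 exactly as it did in its history."""
    flows = []
    for day in range(5):
        flows += [Flow("web", day, 80), Flow("web", day, 443)]
        if day % 2:
            flows.append(Flow("web", day, 22))
        flows += [Flow("db", day, 5432), Flow("db", day, 22)]
    flows += [Flow("web", 5, 80), Flow("web", 5, 443)]
    flows += [Flow("web", 5, p, error=True) for p in range(8000, 8012)]
    flows += [Flow("db", 5, 5432), Flow("db", 5, 22)]
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    for name in ("web", "db"):
        print(name, score_dcn(sample, name, 5, range(5), WEIGHTS))
```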


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
EWAIDA; Bashar H. M. et al., US-PGPUB, US 20210185073 A1, Techniques for analyzing network vulnerabilities
Balasubramanian; Swaminathan et al., US-PGPUB, US 20180063164 A1, Detecting potential security compromise including port scanning

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KA SHAN CHOY whose telephone number is (571) 272-1569. The examiner can normally be reached on MON - FRI: 9AM-5:30PM EST, alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KA SHAN CHOY/Examiner, Art Unit 2435