DETAILED ACTION
The non-final of the previous action is withdrawn, and new grounds of rejection are set forth below. This action is made NONFINAL.
This action is in response to the communications filed on 08/16/2022, in which claims 1, 10, 11 and 20 are amended and claims 1, 3-11 and 13-20 are pending.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 08/12/2022 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1, 3-11 and 13-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.
In regard to claims 1 and 11,
Step 1:  Is the claim to a process, machine, manufacture, or composition of matter? 
 Yes, claims 1 and 11 recite a method and a non-transitory machine readable medium storing a program, and therefore recite a process and article of manufacture respectively, which is a statutory category of invention.

Step 2A, prong One: Does the claim recite an abstract idea, law of nature or natural phenomenon? 
Yes, claims 1 and 11 recite “identifying flows associated with a plurality of network addresses, and statistics associated with the identified flows, said statistics including probabilistic values specifying a frequency for occurrence of the flow; identifying a set of traffic patterns through the network based on the identified statistics associated with the plurality of flows; associating each of the plurality of network addresses with the set of traffic patterns, each traffic pattern associated with a particular network address with a particular probability; generating groupings of network addresses with similar distributions of traffic pattern probabilities for display in a user interface; and defining the security policies for a set of applications associated with a set of network addresses based on a set of groupings generated for the set of network addresses.” 
Under BRI the limitation of “identifying flows associated with a plurality of network addresses, and statistics associated with the identified flows, said statistics including probabilistic values specifying a frequency for occurrence of the flow” is a mental process (evaluation). 
Under BRI the limitation of “identifying a set of traffic patterns through the network based on the identified statistics associated with the plurality of flows” is a mental process (evaluation or observation). 
Under BRI the limitation of “associating each of the plurality of network addresses with the set of traffic patterns, each traffic pattern associated with a particular network address with a particular probability” is a mental process (evaluation or observation). 
Under BRI the limitation of “generating groupings of network addresses with similar distributions of traffic pattern probabilities…” is a mental process (evaluation or observation). 
Under BRI the limitation of “defining the security policies for a set of applications associated with a set of network addresses based on a set of groupings generated for the set of network addresses.” is a mental process (evaluation). 

If a claim limitation, under its broadest reasonable interpretation, covers concepts performed in the human mind, then it falls within the mental processes grouping of abstract ideas. Accordingly, claims 1 and 11 recite an abstract idea.

Step 2A, prong Two: Does the claim recite additional elements that integrate the judicial exception into a practical application? 
No, the judicial exception is not integrated into a practical application. In particular, claims 1 and 11 recite “computers, a datacenter, a network, network addresses, a user interface,” claim 11 further recites “a non-transitory machine readable medium, a program, one processing unit” which are all generally linked to the abstract idea.

Claims 1 and 11: The use of “computers, a datacenter, a network, network addresses, a user interface, a non-transitory machine readable medium, a program, one processing unit” amounts to an attempt to generally link the use of a judicial exception to a computer technological environment or field of use - see MPEP 2106.05(h). 


Accordingly, these additional elements do not provide a meaningful limitation to transform the abstract idea into a patent eligible application of the abstract idea. The claims 1 and 11 as a whole, considering all additional elements both individually and in combination, are directed to an abstract idea.

Step 2B: Does the claim recite additional elements that amount to significantly more than the judicial exception? 
No, the claims 1 and 11 do not recite additional elements that amount to an inventive concept (significantly more) than the recited judicial exception. 
Claims 1 and 11:  These additional elements, as explained above: “computers, a datacenter, a network, network addresses, a user interface, a non-transitory machine readable medium, a program, one processing unit” are generally linking the use of a judicial exception to a computer environment.

Accordingly, the claim as a whole and the additional elements, considered both individually and in combination, do not provide significantly more than the abstract idea. These independent claims are not patent eligible.

Dependent claims 3 and 13 recite “wherein the identified statistics comprise at least one of internet protocol flow information export (IPFIX) data and tcpdump data.” In step 2A prong One, under BRI the claims recite more specifics of the abstract idea (i.e. identifying statistics) and therefore are part of the abstract idea. Further, in step 2A prong Two and step 2B, the additional elements “protocol flow information export (IPFIX) data and tcpdump data” recited in the claims amount to an attempt to generally link the use of a judicial exception to a computer technological environment or field of use (e.g. computer networking) - see MPEP 2106.05(h).

Dependent claims 4 and 14 recite “wherein identifying the set of traffic patterns comprises using probabilistic topic modeling to identify the set of traffic patterns.” In step 2A prong One, under BRI the claims recite more specifics of the abstract idea (i.e. identifying traffic patterns) and therefore are part of the abstract idea; using probabilistic topic modeling is a mental process (judgement). Further, in step 2A prong Two and step 2B, the claims recite the use of probabilistic topic modeling (i.e. LDA) to identify traffic patterns. The use of software (i.e. “applying it” with the judicial exception) or a model (i.e. specifying a particular technological environment or field) to provide the result is not eligible – see MPEP 2106.05(f) or 2106.05(h).

Dependent claims 5 and 15 recite “wherein the probabilistic topic modeling is latent Dirichlet allocation (LDA).” In step 2A prong One, using probabilistic topic modeling is a mental process (judgement). In step 2A prong Two and step 2B, the claims recite the additional element “latent Dirichlet allocation (LDA).” The use of software (i.e. “applying it” with the judicial exception) or a model (i.e. specifying a particular technological environment or field) to provide the result is not eligible – see MPEP 2106.05(f) or 2106.05(h).

Dependent claims 6 and 16 recite “wherein the LDA uses network addresses of computers in networks as the documents for its analysis.” In step 2A prong One, under BRI the claims recite more specifics of the abstract idea (i.e. using LDA model) and therefore are part of the abstract idea. Further, in step 2A prong Two and step 2B, the additional elements “network addresses of computers in networks, documents” recited in the claims amount to an attempt to generally link the use of a judicial exception to a computer technological environment or field of use (e.g. computer networking or statistical model) - see MPEP 2106.05(h).


Dependent claims 7 and 17 recite “wherein the LDA uses a particular plurality of statistics associated with a particular network address as a plurality of flows associated with a particular document defined by the particular network address.” In step 2A prong One, under BRI the claims recite more specifics of the abstract idea (i.e. using LDA model) and therefore are part of the abstract idea. Further, in step 2A prong Two and step 2B, the additional elements “network address, flows, a document” recited in the claims amount to an attempt to generally link the use of a judicial exception to a computer technological environment or field of use (e.g. computer networking or statistical model) - see MPEP 2106.05(h).

Dependent claims 8 and 18 recite “wherein the statistics that are associated with a particular flow comprise at least one of a flow direction, a source port, and a destination port.” In step 2A prong One, under BRI the claims recite more specifics of the abstract idea (i.e. identifying statistics) and therefore are part of the abstract idea. Further, in step 2A prong Two and step 2B, the additional elements “a flow direction, a source port, and a destination port” recited in the claims amount to an attempt to generally link the use of a judicial exception to a computer technological environment or field of use (e.g. computer networking) - see MPEP 2106.05(h).

Dependent claims 9 and 19 recite “wherein the statistics that are associated with a particular flow comprise at least one of a number of bytes exchanged, a number of packets exchanged, and a duration of the flow.” In step 2A prong One, under BRI the claims recite more specifics of the abstract idea (i.e. identifying statistics) and therefore are part of the abstract idea. Further, in step 2A prong Two and step 2B, the additional elements “a number of bytes exchanged, a number of packets exchanged, and a duration of the flow” recited in the claims amount to an attempt to generally link the use of a judicial exception to a computer technological environment or field of use (e.g. computer networking) - see MPEP 2106.05(h).

Dependent claims 10 and 20 recite “wherein generating the groupings of network addresses comprises using k-means clustering.” In step 2A prong One, under BRI, using k-means clustering is a mental process (judgement). Further, in step 2A prong Two and step 2B, the claims recite the use of k-means clustering. The use of software (i.e. “applying it” with the judicial exception) or a model (i.e. specifying a particular technological environment or field) to provide the result is not eligible – see MPEP 2106.05(f) or 2106.05(h).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


Claims 1, 4-5, 11 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Shan ("Network security policy for large-scale VPN") in view of Lee (US 20160219068 A1).

In regard to claims 1 and 11, Shan teaches: A method of specifying security policies for applications executing on computers in a datacenter comprising a network and associated with network addresses, the method comprising: (Shan, p. 217 right col. "The trusted-domain model of VPN is a hierarchical structure. Its basic elements include hosts, security nodes, and security link... Each domain contains some basic elements, or may contain sub-domain, and makes independently security policies according to the security requirements of all elements in it. The network Security policies between two different domains are made through negotiation of both sides."; p. 219 right col. "Let subject selector be (SSsrAddr [e.g. network address], SSsrcPort), object selector be (SOdstAddr, SOdstPort), communication information selector be SIprotocol..."; each node or host in the VPN inherently teach applications executing on computers in a datacenter and associated with network addresses; protocol such as TCP is a standard that defines how to establish and maintain a network conversation by which applications can exchange data, which also inherently teaches application executing on computers.)
identifying flows associated with a plurality of network addresses, and (Shan, p. 219 left col. "The three elements of the net-flow identity correspond to SS, SO, SI respectively. Generally, the subject identity is composed of 2 selectors: source IP address, source port number; the object identity is composed of 2 selectors: destination IP address and destination port number; the communication information identity is composed of protocol number.")

defining the security policies for a set of applications associated with a set of network addresses based on a set of groupings generated for the set of network addresses. (Shan, p. 217 right col. "Each domain contains some basic elements, or may contain sub-domain, and makes independently security policies according to the security requirements of all elements in it. The network Security policies between two different domains are made [defining security policies based on sub-domains/groupings] through negotiation of both sides... we describe a typical trusted-domain network system illustrated in Fig. 1 in detail. The system contains three independent trusted-domains...The set E of all domains in the system is E=E1∪E2∪E3"; "... where, the security nodes play a control and protection role to ensure the safe of internal network resources, permitting legal users to access legal resources, and setting up security tunnel with the peer node to protect traffic through the unsecured link... "; p. 219 right col. "... the security policy is simplified as: ((SssrcAdddr, SssrcPort), (SssrcAddr, SssrcPort), SIprotocol) ⟶ act (t1,t2,…,tM) ...Therefore, there are the following policies in one security node...")

Shan does not teach, but Lee teaches: identifying flows… and statistics associated with the identified flows, said statistics including probabilistic values specifying a frequency for occurrence of the flow; (Lee, [0021] "Generating the one or more network flows may include extracting at least one substring from the one or more network flows; and calculating a frequency of discovery of the at least one substring from each of the one or more network flows."; [0027] [0113] "The Dirichlet distribution may enable modeling of a probability [probabilistic values] that, for the one or more network flows, each network flow will contain at least one certain topic."; Dirichlet distribution in the Latent Dirichlet allocation (LDA) model provides probabilities values and LDA is a statistical model.)
identifying a set of traffic patterns through the network based on the identified statistics associated with the plurality of flows; (Lee, Fig. 2, see 'substring frequency' in [0089]-[0098],  'signature extraction unit' and 'a discovery frequency' in [0116]-[0120], [0063] "At step 230, the generation unit 130 may generate the signature [traffic patterns] of a detection rule by applying latent Dirichlet allocation to the one or more network flows. "; see [0009] signature is also viewed as signature pattern in the art, and the signature pattern is generated based on the frequency/statistics/probability of the flow, and further the LDA is a statistical model.)
associating each of the plurality of network addresses with the set of traffic patterns, each traffic pattern associated with a particular network address with a particular probability; (Lee, [0027] [0113] "The Dirichlet distribution may enable modeling of a probability [a particular probability] that, for the one or more network flows, each network flow will contain at least one certain topic."; [0023] "Generating the signature of the detection rule may include classifying the one or more network flows into clusters; extracting a substring that satisfies a predetermined condition from the one or more network flows... setting the extracted substring as the signature of the detection rule..."; [0145]-[0149]; each signature/pattern is associated with a network flow, which is associated with a particular network address (source/destination IP address), as taught by Shan.)
generating groupings of network addresses with similar distributions of traffic pattern probabilities for display in a user interface; and (Lee, [0023] "Generating the signature of the detection rule may include classifying the one or more network flows into clusters [generating groups]..."; [0013] [0147] "… for automatically identifying the signature of malicious traffic using the distribution information of keywords for respective clusters [groupings with similar distribution], with respect to network traffic classified by clustering."; [0136]-[0139] "the statistical data output unit 1010 may output statistical data for latent Dirichlet allocation... may output the set signature.", [0142] "The signature identification apparatus 100 may be implemented... may include ... a UI output device 1227 [displaying in a user interface]")

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the analysis of the network flow of Shan to include a signature identification apparatus using the LDA, as taught by Lee. Doing so would enable the system to automatically identify the signature of malicious traffic. (Lee, [0052] "FIG. 1 is a configuration diagram showing a signature identification apparatus for automatically identifying the signature of malicious traffic using latent Dirichlet allocation according to an embodiment.")

Claim 11 recites substantially the same limitation as claim 1; therefore, the rejection applied to claim 1 also applies to claim 11. In addition, Shan does not teach, but Lee teaches: A non-transitory machine readable medium storing a program for execution by at least one processing unit, the program for generating groupings of network addresses, the program comprising sets of instructions for: (Lee, [0142] "The processor may be a Central Processing Unit (CPU), or a semiconductor device for executing processing instructions stored in the memory 1223 or the storage 1228."; [0023] "Generating the signature of the detection rule may include classifying the one or more network flows into clusters [generating groups]..."; network flows inherently teach source and destination network addresses, also see prior art Shan, sub-domains in Fig. 1)

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have implemented the system of Shan on a computer of Lee and also to include a signature identification apparatus using the LDA of Lee. Doing so would enable the system to automatically identify the signature of malicious traffic. (Lee, [0052] "FIG. 1 is a configuration diagram showing a signature identification apparatus for automatically identifying the signature of malicious traffic using latent Dirichlet allocation according to an embodiment.")

In regard to claims 4 and 14, reference is made to the rejection of claims 1 and 11 respectively, and further, Shan does not teach, but Lee teaches: wherein identifying the set of traffic patterns comprises using probabilistic topic modeling to identify the set of traffic patterns. (Lee, [0063] "At step 230, the generation unit 130 may generate the signature [traffic patterns] of a detection rule by applying latent Dirichlet allocation [probabilistic topic modeling] to the one or more network flows. "; also see [0027] [0113], see [0009] signature is also viewed as signature pattern in the art)
The rationale for combining the teachings of Shan and Lee is the same as set forth in the rejection of claims 1 and 11 respectively.

In regard to claims 5 and 15, reference is made to the rejection of claims 4 and 14 respectively, and further, Shan does not teach, but Lee teaches: wherein the probabilistic topic modeling is latent Dirichlet allocation (LDA). (Lee, [0063] "At step 230, the generation unit 130 may generate the signature of a detection rule by applying latent Dirichlet allocation [probabilistic topic modeling] to the one or more network flows. "; also see [0027] [0113])
The rationale for combining the teachings of Shan and Lee is the same as set forth in the rejection of claims 4 and 14 respectively.

Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Shan in view of Lee in further view of Rieke (US 20160205002 A1).

In regard to claims 3 and 13, reference is made to the rejection of claims 1 and 11 respectively, and further, Shan and Lee do not teach, but Rieke teaches: wherein the identified statistics comprise at least one of internet protocol flow information export (IPFIX) data and tcpdump data. (Rieke, [0116] "Many conventional systems for network monitoring, network control, and network security typically use network flow data from routers, switches, or other hardware configured to collect network traffic statistics using a standard known as 'IP Flow Information Export' (IPFIX), which is also known as 'Netflow.'")

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified the analysis of the network flow information of Shan and Lee to include the IPFIX format, as taught by Rieke. Doing so would enable the system to qualify information exchanges based on network connection attributes. (Rieke, [0116] "IPFIX allows for the monitoring (e.g., auditing) of network exchanges between assets and, to some degree, qualifies information exchanges based on network connection attributes, such as IP address, source and destination port numbers, as well as byte count and other packet or connection attributes defined in the IPFIX protocol and implemented by the IPFIX sending device or software.")

Claims 6-7 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Shan in view of Lee in further view of Niu ("Network Steganography based on Traffic Behavior in Dynamically Changing Wireless Sensor Networks").

In regard to claims 6 and 16, reference is made to the rejection of claims 5 and 15 respectively, and further, Shan and Lee do not teach, but Niu teaches an analogous LDA model, wherein the LDA uses network addresses of computers in networks as the documents for its analysis. (Niu, p. 3 IV. PROPOSED SCHEME "In Fig. 1(b), x indicates a given author chosen from a group of authors and d denotes a document [documents] that the authors write about."; p.3 "However, different from general text data, for network packets, the authors (source/destination addresses) [network addresses of computers] are included in the packet header. In this paper, we utilize this feature to achieve accurate inference by applying both word topic and author-topic probability to infer the network flow.")


It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Shan and the LDA model of Lee with the network addresses disclosed by Niu. The modification would be obvious because doing so would help the system of Lee find out the most dominant sequences of packets forming some behavior. (Niu, p. 2, III. SYSTEM MODEL "With this modeling, we can find out the most dominant sequences of packets forming some behavior, during any time interval for any node or group of nodes. The result will then allow us to purposefully craft cover packets that follow certain behavior (e.g., typical behavior in the given network environment)...")

In regard to claims 7 and 17, reference is made to the rejection of claims 6 and 16 respectively, and further, Shan and Lee do not teach, but Niu teaches: wherein the LDA uses a particular plurality of groups of flow characteristics associated with a particular network address as a plurality of words associated with a particular document defined by the particular network address. (Niu p.2 "We use protocol, message type, packet length, and time interval in a day [e.g. statistics], to construct words for ATM"; p. 3 IV. PROPOSED SCHEME "In Fig. 1(b), x indicates a given author chosen from a group of authors and d denotes a document that the authors write about [a particular document defined by the particular author/address]."; p.3 "However, different from general text data, for network packets, the authors (source/destination addresses) [network addresses] are included in the packet header...") (More details in Niu, p. 2, III. SYSTEM MODEL "With this modeling, we can find out the most dominant sequences of packets forming some behavior, during any time interval for any node [statistics associated with particular network address] or group of nodes. The result will then allow us to purposefully craft cover packets that follow certain behavior (e.g., typical behavior in the given network environment)..."; IV. PROPOSED SCHEME "... We mainly use ATM to discover the traffic behavior in terms of which packets are usually sent together in the flow (traffic pattern) [statistics viewed as flows], what are the active/inactive times of nodes (business pattern), what traffic patterns and business patterns a given source node is likely to follow and which nodes act similarly."; also see p. 4-5 D. Network Behavior Discovered with ATM)
The rationale for combining the teachings of Shan, Lee and Niu is the same as set forth in the rejection of claims 6 and 16 respectively.

Claims 8-10 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Shan in view of Lee in view of Niu in further view of Bassett (US 20150236935 A1).

In regard to claims 8 and 18, reference is made to the rejection of claims 7 and 17 respectively, and further, Shan, Lee and Niu do not teach, but Bassett teaches: wherein the flow characteristics that make up a particular word comprise at least one of a flow direction, a source port, and a destination port. (Bassett, [0018] " the network activity information is periodically stored in a particular format, such as a format associated with a version of NetFlow. The network activity information identifies characteristics, metrics, features, or dimensions (e.g., source internet protocol (IP) address, destination IP address, source port, destination port, byte rate, byte total, etc.) of network activity between hosts of the network.")

It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified Shan, Lee and Niu to incorporate the teachings of Bassett by including clustering machine learning algorithms. Doing so would automatically determine the number of clusters. (Bassett, [0018] "... clusters are developed using clustering machine learning algorithms from the observation vectors. Depending on the particular clustering algorithm selected, the number of clusters can be pre-determined, automatically determined as part of the technique, and any combination of pre-determined and automatic.")

In regard to claims 9 and 19, reference is made to the rejection of claims 7 and 17 respectively, and further, Shan, Lee and Niu do not teach, but Bassett teaches: wherein the flow characteristics that make up a particular word comprise at least one of a number of bytes exchanged, a number of packets exchanged, and a duration of the flow. (Bassett, [0018] " the network activity information is periodically stored in a particular format, such as a format associated with a version of NetFlow. The network activity information identifies characteristics, metrics, features, or dimensions (e.g., source internet protocol (IP) address, destination IP address, source port, destination port, byte rate, byte total, etc.) of network activity between hosts of the network... The records are summarized to observation vectors periodically (e.g., daily, weekly, etc.)... "; [0033] "collects network activity information periodically (e.g., hourly, daily, weekly, monthly, yearly, etc.,"; [0042][0023])

The rationale for combining the teachings of Shan, Lee, Niu and Bassett is the same as set forth in the rejection of claims 8 and 18 respectively.

In regard to claims 10 and 20, reference is made to the rejection of claims 6 and 16 respectively, and further, Shan, Lee and Niu do not teach, but Bassett teaches: wherein generating the groupings of network addresses comprises using k-means clustering. (Bassett, [0035] "Turning next to the classification component 206, in this embodiment, the classification component 206 is configured to perform one or more operations, including, creating clusters from the observation vectors. The creation of clusters from the observation vectors is a way to organize and/or group similar hosts, primarily those of the internal network 116 but also potentially including those of the outside network 118.  In some embodiments, the classification component 206 creates clusters using a clustering technique utilizing a single, or a combination of, any suitable clustering algorithms. Examples of suitable clustering algorithms include, k-means clustering, hierarchal clustering, expectation maximization clustering, and self-organizing maps.")

The rationale for combining the teachings of Shan, Lee, Niu and Bassett is the same as set forth in the rejection of claims 8 and 18 respectively.

Response to Arguments
Applicant's arguments with respect to the rejection of the claims under 35 U.S.C. 103 have been fully considered but they are moot:
(a) Applicant argues: (see p. 2 bottom): “A. Generating Groupings of Network Addresses to Define Security Policies… Niu does not disclose that these three IP addresses are grouped. There is no comparison between a grouping operation that generates groupings of network addresses and IP addresses that are merely displayed in a table… Hence, the IP addresses in table II of Niu are not even displayed because of similar distributions of traffic pattern probabilities and are not an example of generated groupings of network addresses with similar distributions of traffic pattern probabilities.” 
(b) Examiner answers: the arguments do not apply to the references (Shan and Lee) being used in the current rejection.

(a) Applicant argues: (see p. 3 middle): “A. Generating Groupings of Network Addresses to Define Security Policies… Second… However, the cited portions of Kirner clearly state using segmentation with access control policies to define groups of managed servers 130 that are subject to particular policies. Kirner merely defines groups of managed servers based on similar policies. Kirner does not disclose defining security policies based on a set of groupings of network addresses… Third… and certainly does not disclose grouping network addresses for the purpose of defining something based on the generated groupings.” 
(b) Examiner answers: the arguments do not apply to the references (Shan and Lee) being used in the current rejection.

(a) Applicant argues: (see p. 3 bottom): “B. Identifying Traffic Patterns Based on IPFIX Data and tcpdump Data… the cited references do not disclose or suggest identifying a set of traffic patterns based on at least one of IPFIX data and tcpdump data…The cited portion of Niu does not disclose using identified statistics associated with multiple flows to identify traffic patterns. Moreover, no portion of Niu discloses IPFIX data or tcpdump data in any context, or any other statistics associated with flows. Hence, Niu does not disclose or suggest any kind of statistics associated with flows used to identify a set of traffic patterns.” 
(b) Examiner answers: the arguments do not apply to the references (Rieke) being used in the current rejection.

(a) Applicant argues: (see p. 4 middle): “C. Statistics that Include Flow Direction, Source Port, and Destination Port, or Number of Bytes Exchanged, Number of Packets Exchanged, and Duration of the Flow… Nothing in this table describes a particular flow direction of the packet, a source port of the packet, or a destination port of the packet.” 
(b) Examiner answers: the arguments do not apply to the references (Bassett) being used in the current rejection.

(a) Applicant argues: (see p. 4 middle): “C. Statistics that Include Flow Direction, Source Port, and Destination Port, or Number of Bytes Exchanged, Number of Packets Exchanged, and Duration of the Flow… This has nothing to do with identifying traffic patterns, let alone using the information in this table to do so. Regardless, this number of bytes cited in table I refers to the number of bytes of a single packet. It has nothing to do with a number of bytes exchanged for a particular flow and has nothing to do with statistics that are used to identify traffic patterns.” 
(b) Examiner answers: the arguments do not apply to the references (Bassett) being used in the current rejection.

(a) Applicant argues: (see p. 4 middle): “D. Generating Groupings of Network Addresses Using K-Means Clustering… it is impossible for Kirner to then disclose that generating groupings of network addresses includes using k-means clustering. No portion of Kirner discloses or suggests using k-means clustering in order to generate groupings of network addresses...”
(b) Examiner answers: the arguments do not apply to the references (Bassett) being used in the current rejection.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SU-TING CHUANG whose telephone number is (408)918-7519.  The examiner can normally be reached on Monday - Thursday 8-5 PT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kakali Chaki can be reached on (571)272-3719.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/S.C./Examiner, Art Unit 2122

 /BRIAN M SMITH/Primary Examiner, Art Unit 2122