DETAILED ACTION
	This application has been examined. Claims 1-24 are pending. Claims 22-24 are submitted as new claims.
 
Making Final
Applicant's arguments filed 8/24/2022 have been fully considered but they are moot in view of the new grounds for rejection.
The claim amendments regarding -- ‘determining whether the resource is deployed in a network edge of the computer network based on the metadata’  --  clearly change the literal scope of the independent and dependent claims and/or the range of equivalents for such claims.  The said amendments alter the scope of the claims but do not overcome the disclosure by the prior art as shown below. 
 The Examiner is presenting new grounds for rejection as necessitated by the claim amendments and is thus making this action FINAL.
Response to Arguments
Applicant's arguments filed 8/24/2022 have been fully considered but they are moot in view of the new grounds for rejection. 
The Applicant presents the following argument(s) [in italics]:
… Brown fails to disclose or render obvious identifying an elephant flow responsive to determining whether a resource is deployed in a network edge, regardless of whether Brown is considered singularly or in combination with Gal.…
The Examiner respectfully disagrees with the Applicant.

In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Gal is identifying a particular edge server in order to deliver the requested resource to the client.

The Applicant presents the following argument(s) [in italics]:
… Gal assumes that its edge server is deployed in the network edge. Gal does not, for example, identify a particular server and make a determination of whether or not this server is in the network edge…Gal fails to disclose or render obvious determining whether its edge server (the alleged resource of claim 1) is deployed in a network edge based on metadata…
The Examiner respectfully disagrees with the Applicant.
The Examiner notes that Gal is not limited to identifying any server. Gal is identifying a particular edge server in order to deliver the requested resource to the client.

While Brown-Uppal-Pandian-Gal substantially disclosed the claimed invention Brown-Uppal does not disclose (re. Claim 1) ‘determining whether the resource is deployed in a network edge of the computer network based on the metadata’  
Dilley Column 6 Lines 45-55 disclosed wherein DNS service 112 provides edge-identifying information that identifies edges 106 that host requested tenant applications. A requesting endpoint 110 uses such edge-identifying information to send a message to an identified edge 106 to request access to a requested application hosted by the edge. In an example network workload management system 102, the edge-identifying information includes IP addresses returned by an external Domain Name System (DNS) service 112 operably coupled to the system 102.
Dilley disclosed (re. Claim 1) ‘determining whether the resource is deployed in a network edge of the computer network based on the metadata’ (Dilley-Column 6 Lines 45-55,DNS service 112 provides edge-identifying information that identifies edges 106 that host requested tenant applications. A requesting endpoint 110 uses such edge-identifying information to send a message to an identified edge 106 to request access to a requested application hosted by the edge. In an example network workload management system 102, the edge-identifying information includes IP addresses returned by an external Domain Name System (DNS) service 112 operably coupled to the system 102.)
Brown, Uppal and Dilley are analogous art because they present concepts and practices regarding packet data flows and resource access control.  At the time of the effective filing date of the claimed invention it would have been obvious to combine Dilley into Brown-Uppal.  The motivation for the said combination would have been to enable tenant workload management that steers requests for access to tenant applications to the most appropriate edges, such that external endpoints 110 can access the hosted applications with tenant-specified levels of performance.(Dilley-Column 7 Lines 10 )
Priority
	 The effective date of the claims described in this application is October 31, 2018.
Specification
The specification is objected to as failing to provide proper antecedent basis for the claimed subject matter.  See 37 CFR 1.75(d)(1) and MPEP § 608.01(o).  Correction of the following is required.
Claims 1,12,19 recite limitations regarding ‘determining whether the resource is deployed in a network edge of the computer network based on the metadata’.
Upon inspection of the Applicant Specifications the Examiner does not find sufficient guidance regarding ‘determining whether the resource is deployed in a network edge of the computer network based on the metadata’. 
The claim or claims must conform to the invention as set forth in the remainder of the specification and the terms and phrases used in the claims must find clear support or antecedent basis in the description so that the meaning of the terms in the claims may be ascertainable by reference to the description.


 Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 12, 19, 21 are rejected under 35 U.S.C. 103 as being unpatentable over Brown (USPGPUB 2018/0316618) further in view of Uppal (US Patent 10469513) further in view of Pandian (USPGPUB 2020/0076853) further in view of Gal (USPGPUB 2018/0278688) further in view of Dilley (US Patent 10791168).
 
In regard to Claim 1
Brown Figure 13, Paragraph 44 disclosed collecting/storing statistical data on previously mentioned data flows as a whole or as determined by the domain name, and determining the most significant domain name(s) on a given network by analyzing the whole of the statistical data collected. Brown Paragraph 45 disclosed creating a mapping, or cache, of hostname and corresponding server IP addresses of a variety of data flows, even when application level packet data in the data flows is encrypted.
Brown Paragraph 52,57,76 disclosed wherein DNS spy 130 maps multiple hostname/IP address pairs to entries of the identification table by intercepting and inspecting multiple DNS responses. 

Brown disclosed (re. Claim 1) a computer-implemented method, comprising:   
identifying a resource deployed in a computer network, (Brown-Paragraph 52, DNS spy 130 is configured to intercept DNS responses sent from the DNS server 150 to the client device 110, and to generate and/or update an identification table based on hostname/IP address pairs in the DNS responses. The DNS spy 130 may also intercept other types of packets traversing the first network 120, the second network 140, or both, (e.g., non-DNS data packets) and update the identification table based on characteristics of the intercepted packets, Paragraph 76, Rather than decrypting the data packets, in an embodiment, the transport manager 270 identifies the hostname of the content server 290 by extracting the IP address of the content server 290 from one of the data packets, accessing an information table stored in a storage 232, identifying an entry in the information table including the extracted IP address, and determining the hostname by reading the identified entry )  wherein discovery protocol data traffic from the resource is unencrypted; ( Brown- Paragraph 76, extracting the IP address of the content server 290 from one of the data packets. Paragraph 57, Because the DNS response is not encrypted, the DNS spy 130 extracts the hostname and the IP address from the DNS response without performing decryption. The Examiner notes wherein the extracted IP address is not decrypted and thus is equivalent to the claimed protocol traffic that is unencrypted ) 
receiving metadata associated with the discovery protocol data traffic; (Brown-Paragraph 52, DNS spy 130 is configured to intercept DNS responses sent from the DNS server 150 to the client device 110, and to generate and/or update an identification table based on hostname/IP address pairs in the DNS responses. The DNS spy 130 may also intercept other types of packets traversing the first network 120, the second network 140, or both, (e.g., non-DNS data packets) and update the identification table based on characteristics of the intercepted packets )  
updating the computer network based at least in part on information included in the metadata; (Brown-Paragraph 52, DNS spy 130 is configured to intercept DNS responses sent from the DNS server 150 to the client device 110, and to generate and/or update an identification table based on hostname/IP address pairs in the DNS responses. The DNS spy 130 may also intercept other types of packets traversing the first network 120, the second network 140, or both, (e.g., non-DNS data packets) and update the identification table based on characteristics of the intercepted packets )  
providing, to a client, a response;(Brown-Paragraph 94, DNS server 350 then generates a DNS response including a plurality of RRs that include the hostname and the IP address. The DNS server 350 transmits the DNS response to the source of the DNS request. For example, when the DNS request is transmitted from a client device, the DNS server 350 transmits the DNS response to the client device )  
While Brown substantially disclosed the claimed invention Brown does not disclose (re. Claim 1)   wherein the metadata includes a valid media access control (MAC) address and schedule, and a device universal unique identifier.
While Brown substantially disclosed the claimed invention Brown does not disclose (re. Claim 1) determining whether the resource is deployed in a network edge of the computer network, wherein the network edge is associated with end user client devices including the at least one client device.

While Brown substantially disclosed the claimed invention Brown does not disclose (re. Claim 1) authenticating a request from the client to access the resource using an encrypted protocol; and 
providing, to the client, access to the resource upon authentication, according to a resource attribute.
Uppal Column 2 Lines 45-65 disclosed wherein a request can be handled as erroneous or potentially malicious.
Uppal disclosed (re. Claim 1) authenticating a request from the client to access the resource using an encrypted protocol; (Uppal-Column 2 Lines 65, a router or computing device may determine whether a request to communicate with a network address should be considered valid, based on validity information encoded into the network address. Should the request be invalid (e.g., due to an expired TTL), the request can be handled as erroneous or potentially malicious, thus enabling the router or computing device to determine validity as a function of a network address, potentially without referencing external information regarding the request.)    and 
providing, to the client, access to the resource upon authentication, according to a resource attribute. (Uppal-Column 5 Lines 15-20, a DNS service and a destination computing device may work cooperatively to ensure that all client computing devices accessing the destination computing device are legitimate users of the DNS service. Such cooperation may assist, for example, in mitigating network attacks)
Brown and Uppal are analogous art because they present concepts and practices regarding packet data flows and resource access control.  At the time of the effective filing date of the claimed invention it would have been obvious to combine Uppal into Brown.  The motivation for the said combination would have been to implement inclusion of validity information within a network address and enable computing devices to readily and efficiently distinguish legitimate from illegitimate traffic. (Uppal-Column 6 Lines 1-5)

While Brown-Uppal substantially disclosed the claimed invention Brown-Uppal does not disclose (re. Claim 1) wherein the metadata includes a valid media access control (MAC) address and schedule, and a device universal unique identifier.
While Brown-Uppal substantially disclosed the claimed invention Brown-Uppal does not disclose (re. Claim 1) determining whether the resource is deployed in a network edge of the computer network, wherein the network edge is associated with end user client devices including the at least one client device

Pandian Paragraph 60 disclosed a traffic sensor (such as, sensors 110a-c) is configured to capture data packets transmitted to and/or from a device in a network. A traffic sensor may be configured as a Test Access Point (TAP) or a Switched Port Analyzer (SPAN).
Pandian Paragraph 79 disclosed wherein attributes associated with a flow of a communication session may include any of: a source address (such as an IP address and/or a Media Access Control (MAC) address). 
Pandian disclosed (re. Claim 1) wherein the metadata includes a valid media access control (MAC) address (Pandian-Paragraph 79, attributes associated with a flow of a communication session may include a Media Access Control (MAC) address) and schedule, (Pandian-Paragraph 132, a time at which data packets of the device were first captured by a sensor, and a time at which data packets of the device were last captured by a sensor) and a device universal unique identifier. (Pandian-Paragraph 132, Paragraph 138, information associated with the device, including MAC address, manufacturer, operating system (OS) type, OS version, software version, Fully Qualified Domain Name (FQDN), DHCP hostname, device description, model name/number, serial number, current user, and Active Directory (AD) organizational unit.)
Brown, Uppal and Pandian are analogous art because they present concepts and practices regarding packet data flows and resource access control.  At the time of the effective filing date of the claimed invention it would have been obvious to combine Pandian into Brown.  The motivation for the said combination would have been to enable expected attribute values of a candidate device profile to be determined via supervised machine learning and/or unsupervised machine learning. An example machine learning algorithm is clustering. Attribute values detected over a particular time period may be input into the clustering algorithm. The clustering algorithm finds a certain number of cluster centers (also known as "centroids"). Each cluster center represents a different candidate device profile. The attribute values at a cluster center are expected values for the corresponding candidate device profile. Additionally, based on a distribution of the detected attribute values, a range of values surrounding a cluster center may also be included in the expected values for the corresponding candidate device profile. (Pandian-Paragraph 96)

Brown Paragraph 106 disclosed content traffic arising from content server 390 may deliver, transfer, transport, and/or otherwise provide media files and other content to network edge caches (not shown), which may deliver, transfer, transport, and/or otherwise provide the content to requesting devices
Brown-Uppal-Pandian disclosed (re. Claim 1) identifying a resource deployed in a computer network, wherein the resource provides discovery protocol data traffic comprising information about at least one client device accessing a server of the computer network (Brown-Paragraph 52, DNS spy 130 is configured to intercept DNS responses sent from the DNS server 150 to the client device 110, and to generate and/or update an identification table based on hostname/IP address pairs in the DNS responses. The DNS spy 130 may also intercept other types of packets traversing the first network 120, the second network 140, or both, (e.g., non-DNS data packets) and update the identification table based on characteristics of the intercepted packets, Paragraph 76, Rather than decrypting the data packets, in an embodiment, the transport manager 270 identifies the hostname of the content server 290 by extracting the IP address of the content server 290 from one of the data packets, accessing an information table stored in a storage 232, identifying an entry in the information table including the extracted IP address, and determining the hostname by reading the identified entry )  

receiving metadata associated with the discovery protocol data traffic (Brown-Paragraph 52, DNS spy 130 is configured to intercept DNS responses sent from the DNS server 150 to the client device 110, and to generate and/or update an identification table based on hostname/IP address pairs in the DNS responses. The DNS spy 130 may also intercept other types of packets traversing the first network 120, the second network 140, or both, (e.g., non-DNS data packets) and update the identification table based on characteristics of the intercepted packets, Figure 13, Paragraph 44, collecting/storing statistical data on previously mentioned data flows as a whole or as determined by the domain name, and determining the most significant domain name(s) on a given network by analyzing the whole of the statistical data collected, Paragraph 73, a data flow can be identified as an elephant flow by identifying a hostname associated with the data flow. When a data flow is identified as being to or from a host that has been previously known to be likely to generate elephant flows, the transport manager 270 identifies the data flow as an elephant flow)


While Brown-Uppal substantially disclosed the claimed invention Brown-Uppal does not disclose (re. Claim 1) determining whether the resource is deployed in a network edge of the computer network, wherein the network edge is associated with end user client devices including the at least one client device
Gal Paragraph 26 disclosed when a client domain name IP address request arrives at the DNS server, the DNS server reviews the states of the edge servers and the location of the client to decide which edge server the client will be routed to. DNS servers can perform load balancing among the edge servers by returning different IP addresses for certain domain names and can also return IP addresses that are close to an end user in terms of latency.
Gal disclosed (re. Claim 1) determining whether the resource is deployed in a network edge of the computer network, wherein the network edge is associated with end user client devices including the at least one client device.( Gal Paragraph 26, when a client domain name IP address request arrives at the DNS server, the DNS server reviews the states of the edge servers and the location of the client to decide which edge server the client will be routed to. DNS servers can perform load balancing among the edge servers by returning different IP addresses for certain domain names and can also return IP addresses that are close to an end user in terms of latency.)
Brown, Uppal and Gal are analogous art because they present concepts and practices regarding packet data flows and resource access control.  At the time of the effective filing date of the claimed invention it would have been obvious to combine Gal into Brown-Uppal.  The motivation for the said combination would have been to enable a more consistent response time on the client-side for repeat domain name accesses, thereby improving the overall performance of the client-side systems by using the CDN system's resources in a more efficient manner that is centered on the client-side's performance needs. (Gal-Paragraph 34)

 	Brown-Uppal-Pandian-Gal disclosed (re. Claim 1) responsive to determining whether the resource is deployed in the network edge, (Gal- Paragraph 26, when a client domain name IP address request arrives at the DNS server, the DNS server reviews the states of the edge servers and the location of the client to decide which edge server the client will be routed to.)
generating a behaviour model for the server based at least in part on the discovery protocol data traffic; (Brown-Paragraph 73, a data flow can be identified as an elephant flow by identifying a hostname associated with the data flow. When a data flow is identified as being to or from a host that has been previously known to be likely to generate elephant flows, the transport manager 270 identifies the data flow as an elephant flow )  and
regulating access to the server responsive to the behaviour model (Brown-Paragraph 73, transport manager 270 will automatically identify a data flow between the content server 290 and the client device 210 as an elephant flow and pace the data flow) 

While Brown-Uppal-Pandian-Gal substantially disclosed the claimed invention Brown-Uppal-Pandian-Gal does not disclose (re. Claim 1) ‘determining whether the resource is deployed in a network edge of the computer network based on the metadata’  
Dilley Column 6 Lines 45-55 disclosed wherein DNS service 112 provides edge-identifying information that identifies edges 106 that host requested tenant applications. A requesting endpoint 110 uses such edge-identifying information to send a message to an identified edge 106 to request access to a requested application hosted by the edge. In an example network workload management system 102, the edge-identifying information includes IP addresses returned by an external Domain Name System (DNS) service 112 operably coupled to the system 102.
Dilley disclosed (re. Claim 1) ‘determining whether the resource is deployed in a network edge of the computer network based on the metadata’ (Dilley-Column 6 Lines 45-55,DNS service 112 provides edge-identifying information that identifies edges 106 that host requested tenant applications. A requesting endpoint 110 uses such edge-identifying information to send a message to an identified edge 106 to request access to a requested application hosted by the edge. In an example network workload management system 102, the edge-identifying information includes IP addresses returned by an external Domain Name System (DNS) service 112 operably coupled to the system 102.)
Brown, Uppal and Dilley are analogous art because they present concepts and practices regarding packet data flows and resource access control.  At the time of the effective filing date of the claimed invention it would have been obvious to combine Dilley into Brown-Uppal.  The motivation for the said combination would have been to enable tenant workload management that steers requests for access to tenant applications to the most appropriate edges, such that external endpoints 110 can access the hosted applications with tenant-specified levels of performance.(Dilley-Column 7 Lines 10 )

In regard to Claim 12
 Claim 12 (re. system) recites substantially similar limitations as Claim 1.  Claim 12 is rejected on the same basis as Claim 1.
In regard to Claim 19
 Claim 19 (re. non-transitory computer-readable medium) recites substantially similar limitations as Claim 1.  Claim 19 is rejected on the same basis as Claim 1.

In regard to Claim 2
Brown-Uppal-Pandian-Gal disclosed (re. Claim 2) wherein identifying the resource deployed in the computer network (Brown-Paragraph 118, the characteristics are used by a transport manager to identify hostname/IP address pairs associated with relatively burdensome data flows. For example, the transport manager identifies entries including relatively large amounts of cumulative bytes as likely to be associated with elephant flows) comprises determining that the resource is deployed in a network edge of the computing network (Brown-Paragraph 106, content server 390 may deliver, transfer, transport, and/or otherwise provide media files and other content to network edge caches (not shown), which may deliver, transfer, transport, and/or otherwise provide the content to requesting devices) when the discovery protocol data traffic from the resource is unencrypted. (Brown-Paragraph 76, extracting the IP address of the content server 290 from one of the data packets. The Examiner notes wherein the extracted IP address is not decrypted and thus is equivalent to the claimed protocol traffic that is unencrypted)
In regard to Claim 21
Brown-Uppal-Pandian-Gal disclosed (re. Claim 21) wherein the metadata also includes a network address, a domain name for the resource, (Pandian-Paragraph 132, Paragraph 138, information associated with the device, including MAC address, manufacturer, operating system (OS) type, OS version, software version, Fully Qualified Domain Name (FQDN), DHCP hostname, device description, model name/number, serial number, current user, and Active Directory (AD) organizational unit.) and a subnetwork address for an associate router. (Pandian-Paragraph 132, information associated with a connectivity of the device, including an identifier (ID) of a sensor that captured data packets transmitted to or from the device, an IP address of the device, a subnet of the device, a virtual local area network (VLAN) of the device, an access method of the device (wired or wireless), a time at which data packets of the device were first captured by a sensor, and a time at which data packets of the device were last captured by a sensor)

Claims 3-5, 7, 10-11, 13-16, 18, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Brown (USPGPUB 2018/0316618) further in view of Uppal (US Patent 10469513) further in view of Pandian (USPGPUB 2020/0076853) further in view of Gal (USPGPUB 2018/0278688) further in view of Dilley (US Patent 10791168) further in view of BenShaul (USPGPUB 2002/0010798).

In regard to Claim 3,13,20
Brown-Uppal-Pandian-Gal disclosed  (re. Claim 3,13,20) wherein: receiving the metadata associated with the discovery protocol data traffic includes receiving a network address and a domain name for the resource; (Brown-Paragraph 52, DNS spy 130 is configured to intercept DNS responses sent from the DNS server 150 to the client device 110, and to generate and/or update an identification table based on hostname/IP address pairs in the DNS responses. The DNS spy 130 may also intercept other types of packets traversing the first network 120, the second network 140, or both, (e.g., non-DNS data packets) and update the identification table based on characteristics of the intercepted packets, Paragraph 44, parsing the DNS responses to create a mapping between a content delivery network (CDN) server's internet protocol (IP) address(es) and the domain name based on the DNS responses  )  
updating the computer network based at least in part on the information included in the metadata (Brown-Paragraph 52, DNS spy 130 is configured to intercept DNS responses sent from the DNS server 150 to the client device 110, and to generate and/or update an identification table based on hostname/IP address pairs in the DNS responses  )  includes parsing network addresses in the computer network and updating a domain name service with the domain name for the resource; (Brown- Paragraph 44, parsing the DNS responses to create a mapping between a content delivery network (CDN) server's internet protocol (IP) address(es) and the domain name based on the DNS responses )  
and providing, to the client, the response includes providing, to the client, the domain name for the resource (Brown-Paragraph 94, DNS server 350 then generates a DNS response including a plurality of RRs that include the hostname and the IP address. The DNS server 350 transmits the DNS response to the source of the DNS request. For example, when the DNS request is transmitted from a client device, the DNS server 350 transmits the DNS response to the client device)
While Brown-Uppal-Pandian substantially disclosed the claimed invention Brown-Uppal-Pandian does not disclose (re. Claim 3,13,20) a service advertisement associated with the resource.

BenShaul Paragraph 171 disclosed wherein certain domain names are translated to the IP address of the regional edge server 30. The additional domain names that are used may be znn-regionalX.com, where X stands for a number. This naming convention accommodates a set of regional servers that serve requests.
BenShaul disclosed (re. Claim 3,13,20) a service advertisement associated with the resource.( Benshaul Par. 171, certain domain names are translated to the IP address of the regional edge server 30. The additional domain names that are used may be znn-regionalX.com, where X stands for a number. This naming convention accommodates a set of regional servers that serve requests ,  Paragraph  148, responsive to one of the registrations, effecting a resolution of the DNS address resolution request in the regional DNS server, to define a network address, and communicating the network address from the regional DNS server to the client, Paragraph 176, Figure 4, a request is initiated from the client 14 and the resolution is finally returned from the client regional DNS server 22, as indicated by the notation (1, 4) )    The Examiner notes wherein communicating the DNS address resolution information , wherein the said resolution is returned to the requesting client,  is equivalent to a service advertisement associated with the resource.
Brown, Uppal and BenShaul are analogous art because they present concepts and practices regarding packet data flows and resource access control.  At the time of the effective filing date of the claimed invention it would have been obvious to combine BenShaul into Brown-Uppal.  The motivation for the said combination would have been to enable content providers to define and carry out advanced services on the edges of the internet (BenShaul-Paragraph 31)

In regard to Claim 4,14
Brown-Uppal-BenShaul disclosed (re. Claim 4,14) wherein receiving the network address and the domain name for the resource comprises receiving a subnetwork address for a router associated with the resource  (Brown-Paragraph 52, DNS spy 130 is configured to intercept DNS responses sent from the DNS server 150 to the client device 110, and to generate and/or update an identification table based on hostname/IP address pairs in the DNS responses. The DNS spy 130 may also intercept other types of packets traversing the first network 120, the second network 140) and receiving a device universal unique identifier for the router.(BenShaul-Paragraph 171, in the region 32 certain domain names are translated to the IP address of the regional edge server 30. For example, the additional domain names that are used may be znn-regionalX.com, where X stands for a number. This naming convention accommodates a set of regional servers that serve requests for renamed URLs at their respective regions ) 
In regard to Claim 5,16
Brown-Uppal-BenShaul disclosed (re. Claim 5,16) wherein receiving the network address and the domain name for the resource comprises grouping the network addresses into a subnetwork and forming a subnetwork mask (BenShaul-Paragraph 171, in the region 32 certain domain names are translated to the IP address of the regional edge server 30. For example, the additional domain names that are used may be znn-regionalX.com, where X stands for a number. This naming convention accommodates a set of regional servers that serve requests for renamed URLs at their respective regions )  to monitor a usage of the network addresses. (Brown-Figure 13,Paragraph 44,collecting/storing statistical data on previously mentioned data flows as a whole or as determined by the domain name, and determining the most significant domain name(s) on a given network by analyzing the whole of the statistical data collected. Paragraph 73, a data flow can be identified as an elephant flow by identifying a hostname associated with the data flow. When a data flow is identified as being to or from a host that has been previously known to be likely to generate elephant flows, the transport manager 270 identifies the data flow as an elephant flow) 
In regard to Claim 7
Brown-Uppal-BenShaul disclosed (re. Claim 7) wherein receiving the network address and the domain name for the resource comprises mapping the network address to the domain name in response to the network address being accessed by a valid request from a client device. (Brown-Paragraph 44, parsing the DNS responses to create a mapping between a content delivery network (CDN) server's internet protocol (IP) address(es) and the domain name based on the DNS responses )   
 	In regard to Claim 10,18
Brown-Uppal-BenShaul disclosed (re. Claim 10,18) further comprising enforcing a policy rule of the computer network. (Brown-Paragraph 100, processor 352 executes one or more policies 356 stored in the storage 354…the processor 352 executes program commands stored in the storage 354.)
In regard to Claim 11
Brown-Uppal-BenShaul disclosed (re. Claim 11) further comprising identifying popular servers out of a plurality of servers in the computer network based at least in part on a frequency of access to the plurality of servers (Brown-Paragraph 170 , granular statistics on all traffic with a specific domain can be used to determine the top n domains on a specified network )  and updating the domain name service with the popular servers. (BenShaul-Paragraph 171, in the region 32 certain domain names are translated to the IP address of the regional edge server 30. For example, the additional domain names that are used may be znn-regionalX.com, where X stands for a number. This naming convention accommodates a set of regional servers that serve requests for renamed URLs at their respective regions )
In regard to Claim 15
Brown-Uppal-BenShaul disclosed (re. Claim 15) wherein identifying the resource deployed in the computer network (Brown-Paragraph 118, the characteristics are used by a transport manager to identify hostname/IP address pairs associated with relatively burdensome data flows. For example, the transport manager identifies entries including relatively large amounts of cumulative bytes as likely to be associated with elephant flows )   comprises determining that the resource is deployed in a network edge of the computing network (Brown-Paragraph 106, content server 390 may deliver, transfer, transport, and/or otherwise provide media files and other content to network edge caches (not shown), which may deliver, transfer, transport, and/or otherwise provide the content to requesting devices )  when the discovery protocol data traffic from the resource is unencrypted. ( Brown- Paragraph 76, extracting the IP address of the content server 290 from one of the data packets. The Examiner notes wherein the extracted IP address is not decrypted and thus is equivalent to the claimed protocol traffic that is unencrypted )
  
Claims 6,17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brown (USPGPUB 2018/0316618) further in view of Uppal (US Patent 10469513) further in view of Pandian (USPGPUB 2020/0076853) further in view of Gal (USPGPUB 2018/0278688) further in view of Dilley (US Patent 10791168) further in view of BenShaul (USPGPUB 2002/0010798) further in view of Wang (US 2017/0318040) further in view of Achilles (US 2006/0236227) further in view of what was well-known in the networking art.

In regard to Claim 6,17
While Brown-Uppal-BenShaul substantially disclosed the claimed invention Brown-Uppal-BenShaul does not disclose (re. Claim 6,17) wherein receiving the network address and the domain name for the resource comprises issuing a warning to a system server in response to domain name exhaustion being reached.
Wang Paragraph 20, Paragraph 22 disclosed wherein the switch 13 monitors that the IP addresses are allocated for the client terminals and monitors the IP addresses in the address pool of the DHCP server are maliciously exhausted by the insecure client terminal. After the switch 13 monitors that the IP addresses are allocated for the client terminals 11 and 12 coupled to the ports 131 and 132 thereof, the switch 13 may execute the method for defending the DHCP attack, identify the insecure client terminal 11, and take corresponding measures, thus effectively avoiding the problem that the normal client terminal 12 cannot acquire an IP address and cannot access the network because the IP addresses in the address pool of the DHCP server are maliciously exhausted by the insecure client terminal 11.
Wang disclosed (re. Claim 6,17) monitoring for network conditions indicating wherein domain name exhaustion is being reached. (Wang-Paragraph 20, Paragraph 22, After the switch 13 monitors that the IP addresses are allocated for the client terminals 11 and 12 coupled to the ports 131 and 132 thereof, the switch 13 may execute the method for defending the DHCP attack, identify the insecure client terminal 11, and take corresponding measures, thus effectively avoiding the problem that the normal client terminal 12 cannot acquire an IP address and cannot access the network because the IP addresses in the address pool of the DHCP server are maliciously exhausted by the insecure client terminal 11. The Examiner notes wherein the switch 13 monitors that the IP addresses are allocated for the client terminals and monitors the IP addresses in the address pool of the DHCP server are maliciously exhausted by the insecure client terminal.)
Brown, Uppal and Wang are analogous art because they present concepts and practices regarding packet data flows and resource access control.
At the time of the effective filing date of the claimed invention it would have been obvious to combine Wang into Brown-Uppal. The motivation for the said combination would have been to effectively avoid the occurrence of such a situation wherein a malicious attacker can control one or more client terminals to spoof a large number of MAC addresses to request a large number of IP addresses, with the result that the IP addresses in the address pool of the DHCP server are quickly exhausted, and the DHCP server has no allocable IP addresses to allocate for a normal client terminal, so the normal client terminal cannot acquire the IP address and cannot access the network. (Wang-Paragraph 20)
While Brown-Uppal-Wang substantially disclosed the claimed invention Brown-Uppal-Wang does not disclose (re. Claim 6,17) issuing a warning to a system server in response to domain name exhaustion being reached.
  Achilles Paragraph 13, Paragraph 18 disclosed detecting that a number of unassigned content identifiers in the set of unassigned content identifiers has been reduced below a threshold value due to selection and assignment of unassigned content identifiers to successively received or encountered content portions.
Achilles disclosed (re. Claim 6,17)  issuing a warning to a system server in response to domain name exhaustion being reached. (Achilles-Paragraph 44, At some threshold level, the content manager 150 can briefly halt processing of content portions 103 (e.g. the markup parser 115 can cache XML content for a brief period) while the recover operation 152 completes.  The Examiner notes where the Achilles domain names and content identifiers are equivalent to the Wang IP addresses in the address pool of the DHCP server that are maliciously exhausted by the insecure client terminal ).
The Examiner notes wherein Achilles does not explicitly disclose a warning message.  
 	Official Notice (see MPEP 2144.03) is taken that at the time of the invention it would have been well-known in the networking art to issue a warning message for threshold conditions.  In the context of the Brown-Uppal-Wang-Achilles it would have been obvious to send a warning message regarding the detected Achilles threshold level in order that the system administrators are made aware of the conditions while Achilles is executing the recover operation.

Brown, Uppal,Wang and Achilles are analogous art because they present concepts and practices regarding packet data flows and resource access control.  At the time of the effective filing date of the claimed invention it would have been obvious to combine Achilles into Brown-Uppal-Wang.  The motivation for the said combination would have been to avoid a situation in which the set of available numeric identifiers is not large enough to represent all content portions uniquely such that the Wang IP addresses in the address pool of the DHCP server are maliciously exhausted by the insecure client terminal. In other words, as more and more different text strings are encountered and converted to content identifiers, the set of available content identifiers become smaller and smaller. Eventually, a situation can arise in which there are no more content identifiers available for assignment as numeric identifiers to individual respectively unique content portions such as text strings (e.g. tags or URIs). (Achilles-Paragraph 13)
Claims 8 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brown (USPGPUB 2018/0316618) further in view of Uppal (US Patent 10469513) further in view of Pandian (USPGPUB 2020/0076853) further in view of Gal (USPGPUB 2018/0278688 ) further in view of BenShaul (USPGPUB 2002/0010798) further in view of Dunn (USPGPUB 2014/0330948).

In regard to Claim 8
Brown-Uppal-Pandian-Gal disclosed  (re. Claim 8)   parsing the network addresses in the computer network (Brown-Paragraph 44, parsing the DNS responses to create a mapping between a content delivery network (CDN) server's internet protocol (IP) address(es) and the domain name based on the DNS responses  )  
While Brown-Uppal substantially disclosed the claimed invention Brown-Uppal does not disclose (re. Claim 8) setting bindings between new domain names and the network addresses with a pre-selected refresh interval.
Dunn Paragraph 26 disclosed periodically replenishing the pool of partially initialized service domains to ensure that a partially initialized service domain is available upon demand from one of the guest domains.
Dunn disclosed (re. Claim 8) setting bindings between new domain names and the network addresses with a pre-selected refresh interval.( Dunn-Paragraph  26, periodically replenishing the pool of partially initialized service domains to ensure that a partially initialized service domain is available upon demand from one of the guest domains ) 
Brown, Uppal and Dunn are analogous art because they present concepts and practices regarding packet data flows and resource access control.  At the time of the effective filing date of the claimed invention it would have been obvious to combine Dunn into Brown-Uppal.  The motivation for the said combination would have been to enable virtualization system 500 to be selectively configured to handle service domains 518 that are no longer needed and thus improve scalability of conventional virtualization implementations (Dunn-Paragraph 73)

Claims 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brown (USPGPUB 2018/0316618) further in view of Uppal (US Patent 10469513) further in view of Pandian (USPGPUB 2020/0076853) further in view of Gal (USPGPUB 2018/0278688) further in view of BenShaul (USPGPUB 2002/0010798) further in view of Pereira (USPGPUB 2019/0089721).
In regard to Claim 9
Brown-Uppal-Pandian-Gal disclosed (re. Claim 8)   parsing the network addresses in the computer network . (Brown-Paragraph 44, parsing the DNS responses to create a mapping between a content delivery network (CDN) server's internet protocol (IP) address(es) and the domain name based on the DNS responses  )  

While Brown-Uppal-BenShaul substantially disclosed the claimed invention Brown-Uppal-BenShaul does not disclose (re. Claim 9) recycling at least one of the network addresses with a new domain name.
 	Pereira Paragraph 108 disclosed reusing words at the beginning and end of domains, utilize/concatenate a combination of three or more from their dictionaries to generate each domain, then typically reuse each of the words that are sometimes used for a middle word in the domain.
Pereira disclosed (re. Claim 9) recycling at least one of the network addresses with a new domain name. (Pereira-Paragraph 108,reusing words at the beginning and end of domains, utilize/concatenate a combination of three or more from their dictionaries to generate each domain, then typically reuse each of the words that are sometimes used for a middle word in the domain.)
Brown, Uppal and Pereira are analogous art because they present concepts and practices regarding packet data flows and resource access control.  At the time of the effective filing date of the claimed invention it would have been obvious to combine Pereira into Brown-Uppal.  The motivation for the said combination would have been to implement detection of algorithmically generated domains based on a dictionary and  performing community detection using the graph to identify the malicious dictionary.(Pereira-Paragraph 36) 

Claims 22-24 is/are rejected under 35 U.S.C. 103 as being unpatentable over Brown (USPGPUB 2018/0316618) further in view of Uppal (US Patent 10469513) further in view of Pandian (USPGPUB 2020/0076853) further in view of Gal (USPGPUB 2018/0278688) further in view of Dilley (US Patent 10791168) further in view of Muddu (USPGPUB 2002/0010798). 
In regard to Claim 22
While Brown-Uppal-Pandian-Gal substantially disclosed the claimed invention Brown-Uppal-Pandian-Gal does not disclose (re. Claim 22) wherein generating the behaviour model comprises: based on the discovery protocol data traffic, associating the server with a group of users having a role shared in common among the users.
 	Muddu Column 90 Lines 50-65 disclosed wherein system may initially determine that a particular entity is a member of a particular node cluster, or that the entity normally interacts with an entity that is a member of the node cluster. A cluster may represent a group of users who all tend to access the same set of devices on the network, for example. Subsequently a decision engine may detect that the particular user in that group has engaged in activity that represents a divergence from the identified cluster, such as a user in the cluster accessing a device that is not among those normally accessed by users in his cluster. In response to detecting this divergence, the decision engine can determine that the user's activity represents an anomaly, or perhaps even a threat.
 	Muddu disclosed (re. Claim 22) wherein generating the behaviour model comprises: based on the discovery protocol data traffic, associating the server with a group of users having a role shared in common among the users (Muddu-Column 81 Lines 50-55, a user profile box 4720 indicating Department in the organization (e.g., “Sales”), information concerning Similar Users,Column 90 Lines 50-65,system may initially determine that a particular entity is a member of a particular node cluster, or that the entity normally interacts with an entity that is a member of the node cluster. A cluster may represent a group of users who all tend to access the same set of devices on the network)
 	Brown, Uppal and Muddu are analogous art because they present concepts and practices regarding packet data flows and resource access control.  At the time of the effective filing date of the claimed invention it would have been obvious to combine Muddu into Brown-Uppal.  The motivation for the said combination would have been to enable detecting that the particular user in that group has engaged in activity that represents a divergence from the identified cluster, such as a user in the cluster accessing a device that is not among those normally accessed by users in his cluster. (Muddu-Column 91 Lines 1-5)

In regard to Claim 23
Brown-Uppal-Pandian-Gal-Muddu disclosed (re. Claim 23) wherein generating the behaviour model further comprises: based on the discovery protocol data traffic, associating the server with a sequence of accesses among a group of servers.( Muddu Column 90 Lines 50-65,system may initially determine that a particular entity is a member of a particular node cluster, or that the entity normally interacts with an entity that is a member of the node cluster. A cluster may represent a group of users who all tend to access the same set of devices on the network. Subsequently a decision engine may detect that the particular user in that group has engaged in activity that represents a divergence from the identified cluster, such as a user in the cluster accessing a device that is not among those normally accessed by users in his cluster. In response to detecting this divergence, the decision engine can determine that the user's activity represents an anomaly, or perhaps even a threat.)
In regard to Claim 24
Brown-Uppal-Pandian-Gal-Muddu disclosed (re. Claim 24) wherein:
the at least one client is associated with a group of users; (Muddu-Column 81 Lines 50-55, a user profile box 4720 indicating Department in the organization (e.g., “Sales”), information concerning Similar Users,Column 90 Lines 50-65,system may initially determine that a particular entity is a member of a particular node cluster, or that the entity normally interacts with an entity that is a member of the node cluster. A cluster may represent a group of users who all tend to access the same set of devices on the network) 
 	the behaviour model identifies a clustering of accesses by the users to the server;(Muddu-Column 91 Lines 1-5, detect that the particular user in that group has engaged in activity that represents a divergence from the identified cluster, such as a user in the cluster accessing a device that is not among those normally accessed by users in his cluster. In response to detecting this divergence, the decision engine can determine that the user's activity represents an anomaly, or perhaps even a threat.)
and
the one or more processors further execute the instructions to cause the system to: determine that the clustering is a deviation from a baseline; (Muddu-Column 91 Lines 1-5, detect that the particular user in that group has engaged in activity that represents a divergence from the identified cluster, such as a user in the cluster accessing a device that is not among those normally accessed by users in his cluster. In response to detecting this divergence, the decision engine can determine that the user's activity represents an anomaly, or perhaps even a threat.) and
generate a notice of the deviation responsive to the determination that the clustering is a deviation from the baseline.( Muddu-Column 90 Lines 45, ways for the administrator to receive alert and to understand relevant information in order to make an educated decision.)


Conclusion

Examiner’s Note: In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Please refer to the enclosed PTO-892 form.
 
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

 Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREG C BENGZON whose telephone number is (571)272-3944.  The examiner can normally be reached on Monday - Friday 8 AM - 4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John Follansbee can be reached on (571) 272-3964.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


	/GREG C BENGZON/           Primary Examiner, Art Unit 2444