DETAILED ACTION
The instant application having Application No. 16/893854 filed on June 5, 2020 is presented for examination by the examiner.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Examiner Notes
A series of interviews were held between the Applicant and the Examiner to discuss amendments to put the case in condition for allowance. The received amendments were slightly different than what the Examiner had proposed and expected. Upon receiving the slightly different amendments an updated search was performed that revealed the May reference as shown below.

Oath/Declaration
The applicant’s oath/declaration has been reviewed by the examiner and is found to conform to the requirements prescribed in 37 C.F.R. 1.63.

Information Disclosure Statement
As required by M.P.E.P. 609(C), the applicant’s submission of the Information Disclosure Statement is acknowledged by the examiner and the cited references have been considered in the examination of the claims now pending. As required by M.P.E.P. 609(C), a copy of the PTOL-1449 initialed and dated by the examiner is attached to the instant office action.

Drawings
The applicant’s drawings submitted are acceptable for examination purposes.

Claim Rejections - 35 USC § 112
Claims 1, 8, and 15 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. The claims recite “determining that a plurality of nodes of a network generate data corresponding to a pattern…”; however, the specification and Figure 3 recite “determining a plurality of selected nodes of the network for generating synthetic data corresponding to the pattern…”. In other words, the current claims determine that nodes generate data while the specification and Figure 3 determine which nodes will generate the data.
Claims 2-7, 9-14, and 16-20 are rejected for the same reasons as recited above and for being dependent on a previously rejected base claim.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1, 5, 8, 12, 15, and 19 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by May (US 2015/0281277).

As per claims 1, 8, and 15, May discloses A computer-implemented method comprising: 
determining that a plurality of nodes of a network generate data corresponding to a pattern, the pattern associated with expected behavior of the plurality of nodes (May, paragraph 58, teaches receiving and analyzing network usage and interactions to determine trends and patterns of multiple users in the system. Therefore, it must be determined that each user device has generated this data that is received and analyzed.); 
causing each of the plurality of nodes to generate a portion of the data corresponding to the pattern (May, paragraph 58, teaches receiving and analyzing network usage and interactions to determine trends and patterns of multiple users in the system. Therefore, this data that’s received must have been generated by the user devices. May, paragraph 58, additionally teaches generating a client reputation score based on the expected behavior and actual behavior based on the trends/patterns.); 
comparing actual behavior of the plurality of nodes with the expected behavior (May, paragraph 58, teaches generating a client reputation score that is a comparison of the expected behavior of the users versus the actual determined behavior based on the network trends/patterns.); and 
when the actual behavior does not correspond to the expected behavior, generating an alert that at least one of the plurality of nodes is non-conforming (May, Figure 11 and paragraph 95, teaches comparing the client reputation score to a threshold and assigning a grade/category to the user and then assigning a policy to the user based on the user grade/category. May, paragraphs 70-75, teaches that the client reputation score and the assigned grade/policy is based on the risk that the user presents to the system and the policy can block or limit a risky user’s access to the system. May, paragraph 73, additionally recites “a user with a higher grade such as D2 may have more restrictions being imposed thereon by means of an appropriate policy allocation, due to higher level of undesired network activity”. Therefore, when the network activity of a user is not the expected network activity, a policy can be put onto that user to block the user’s network activity, which is considered as alerting that the user has unexpected network activity.) 
Claim 15 recites the additional limitations of a processor; and a memory including instructions that, when executed by the processor, cause the processor to … (May, paragraphs 31-32, teaches a processor and memory.)

As per claims 5, 12, and 19, May discloses wherein the pattern corresponds to at least one of a DDoS attack, a MAC address spoofing, a port knock, or normal traffic (May, paragraph 58, teaches receiving and analyzing network usage and interactions to determine trends and patterns of multiple users in the system. The network usage of most user’s will be normal traffic patterns.) 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

Claims 4, 11, and 18 as best understood are rejected under 35 U.S.C. 103 as being unpatentable over May in view of Ichikawa (US 6307837).

As per claims 4, 11, and 18, May discloses … a port of at least one node of the plurality of nodes … to generate a respective portion of the data corresponding to the pattern (May, paragraph 98, teaches that each device contains a port. May, paragraph 58, teaches receiving and analyzing network usage and interactions to determine trends and patterns of multiple users in the system.) 
However, May does not specifically teach selecting a port of at least one node of the plurality of nodes from which to generate a respective portion of the data corresponding to the pattern.
Ichikawa discloses selecting a port of at least one node of the plurality of nodes from which to generate a respective portion of the data corresponding to the pattern (Ichikawa, col. 22 lines 7-19, teaches selecting a transmission port to transmit network packets.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Ichikawa with the teachings of May. May teaches monitoring user traffic to determine if the users are conforming to expected user behavior or not. Ichikawa teaches selecting a port to transmit the network traffic on. Therefore, it would have been obvious to select the port that the network traffic will be sent on to allow for the selection of an appropriate port based on speeds or content. 

Claims 6 and 13 as best understood are rejected under 35 U.S.C. 103 as being unpatentable over May in view of Finn (US 2011/0158112).

As per claims 6 and 13, May discloses wherein a packet of the pattern (May, paragraph 58, teaches receiving and analyzing network usage and interactions to determine trends and patterns of multiple users in the system.)
However, May does not specifically teach that a packet … includes a flag indicating the packet is a synthetic packet. 
Finn discloses a packet … includes a flag indicating the packet is a synthetic packet (Finn, paragraph 39, teaches that each packet includes an OpCode that indicates if the data is user data (non-synthetic data) or synthetic data.) 
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Finn with the teachings of May. May teaches monitoring user traffic to determine if the users are conforming to expected user behavior or not. Finn teaches using an OpCode to distinguish between user data and synthetic data. Therefore, it would have been obvious to use a flag/indicator to distinguish between user data and synthetic data to be considered as conforming to the expected user behavior or not. 

Claims 7, 14, and 20 as best understood are rejected under 35 U.S.C. 103 as being unpatentable over May in view of Turnbull (US 2013/0312097).

As per claims 7, 14, and 20, May discloses when the actual behavior corresponds to the expected behavior, generating an alert that at least one of the plurality of nodes is conforming (May, paragraph 58, teaches generation a client reputation score that is a comparison of the expected behavior of the users versus the actual determined behavior based on the network trends/patterns. May, Figure 11 and paragraph 95, teaches comparing the client reputation score to a threshold and assigning a grade/category to the user and then assigning a policy to the user based on the user grade/category. May, paragraphs 70-75, teaches that the client reputation score and the assigned grade/policy is based on the risk that the user presents to the system and the policy can block or limit a risky user’s access to the system. May, paragraph 73, additionally recites “a user with a higher grade such as D2 may have more restrictions being imposed thereon by means of an appropriate policy allocation, due to higher level of undesired network activity”. Therefore, when the network activity of a user is not the expected network activity, a policy can be put onto that user to block the user’s network activity, which is considered as alerting that the user has unexpected network activity. Additionally, when the network activity of a user corresponds with expected network activity a less stringent policy will be put into place to not further limit the users network activity, which is considered as an alert that the user is performing within the normal expected network behavior.)
However, May does not specifically teach wherein the alert that the plurality of nodes are conforming includes providing information to a presentation module.
Turnbull discloses wherein the alert that the plurality of nodes are conforming includes providing information to a presentation module (Turnbull, claims 16 and 27, teaches displaying the reputation scores of the user devices to an administrator.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Turnbull with the teachings of May. May teaches monitoring user traffic to determine if the users are conforming to expected user behavior or not and generating a corresponding reputation score. If the users are not conforming to the expected behavior a policy is added to limit the network access of that particular user. May additionally teaches manually adjusting the user’s policy (as in May paragraphs 67, 76, 81, and 85). Turnbull teaches displaying the reputation score for the administrator. Therefore, it would have been obvious to have displayed the user reputation scores to the administrator to allow the administrator to monitor and adjust the user reputation scores and policies. 

Allowable Subject Matter
Claims 2, 9, and 16 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims as well as overcoming the 35 USC 112 Rejection. The following is an examiner’s statement of reasons for allowance: The primary reason for the allowance of the claims is the inclusion of the limitation, inter alia, “capturing network traffic data and associated data using at least a first sensor of a first virtual machine of the network, a second sensor of a first server hosting the first virtual machine, and a third sensor of a first networking device connected to the first server; determining a plurality of patterns in the network traffic data and the associated data; and causing respective data corresponding to each of the plurality of patterns to be generated over a specified period of time". The closest prior art of record includes:
May (US 2015/0281277) – teaches receiving and analyzing network usage and interactions to determine trends and patterns of multiple users in the system. May also teaches generating a client reputation score that is a comparison of the expected behavior of the users versus the actual determined behavior based on the network trends/patterns and applying an appropriate policy for the user based on the reputation score.
Zakas (US 2006/0026669) – teaches capturing network traffic using a sensor.
Curtiss (US 8779921) – teaches receiving network data and comparing the received data to known malicious signatures/patterns to determine if the network traffic is malicious or not.
Ouderkirk (US 2006/0274659) – teaches selecting which agents in a network will perform a particular activity.
However, the combination of limitations as currently claimed cannot be found in the cited prior art of record.
Claims 3, 10, and 17 are objected to for the same reasons as cited above and for being dependent on a previously objected to base claim.

Related Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure includes:
Shaffer (US 2007/0019618) – teaches a flag to indicate that traffic is synthetic voice traffic.
Kelley (US 2004/0054680) – teaches using indicators to show that a synthetic transaction is beginning and ending.
Tuomenoksa (US 2002/0023210) – teaches selecting a TCP port.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN B KING whose telephone number is (571)270-7310.  The examiner can normally be reached on Monday-Friday 10AM-6PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 5712728878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/John B King/
Primary Examiner, Art Unit 2498