Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Objections
Claim 11 is objected to because of the following informalities: Claim 11 is a system claim that depends from claim 1, which recites a computer program product and not a system. For the purpose of examination, claim 11 is being interpreted as dependent on claim 9 and reciting features similar to those of claim 3. Appropriate correction is required.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitations use a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function, and the generic placeholder is not preceded by a structural modifier. Such claim limitations are:
“a payload monitor configured to” in claims 9, 10, and 16.
“a network monitor configured to” in claims 9, 10, 11, 12, and 14.
Because these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. See specification [Para. 0036, 0038, 0044] for the payload monitor and specification [Para. 0036, 0038, 0044] for the network monitor.
If applicant does not intend to have these limitations interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitations recite sufficient structure to perform the claimed function so as to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claim 6 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 6 recites the limitation "the host". There is insufficient antecedent basis for this limitation in the claim. For the purpose of examination, this limitation is being interpreted as “a host”.


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 4-6, 9, 12, 13, and 14 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by RICHARDS (US-20170265076-A1).
Regarding claim 1, RICHARDS teaches “A computer program product including one or more non-transitory machine-readable mediums encoded with instructions that when executed by one or more processors cause a process to be carried out for detecting abnormal or malicious activity in a point-to-point or packet-switched data communication network, the process comprising:” ([RICHARDS, para. 0011] “The present invention, as disclosed and described herein, in one aspect thereof comprise a system for providing continuous automated verification of user identity and intent includes at least one server for communicating with a network and at least one network interface card associated with the at least one server for providing access to data flow through the network. A processor within each of the at least one server implements a first processing node and a second processing node for monitoring, prior to granting at least one user access to a network, at the first processing node associated with the network, a mirrored live-data flow of a live-data flow passing through the first processing node in a non-intrusive manner that does not affect the live-data flow passing through the first processing node.”) ([RICHARDS, para. 0068] “The ingestor node 110 is able to ingest and process mirrored network traffic 204 at network speeds. Each of the ingestor nodes 110 and semantic nodes 112 use in-memory database architectures, C++ programming language and commodity servers and operating systems.”) ([RICHARDS, para. 0061] “Referring now to the drawings, and more particularly to FIG. 1, there is illustrated the operational environment of the network live-data, real-time analysis system 102 (“the System”) according to the present disclosure. ARCHITECTURE: A system and methodology results in the ability to integrate an application and its relational language processing (example: SQL) in parallel and in real-time operational unity with network signaling, packet or data content (“network traffic”) as it is in transmission (“live-data”) and to make situational deductions and to take action on that live-data as it is being transmitted between points within a network.”) ([RICHARDS, para. 0064] “The System 102 enables concurrent analysis and deduction of relationships and probabilities as Events occur and are transmitted as network traffic 104, thus allowing deductive parallel operations with the concurrently occurring network traffic and its operations. The System 102 does not reside within a data center that operates on a sequence of post event analytical functions; rather it is architected as a larger network topology operating non-intrusively and in parallel to the network traffic 104.”) ([RICHARDS, para. 0016] “FIG. 4 is a system block diagram for a network live-data, real time data analysis system monitoring packet data transmissions;”) ([RICHARDS, para. 0112] “with respect to network security applications, the system methodology enables analysis of live-data network traffic for the purpose of identifying malicious content or agents as they enter the network at any determined location or between two or more points, in applications, packets, on devices or network elements.”) “tapping a link in the network to obtain a separate, logical copy of a data stream transmitted from a node of the network in parallel with transmission of the data stream through the network;” ([RICHARDS, para. 0065] “Within a network topology, the system is able to use one or more virtual machines (a virtual machine is any segmented computing context such as, for example, Processes, Threads, Virtual Machines, Containers, micro services, Network Function Virtualization, etc.) as data collection devices (“ingestor node(s)”) connected non-intrusively to network elements that provide a port mirror to non-intrusively ingest network traffic (“live-data source”) to dynamically and continuously decode signaling, packet or data content (“network traffic”), and action such identifiable selected network traffic to trap and generate immediate alerts, and additionally pass through all or such selected subject matter for further processing simultaneously with and live to the network traffic event remaining open or in transit …. The system 102 is in two parts, consisting of one or more ingestor nodes 110 and one or more semantic nodes 112. The ingestor node 110 enables a non-intrusive, direct mirroring of network traffic 104 and its content, and provides protocol decoding, data extraction, and prescribed Event alert capabilities. The ingestor node also feeds an assigned semantic node 112 with such prescribed traffic as required. The ingestor node 110 non-intrusively undertakes its analysis and alerts while a particular Event is occurring or in transmission.”) ([RICHARDS, para. 0070] “Referring now to FIG. 3, there is a flow chart illustrating the operation of the system 102. The data flow is mirrored at step 302. Next at step 304, the ingestor node 110 ingests a mirrored copy of the network traffic provided by the live-data source. Using mobile network traffic as an example, the ingest VM 902 writes the network traffic into an allocated time dependent buffer (TDB) at step 306.”) “decoding a communication protocol encoded in the logical copy of the data stream to obtain payload or link data from the data stream;” ([RICHARDS, para. 0065] “The ingestor node 110 enables a non-intrusive, direct mirroring of network traffic 104 and its content, and provides protocol decoding, data extraction, and prescribed Event alert capabilities.”) ([RICHARDS, para. 0070] “The protocol decoder commences decoding at step 308 the contents of the TDB to find the protocol required. In the case of SS7 network traffic, there are many protocols. The decoder checks for these protocols, such as ISUP or TCAP/MAP protocols. If found, the decoder continues to decode, and retrieves any required information that may be present, such as a phone number. The process is granular in that it decodes small portions of the TDB rapidly to identify specific requirements before proceeding to decode the next set of requirements or the entire contents of the TDB. The decoded contents are passed to packet sniper for analysis in accord with a set of criteria for action at step 310.”) “analyzing the payload data to detect abnormal or malicious activity;” ([RICHARDS, para. 0070] “The decoded contents are passed to packet sniper for analysis in accord with a set of criteria for action at step 310.”) ([RICHARDS, para. 0073] “A packet sniper 410 within the ingestor node 110 monitors for the occurrence of particular conditions or packet combinations as defined by the semantic node 112 use cases. The information monitored for by the packet sniper 410 is controlled by a semantic node and in-memory database 412 which provides application specific parameters, traps and alerts that are to be monitored for and provided by the semantic node 112.”) ([RICHARDS, para. 0082] “The packet sniper 718 compares the decoded data to certain conditions of interest as indicated by the prescribed rules provided by the semantic node 112 or by deduced conditions determined by the contextual data and feedback loop/learning loop undertaken by the semantic node 112. The packet sniper 718 provides positive indications 720 upon detection of these conditions. On completion of its search, each packet sniper 718 releases its previously allocated TDB to the ingestor node memory manager for use by other parallel current tasks or future operations that could be requested or introduced to the ingestor node 110. The TDB allows a no-lock, variable time latency multiprocessing of each packet by the ingestor node 110, and, the capability for locked operation in the eventuality of write functions being required to change the contents of packets. The packet sniper 718 further counts the number of packets that are received from the decoder 708 and provides this as a packet count indication 722. The packet count 722 is used to verify live event network traffic flow with post event network traffic records, providing a network transmission integrity check for network operations.”) “and in response to detecting abnormal or malicious activity, initiating a remedial action.” ([RICHARDS, para. 0071] “Once a particular prescribed condition is detected, the ingestor node 110 sends an alert to the semantic node 112 or undertakes a preset action at step 312. This action could be to send a prescribed alert to network elements to truncate or trap and redirect that particular network traffic to other systems, including the semantic node, for processing. Such processing may include change of content, copy of content or to create interdiction schemes for further network traffic of a like nature. All decoded network traffic is sent at step 314 to the semantic node 112 wherein such particular use case rules associated with any detected conditions is applied to the data.”) ([RICHARDS, para. 0074] “This information may be monitored for using particular statistical models implemented within the semantic node and in-memory database 412 and may additionally use additional contextual data from outside databases 414. The information within the semantic node and in-memory database 412 controls the operation of a rules engine 416 that generates the appropriate responses to information detected by the packet sniper 410 and generates various responses thereto such as email alerts 418, visualization outputs 420, configuration parameters 422 and framework queries 424.”).

Regarding claim 9, this claim is a system claim reciting features similar to those in claim 1. Therefore, claim 9 is rejected in a similar manner as in the rejection of claim 1. RICHARDS further teaches a “system for detecting abnormal or malicious activity …” ([RICHARDS, para. 0011] “The present invention, as disclosed and described herein, in one aspect thereof comprise a system for providing continuous automated verification of user identity and intent includes at least one server for communicating with a network and at least one network interface card associated with the at least one server for providing access to data flow through the network. A processor within each of the at least one server implements a first processing node and a second processing node for monitoring, prior to granting at least one user access to a network, at the first processing node associated with the network, a mirrored live-data flow of a live-data flow passing through the first processing node in a non-intrusive manner that does not affect the live-data flow passing through the first processing node.”) and “notify a host of the network of the detected abnormal or malicious activity in the payload or link data.” ([RICHARDS, Para. 0071] “Once a particular prescribed condition is detected, the ingestor node 110 sends an alert to the semantic node 112 or undertakes a preset action at step 312. This action could be to send a prescribed alert to network elements to truncate or trap and redirect that particular network traffic to other systems, including the semantic node, for processing. Such processing may include change of content, copy of content or to create interdiction schemes for further network traffic of a like nature. All decoded network traffic is sent at step 314 to the semantic node 112 wherein such particular use case rules associated with any detected conditions is applied to the data.”) ([RICHARDS, Para. 0074] “The System 102 has the ability to process data from the network traffic 104 at gigabit speeds. The ingestor node 110 filters, decodes, undertakes prescribed alerts and feeds selective or all network traffic into the semantic node 112.”) ([RICHARDS, para. 0069] “The semantic node 112 provides rules engine functionalities 210, visualization functionality 212, and command and control framework 214 to provide for an application use case execution. The rules engine 210, visualization 212 and command and control 214 provide a manner for analyzing the received data according to a particular use case.”).


Regarding claims 4 and 12, RICHARDS teaches all limitations of claims 1 and 9. RICHARDS further teaches “wherein initiating remedial action includes notifying a host of the network of the detected abnormal or malicious activity in the payload or link data, and wherein the process further comprises causing the host to respond to the notification of the detected abnormal or malicious activity.” ([RICHARDS, para. 0069] “The semantic node 112 provides rules engine functionalities 210, visualization functionality 212, and command and control framework 214 to provide for an application use case execution. The rules engine 210, visualization 212 and command and control 214 provide a manner for analyzing the received data according to a particular use case.”) ([RICHARDS, para. 0071] “Once a particular prescribed condition is detected, the ingestor node 110 sends an alert to the semantic node 112 or undertakes a preset action at step 312. This action could be to send a prescribed alert to network elements to truncate or trap and redirect that particular network traffic to other systems, including the semantic node, for processing. Such processing may include change of content, copy of content or to create interdiction schemes for further network traffic of a like nature. All decoded network traffic is sent at step 314 to the semantic node”) ([RICHARDS, para. 0082] “Network traffic of interest is flagged and sent to the semantic node 112 for application based processing. Selected or all network traffic flows to the application relevancy filter 724 within the semantic node 112; these are provided for longer term storage or transferred to legacy data or discard 726. Relevant network traffic is passed to the application rules engine 728 for further analysis to determine the actions required based upon the detected data.”) ([RICHARDS, para. 0083] “The contextual update with live-data events and actions at 732 enable the creation of visualization and notifications of live-data alerts and other metrics to provide necessary notifications at step 738. The contextual update with live-data events and actions 732 also provides information for storage and application specific static and dynamic statistical model 740 and provides information to the activity and packet count journal 742. They also enable adjustment to the conditions, rules and actions which are passed back to ingestor node 110 and packet sniper 718 to provide dynamic and deducted additions to those prescribed by the use case.”) ([RICHARDS, para. 0125] “Referring now to FIG. 21, there is illustrated the manner in which the system may be used to provide real-time live-data usage verification and notification …… define thresholds of data usage for alerts based upon live customer activity. Responsive to these thresholds, notification triggers are provided to carrier messaging systems enabling further action by the subscribers to interact with the carrier …… when various notification levels are reached as determined at inquiry step 2104, a notification is provided to the carrier messaging system at step 2106. The carrier generates messages to the customer at step 2108, enabling a customer response at step 2110. Customer responses may range from upgrading their plan, blocking further data usage, shifting remaining data to shared devices or instantly adding data amounts to their device, etc.”).

Regarding claims 5 and 13, RICHARDS teaches all limitations of claims 1 and 9. RICHARDS further teaches “wherein the process further comprises storing the payload or link data in a First-in, first-out (FIFO) buffer or other storage device.” ([RICHARDS, para. 0070] “Referring now to FIG. 3, there is a flow chart illustrating the operation of the system 102. The data flow is mirrored at step 302. Next at step 304, the ingestor node 110 ingests a mirrored copy of the network traffic provided by the live-data source. Using mobile network traffic as an example, the ingest VM 902 writes the network traffic into an allocated time dependent buffer (TDB) at step 306.”).


Regarding claims 6 and 14, RICHARDS teaches all limitations of claims 1 and 9. RICHARDS further teaches “wherein initiating remedial action includes sending the payload or link data to the host for further analysis.” ([RICHARDS, para. 0130] “The role of the semantic node is shown in FIG. 24. The semantic node deductive processes 2410 and 2411 access the network topology bitmap 2303 and compare cell tower outage trigger dates with regard to the need for an action. Should action be required, process 2413 deduces the current and historic presence relationship of mobile devices to the triggered cell tower address and accesses prescribed notification content data 2417. Step 2414 builds the required notification and embeds any prescribed or dynamically available additional information based on customer status, carrier events or sentiment-analysis feedback. Step 2415 sends the completed message to the carrier notification gateway for transmission to the selected mobile device(s) or other communication endpoints and additionally sends notification metrics for live-data display 2305. Step 2416 sends a copy of the notification output to a journal 2419 for later analysis.”) ([RICHARDS, para. 0069] “The semantic node 112 provides rules engine functionalities 210, visualization functionality 212, and command and control framework 214 to provide for an application use case execution. The rules engine 210, visualization 212 and command and control 214 provide a manner for analyzing the received data according to a particular use case.”) ([RICHARDS, para. 0067] “The System 102 has the ability to process data from the network traffic 104 at gigabit speeds. The ingestor node 110 filters, decodes, undertakes prescribed alerts and feeds selective or all network traffic into the semantic node 112. The semantic node 112 undertakes application specific use case tasks including situational analysis, contextual reasoning and deductive processing according to rules”) ([RICHARDS, para. 0071] “Once a particular prescribed condition is detected, the ingestor node 110 sends an alert to the semantic node 112 or undertakes a preset action at step 312. This action could be to send a prescribed alert to network elements to truncate or trap and redirect that particular network traffic to other systems, including the semantic node, for processing. Such processing may include change of content, copy of content or to create interdiction schemes for further network traffic of a like nature. All decoded network traffic is sent at step 314 to the semantic node 112 wherein such particular use case rules associated with any detected conditions is applied to the data.”) ([RICHARDS, para. 0082] “Network traffic of interest is flagged and sent to the semantic node 112 for application based processing. Selected or all network traffic flows to the application relevancy filter 724 within the semantic node 112; these are provided for longer term storage or transferred to legacy data or discard 726. Relevant network traffic is passed to the application rules engine 728 for further analysis to determine the actions required based upon the detected data.”) ([RICHARDS, para. 0108] “Referring now to FIG. 13, there is provided an illustration of the operation of a semantic node 112 …… the information may be stored within a journal 1322 for later or further analysis.”).
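The pipeline the examiner maps onto claims 1, 4, 5 and 6 above (a mirrored, non-intrusive copy of the link, protocol decoding, a buffer for the decoded data, analysis against prescribed conditions, and an alert or hand-off to a host on detection) can be sketched end to end in code. The following Python is an added illustration and is not code from the application under examination, from RICHARDS, or from this Office action; the toy wire format, the rule set, the sample frames and every function and class name are constructed assumptions for the example only.

```python
"""Added example: mirror-port monitor pipeline (tap copy -> decode -> FIFO -> analyze -> remediate).

Everything here is constructed for illustration: the toy wire format, the rules, the sample
frames and the function names are assumptions, not the decoders or rule sets described in
RICHARDS or in the application under examination.
"""
from collections import deque
import struct

# Assumed toy wire format: magic(2) | msg_type(1) | src_id(1) | dst_id(1) | length(2, big-endian) | payload
MAGIC = b"\xAB\xCD"
HEADER = struct.Struct(">2sBBBH")
MSG_TYPES = {1: "AUTH", 2: "DATA", 3: "CMD"}


def build_frame(mtype, src, dst, payload):
    """Encode one frame in the toy format (used only to construct sample input)."""
    return HEADER.pack(MAGIC, mtype, src, dst, len(payload)) + payload


def tap_link(live_frames):
    """Return a separate, logical copy of each frame; the live sequence is never modified."""
    return [bytes(f) for f in live_frames]


def decode_frame(frame):
    """Decode one frame into a record dict, or return None if it is malformed."""
    if len(frame) < HEADER.size:
        return None
    magic, mtype, src, dst, length = HEADER.unpack_from(frame)
    if magic != MAGIC or len(frame) != HEADER.size + length:
        return None
    return {"type": MSG_TYPES.get(mtype, "UNKNOWN"), "src": src, "dst": dst,
            "payload": frame[HEADER.size:]}


class PayloadMonitor:
    """Analyzes decoded records against prescribed conditions and initiates remedial action."""

    def __init__(self, fifo_depth=8):
        self.fifo = deque(maxlen=fifo_depth)  # FIFO buffer of the most recent decoded records
        self.alerts = []                      # notifications raised to the host
        self.forwarded = []                   # records sent to the host for further analysis

    def analyze(self, rec):
        """Return the list of conditions the record meets (empty means nothing was flagged)."""
        reasons = []
        if rec["type"] == "UNKNOWN":
            reasons.append("unknown message type")
        if rec["type"] == "CMD" and b"shutdown" in rec["payload"].lower():
            reasons.append("shutdown command on mirrored link")
        # Window check over the FIFO: repeated AUTH messages from the same source.
        prior_auth = sum(1 for r in self.fifo if r["type"] == "AUTH" and r["src"] == rec["src"])
        if rec["type"] == "AUTH" and prior_auth >= 3:
            reasons.append("repeated AUTH attempts from src %d" % rec["src"])
        return reasons

    def remediate(self, rec, reasons):
        """Notify the host and hand the offending record over for further analysis."""
        self.alerts.append({"src": rec["src"], "dst": rec["dst"], "reasons": reasons})
        self.forwarded.append(rec)

    def process(self, live_frames):
        """Run the whole pipeline over a mirrored copy of the live frames; return the alerts."""
        for frame in tap_link(live_frames):
            rec = decode_frame(frame)
            if rec is None:
                self.alerts.append({"src": None, "dst": None, "reasons": ["malformed frame"]})
                continue
            reasons = self.analyze(rec)   # judged against the window before this record is buffered
            self.fifo.append(rec)
            if reasons:
                self.remediate(rec, reasons)
        return self.alerts


# Constructed sample traffic: four AUTH messages from the same source, a shutdown command,
# and one frame with a bad magic value.
SAMPLE_FRAMES = [
    build_frame(2, 10, 20, b"hello"),
    build_frame(1, 10, 20, b"user=a"),
    build_frame(1, 10, 20, b"user=a"),
    build_frame(1, 10, 20, b"user=a"),
    build_frame(1, 10, 20, b"user=a"),     # fourth AUTH from src 10 -> alert
    build_frame(3, 11, 20, b"SHUTDOWN now"),
    b"\x00\x01garbage",                     # malformed: wrong magic
]


def run_sample():
    """Process the constructed frames and return the monitor for inspection."""
    monitor = PayloadMonitor()
    monitor.process(SAMPLE_FRAMES)
    return monitor


if __name__ == "__main__":
    for alert in run_sample().alerts:
        print(alert)
```

The point of the FIFO here is the same one the examiner draws from RICHARDS' time dependent buffer: the analysis step is judged against the recent window of decoded data rather than against a single packet, which is what makes the repeated-AUTH condition detectable at all. Malformed frames are reported rather than silently dropped, since a monitor that cannot decode a frame has no basis for calling it benign.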

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over RICHARDS in view of BLOCHER (US-20160205069-A1), hereinafter RICHARDS-BLOCHER.
Regarding claims 2 and 10, RICHARDS teaches all limitations of claims 1 and 9. Furthermore, these claims recite features similar to those of claim 1. Therefore, claims 2 and 10 are rejected in a similar manner as in the rejection of claim 1.
However, RICHARDS does not teach a “second data stream” and “second payload”. In analogous teaching, BLOCHER teaches a “second data stream” and “second payload” ([BLOCHER, para. 0064] “FIG. 3 depicts a variant of the system in FIG. 2, in which, in addition to the outgoing data traffic at the second interface 22, the incoming data stream at the first interface 21 is also duplicated and output to a line to the monitoring unit 24 by an additional outputting unit 31. The outputting units 25 and 31 may be situated directly at the network gateway unit 23, resulting in that no further components that could change the data stream are contained in the network gateway unit 23.”) ([BLOCHER, para. 0065] “The data stream output from the first interface 21 is compared with the data stream from the second interface 22 in the comparison unit 32. For example, the data stream from the second interface 22 may be forwarded to the comparison unit 32 via the checking unit 26. The comparison unit 32 is connected to the communication unit 27. If a difference is detected between the data stream from the first interface 21 and the data stream from the second interface 22, the communication unit 27 transmits a warning message 28 to the network gateway unit 23. The connection between the monitoring unit 24 and the network gateway unit 23 may be in the form of a wired connection or else a wireless connection or a logical connection.”) ([BLOCHER, para. 0066] “All of the described and/or depicted features may be combined with one another within the scope of this disclosure. The monitoring unit may be in the form of a separate component or may be integrated with the network gateway unit.”) ([BLOCHER, para. 0062] “data stream at the second interface is duplicated and output to a separate line by an outputting unit 25. The output data stream is forwarded to the checking unit 26 of the monitoring unit 24 and is checked for impermissible data traffic there. In this case, the address fields in the header of the data packet, for example, may be checked for impermissible origin or destination addresses, or the port number may be compared with permissible port numbers. If the useful contents of the data packet are present in unencrypted form (e.g., in plain text), the contents of the packets may also be checked for suspicious or impermissible patterns, and the data packet may be prevented from being forwarded even before the checking of the data packet is concluded”).
Thus, given the teaching of BLOCHER, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of a second data stream as taught by BLOCHER into the teaching of detecting abnormal or malicious activity within a network as taught by RICHARDS. One of ordinary skill in the art would have been motivated to do so because BLOCHER recognizes the need to filter malicious traffic. ([BLOCHER, para. 0009] “The present embodiments may obviate one or more of the drawbacks or limitations in the related art. For example, the present embodiments provide a method, a device, and a system that reliably filter impermissible data traffic in a transition to a security-relevant data network and provides data integrity in the security-relevant data network in the case of a defective security network gateway unit. In this case, the present embodiments provide absence of a reaction of the security network gateway unit (e.g., additional data packets may not be introduced into the security network by the security network gateway unit).”).

Claims 3 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over RICHARDS-BLOCHER, in view of DRIES (US-20060268939-A1).
Regarding claims 3 and 11, RICHARDS-BLOCHER teach all limitations of claims 1 and 2. However, RICHARDS-BLOCHER does not teach “interleaving the first payload or link data from the logical copy of the first data stream with the second payload or link data from the logical copy of the second data stream to obtain interleaved payload or link data; and analyzing the interleaved payload or link data to detect the abnormal or malicious activity.” 
In analogous teaching, DRIES teaches “interleaving the first payload or link data from the logical copy of the first data stream with the second payload or link data from the logical copy of the second data stream to obtain interleaved payload or link data; and analyzing the interleaved payload or link data to detect the abnormal or malicious activity.”  ([DRIES, para. 0001] “The present invention relates to a data merge unit, a method of producing an interleaved data stream, a network analyser and a method of analysing a network.”) ([DRIES, para. 0003] “An important requirement of a network analyser is to be able to merge the two channels into a single interleaved data stream. The single interleaved data stream is then used for processing by analyser logic associated with the analyser. One type of communications network is known as Etherchannel, which uses up to eight Ethernet (or Gigabit Ethernet) channels in parallel for resiliency and load sharing. There is a requirement to analyse the traffic on these channels within such networks which again requires a method of merging channels into a single interleaved data stream. It is possible for a network to be operated using any required (or possible) number of channels. This merging of data into an interleaved data stream may be done using a data merge unit, often associated with a network analyser.”) ([DRIES, para. 0023] “According to a fourth aspect of the present invention, there is provided a method of analysing a network, the method comprising; producing an interleaved data stream of complete data frames received on two or more input channels from a network to be analysed, according to the method of the third aspect of the present invention; providing said interleaved data stream to logic to analyse said data stream; and; analysing said data stream, thereby analysing the network.”) ([DRIES, para. 0035] “These data frames are then transferred to the channel merge function unit 6 from which a single interleaved data stream consisting of complete data frames is output to the common logic functions 8 of the network analyser 2. These logic functions may be any logic functions that may be desired or required by the network analyser 2. Examples include, amongst others, network monitoring, intrusion detection and prevention”).
Thus, given the teaching of DRIES, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of interleaving data as taught by DRIES into the teaching of detecting abnormal or malicious activity within a network as taught by RICHARDS-BLOCHER. One of ordinary skill in the art would have been motivated to do so because DRIES recognizes the benefit of merging complete data frames from multiple channels into a single interleaved stream at full line rate while reducing system bandwidth requirements. ([DRIES, para. 0011] “The data merge unit enables complete data frames from a number of input channels to be merged into an interleaved data stream at full line rate. ….. Thus, the data merge unit according to the present invention enables other system bandwidth requirements to be considerably lower. ”).
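The following is an added illustrative example and is not part of this Office action, of the DRIES reference, or of the application under examination. It shows, in Python, why analysis over the interleaved stream rather than over each channel alone matters for a load-shared bundle such as the Etherchannel arrangement DRIES describes: per-channel captures are merged into one stream of complete frames ordered by timestamp, and a simple per-flow byte-rate check is then run over the merged stream. The frame tuple layout, the two channel captures, the time window and the threshold are constructed assumptions for illustration only.

```python
"""Merge frames captured on two parallel channels into one interleaved
stream of complete frames, then analyse the interleaved stream.

Added illustrative example; not code from the Office action or the
DRIES reference. Frame layout, captures and thresholds are constructed."""
from collections import defaultdict
from heapq import merge

# A captured frame: (timestamp_us, channel, src, dst, payload_len).
# Constructed sample: a two-channel bundle load-shares one host's
# traffic across ch0 and ch1, so neither channel alone carries the
# full rate of the 10.0.0.5 -> 10.0.0.9 flow.
CH0 = [
    (100, 0, "10.0.0.5", "10.0.0.9", 1400),
    (300, 0, "10.0.0.5", "10.0.0.9", 1400),
    (350, 0, "10.0.0.7", "10.0.0.1", 64),
    (500, 0, "10.0.0.5", "10.0.0.9", 1400),
]
CH1 = [
    (200, 1, "10.0.0.5", "10.0.0.9", 1400),
    (400, 1, "10.0.0.5", "10.0.0.9", 1400),
    (420, 1, "10.0.0.2", "10.0.0.3", 128),
    (600, 1, "10.0.0.5", "10.0.0.9", 1400),
]


def interleave(*channels):
    """Merge per-channel captures (each already in time order) into one
    stream of complete frames ordered by timestamp.  Frames stay whole;
    only their order across channels is interleaved."""
    return list(merge(*channels, key=lambda f: f[0]))


def bytes_per_flow(frames, window_us):
    """Sum payload bytes per (src, dst) pair for frames inside the window."""
    totals = defaultdict(int)
    for ts, _ch, src, dst, plen in frames:
        if ts < window_us:
            totals[(src, dst)] += plen
    return dict(totals)


def flag_heavy_flows(frames, window_us=1000, threshold_bytes=5000):
    """Return (src, dst) pairs whose bytes in the window exceed the threshold.
    The threshold is an assumed, constructed value."""
    return sorted(k for k, v in bytes_per_flow(frames, window_us).items()
                  if v > threshold_bytes)


if __name__ == "__main__":
    print("ch0 alone:", flag_heavy_flows(CH0))            # []
    print("ch1 alone:", flag_heavy_flows(CH1))            # []
    print("merged:   ", flag_heavy_flows(interleave(CH0, CH1)))
```

Run stand-alone, the script reports no heavy flow on either channel by itself (4200 bytes each, under the assumed 5000-byte threshold) but flags the 10.0.0.5 to 10.0.0.9 flow at 8400 bytes once the two captures are interleaved, which is the aggregate view a per-link analyser never sees.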

Claims 7 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over RICHARDS in view of LANNING (US-20070266183-A1).
Regarding claims 7 and 15, RICHARDS teaches all limitations of claims 1 and 9. However, RICHARDS does not teach “wherein the tapping is carried out using a Low Voltage Differential Signaling (LVDS) component of the network.”
In analogous teaching, LANNING teaches “wherein the tapping is carried out using a Low Voltage Differential Signaling (LVDS) component of the network.” ([LANNING, Para. 0003] “The present invention relates to analyzing signals between a host and a device by tapping the bus. More particularly, embodiments of the invention relate to sampling the bus in preparation for analysis of data on the bus.”) ([LANNING, Para. 0018] “The tap therefore taps the bus and the pod can then sample the signals provided by the tap to produce sampled data. Because the pod knows what kind of tap is attached and what kind of protocol is operative on the system under test, the pod can decode the sampled data into bytes, words, commands, and the like in accordance with the protocol. The decoded data is then provided to the analyzer for analysis.”) ([LANNING, Para. 0023] “The pod can connect to the tap in at least two different ways. First, the tap board or tap can connect directly with the connector or through a cable. To insure signal integrity, LVDS (Low Voltage Differential Signaling) signaling may be used. Embodiments of the invention incorporate LVDS signaling in the tap”) ([LANNING, claim 17] “further comprising receiving the raw data from the tap as low voltage differential signals.”).
Thus, given the teaching of LANNING, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Low Voltage Differential Signaling (LVDS) as taught by LANNING into the teaching of detecting abnormal or malicious activity within a network as taught by RICHARDS. One of ordinary skill in the art would have been motivated to do so because LANNING recognizes that tapping the bus with LVDS signaling preserves signal integrity and that the captured data can then be analyzed to resolve problems and improve communications. ([LANNING, para. 0003] “The present invention relates to analyzing signals between a host and a device by tapping the bus. More particularly, embodiments of the invention relate to sampling the bus in preparation for analysis of data on the bus.”) ([LANNING, para. 0005] “The captured data can then be analyzed to help resolve many problems and improve network communications or to improve communications between a host and a device.”).

Claims 8 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over RICHARDS in view of PARKER (US-20120233311-A1).
Regarding claims 8 and 16, RICHARDS teaches all limitations of claims 1 and 9. However, RICHARDS does not teach “wherein the tapping includes tapping a physical layer of the network to obtain the data stream.”
In analogous teaching, PARKER teaches “wherein the tapping includes tapping a physical layer of the network to obtain the data stream.” ([PARKER, para. 0012] “FIG. 1 is a diagram of an example environment 100 in which systems and/or methods described herein may be implemented. As shown in FIG. 1, environment 100 may include a group of user devices 110-1, . . . , 110-J (where J≧1) (hereinafter referred to collectively as “user devices 110” and individually as a “user device 110”), a base station 120, a content distribution system (CDS) 130”) ([PARKER, para. 0017] “CDS 130 may monitor packets associated with traffic flows being transported to and/or from service provider network 150. CDS 130 may, based on the monitoring, determine whether a traffic anomaly, associated with a traffic flow, is detected. CDS 130 may, for example, obtain traffic metrics from packets associated with the traffic and may use the traffic metrics to identify the anomaly. CDS 130 may obtain the traffic metrics at one or more of the seven OSI network layers, such as at the physical layer (e.g., layer 1)”) ([PARKER, claim 12] “A computing device associated with a service provider network, the computing device comprising: one or more processors to: monitor traffic, that is traveling to or from the service provider network, to obtain traffic metrics, associated with the traffic, that corresponds to one or more network layers, where the one or more network layers include at least one of a physical layer”).
Thus, given the teaching of PARKER, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of obtaining data from the physical layer as taught by PARKER into the teaching of detecting abnormal or malicious activity within a network as taught by RICHARDS. One of ordinary skill in the art would have been motivated to do so because PARKER recognizes the need to detect anomalies in real-time. ([PARKER, para. 0002] “Traffic conditions and/or anomalies that are not detected and/or remedied may cause congestion, service disruption, and/or damage to occur within the service provider networks.”) ([PARKER, para. 0010] “Systems and/or methods, described herein, may enable traffic (e.g., packets), associated with a service provider network, to be monitored in order to identify an anomaly, associated with the traffic, using traffic steering and/or real-time analytics techniques.”).

Claims 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over RICHARDS in view of MOZUMDAR (US-20200267171-A1), hereinafter RICHARDS-MOZUMDAR.
Regarding claim 17, this claim is a system claim that recites features similar to those of claims 1 and 9. Therefore, claim 17 is rejected in a similar manner as in the rejection of claims 1 and 9. 
However, RICHARDS does not teach the network being a “SpaceWire Network”.
In analogous teaching, MOZUMDAR teaches a “SpaceWire Network” ([MOZUMDAR, para. 0029] “FIG. 2 illustrates an example communication bus system 200 for detecting communication anomalies on a serial communication bus in accordance with some embodiments of the present disclosure. System 200 can be implemented on various serial communication buses such as, but not limited to, MIL-STD-1553, CAN, SpaceWire, and FireWire. System 200 can prevent malicious attacks by detecting communication anomaly before any real harm can be effectuated to any component of the system. Once the anomaly is detected, system 200 can prevent the communication anomaly from reaching any of the remote terminals. Alternatively, system 200 can prevent the remote terminals from executing the anomalous communication message/command. System 200 can include a notification module (not shown) configured to provide instant alert to a command center that could take appropriate action to rectify the anomalous command.”) ([MOZUMDAR, para. 0030] “Similar to communication bus system 100, bus system 200 can include bus 105, bus controller 110, a plurality of remote terminals 115 a through 115 n, and bus monitor 120. However, bus system 200 also includes a communication anomaly detection module 205 that is configured to monitor commands from bus controller 110 and/or data being transmitted over bus 105. Anomaly detection module 205 can be an additional component (subsystem) of bus monitor 120 or can be a standalone module as shown in FIG. 2. In some embodiments, anomaly detection module 205 can include a statistical model trained to recognize communication anomalies based at least on the probability distribution of patterns of one or more commands. The statistical model employed by anomaly detection module 205 can be stochastic model such as a Markov chain that describes a sequence of possible commands in which the probability of each command depends on the occurrence of a group of one or more commands.”) ([MOZUMDAR, para. 0039] “to train anomaly detection module 205 to detect communication anomalies on a system using a SpaceWire system, the training data set should comprise data from one or more systems using a SpaceWire communication bus.”) ([MOZUMDAR, para. 0057] “Once a sufficient amount of data is collected, it can be statistically analyzed and segmented, as described in block 310, by data segmentation module 920. In some embodiments, data segmentation module 920 can segment the training data into a plurality of segments based on a statistical function of time intervals. Pattern recognition module 930 can be configured to identify patterns and non-patterns in each data segment as described in block 315. Pattern recognition module 930 can include hashing algorithms (e.g., hash map) and neural networks (e.g., recurrent neural network) configured to identify patterns and non-patterns in each data segment.”) ([MOZUMDAR, para. 0029] “Once the anomaly is detected, system 200 can prevent the communication anomaly from reaching any of the remote terminals. Alternatively, system 200 can prevent the remote terminals from executing the anomalous communication message/command. System 200 can include a notification module (not shown) configured to provide instant alert to a command center that could take appropriate action to rectify the anomalous command.”).
Thus, given the teaching of MOZUMDAR, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of a SpaceWire network as taught by MOZUMDAR into the teaching of detecting abnormal or malicious activity within a network as taught by RICHARDS. One of ordinary skill in the art would have been motivated to do so because MOZUMDAR recognizes the need to provide improved security in a communication bus ([MOZUMDAR, para. 0002] “Providing adequate networking security can be challenging because network components such as a serial communication bus can have multiple vulnerabilities that can be compromised in such a way that can affect the performance and safety of the network. Security countermeasures can be employed to prevent hacking attacks from taking place, or to minimize and/or record the effect of such hacking attacks.”) ([MOZUMDAR, para. 0007] “The present disclosure further describes a method for detecting a communication anomaly. The method includes: monitoring commands transmit from a bus controller to one or more remote terminals”).
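The following is an added illustrative example and is not part of this Office action, of the MOZUMDAR reference, or of the application under examination. It shows, in Python, the kind of statistical model MOZUMDAR's para. 0030 describes in general terms: a first-order Markov chain fitted to observed bus-controller command sequences, which then scores each transition in a new sequence and flags transitions whose probability falls below a threshold or whose command was never seen in training. The command names, the training traces, the smoothing constant and the threshold are constructed assumptions for illustration only and do not correspond to any real SpaceWire or MIL-STD-1553 command set.

```python
"""First-order Markov chain over serial-bus command sequences, used to
score a new command sequence for anomalous transitions.

Added illustrative example; not code from the Office action or the
MOZUMDAR reference.  Command names, traces and thresholds are constructed."""
import math
from collections import Counter, defaultdict

START = "<START>"

# Constructed training traces: a bus controller's normal command cycles.
# A real deployment would train on traffic captured from the target bus.
TRAIN = [
    ["SYNC", "READ_STATUS", "READ_TELEMETRY", "WRITE_ACK"] * 4,
    ["SYNC", "READ_STATUS", "WRITE_ACK", "SYNC", "READ_TELEMETRY", "WRITE_ACK"] * 3,
]


class CommandChain:
    """P(cmd | previous cmd), estimated from counts with additive smoothing."""

    def __init__(self, alpha=0.01):
        self.alpha = alpha                  # assumed smoothing constant
        self.counts = defaultdict(Counter)  # counts[prev][cmd]
        self.vocab = set()

    def fit(self, traces):
        for trace in traces:
            prev = START
            for cmd in trace:
                self.counts[prev][cmd] += 1
                self.vocab.add(cmd)
                prev = cmd
        return self

    def transition_prob(self, prev, cmd):
        row = self.counts.get(prev, Counter())
        total = sum(row.values())
        # +1 reserves probability mass for a command never seen in training.
        v = len(self.vocab) + 1
        return (row.get(cmd, 0) + self.alpha) / (total + self.alpha * v)

    def score(self, trace):
        """Per-transition (prev, cmd, log-probability) for a trace."""
        out, prev = [], START
        for cmd in trace:
            out.append((prev, cmd, math.log(self.transition_prob(prev, cmd))))
            prev = cmd
        return out

    def anomalies(self, trace, min_prob=0.05):
        """Transitions below the assumed probability threshold, plus any
        transition into a command the model never saw during training."""
        thresh = math.log(min_prob)
        return [(p, c) for p, c, lp in self.score(trace)
                if c not in self.vocab or lp < thresh]


def build_model():
    return CommandChain().fit(TRAIN)


if __name__ == "__main__":
    m = build_model()
    normal = ["SYNC", "READ_STATUS", "READ_TELEMETRY", "WRITE_ACK", "SYNC"]
    # Constructed anomalous trace: an unseen command, then an out-of-order one.
    odd = ["SYNC", "READ_STATUS", "WRITE_FIRMWARE", "WRITE_ACK", "SYNC", "WRITE_ACK"]
    print("normal:", m.anomalies(normal))
    print("odd:   ", m.anomalies(odd))
```

Run stand-alone, the normal cycle produces no flags, while the constructed second trace flags READ_STATUS followed by WRITE_FIRMWARE (a command absent from training) and SYNC followed directly by WRITE_ACK (both commands known, but that ordering never observed). The smoothing constant keeps every transition's probability finite, so a single unseen command does not drive the log-probability to negative infinity; the threshold and constant are the tuning points a practitioner would set from the false-positive rate on held-out normal traffic.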

Regarding claim 18, RICHARDS-MOZUMDAR teach all limitations of claim 17. RICHARDS further teaches “wherein the one or more processors are further configured to execute instructions stored in the memory to tap a link in the … network to obtain the logical copy of the data stream transmitted from the node of the … network in parallel with transmission of the data stream through the … network.” ([RICHARDS, claim 1] “a processor within each of the at least one server, the processor implementing a first processing node and a second processing node for: monitoring, prior to granting at least one user access to a network, at the first processing node associated with the network, a mirrored live-data flow of a live-data flow”) ([RICHARDS, para. 0061] “Referring now to the drawings, and more particularly to FIG. 1, there is illustrated the operational environment of the network live-data, real-time analysis system 102 (“the System”) according to the present disclosure. ARCHITECTURE: A system and methodology results in the ability to integrate an application and its relational language processing (example: SQL) in parallel and in real-time operational unity with network signaling, packet or data content (“network traffic”) as it is in transmission (“live-data”) and to make situational deductions and to take action on that live-data as it is being transmitted between points within a network.”) ([RICHARDS, para. 0064] “The System 102 enables concurrent analysis and deduction of relationships and probabilities as Events occur and are transmitted as network traffic 104, thus allowing deductive parallel operations with the concurrently occurring network traffic and its operations. The System 102 does not reside within a data center that operates on a sequence of post event analytical functions; rather it is architected as a larger network topology operating non-intrusively and in parallel to the network traffic 104.”) ([RICHARDS, para. 0065] “The system 102 is in two parts, consisting of one or more ingestor nodes 110 and one or more semantic nodes 112. The ingestor node 110 enables a non-intrusive, direct mirroring of network traffic 104 and its content, and provides protocol decoding, data extraction, and prescribed Event alert capabilities. The ingestor node also feeds an assigned semantic node 112 with such prescribed traffic as required. The ingestor node 110 non-intrusively undertakes its analysis and alerts while a particular Event is occurring or in transmission.”)
However, RICHARDS does not teach a “SpaceWire network”.
MOZUMDAR teaches a “SpaceWire network”; the same rejection and motivation as used for claim 17 apply.

Regarding claim 19, RICHARDS-MOZUMDAR teach all limitations of claim 17. Furthermore, this claim recites features similar to those in claim 4. Therefore, claim 19 is rejected in a similar manner as in the rejection of claim 4.

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over RICHARDS-MOZUMDAR in view of LANNING (US-20070266183-A1).

Regarding claim 20, RICHARDS-MOZUMDAR teach all limitations of claim 17. Furthermore, this claim recites features similar to those in claim 7. Therefore, claim 20 is rejected in a similar manner as in the rejection of claim 7.


The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
EDMISON (US 20180331912 A1): This prior art teaches of virtually tapping network traffic using a virtual packet broker to deliver a plurality of network packets to an appliance to be analyzed, including receiving, by the packet broker, the plurality of network packets from virtual network interfaces, replicating, by the packet broker, the plurality of network packets, transmitting, by the packet broker, the plurality of network packets to a packet tunnel and transmitting, by the packet tunnel, the plurality of network packets from the packet tunnel to the appliance for processing.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AFAQ ALI/Examiner, Art Unit 2434
/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434