Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-28 of U.S. Patent No. 11,165,814 Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of US 11,165,814 substantially anticipate all of the current claims at issue.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 5-8, 12-15, 19, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Porras US 6,704,874 in view of Ahmed US 9,483,742.



As per claims 1, 8, 15, 20. Porras teaches A method for monitoring network traffic on one or more networks using one or more network monitoring computers (NMCs), wherein the one or more NMCs include one or more processors that execute instructions to perform actions, comprising: providing one or more scores based on one or more threat assessments that are associated with one or more anomaly classes and which are associated with one or more types of anomalous activity; (Column 3 lines 30-40; 55-60) (sensors) (Column 4 line 52 to Column 5 line 47 (attack type, score and threat assessment)
Porras teaches employing the one or more anomaly classes, the one or more scores, and one or more characteristics of the one or more anomaly classes to determine one or more triage models, Porras teaches modifying the one or more scores based on the one or more triage models and historical information associated with the one or more anomaly classes, wherein the one or more modified scores are associated with the one or more anomaly classes; and providing a report that includes one or more other scores based on detection of one or more types of anomalous activity associated with the one or more anomaly classes in the monitored network traffic.  
(Column 5 lines 10-27, line 55 to Column 6 line 32, Column 6 line 58 to Column 7 line 18, Column 8 36-67) (teaches using history of attacks to update user preferences).  Porras teaches weighted values with a defined range of values Figure 3, Column 6 line 61 to Column 7 line 18)  (weighted, user defined priority values) 

Ahmed teaches  anomaly classes, scores characteristics to determined triage models and modifying models based on historical information (Column 1 line 55 to Column 2 line 25; Column 2 lines 40-57; Column 3 line 33 to Column 4 line 25; Column 5 lines 1-27; Column 6 lines 10-59)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the properties of Ahmed with the previous system because it helps increase the accuracy of the triage model.

As per claims 5, 12, 19. Porras teaches The method of Claim 1, further comprising: evaluating at least one of one or more impacts, one or more harms, or one or more anomalous activity costs based on the historical information; and generating the one or more triage models based on the evaluation.  (Column 5 line 55 to Column 6 line 27) (reports of past incidents)

As per claims 6, 13,  Ahmed teaches The method of Claim 1, further comprising: monitoring activity of the user; and employing one or more of the monitored user activity or one or more characteristics of the user to modify the one or more triage models.  (Column 2 lines 30-56) (teaches an algorithm which takes source IP/source user into consideration when determining anomalous activity)

As per claims 7, 14. Ahmed teaches The method of Claim 1, further comprising: monitoring other network traffic on one or more other networks for other anomalous activity; and modifying the one or more triage models based on the other anomalous activity.  (Column 5 lines 3-27; Column 6 lines 30-60) (traffic properties used to modify triage models due to anomalous activities)


Claim(s) 2, 9, 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Porras US 6,704,874 in view of Ahmed US 9,483,742 in view of Jordan US 2018/0375893.

As per claims 2, 9,16. Jordan teaches The method of Claim 1, wherein the plurality of separately weighted factors further comprising: including two or more of a risk of harm by a threat, a sophistication of the threat, or a likelihood of occurrence of the threat.  [0004][0016][0020][0030] (teaches that the factors include risk of harm and occurrence) 
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the factors of Joran with the previous combination because it improvs report customization for the user.

Claim(s) 3, 10, 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Porras US 6,704,874 in view of Ahmed US 9,483,742 in view of Ryan Jr US 10,198,667.

As per claims 3, 10, 17. Ryan Jr teaches The method of Claim 1, further comprising: employing the one or more other scores to associate the report with one or more of content, a delivery method to the user or a delivery destination for the user.  (Column 2 lines 4-22; Column 4 lines 19-45) (alert score, threshold, associate with content and delivering to user)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the alert of Ryan Jr with the previous combination because it helps improve security.

Claim(s) 4, 11, 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Porras US 6,704,874 in view of Ahmed US 9,483,742 in view of Gonzalez US 2016/0301624

As per claims 4, 11, 18. Gonzalez teaches The method of Claim 1, further comprising: providing one or more agents for a portion of a group of entities on the one or more networks; and employing the one or more agents to capture information for the monitored network traffic communicated by the portion of the group of entities, wherein at least one agent is deactivated based on an amount of information that is captured.  [0081][0083] (teaches deactivation of resources that are no longer needed or required)
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the management of Gonzalez with the previous combination to increase resource usage efficiency.


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439