DETAILED ACTION
This Final Office Action is in response to amendment filed on 10/25/2022.
Claims 1-4, 7-9, 11, and 17-19 have been amended. Claims 6, 14 and 20 have been cancelled. Claims 1-5, 7-13 and 15-19 remain pending in the application.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Drawings
The drawings filed on 05/31/2022 are accepted.

Response to Amendment 
Applicant’s claims amendments has overcome the objections to claims 1-4, 6-8, 11 and 18-20 previously set forth in the Non-Final Office Action mailed on 07/28/2022. Examiner notes that the objection to claim 5 has not been addressed by the applicant. Therefore, the objection to claim 5 previously set forth in the Non-Final Office Action mailed on 07/28/2022 is maintained.
The Double Patenting rejection previously set forth in the Non-Final Office Action mailed on 07/28/2022 is withdrawn in light of an approved terminal disclaimer, in view of US Patent US 10,402,589 B1 and US Patent US 11,379, 612 B2, filed on 11/02/2022.
Applicant’s claims amendments has overcome the USC 112 (a) and USC 112(b) rejections previously set forth in the Non-Final Office Action mailed on 07/28/2022.

Response to Arguments filed on 10/25/2022
Response to 35 U.S.C. § 103 Rejection
Applicant stated “claims 6, 14, and 20 were rejected as being obvious over Galbreath in view of Olson, further in view of U.S. Patent Application Publication No. 2014/0181186 by Stevens et al. (hereinafter "Stevens"), further in view of U.S. Patent Application Publication No. 2018/0011643 by Calder et al. (hereinafter "Calder"). The rejection contends Calder teaches selecting data storage options for security, fast storage, and fault tolerance. Applicant respectfully suggests there is no motivation to combine the references as suggested in the rejection. As made explicit in Calder, the system and method is for "backing up data to storage," more specifically, "automatic backup operations include storing in an entry of a catalog data structure, data identifying a backup data object transmitted to a selected storage node, and data identifying the selected storage node to which the backup data object of the entry was transmitted." (Abstract). Applicant respectfully suggests a person of ordinary skill in the art would not consider the teaching of Calder, as the disclosure of Calder would be generally understood to be addressing a different problem (management of data backups) than the problem addressed by the claimed invention (real-time updating and/or generation of rules responsive to identification of malicious data requests). This is supported by the difference in classification of Calder (G06F11) with the other references (H04L63, H04L43, and H04L67, respectively). Accordingly, Applicant respectfully suggests there is no motivation to combine Calder with the combination of Galbreath, Olson, and Stevens, and therefore claims 6, 14, and 20 are patentable over the combination of Galbreath, Olson, and Stevens, as it is noted that combination does not teach every limitation of those claim. Independent claims 1, 9, and 17 are amended to include the limitation of those claims. Accordingly, Applicant respectfully suggests the independent claims, as amended, are patentable over the cited prior art that may be properly combined. Their dependent claims, which recite further differentiating features, are similarly patentable and require no additional discussion.
	Examiner respectfully disagrees. Examiner asserts that the combination of the above cited prior arts teach the claimed invention recited in amended independent claims. Examiner further asserts that the problem addressed by the instant application argued above “(real-time updating and/or generation of rules responsive to identification of malicious data requests)” is addressed by Galbreath in view of Olson as described in the rationale in the rejection below. Calder is relied upon to address optimizing storage performance in the claimed limitation of an active rule facilitating a router to choose between storage options including secure areas for storage of types of data, faster storage locations for access, and storage with fault-tolerant features. While Calder, having different classification from the instant application, discloses achieving a different objective in the abstract from the main objective presented in the instant application, however, Calder solves the same problem of optimizing storage performance addressed in the limitation, as disclosed by Calder in [0069] “an optimum target storage node may be selected having the best storage node-defined parameters for the selection criteria without regard to a cost parameter in some embodiments. Thus, a storage node of the filtered pool of candidate storage nodes which has been narrowed as described in connection with FIGS. 5a, 5b, providing the best combination of, for example, security, retrieval speed and data durability, ranked in that order, may be automatically selected in automated storage target selection for data backup in accordance with the present description.”, where this is consistent with the instant application in [0028] “Further embodiments of the invention are directed to a method of optimizing performance of and securing cloud storage and databases… indicating storage requirements for at least one of security, access speed, or fault tolerance”. Therefore, a person of ordinary skill in the art before the effective filing date of the claimed invention would be able consider the teaching of Calder with the motivation of optimizing storage performance by automatically selecting a storage node of a plurality of candidate storage nodes as a function of a plurality of selection criteria, as explicitly recognized by (Abstract, [0069] and throughout).
Conclusion: Galbreath in view of Olson, Stevens and Calder disclose the limitations of independent claims 1, 9 and 17 and render claims’ limitations obvious before the effective filing date of the claimed invention.

Claim Objections
Claim 5 is objected to because of the following informalities:  Claim 5 recites “The server of claim 1….”. While the independent claim 1 recites “A storage intelligence server”, while it is understood that the server in the dependent claim refers to the “storage intelligence server’, however, replacing the “The server of claim...” with “The storage intelligence server of claim...” would definitively clarify the dependent claim limitations. 
Appropriate correction is required.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-3, 5, 7-11, 13, 15-17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Galbreath et. al. (US 20170063793 A1), hereinafter Galbreath, in view of Olson et. al. (US 9893972 B1), hereinafter Olson, Stevens et. al. (US 20140181186 A1), and Calder et. al. (US 20180011643 A1), hereinafter Calder.
	
Regarding claim 1 (Currently Amended), Galbreath teaches a storage intelligence server for updating rules for at least one of a firewall and a router, comprising: a processor; and a non-transitory memory storage device positioned in communication with the processor, the non-transitory memory storage device having software stored thereon, the software being operable to define (Galbreath discloses a collector server 120 (Figure 4 400) to update rules for an agent process in a network server 100, [0022] “…the agent makes fast decisions based on rules provided by a collector server, thus it can make rapid (e.g., less than 1-2 ms decisions”, [0025] “FIG. 1 is a block diagram illustrating an embodiment of a system for web application security. In the example shown, network server 100 receives a request (e.g., from a user using user system 130). The request is processed or not by network server 100. An in-line module and agent determine whether the request is a security problem. Information regarding security problem requests is sent to collector server 120 from network server 100. Collector server 120 determines instructions (e.g., rules, watch lists, security problems, etc.) and updates network server 100 (e.g., an agent in network server 100). The instructions are used by the agent to determine whether any given request is a security problem.” Further disclosed in [0024], where the agent process and the network server 100 in Figure 1 corresponds to the at least one of firewall and router, where the server 400 processes operations on data disclosed in [0028], which indicates a processor and a memory to process data):
a collector component configured to receive trace data related to data requests from agent applications executing on computerized devices (Galbreath discloses the collector server receiving request information, i.e. trace data, from an agent executing on the network server 100 in Figure 1, [0022] “…in the event that the request looks like an attack, then information is uploaded to a collector server… data is aggregated from multiple agents and session identifiers… data is aggregated from multiple agents… the system attacks are distributed, so aggregating data collection across multiple agents”, [0024] “the agent sends relevant information about the request(s) to a collector server for further analysis.”, where the agents are an application process executed on multiple servers , [0028] “Collector server 400 receives information regarding requests from multiple agents monitoring multiple web servers”, where the user makes a request/query utilizing a web application as disclosed in [0021-22] and further discloses, for distributed attacks, request information from multiple agents are collected and aggregated, for analysis of requests, where one agent can be construed as an agent application executed on one server); 
a storage component within which the trace data is stored ([0028] “FIG. 4 is a block diagram illustrating an embodiment of a collector server…collector server 400 comprises collector server 120 of FIG. 4. In the example shown, collector server 400 includes detection engine 402. Collector server 400 receives information regarding requests from multiple agents monitoring multiple web servers. Collector server 400 receives encrypted and redacted information from an agent. The information is decrypted and annotated (e.g., with information on where it came from—for example, country information, hostname information, etc.). The information is used to determine rules and/or instructions that are provided to the agent enabling quick decisions for the in-line module. Detection engine 402 determines patterns of request from multiple agents. Detection engine 402 detects attack patterns and provides updates to rules and/or instructions to block the attacks.”, where the receiving and annotation of the request information indicates storing the request information in order to process such information and update rules); 
an analytics component configured to analyze the trace data to identify a malicious data request [in real-time], defining an identified malicious data request (Galbreath [0024] “Asynchronously, after identifying malicious signals in request(s), the agent sends relevant information about the request(s) to a collector server for further analysis…When an attack is identified, the collector server generates an updated list of rules and/or instructions for the agent to consult when making decisions on inbound requests.”, [0022] “…the agent makes fast decisions based on rules provided by a collector server, thus it can make rapid (e.g., less than 1-2 ms decisions”, [0025] “FIG. 1 is a block diagram illustrating an embodiment of a system for web application security. In the example shown, network server 100 receives a request (e.g., from a user using user system 130). The request is processed or not by network server 100. An in-line module and agent determine whether the request is a security problem. Information regarding security problem requests is sent to collector server 120 from network server 100. Collector server 120 determines instructions (e.g., rules, watch lists, security problems, etc.) and updates network server 100 (e.g., an agent in network server 100). The instructions are used by the agent to determine whether any given request is a security problem”, [0028]  “Detection engine 402 detects attack patterns and provides updates to rules and/or instructions to block the attacks.”, where the detection engine of the collector server identifies an attack pattern corresponding to a malicious pattern); and 
a controller component having stored thereon a plurality of rules, the controller component being configured to: at least one of update a rule of the plurality of rules or generate a new rule for inclusion in the plurality of rules responsive to the identified malicious data request, defining an active rule; and transmit the active rule to at least one of the firewall and the router (Galbreath [0024] “Asynchronously, after identifying malicious signals in request(s), the agent sends relevant information about the request(s) to a collector server for further analysis. For performance and privacy reasons this step is not done by the in-line module and the full request information is not sent to the collector server. When an attack is identified, the collector server generates an updated list of rules and/or instructions for the agent to consult when making decisions on inbound requests. Visibility is provided to a web application server administrator or other user via dashboards. Also, alerts are sent to a number of services (e.g., monitoring services). In addition, an API implementation of the dashboards enables feeding into existing internal logging and security information and event management (SIEM) systems.”, [0022] “…the agent makes fast decisions based on rules provided by a collector server, thus it can make rapid (e.g., less than 1-2 ms decisions” [0022] further discloses creating a rule, [0025] “FIG. 1 is a block diagram illustrating an embodiment of a system for web application security. In the example shown, network server 100 receives a request (e.g., from a user using user system 130). The request is processed or not by network server 100. An in-line module and agent determine whether the request is a security problem. Information regarding security problem requests is sent to collector server 120 from network server 100. Collector server 120 determines instructions (e.g., rules, watch lists, security problems, etc.) and updates network server 100 (e.g., an agent in network server 100). The instructions are used by the agent to determine whether any given request is a security problem. An administrator using administrator system 140 is able to monitor security issues for network server 100 via customer administration server 110 that shows on a dashboard security statistics derived from data received from network server 100.”, where  the updated rules by the collector server, i.e. storage intelligence server, is provided to the agent).  
Galbreath discloses the aforementioned limitations, and further discloses [0022] “ the agent makes fast decisions based on rules provided by a collector server, thus it can make rapid (e.g., less than 1-2 ms decisions)”, and further in [0024], where data analysis to identify attack, malicious pattern, and a decision are performed in less than 1 ms, which can be construed as real time, however, Galbreath does not explicitly disclose that the analysis is performed in real time.
an analytics component configured to analyze the trace data to identify a data request in real-time (Olson Col. 6 line 43-54 “With both I/O metrics from the storage volumes 134 and the client computing device 150, I/O metric service 140 processes statistics to intertwine the I/O metrics from both entities and understand the relationship of the I/O request with the I/O request's resulting downstream behavior at the storage volumes 134”, Col. 6 line 62-67 and Col. 7 line 1-8 “…traces and spans can be associated with the performance of network 120 so that the I/O request behavior within network 120 also is tracked. I/O metrics from all entities and the interdependent relationships indicated by the primary, secondary, and tertiary identifiers may be processed further in the I/O metric service 140 for further analysis and evaluation of the entire performance of the storage volumes 134 and I/O requests generally within the network topology 100. This approach may allow statistics to be determined for networks with high-volume transaction rates (e.g., I/O requests) so that more detailed and real-time data may be processed at the I/O metric service 140, without the overhead of existing statistics collection at a client computing device 150.”, analysis further disclosed in Col. 7 line 33-51 e.g. defining and identifying a congested path of a data request, Col. 8 line 23-28 “The I/O metric service 140 further includes the data processing component 204, which processes the aggregated I/O metric information into overall statistics. The I/O metric service 140 also includes an I/O metric processing component 206, which publishes the processed, aggregated I/O metric information (e.g., as overall statistics).”, where the processing components in Figure 2 corresponds to the analysis part).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Galbreath to incorporate the teaching of Olson to utilize the above feature, with the motivation of continually collecting statistics while reducing the overhead of existing statistics collection at a client computing device 150, as recognized by (Olson Col. 8 line 23-28).
Galbreath in view of Olson teaches discloses the aforementioned limitations, where Galbreath discloses transmitting updated/created rule from the collector server to the network server such that an agent application of the network server makes a decision based on the updated/created rule. However, Galbreath in view of Olson do not explicitly disclose the below limitation.
Stevens discloses wherein the active rule is configured to facilitate the router inserting a tag into a data request received thereby that chooses between storage options (Stevens Figure 9, CDN server 302 routing/forwarding requests to cloud storages, corresponding to router, utilized for optimizing performance in providing scalable architecture, offload for the underlying API origins, and a measure of attack protection, [0119] “the VAA layer described above can be implemented in a CDN server 302 by using information in a metadata file 302 a to define certain information”, [0120] “The use of dynamic control information for a VAA-type functions can be advantageous in that… providing a scalable architecture. The VAA layer also provides offload for the underlying API origins, and a measure of attack protection (e.g., against DDOS attacks).”, [0064] “…cloud-provider and/or cloud provider's cloud-customer can configure or update the database.”, [0121] “a given request to an API can be evaluated in a given CDN server 302 in stages, using various components:… [0125] Request Decoration : adds headers to request for use in forwarding…”, where header corresponds to tag, i.e. adding header corresponds to inserting a tag/header, consistent with the instant application [0015] where “Storage Router identifies or inserts tags/headers that are associated with storage requests that allow it to choose between storage options”, [0137] “Request decoration can involve adding headers or other information to the client request prior to sending it to the API origin. As with other processing, request decoration can be driven by dynamic control information which in FIG. 12 is in the form of a request decoration policy. This policy can provide data and/or logic that instructs the CDN server 302 how to decorate a client request before forwarding it to a particular API origin in the CDN platform. For example, the decoration policy can supply appropriate headers to add to the request (e.g., given the particular API endpoint and particular data from the request), and/or can append additional identity information as to who is requesting service, information about the CDN server 302 that processed the client request for tracking or auditing purposes and so on. The request can also be decorated with signatures from the CDN server 302 to indicate successful validation, authentication, and/or authorization, so that this signature can be verified later by the API origin.”, the added header/information indicates authentication/validation, i.e. indicates security, which consequently enable responding to the request).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Galbreath in view of Olson to incorporate the teaching of Stevens to utilize the above feature, with the motivation of evaluating requests for use in forwarding, providing a scalable architecture, offloading, and measure of attack protection ., as recognized by (Stevens [0120-0121, 0137] and throughout).
While Galbreath in view of Olson and Stevens disclose the aforementioned limitations, where Stevens discloses attaching/inserting a header to the request at the CDN server 302, enabling the forwarding of the request with decoration/headers in forwarding to a particular destination from among the destinations as illustrated in Figure 9 [0137] “This policy can provide data and/or logic that instructs the CDN server 302 how to decorate a client request before forwarding it to a particular API origin in the CDN platform. For example, the decoration policy can supply appropriate headers to add to the request (e.g., given the particular API endpoint and particular data from the request)”, however, Galbreath in view of Olson and Stevens do not disclose choosing between storage options including secure storage, faster storage or fault tolerance features. 
Calder discloses active rule facilitating a router to choose between storage options including secure areas for storage of types of data, faster storage locations for access, and storage with fault-tolerant features (Calder discloses in [0035-0036], a storage controller 4 in Figure 2, which automatically selects an optimal storage node 10a-d, when a data backup request is initiated, 
upon receiving a backup initiation request, where the selection is based on user parameter rules and storage parameter rules, i.e. active rules, enabling the storage controller to choose between storage options with feature including: storage with security level/feature for secured data, e.g. secret government level, HIPPA, storage with speed level/feature, e.g. speed for accessing stored data, and storage with durability/reliability level/feature, e.g. data durability may be quantified as a function of the number of backups and geographical separation of the backup, with percentage of reliability, interpreted as fault tolerance, where storage fault tolerance is related to a how reliable a storage is in performing a function given a malfunction/fault occurred, as illustrated in Figures 2 and 4A-B and [0038-0042], [0083-0084] further discloses the node selection logic of the storage controller in Figure 2, monitors, e.g. transactionally, the user data usage associated with the backup storage node, and subsequently update the user parameter such that the controller storage automatically update the storage node utilized for backup operation when the back request is initiated, where history of data is tracked for analysis to eventually perform the selection, [0095] discloses that if parameters/rules have changed, the prior selection of a storage node may be re-evaluated).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Galbreath in view of Olson and Stevens to incorporate the teaching of Calder to utilize the above feature, with the motivation of automatically selecting a storage node of a plurality of candidate storage nodes as a function of a plurality of selection criteria, as recognized by (Abstract and throughout).

Claim 9 (Currently Amended) is directed to a method, associated with the server claimed in claim 1. Claim 9 is similar in scope to claim 1, and is therefore rejected with the same rationale and motivation as claim 1. 

Regarding claim 2 (Currently Amended), Galbreath in view of Olson, Stevens and Calder teaches the storage intelligence server of claim 1 wherein the trace data is asynchronous trace data (Galbreath [0024] “Asynchronously, after identifying malicious signals in request(s), the agent sends relevant information about the request(s) to a collector server for further analysis. ”).  

Claim 10 (Original) is directed to a method, associated with the server claimed in claim 2. Claim 10 is similar in scope to claim 2, and is therefore rejected with the same rationale and motivation as claim 2. 

Regarding claim 3 (Currently Amended), Galbreath in view of Olson, Stevens and Calder teaches the storage intelligence server of claim 1 wherein the trace data is received by the collector component via a pathway other than a pathway through which the data requests were [[was]] transmitted to one of the firewall and the router (Galbreath discloses the request information is received and collected by the collector server 120 from the agent at the network server 100, and multiple agents, which is a different path through which the request is transmitted from the user system 130 to the agent, firewall, in the network server 100, [0025] “network server 100 receives a request (e.g., from a user using user system 130). The request is processed or not by network server 100. An in-line module and agent determine whether the request is a security problem. Information regarding security problem requests is sent to collector server 120 from network server 100.”). 

Claim 11 (Currently Amended) is directed to a method, associated with the server claimed in claim 3. Claim 11 is similar in scope to claim 3, and is therefore rejected with the same rationale and motivation as claim 3.

Regarding claim 5 (Original), Galbreath in view of Olson, Stevens and Calder teaches the server of claim 1 further comprising transmitting information about at least one of the trace data, the identified malicious data request, and the active rule to a monitoring dashboard (Galbreath [0024] “Asynchronously, after identifying malicious signals in request(s), the agent sends relevant information about the request(s) to a collector server for further analysis. For performance and privacy reasons this step is not done by the in-line module and the full request information is not sent to the collector server. When an attack is identified, the collector server generates an updated list of rules and/or instructions for the agent to consult when making decisions on inbound requests. Visibility is provided to a web application server administrator or other user via dashboards. Also, alerts are sent to a number of services (e.g., monitoring services). In addition, an API implementation of the dashboards enables feeding into existing internal logging and security information and event management (SIEM) systems.”, [0027] “customer administration server 300 comprises dashboard 302 and API 304. Customer administration server 300 receives monitoring information from an agent and/or from a collector server regarding web requests handled by a web server. Dashboard 302 displays monitoring information to an administrator. API 304 enables access to monitoring information. In various embodiments, monitoring information is provided to a logging facility, security management system, event management system, or any other appropriate system or facility.”).  
Claims 13 (Original) and 19 (Currently Amended) are directed to a method and server, respectively, associated with the server claimed in claim 5. Claims 13 and 19 are similar in scope to claim 5, and are therefore rejected with the same rationale and motivation as claim 5.

Regarding claim 7 (Currently Amended), Galbreath in view of Olson, Stevens and Calder teaches the storage intelligence server of claim 1 
Galbreath does not explicitly disclose the below limitation.
Olson discloses wherein the trace data comprises one or more of a span and a trace (Olson Col. 3 line 63-67 “…the agent is configured to aggregate the I/O metrics after using the traces, spans, and subspans to collect various timers and relationship information indicating the performance of I/O operations, or I/O requests generally.”, Col. 6 line 21-26 “FIG. 1, the storage volume network 130 stores these I/O metrics in a ring buffer within the storage volume network 130 using primary and secondary identifiers to identify these I/O metrics and further aggregate them…these primary and secondary identifiers may be referred to as traces and spans respectively.”, Col. 6 line 43-50 “…spans are associated with the receiving end of the I/O request, that is, a client computing device 150 has spans associated with the response from its initial I/O request. With this approach, an agent at client computing device 150 collects and aggregates I/O metrics to be forwarded to I/O metric service 140. With both I/O metrics from the storage volumes 134 and the client computing device 150, I/O metric service 140 processes statistics to intertwine the I/O metrics from both entities and understand the relationship of the I/O request with the I/O request's resulting downstream behavior at the storage volumes 134.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Galbreath to incorporate the teaching of Olson to utilize the above feature, with the motivation of analyzing performance of the requests, as recognized by (Olson Col. 3 line 63-67).
  
Claim 15 (Original) is directed to a method, associated with the server claimed in claim 7. Claim 15 is similar in scope to claim 7, and is therefore rejected with the same rationale and motivation as claim 7. 

Regarding claim 8 (Currently Amended), Galbreath in view of Olson, Stevens and Calder teaches the storage intelligence server of claim 1 wherein the agent applications are executed by one of a client computerized device, a load balancer, a proxy server, or an application server (Galbreath discloses the collector server receiving request information, i.e. trace data, from an agent executing on the network server 100 in Figure 1, [0022] “…in the event that the request looks like an attack, then information is uploaded to a collector server… data is aggregated from multiple agents and session identifiers… data is aggregated from multiple agents… the system attacks are distributed, so aggregating data collection across multiple agents”, [0024] “the agent sends relevant information about the request(s) to a collector server for further analysis.”, where the agents are an application process executed on multiple servers , [0028] “Collector server 400 receives information regarding requests from multiple agents monitoring multiple web servers”, where the user makes a request/query utilizing a web application as disclosed in [0021-22] and further discloses, for distributed attacks, request information from multiple agents are collected and aggregated, for analysis of requests, where one agent can be construed as an agent application executed on one server).
Claim 16 is directed to a method, associated with the server claimed in claim 8. Claim 16 is similar in scope to claim 8, and is therefore rejected with the same rationale and motivation as claim 8. 
 
Regarding claim 17 (Currently Amended), Galbreath teaches a storage intelligence server for updating rules for at least one of a firewall and a router, comprising: a processor; and a non-transitory memory storage device positioned in communication with the processor, the non-transitory memory storage device having software stored thereon, the software being operable to define (Galbreath discloses a collector server 120 (Figure 4 400) to update rules for an agent process in a network server 100, [0022] “…the agent makes fast decisions based on rules provided by a collector server, thus it can make rapid (e.g., less than 1-2 ms decisions”, [0025] “FIG. 1 is a block diagram illustrating an embodiment of a system for web application security. In the example shown, network server 100 receives a request (e.g., from a user using user system 130). The request is processed or not by network server 100. An in-line module and agent determine whether the request is a security problem. Information regarding security problem requests is sent to collector server 120 from network server 100. Collector server 120 determines instructions (e.g., rules, watch lists, security problems, etc.) and updates network server 100 (e.g., an agent in network server 100). The instructions are used by the agent to determine whether any given request is a security problem.” Further disclosed in [0024], where the agent process on the network server 100 in Figure 1 corresponds to the firewall, where the server 400 processes operations on data disclosed in [0028], which indicates a processor and a memory to process data):
a collector component configured to receive asynchronous trace data related to data requests from agent applications executing on computerized devices (Galbreath discloses the collector server receiving request information, i.e. trace data, from an agent executing on the network server 100 in Figure 1, [0022] “…in the event that the request looks like an attack, then information is uploaded to a collector server… data is aggregated from multiple agents and session identifiers… data is aggregated from multiple agents… the system attacks are distributed, so aggregating data collection across multiple agents”, [0024] “Asynchronously, after identifying malicious signals in request(s),  the agent sends relevant information about the request(s) to a collector server for further analysis.”, where the agents are an application process executed on multiple servers, [0028] “Collector server 400 receives information regarding requests from multiple agents monitoring multiple web servers”, where the user makes a request/query utilizing a web application as disclosed in [0021-22] and further discloses, for distributed attacks, request information from multiple agents are collected and aggregated, for analysis of requests, where one agent can be construed as an agent application executed on one server), 
the asynchronous trace data being received via a pathway other than a pathway through which the data requests were [[was]] transmitted to one of the firewall and the router (Galbreath discloses the request information is Asynchronously received and collected by the collector server 120 from the agent at the network server 100, as disclosed in [0024], which is a different path through which the request is transmitted from the user system 130 to the agent, firewall, in the network server 100, [0025] “network server 100 receives a request (e.g., from a user using user system 130). The request is processed or not by network server 100. An in-line module and agent determine whether the request is a security problem. Information regarding security problem requests is sent to collector server 120 from network server 100.”); 3METHOD AND SYSTEM FOR SECURING CLOUD STORAGE AND DATABASES FROM INSIDER THREATS AND OPTIMIZING PERFORMANCE 
a storage component within which the asynchronous trace data is stored (Galbreath [0028] “FIG. 4 is a block diagram illustrating an embodiment of a collector server…collector server 400 comprises collector server 120 of FIG. 4. In the example shown, collector server 400 includes detection engine 402. Collector server 400 receives information regarding requests from multiple agents monitoring multiple web servers. Collector server 400 receives encrypted and redacted information from an agent. The information is decrypted and annotated (e.g., with information on where it came from—for example, country information, hostname information, etc.). The information is used to determine rules and/or instructions that are provided to the agent enabling quick decisions for the in-line module. Detection engine 402 determines patterns of request from multiple agents. Detection engine 402 detects attack patterns and provides updates to rules and/or instructions to block the attacks.”, where the Asynchronously receiving, as disclosed in [0024], and annotation of the request information indicates storing the request information in order to process such information and update rules); and 
an analytics component configured to analyze the asynchronous trace data to identify a malicious data request [in real-time], defining an identified malicious data request (Galbreath [0024] “Asynchronously, after identifying malicious signals in request(s), the agent sends relevant information about the request(s) to a collector server for further analysis…When an attack is identified, the collector server generates an updated list of rules and/or instructions for the agent to consult when making decisions on inbound requests.”, [0022] “…the agent makes fast decisions based on rules provided by a collector server, thus it can make rapid (e.g., less than 1-2 ms decisions”, [0025] “FIG. 1 is a block diagram illustrating an embodiment of a system for web application security. In the example shown, network server 100 receives a request (e.g., from a user using user system 130). The request is processed or not by network server 100. An in-line module and agent determine whether the request is a security problem. Information regarding security problem requests is sent to collector server 120 from network server 100. Collector server 120 determines instructions (e.g., rules, watch lists, security problems, etc.) and updates network server 100 (e.g., an agent in network server 100). The instructions are used by the agent to determine whether any given request is a security problem”, [0028]  “Detection engine 402 detects attack patterns and provides updates to rules and/or instructions to block the attacks.”, where the detection engine of the collector server identifies an attack pattern corresponding to a malicious pattern); 
a controller component having stored thereon a plurality of rules, the controller component being configured to: at least one of update a rule of the plurality of rules or generate a new rule for inclusion in the plurality of rules responsive to the identified malicious data request, defining an active rule; and transmit the active rule to at least one of the firewall and the router (Galbreath [0024] “Asynchronously, after identifying malicious signals in request(s), the agent sends relevant information about the request(s) to a collector server for further analysis. For performance and privacy reasons this step is not done by the in-line module and the full request information is not sent to the collector server. When an attack is identified, the collector server generates an updated list of rules and/or instructions for the agent to consult when making decisions on inbound requests. Visibility is provided to a web application server administrator or other user via dashboards. Also, alerts are sent to a number of services (e.g., monitoring services). In addition, an API implementation of the dashboards enables feeding into existing internal logging and security information and event management (SIEM) systems.”, [0022] “…the agent makes fast decisions based on rules provided by a collector server, thus it can make rapid (e.g., less than 1-2 ms decisions” [0022] further discloses creating a rule, [0025] “FIG. 1 is a block diagram illustrating an embodiment of a system for web application security. In the example shown, network server 100 receives a request (e.g., from a user using user system 130). The request is processed or not by network server 100. An in-line module and agent determine whether the request is a security problem. Information regarding security problem requests is sent to collector server 120 from network server 100. Collector server 120 determines instructions (e.g., rules, watch lists, security problems, etc.) and updates network server 100 (e.g., an agent in network server 100). The instructions are used by the agent to determine whether any given request is a security problem. An administrator using administrator system 140 is able to monitor security issues for network server 100 via customer administration server 110 that shows on a dashboard security statistics derived from data received from network server 100.”, where  the updated rules by the collector server, i.e. storage intelligence server, is provided to the agent).  
Galbreath discloses the aforementioned limitations, and further discloses [0022] “ the agent makes fast decisions based on rules provided by a collector server, thus it can make rapid (e.g., less than 1-2 ms decisions)”, and further in [0024], where data analysis to identify attack, malicious pattern, and a decision are performed in less than 1 ms, which can be construed as real time, however, Galbreath does not explicitly disclose that the analysis is performed in real time.
an analytics component configured to analyze the trace data to identify a data request in real-time (Olson Col. 6 line 43-54 “With both I/O metrics from the storage volumes 134 and the client computing device 150, I/O metric service 140 processes statistics to intertwine the I/O metrics from both entities and understand the relationship of the I/O request with the I/O request's resulting downstream behavior at the storage volumes 134”, Col. 6 line 62-67 and Col. 7 line 1-8 “…traces and spans can be associated with the performance of network 120 so that the I/O request behavior within network 120 also is tracked. I/O metrics from all entities and the interdependent relationships indicated by the primary, secondary, and tertiary identifiers may be processed further in the I/O metric service 140 for further analysis and evaluation of the entire performance of the storage volumes 134 and I/O requests generally within the network topology 100. This approach may allow statistics to be determined for networks with high-volume transaction rates (e.g., I/O requests) so that more detailed and real-time data may be processed at the I/O metric service 140, without the overhead of existing statistics collection at a client computing device 150.”, analysis further disclosed in Col. 7 line 33-51 e.g. defining and identifying a congested path of a data request, Col. 8 line 23-28 “The I/O metric service 140 further includes the data processing component 204, which processes the aggregated I/O metric information into overall statistics. The I/O metric service 140 also includes an I/O metric processing component 206, which publishes the processed, aggregated I/O metric information (e.g., as overall statistics).”, where the processing components in Figure 2 corresponds to the analysis part).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Galbreath to incorporate the teaching of Olson to utilize the above feature, with the motivation of continually collecting statistics while reducing the overhead of existing statistics collection at a client computing device 150, as recognized by (Olson Col. 8 line 23-28).
Galbreath in view of Olson teaches discloses the aforementioned limitations, where Galbreath discloses transmitting updated/created rule from the collector server to the network server such that an agent application of the network server makes a decision based on the updated/created rule. However, Galbreath in view of Olson do not explicitly disclose the below limitation.
Stevens discloses wherein the active rule is configured to facilitate the router inserting a tag into a data request received thereby that chooses between storage options (Stevens Figure 9, CDN server 302 routing/forwarding requests to cloud storages, corresponding to router, utilized for optimizing performance in providing scalable architecture, offload for the underlying API origins, and a measure of attack protection, [0119] “the VAA layer described above can be implemented in a CDN server 302 by using information in a metadata file 302 a to define certain information”, [0120] “The use of dynamic control information for a VAA-type functions can be advantageous in that… providing a scalable architecture. The VAA layer also provides offload for the underlying API origins, and a measure of attack protection (e.g., against DDOS attacks).”, [0064] “…cloud-provider and/or cloud provider's cloud-customer can configure or update the database.”, [0121] “a given request to an API can be evaluated in a given CDN server 302 in stages, using various components:… [0125] Request Decoration : adds headers to request for use in forwarding…”, where header corresponds to tag, i.e. adding header corresponds to inserting a tag/header, consistent with the instant application [0015] where “Storage Router identifies or inserts tags/headers that are associated with storage requests that allow it to choose between storage options”, [0137] “Request decoration can involve adding headers or other information to the client request prior to sending it to the API origin. As with other processing, request decoration can be driven by dynamic control information which in FIG. 12 is in the form of a request decoration policy. This policy can provide data and/or logic that instructs the CDN server 302 how to decorate a client request before forwarding it to a particular API origin in the CDN platform. For example, the decoration policy can supply appropriate headers to add to the request (e.g., given the particular API endpoint and particular data from the request), and/or can append additional identity information as to who is requesting service, information about the CDN server 302 that processed the client request for tracking or auditing purposes and so on. The request can also be decorated with signatures from the CDN server 302 to indicate successful validation, authentication, and/or authorization, so that this signature can be verified later by the API origin.”, the added header/information indicates authentication/validation, i.e. indicates security, which consequently enable responding to the request).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Galbreath in view of Olson to incorporate the teaching of Stevens to utilize the above feature, with the motivation of evaluating requests for use in forwarding, providing a scalable architecture, offloading, and measure of attack protection ., as recognized by (Stevens [0120-0121, 0137] and throughout).
While Galbreath in view of Olson and Stevens disclose the aforementioned limitations, where Stevens discloses attaching/inserting a header to the request at the CDN server 302, enabling the forwarding of the request with decoration/headers in forwarding to a particular destination from among the destinations as illustrated in Figure 9 [0137] “This policy can provide data and/or logic that instructs the CDN server 302 how to decorate a client request before forwarding it to a particular API origin in the CDN platform. For example, the decoration policy can supply appropriate headers to add to the request (e.g., given the particular API endpoint and particular data from the request)”, however, Galbreath in view of Olson and Stevens do not disclose choosing between storage options including secure storage, faster storage or fault tolerance features. 
Calder discloses active rule facilitating a router to choose between storage options including secure areas for storage of types of data, faster storage locations for access, and storage with fault-tolerant features (Calder discloses in [0035-0036], a storage controller 4 in Figure 2, which automatically selects an optimal storage node 10a-d, when a data backup request is initiated, 
upon receiving a backup initiation request, where the selection is based on user parameter rules and storage parameter rules, i.e. active rules, enabling the storage controller to choose between storage options with feature including: storage with security level/feature for secured data, e.g. secret government level, HIPPA, storage with speed level/feature, e.g. speed for accessing stored data, and storage with durability/reliability level/feature, e.g. data durability may be quantified as a function of the number of backups and geographical separation of the backup, with percentage of reliability, interpreted as fault tolerance, where storage fault tolerance is related to a how reliable a storage is in performing a function given a malfunction/fault occurred, as illustrated in Figures 2 and 4A-B and [0038-0042], [0083-0084] further discloses the node selection logic of the storage controller in Figure 2, monitors, e.g. transactionally, the user data usage associated with the backup storage node, and subsequently update the user parameter such that the controller storage automatically update the storage node utilized for backup operation when the back request is initiated, where history of data is tracked for analysis to eventually perform the selection, [0095] discloses that if parameters/rules have changed, the prior selection of a storage node may be re-evaluated).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Galbreath in view of Olson and Stevens to incorporate the teaching of Calder to utilize the above feature, with the motivation of automatically selecting a storage node of a plurality of candidate storage nodes as a function of a plurality of selection criteria, as recognized by (Abstract and throughout).

Claims 4, 12 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Galbreath et. al. (US 20170063793 A1), hereinafter Galbreath, in view of Olson et. al. (US 9893972 B1), hereinafter Olson, , Stevens et. al. (US 20140181186 A1), and Calder et. al. (US 20180011643 A1), hereinafter Calder, and further in view of Wang et. al. (US 20180262521 A1), hereinafter Wang.

Regarding claim 4 (Currently Amended), Galbreath in view of Olson, Stevens and Calder teaches the storage intelligence server of claim 1 
Galbreath in view of Olson, Stevens and Calder disclose the aforementioned limitations. Galbreath further discloses aggregating data collection of request information, trace data, across multiple agents, however, Galbreath in view of Olson, Stevens and Calder do not disclose the below limitation.
Wang discloses wherein the analytics component analyzes the trace data using at least one of a machine learning model, a deep learning model, and an artificial intelligence model (Wang discloses analysis of data information utilizing neural network algorithm to detect malicious characteristics, [0048] “…the neural network algorithm is used to establish the analysis model. The neural network algorithm automatically captures an attack and calculates the probability of triggering, and sends it to the analysis model for calculating the characteristic probability of the behavior characteristic. The invention combines the defense rule base with the user's access behavior to automatically calculate the probability of each access request and triggering the defense rules. Recalculation needs enough time and a large amount of data for analysis. In general, offline detection or bypass detection is adopted firstly, and then the learning simulation is performed through the analysis model. After the characteristic probability is calculated, a series of defense rules are specifically generated, and the defense rule base is updated and corrected. According to the new defense rule base to identify and intercept malicious characteristics, regular learning and training can reduce false alarm rate greatly.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Galbreath in view of Olson, Stevens and Calder to incorporate the teaching of Wang to utilize the above feature, with the motivation of reducing false alarm rate greatly, as recognized by (Wang [0048]).
  
Claims 12 (Original) and 18 (Currently Amended) are directed to a method and server, respectively, associated with the server claimed in claim 4. Claims 12 and 18 are similar in scope to claim 4, and are therefore rejected with the same rationale and motivation as claim 4. 

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BASSAM A NOAMAN whose telephone number is (571)272-2705. The examiner can normally be reached Monday-Friday 8:30 AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/BASSAM A NOAMAN/Examiner, Art Unit 2497