DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continuation
This application is a continuation application of US 15/950,234 (filed on Apr. 11, 2018 – now US Patent No. 10,999,304). The prosecution history and references cited in the above application have been fully considered.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 4/20/2021, 9/21/2021, 3/15/2022, and 6/19/2022 comply with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-25 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-19 and 39 of US Patent No. 10,999,304. Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-19 and 39 of the conflicting patent contain every element of claims 1-25 of the instant application and thus anticipate the claims of the instant application. Therefore, claims 1-25 of the instant application are not patentably distinct from the earlier patent claims and are unpatentable under obviousness-type double patenting. “A later patent claim is not patentably distinct from an earlier claim if the later claim is anticipated by the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus).” ELI LILLY AND COMPANY v BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit on PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001).
Refer to the following comparison tables between exemplary claims (each row lists the instant application's limitation first and the conflicting patent's corresponding limitation second):
Instant application (17/175,720) | Conflicting patent (10,999,304)
Instant: 1. A method, comprising: collecting data packets transmitted between multiple entities over a network;
Conflicting: 1. A method, comprising: collecting data packets transmitted between multiple entities over a network;
Instant: grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong;
Conflicting: grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong;
Instant: identifying pairs of the connections having identical source and destination entities and times that are together within a specified time window, wherein each given pair of connections comprises first and second connections;
Conflicting: identifying pairs of the connections having identical source and destination entities and times that are together within a specified time window, wherein each given pair of connections comprises first and second connections;
Instant: generating sets of features from header information in the packets of the identified pairs of the connections;
Conflicting: generating sets of features for the identified pairs of the connections, wherein each of the features are selected from a list consisting of respective ports used during the first and the second connections, respective start times of the first and the second connections, respective end times of the first and the second connections, respective durations of the first and the second connections, respective volumes of the first and the second connections, respective reverse volumes of the first and the second connections, a source IP address for the first and the second connections, a destination IP address for the first and the second connections and a protocol for the first and the second connections; (Comment: the instant application is directed to the header of a packet, which is broader in scope than the conflicting limitations; network addresses are commonly found in headers as means for routing packets)
Instant: evaluating, by a processor, the features in the pairs in order to detect a given pair of connections indicating a bind shell attack;
Conflicting: evaluating, by a processor, the features in the pairs in order to detect a given pair of connections indicating a bind shell attack;
Instant: and generating an alert for the bind shell attack.
Conflicting: and generating an alert for the bind shell attack.


Instant application (17/175,720) | Conflicting patent (10,999,304)
Instant: 12. A method, comprising: collecting data packets transmitted between multiple entities over a network;
Conflicting: 1. A method, comprising: collecting data packets transmitted between multiple entities over a network;
Instant: grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong;
Conflicting: grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong;
Instant: identifying pairs of the connections having identical source and destination entities and times that are together within a specified time window, wherein each given pair of connections comprises first and second connections;
Conflicting: identifying pairs of the connections having identical source and destination entities and times that are together within a specified time window, wherein each given pair of connections comprises first and second connections;
Instant: generating sets of features from the respective times of the identified pairs of the connections;
Conflicting: generating sets of features for the identified pairs of the connections, wherein each of the features are selected from a list consisting of respective ports used during the first and the second connections, respective start times of the first and the second connections, respective end times of the first and the second connections, respective durations of the first and the second connections, respective volumes of the first and the second connections, respective reverse volumes of the first and the second connections, a source IP address for the first and the second connections, a destination IP address for the first and the second connections and a protocol for the first and the second connections;
Instant: evaluating, by a processor, the features in the pairs in order to detect a given pair of connections indicating a bind shell attack;
Conflicting: evaluating, by a processor, the features in the pairs in order to detect a given pair of connections indicating a bind shell attack;
Instant: and generating an alert for the bind shell attack.
Conflicting: and generating an alert for the bind shell attack.


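The claimed method above is a pipeline: packets are grouped into connections, connections with the same source and destination entities whose start times fall within a window are paired, per-pair features are generated, and the features are evaluated to raise an alert. The following is an added worked example of that pipeline in Python; it is not code from the applicant, the patents, or this Office action. The flow-record format, the sample packets, the thresholds, and the helper names (group_packets, identify_pairs, pair_features, evaluate, detect_bind_shells) are all constructed for illustration. Only two of the evaluation conditions come from the claims themselves (the start-time difference of claim 15 and the small first-connection volume of claim 25); the remaining two conditions (second connection on a different port, with reply traffic) are assumptions added here, not limitations recited on the page.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float       # capture time in seconds (constructed format)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    size: int       # payload bytes


@dataclass
class Connection:
    src_ip: str     # initiating entity: source of the first packet seen
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    start: float
    end: float
    volume: int = 0          # bytes from the initiating entity to the destination
    reverse_volume: int = 0  # bytes flowing back to the initiating entity

    @property
    def duration(self) -> float:
        return self.end - self.start


def group_packets(packets: List[Packet], idle_timeout: float = 60.0) -> List[Connection]:
    """Group packets by endpoint pair and time: packets sharing a 5-tuple in
    either direction belong to one connection unless separated by more than
    idle_timeout seconds, in which case a new connection is started."""
    open_conns: Dict[tuple, Connection] = {}
    closed: List[Connection] = []
    for p in sorted(packets, key=lambda pk: pk.ts):
        key = (frozenset({(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)}), p.proto)
        conn = open_conns.get(key)
        if conn is not None and p.ts - conn.end > idle_timeout:
            closed.append(open_conns.pop(key))
            conn = None
        if conn is None:
            conn = Connection(p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto, p.ts, p.ts)
            open_conns[key] = conn
        conn.end = p.ts
        if p.src_ip == conn.src_ip:
            conn.volume += p.size
        else:
            conn.reverse_volume += p.size
    closed.extend(open_conns.values())
    return sorted(closed, key=lambda c: c.start)


def identify_pairs(conns: List[Connection], window: float) -> List[Tuple[Connection, Connection]]:
    """Pair connections with identical source and destination entities whose
    start times lie within `window` seconds of each other (first, second)."""
    by_entities: Dict[tuple, List[Connection]] = defaultdict(list)
    for c in conns:
        by_entities[(c.src_ip, c.dst_ip)].append(c)
    pairs = []
    for group in by_entities.values():
        group.sort(key=lambda c: c.start)
        for i, first in enumerate(group):
            for second in group[i + 1:]:
                if second.start - first.start > window:
                    break
                pairs.append((first, second))
    return pairs


def pair_features(first: Connection, second: Connection) -> dict:
    """Feature set for a pair, following the list recited in the conflicting patent's claim 1."""
    return {
        "ports": (first.dst_port, second.dst_port),
        "start_times": (first.start, second.start),
        "end_times": (first.end, second.end),
        "durations": (first.duration, second.duration),
        "volumes": (first.volume, second.volume),
        "reverse_volumes": (first.reverse_volume, second.reverse_volume),
        "src_ip": first.src_ip,
        "dst_ip": first.dst_ip,
        "protocol": (first.proto, second.proto),
        "start_delta": second.start - first.start,
    }


def evaluate(feat: dict, max_first_volume: int = 512, start_delta_range=(0.0, 30.0)) -> bool:
    """Constructed decision rule: a small first connection (claim 25) followed within a
    range of seconds (claim 15) by a second connection to a different port that gets
    a reply (the last two conditions are assumptions added here)."""
    lo, hi = start_delta_range
    return (feat["volumes"][0] < max_first_volume
            and lo <= feat["start_delta"] <= hi
            and feat["ports"][0] != feat["ports"][1]
            and feat["reverse_volumes"][1] > 0)


def detect_bind_shells(packets: List[Packet], window: float = 30.0, **thresholds) -> List[dict]:
    """Run the full pipeline and return one alert per flagged pair."""
    alerts = []
    for first, second in identify_pairs(group_packets(packets), window):
        feat = pair_features(first, second)
        if evaluate(feat, **thresholds):
            alerts.append({"src_ip": feat["src_ip"], "dst_ip": feat["dst_ip"],
                           "first_port": feat["ports"][0], "second_port": feat["ports"][1],
                           "start_delta": feat["start_delta"]})
    return alerts


# Constructed sample capture: a tiny exchange to port 445 followed two seconds later by a
# session on a new high port from the same host, plus two ordinary web requests from another host.
SAMPLE_PACKETS = [
    Packet(100.0, "10.0.0.5", 51000, "10.0.0.9", 445, "tcp", 120),
    Packet(100.2, "10.0.0.9", 445, "10.0.0.5", 51000, "tcp", 60),
    Packet(102.0, "10.0.0.5", 51001, "10.0.0.9", 4444, "tcp", 40),
    Packet(102.5, "10.0.0.9", 4444, "10.0.0.5", 51001, "tcp", 900),
    Packet(103.0, "10.0.0.5", 51001, "10.0.0.9", 4444, "tcp", 35),
    Packet(200.0, "10.0.0.7", 52000, "10.0.0.9", 80, "tcp", 1500),
    Packet(200.1, "10.0.0.9", 80, "10.0.0.7", 52000, "tcp", 4000),
    Packet(201.0, "10.0.0.7", 52001, "10.0.0.9", 80, "tcp", 1400),
    Packet(201.1, "10.0.0.9", 80, "10.0.0.7", 52001, "tcp", 3800),
]

if __name__ == "__main__":
    for alert in detect_bind_shells(SAMPLE_PACKETS):
        print("ALERT bind shell pattern:", alert)
```

On the sample capture the web-request pair from 10.0.0.7 is paired (same entities, one second apart) but not flagged, because its first connection carries far more than the constructed 512-byte threshold; the 10.0.0.5 pair is flagged. In a real deployment the thresholds would be tuned against baseline traffic, and the pairing window bounds memory because only connections within `window` seconds of each other are ever compared.
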
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 4, 7, 8, 11-16, 19, 20, 22, and 25 are rejected under 35 U.S.C. 103 as being unpatentable over US 2015/0341380 to HEO et al. (hereinafter, “HEO”) in view of Skormin, V. A. (hereinafter, “SKORMIN”), Anomaly-Based Intrusion Detection Systems Utilizing System Call Data, 2012 Mar 1.
As per claim 1: HEO discloses: A method, comprising: collecting data packets transmitted between multiple entities over a network (“The flow information collector 100 collects flow information of a control network and delivers the collected flow information to the flow classifier 110.” [HEO, ¶0025]); grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong (“The flow classifier 110 groups the flow using at least one of the source address, the service port, and the destination address of the flow of the control network…” [HEO, ¶0026]; “…flows are grouped according to flow information and flows of the same group are analyzed…” [HEO, ¶0027]; wherein flow information includes transmission time [HEO, ¶0033]); identifying pairs of the connections having identical source and destination entities and times that are together within a specified time window, wherein each given pair of connections comprises first and second connections (“…messages transmitted and received between source and destination systems in the same group are packets executing the same function, in which a packet size, a packet transmission period, an interval between packets, protocols, and the like, between the systems have the same pattern.” [HEO, ¶0027]; each flow referring to a connection); generating sets of features from header information in the packets of the identified pairs of the connections (storing flow information which includes a destination address, transmission time, a packet size, and the like – common information found in packet headers [HEO, ¶0033]); evaluating, by a processor, the features in the pairs in order to detect a given pair of connections indicating a (the flow information of a flow group is analyzed by an abnormal behavior analyzer to detect abnormal behavior [HEO, ¶0033]); and generating an alert for the (preventing an attack to the control system by detecting abnormal behavior [HEO, ¶0047]).
HEO does not disclose the attack to be a “bind shell attack.” However, the details of exactly how the sets of features are used to detect such an attack are not recited to distinguish a generic “evaluating…features” step from the method of HEO. Therefore, the method of HEO would have been capable of detecting any attack, including a “bind shell attack.” Bind shells are a well-known type of attack used in network intrusion and computer worms. According to [SKORMIN, pg. 11], it was observed that more than 60% of worms utilized a bind shell engine to propagate throughout a network. A bind shell engine opens a port and listens to the socket until an intruder is connected to the port. 
Thus, it would have been obvious to a person having ordinary skill in the art before the claimed invention was effectively filed to include detection of bind shell attacks in HEO. As stated in [SKORMIN, pg. 11], bind shell related attacks were common engines operating in computer worms. It would have been advantageous to include detection of as many types of network attacks as possible to provide the most optimal protection of a computer system.

As per claim 2: HEO in view of SKORMIN disclose all limitations of claim 1. Furthermore, HEO discloses: wherein a given feature comprises a port number on a given entity in a given connection (analyzing a service port of a flow of a flow group [HEO, ¶0037]).

As per claim 4: HEO in view of SKORMIN disclose all limitations of claim 2. Furthermore, HEO discloses: comprising generating additional sets of features from respective Internet Protocol (IP) addresses in the identified pairs of the connections, and wherein evaluating the features comprises evaluating the additional sets of features (analyzing a transmission time of a flow of the flow group [HEO, ¶0039]).

As per claim 7: HEO in view of SKORMIN disclose all limitations of claim 1. Furthermore, HEO discloses: wherein a given feature comprises an Internet Protocol (IP) address of a given entity in a given connection (analyzing a destination address of a flow of the flow group [HEO, ¶0036]).

As per claim 8: HEO in view of SKORMIN disclose all limitations of claim 1. Furthermore, HEO discloses: wherein a given feature comprises a protocol of a given connection (protocols are used to group flows [HEO, ¶0027]).

As per claim 11: Claim 11 is different in overall scope from claim 1 but recites substantially similar subject matter as claim 1. Claim 11 is directed to a computer software product comprising a non-transitory computer-readable medium storing instructions corresponding to the method of claim 1. Thus, the response provided above for claim 1 is equally applicable to claim 11.

As per claim 12: HEO discloses: A method, comprising: collecting data packets transmitted between multiple entities over a network (“The flow information collector 100 collects flow information of a control network and delivers the collected flow information to the flow classifier 110.” [HEO, ¶0025]); grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong (“The flow classifier 110 groups the flow using at least one of the source address, the service port, and the destination address of the flow of the control network…” [HEO, ¶0026]; “…flows are grouped according to flow information and flows of the same group are analyzed…” [HEO, ¶0027]; wherein flow information includes transmission time [HEO, ¶0033]); identifying pairs of the connections having identical source and destination entities and times that are together within a specified time window, wherein each given pair of connections comprises first and second connections (“…messages transmitted and received between source and destination systems in the same group are packets executing the same function, in which a packet size, a packet transmission period, an interval between packets, protocols, and the like, between the systems have the same pattern.” [HEO, ¶0027]; each flow referring to a connection); generating sets of features from the respective times of the identified pairs of the connections (storing flow information which includes a destination address, transmission time, a packet size, and the like [HEO, ¶0033]); evaluating, by a processor, the features in the pairs in order to detect a given pair of connections indicating a (the flow information of a flow group is analyzed by an abnormal behavior analyzer to detect abnormal behavior [HEO, ¶0033]); and generating an alert for the (preventing an attack to the control system by detecting abnormal behavior [HEO, ¶0047]).
HEO does not disclose the attack to be a “bind shell attack.” However, the details of exactly how the sets of features are used to detect such an attack are not recited to distinguish a generic “evaluating…features” step from the method of HEO. Therefore, the method of HEO would have been capable of detecting any attack, including a “bind shell attack.” Bind shells are a well-known type of attack used in network intrusion and computer worms. According to [SKORMIN, pg. 11], it was observed that more than 60% of worms utilized a bind shell engine to propagate throughout a network. A bind shell engine opens a port and listens to the socket until an intruder is connected to the port. 
Thus, it would have been obvious to a person having ordinary skill in the art before the claimed invention was effectively filed to include detection of bind shell attacks in HEO. As stated in [SKORMIN, pg. 11], bind shell related attacks were common engines operating in computer worms. It would have been advantageous to include detection of as many types of network attacks as possible to provide the most optimal protection of a computer system.

As per claim 13: HEO in view of SKORMIN disclose all limitations of claim 12. Furthermore, HEO discloses: wherein a given feature comprises a start time of a given connection (calculating the transmission time of a flow [HEO, ¶0039]).

As per claim 14: HEO in view of SKORMIN disclose all limitations of claim 13. Furthermore, HEO discloses: wherein an additional feature comprises a difference between the start times of the first and the second connections (comparing the transmission time of the flow with the transmission time of another flow [HEO, ¶0039]).

As per claim 15: HEO in view of SKORMIN disclose all limitations of claim 14. Furthermore, HEO discloses: wherein detecting the bind shell attack comprises detecting that the difference between the start times of the first and the second connections is within a specified range (determining if the transmission time is within a predetermined range of the transmission time of the other flow [HEO, ¶0039]).

As per claim 16: HEO in view of SKORMIN disclose all limitations of claim 14. Furthermore, HEO discloses: wherein an additional feature comprises an end time of a given connection (calculating the transmission time of a flow [HEO, ¶0039]).

As per claim 19: HEO in view of SKORMIN disclose all limitations of claim 12. Furthermore, HEO discloses: wherein a given feature comprises a duration of a given connection (analyzing a request/response time [HEO, ¶0033]).

As per claim 20: HEO in view of SKORMIN disclose all limitations of claim 19. Furthermore, HEO discloses: comprising generating additional sets of features from volumes of the identified pairs of the connections, and wherein evaluating the features comprises evaluating the additional features (a packet size of a flow of the flow group [HEO, ¶0040]).

As per claim 22: HEO discloses: A method, comprising: collecting data packets transmitted between multiple entities over a network (“The flow information collector 100 collects flow information of a control network and delivers the collected flow information to the flow classifier 110.” [HEO, ¶0025]); grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong (“The flow classifier 110 groups the flow using at least one of the source address, the service port, and the destination address of the flow of the control network…” [HEO, ¶0026]; “…flows are grouped according to flow information and flows of the same group are analyzed…” [HEO, ¶0027]; wherein flow information includes transmission time [HEO, ¶0033]); identifying pairs of the connections having identical source and destination entities and times that are together within a specified time window, wherein each given pair of connections comprises first and second connections (“…messages transmitted and received between source and destination systems in the same group are packets executing the same function, in which a packet size, a packet transmission period, an interval between packets, protocols, and the like, between the systems have the same pattern.” [HEO, ¶0027]; each flow referring to a connection); generating sets of features from the respective volumes in the identified pairs of the connections (storing flow information which includes a destination address, transmission time, a packet size, and the like [HEO, ¶0033]); evaluating, by a processor, the features in the pairs in order to detect a given pair of connections indicating a (the flow information of a flow group is analyzed by an abnormal behavior analyzer to detect abnormal behavior [HEO, ¶0033]); and generating an alert for the (preventing an attack to the control system by detecting abnormal behavior [HEO, ¶0047]).
HEO does not disclose the attack to be a “bind shell attack.” However, the details of exactly how the sets of features are used to detect such an attack are not recited to distinguish a generic “evaluating…features” step from the method of HEO. Therefore, the method of HEO would have been capable of detecting any attack, including a “bind shell attack.” Bind shells are a well-known type of attack used in network intrusion and computer worms. According to [SKORMIN, pg. 11], it was observed that more than 60% of worms utilized a bind shell engine to propagate throughout a network. A bind shell engine opens a port and listens to the socket until an intruder is connected to the port. 
Thus, it would have been obvious to a person having ordinary skill in the art before the claimed invention was effectively filed to include detection of bind shell attacks in HEO. As stated in [SKORMIN, pg. 11], bind shell related attacks were common engines operating in computer worms. It would have been advantageous to include detection of as many types of network attacks as possible to provide the most optimal protection of a computer system.

As per claim 25: HEO in view of SKORMIN disclose all limitations of claim 22. Furthermore, HEO discloses: wherein detecting the bind shell attack comprises detecting that the volume of data transmitted in the first connection in the given pair is less than a specified value (when a packet size is not within a predetermined range from the packet size of a different flow in the flow group, an abnormal behavior is detected at the source address).

Allowable Subject Matter
Claims 3, 5, 6, 9, 10, 17, 18, 21, 23, and 24 are currently not rejected over any prior art. These claims contain subject matter that was not found in the cited prior art of record. However, they remain rejected under double patenting as stated earlier in this Office Action. See the following section for other relevant prior art.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 2017/0374090: Network traffic is captured to be assessed on a per-flow basis to classify traffic and detect network attacks. See [0032]. The traffic flows may be grouped based on their sources, destinations, temporal characteristics, or a combination thereof. See [0037].
US 2011/0138463: Network flows are collected into groups by source address, destination address, source-destination address, and protocol ID, and each group is processed into statistics, such as the number of bytes/packets. The rate of change of the second statistics per unit time is analyzed to detect a DDoS attack. See [0041]-[0044].
N. Brownlee et al. Traffic Flow Measurement: Architecture. Request for Comments 2722. October 1999. (“A TRAFFIC FLOW is an artificial logical equivalent to a call or connection…” see pg. 10)

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453. The examiner can normally be reached Mon - Thurs: 10am-7pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ROBERT B LEUNG/ Primary Examiner, Art Unit 2494        11-02-2022