DETAILED ACTION
Notice of Pre-AIA or AIA Status
1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
2. Applicant's arguments filed on 07/28/2022, and the amendments to independent claims 23, 30 and 37, are hereby acknowledged.

3. Applicant argues that the prior art of record does not disclose the newly amended features of independent claim 23, which recites in part: “classify, based on application of a machine model to the patterns of network traffic for the computing resource instance, behavior of the computing resource instance with respect to a security threat of a particular type; and take action, in response to classification of the behavior of the computing resource instance as malicious with respect to the security threat, to mitigate the security threat.”

4. Examiner would like to point out that the independent claims are rejected under 102(a)(2), and the new 102 reference Di Pietro (2016/0028753) in Para:0055 and Para:0089-0090 teaches the above claimed limitation (see the rejection below).

Double Patenting
5. The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper time-wise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A non-statutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on non-statutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1)-706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based e-Terminal Disclaimer may be filled out completely online using web-screens. An e-Terminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about e-Terminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-l.jsp.

6. Claims 23, 26-27, 30, 33-34, 37 and 40-41 are rejected on the ground of non-statutory double patenting as being unpatentable over claims 1, 7, 10 and 18-19 of U.S. Patent No. 10,320,813. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the Patent contain every element of the claims of the instant application and as such anticipate the claims of the instant application.

"A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus)." ELI LILLY AND COMPANY v. BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001).

Claim Rejections - 35 USC § 102
7. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

8. Claims 23, 26, 30, 33, 37 and 40 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Di Pietro (US Pub. No. 2016/0028753).

9. Regarding claims 23, 30 and 37, Di Pietro teaches a system, a method and a non-transitory computer-readable media comprising: a plurality of compute nodes of a network comprising two or more compute nodes that host respective virtual computing resource instances, each compute node comprising at least one processor and a memory; and a security threat detection and mitigation platform, implemented on the network and configured to:
receive one or more indications of patterns of network traffic received by, or sent from, one of the computing resource instances of the network (Para:0078 and Para:0089-0090 teach determining the network traffic pattern received from the nodes. For example, in Fig. 9A node 31 will determine that the traffic pattern received from nodes 41-42 has diverged from its local traffic model, indicating that the traffic pattern has potentially changed);

classify, based on application of a machine model to the patterns of network traffic for the computing resource instance, behavior of the computing resource instance with respect to a security threat of a particular type (Fig. 11 and Para:0081-0083 teach classifying the network traffic to detect an attack. Fig. 13 and Para:0089-0090 teach modeling the traffic patterns and detecting a traffic pattern change by comparing the observed traffic to its machine learning traffic model. Para:0092 teaches identifying the attack type);

and take action, in response to classification of the behavior of the computing resource instance as malicious with respect to the security threat, to mitigate the security threat (Para:0055 teaches a network attack being detected and reported within network 100. Any or all of the nodes/devices 200 shown may execute a learning machine process (e.g., learning machine process 248) that is configured to detect potential network attacks, such as a DoS attack, using a machine learning classifier. Assume for illustrative purposes that an attack node/device launches an attack targeted at node 42, as shown in FIG. 5A. As a result of the attack, the performance of the communication link between nodes 42 and 31 may change (e.g., by affecting the amount of packet loss along the link, by increasing the number of requests originating from node 42, by increasing delays, etc.). In such a case, the learning machine process executed by node 31 may analyze the changes and determine that a potential attack has been detected, as shown in FIG. 5B. In response, as shown in FIG. 5C, node 31 may generate and send an alert 508 to a supervisory device such as the network FAR/Root, NMS, or other such device via which corrective measures may be taken (e.g., by alerting a human operator of the potential attack, instituting routing changes, etc.). As will be appreciated, alerts and other corrective measures may also be initiated by any other node in addition to that of node 31, such as node 42, other neighbors of node 42, etc.).

10. Regarding claims 26, 33 and 40, Di Pietro teaches the system, the method and the non-transitory computer readable media, wherein the machine model being trained is a new machine model (Para:0030-0032 teach that the machine model being trained is a new machine model).

11. Regarding claims 33 and 40, Di Pietro teaches the method and the non-transitory computer readable media, wherein the machine model being trained is an already existing machine model (Para:0030-0032 teach that the model is a machine learning model and, as such, is constantly updated).

Claim Rejections - 35 USC § 103
12. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

13. Claims 24-25, 31-32 and 38-39 are rejected under 35 U.S.C. 103 as being unpatentable over Di Pietro (US Pub. No. 2016/0028753) as applied to claims 23, 30 and 37 above, and further in view of Korsunsky (US Pub. No. 2011/0214157).

14. Regarding claims 24, 31 and 38, Di Pietro teaches all the above claimed limitations but does not expressly teach the system, the method and the non-transitory computer readable media wherein the security threat detection and mitigation platform is configured to perform said classifying of behavior of the computing resource instance without knowledge of content of packets in the network traffic.

Korsunsky teaches the security threat detection and mitigation platform being configured to perform said classifying of behavior of the computing resource instance without knowledge of content of packets in the network traffic (Para:0020-0021 teach analyzing the patterns in the data flow. Para:0163-0164 teach the network behavior of the data flow, which includes a connection time, an inter-connection time, a request time, a response time, and a count of a number of bytes in a connection of the packet header).

Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Di Pietro to include the security threat detection and mitigation platform being configured to perform said classifying of behavior of the computing resource instance without knowledge of content of packets in the network traffic, as taught by Korsunsky, since such a setup would give the predictable result of detecting abnormal traffic patterns in the computing network.

15. Regarding claims 25, 32 and 39, Di Pietro teaches all the above claimed limitations but does not expressly teach the system, the method and the non-transitory computer readable media, wherein the security threat detection and mitigation platform is configured to train the machine model to distinguish malicious behavior in network traffic based on one or more features of interest including packet size, packet frequency, or ratio of inbound packets to outbound packets.

Korsunsky teaches distinguishing malicious behavior in network traffic based on one or more features of interest including packet size, packet frequency, or ratio of inbound packets to outbound packets (Para:0163-0166 teach that the abnormal pattern is recognized based on the packet size).

Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Di Pietro to include distinguishing malicious behavior in network traffic based on one or more features of interest including packet size, packet frequency, or ratio of inbound packets to outbound packets, as taught by Korsunsky, since such a setup would give the predictable result of detecting abnormal traffic patterns in the computing network.

16. Claims 27, 29, 34, 36 and 41 are rejected under 35 U.S.C. 103 as being unpatentable over Di Pietro (US Pub. No. 2016/0028753) as applied to claims 23, 30 and 37 above, and further in view of Cruz Mota (US Pub. No. 2016/0028754).

17. Regarding claims 27, 34 and 41, Di Pietro teaches all the above claimed limitations but does not expressly teach the system, the method and the non-transitory computer readable media, wherein the security threat detection and mitigation platform is to create, based on data used in an erroneous classification of behavior, a white list feature or inference engine rule indicating that an instance of the corresponding erroneously-classified behavior is malicious unless a flag is set to indicate that an instance is permitted.

Cruz Mota teaches the security threat detection and mitigation platform being configured to create, based on data used in an erroneous classification of behavior, a white list feature or inference engine rule indicating that an instance of the corresponding erroneously-classified behavior is malicious unless a flag is set to indicate that an instance is permitted (Para:0033 teaches that learning machine process 248 will be an attack detection classifier that classifies network traffic or conditions into either an "attack" category or a "normal operation" category, based on learned behavior of the network. Fig. 7 and Para:0095-0097 teach that the device causes the traffic data clusters to be segregated into a set of one or more attack-related clusters and into a set of one or more clusters related to normal traffic. The one or more cluster-based attack detectors will label each cluster as either attack-related or normal traffic. These labels will then be used to segregate the corresponding traffic for each cluster into the attack-related set and normal traffic set. In response to identifying the attack-related traffic, the device will take any number of mitigation measures, such as dropping the attack-related traffic).

Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Di Pietro to create, based on data used in an erroneous classification of behavior, a white list feature or inference engine rule indicating that an instance of the corresponding erroneously-classified behavior is malicious unless a flag is set to indicate that an instance is permitted, as taught by Cruz Mota, since such a setup would give the predictable result of classifying the network traffic based on a set of rules and would help to detect potential attacks.

18. Regarding claims 29 and 36, Di Pietro teaches all the above claimed limitations but does not expressly teach the system and the method, wherein the security threat detection and mitigation platform is to create, via application of machine learning techniques, a hyperplane that separates (a) a cluster of instances exhibiting behavior that was previously being classified as malicious based on one traffic pattern from (b) all other clusters of instances and a particular instance that was previously in that cluster.

Cruz Mota teaches the system and the method, wherein the security threat detection and mitigation platform is to create, via application of machine learning techniques, a hyperplane that separates (a) a cluster of instances exhibiting behavior that was previously being classified as malicious based on one traffic pattern from (b) all other clusters of instances and a particular instance that was previously in that cluster (Figs. 4-6, Para:0061 and Para:0091 teach that, once trained, a cluster-based attack detector 410 will analyze the corresponding clusters, to label each cluster as either "attack-related" or "normal traffic." In other words, one of attack detectors 410 will segregate the analyzed clusters into a set 412 of attack-related clusters (e.g., the clusters that signaled an attack) and a set 414 of normal traffic clusters (e.g., the clusters that were considered safe by attack detector 410). For example, assume that final classification 408 indicates that an HTTP Slow Loris type of attack has been detected using the aggregated set of traffic data. If cluster process 249 uses mean-shift clustering to divide the set of traffic data into clusters A-D, it may provide aggregated metrics for these clusters to an attack detector 410 that has been specifically configured to detect HTTP Slow Loris attacks. In response, attack detector 410 will analyze and label each cluster accordingly, to form sets 412-414 (e.g., clusters A-C contain normal traffic, but cluster D relates to an HTTP Slow Loris attack)).

Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Di Pietro to create, via application of machine learning techniques, a hyperplane that separates (a) a cluster of instances exhibiting behavior that was previously being classified as malicious based on one traffic pattern from (b) all other clusters of instances and a particular instance that was previously in that cluster, as taught by Cruz Mota, since such a setup would give the predictable result of classifying the network traffic based on a set of rules and would help to detect potential attacks.

19. Claims 28, 35 and 42 are rejected under 35 U.S.C. 103 as being unpatentable over Di Pietro (US Pub. No. 2016/0028753) as applied to claims 23, 30 and 37 above, and further in view of Schmidtler (US Pub. No. 2015/0033341).

20. Regarding claims 28, 35 and 42, Di Pietro teaches all the above claimed limitations but does not expressly teach the system, the method and the non-transitory computer readable media, wherein the security threat detection and mitigation platform is to retrain, based on an override of a classification decision that identifies an observed pattern as not being associated with a malicious attack, the machine model to recognize a difference between malicious and benign traffic patterns.

Schmidtler teaches the security threat detection and mitigation platform being configured to retrain, based on an override of a classification decision that identifies an observed pattern as not being associated with a malicious attack, the machine model to recognize a difference between malicious and benign traffic patterns (Para:0004 and Para:0024-0026 teach that, by creating trained models in the threat identification system, the threat identification system will automatically detect threats that have evolved and changed over time and that have never been observed by the threat identification system. In one example, feature vectors representing information associated with instances of data may be generated and sent to a classifier to determine a threat assessment score for the feature vectors. The threat assessment score may be determined by utilizing information from the threat assessment models. The threat assessment score may facilitate automatically determining whether the instance of data is a threat or not. For example, when the threat assessment score is above a predetermined threshold, this may indicate that the instance of data is a threat. In some cases, the classifier may not determine whether a threat exists or not based on the threat assessment score. As such, the threat assessment score may be reviewed by a third-party source to determine whether a threat exists or not. When the third-party source determines whether a threat exists or not, the feature vector and determined threat may be sent back to the threat assessment models for retraining. As such, the threat assessment models are consistently retrained to identify changed and evolved types of threats automatically. The threat assignment information and threat assessment scores will be disseminated to a computing device, such as an endpoint, to protect the endpoint from potential threats. In another case, the threat assignment information and threat assessment scores will be disseminated to a database for storage and/or a published white/black-list).

Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Di Pietro to retrain the machine model, based on an override of a classification decision that identifies an observed pattern as not being associated with a malicious attack, as taught by Schmidtler, since such a setup would determine the threat and protect the endpoint devices from the threat.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DEREENA T CATTUNGAL whose telephone number is (571) 270-0506. The examiner can normally be reached on Mon-Fri: 7:30 AM-5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild, can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/DEREENA T CATTUNGAL/Primary Examiner, Art Unit 2431