DETAILED ACTION
Notice of Pre-AIA or AIA Status
1. 	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

2. 	This is the initial office action that has been issued in response to patent application 17/506,713, filed on 10/21/2021. Claims 1-23, as originally filed, are currently pending and have been considered below. Claims 1, 12 and 23 are independent claims.
Priority
3. 	The application claims priority of continuation application 16/621,655 filed on 01/30/2019.

Information Disclosure Statement
4. 	The information disclosure statements (IDSs) submitted on 01/26/2022 and 06/19/2022 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.




Drawings
5. 	The drawings were received on 10/21/2021.  These drawings are accepted.

Double Patenting
6. 	The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A non-statutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on non-statutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.


	Claims 1-23 are provisionally rejected on the ground of non-statutory double patenting as being unpatentable over claims 1-21 of co-pending U.S. Patent Application No. 16/261,655. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims in the co-pending application contain every element of the claims of the instant application. This is a non-statutory obviousness-type double patenting rejection.
Current Application No. 17/560,713
Claim 1:
A method, comprising:
identifying, in data traffic transmitted between multiple nodes that communicate over a network, a set of port scans, each of the port scans comprising an access, in the data traffic, of a plurality of communication ports on a given destination node by a given source node during a specified time period;
identifying in the data traffic a group of high-traffic ports, comprising one or more of the communication ports that receive respective volumes of the data traffic that are in excess of a predefined threshold;
and upon detecting a port scan not comprising the access of any of the identified high-traffic ports,
initiating a preventive action.

Co-pending Application 16/261,655
Claim 1:
A method, comprising:
identifying, in data traffic transmitted between multiple nodes that communicate over a network, a set of port scans, each of the port scans comprising an access, in the data traffic, of a plurality of communication ports on a given destination node by a given source node during a predefined time period;
identifying in the data traffic a group of high-traffic ports, comprising one or more of the communication ports that receive respective volumes of the data traffic that are in excess of a predefined threshold;
generating, for the identified port scans respective signatures indicative of the communication ports, other than the high-traffic ports, that were accessed in each of the port scans;
computing a respective frequency of occurrence of each of the signatures over the set of the port scans;
assembling a whitelist of the signatures for which the respective frequency of occurrence is greater than a predefined threshold;
and upon detecting a port scan for which the respective signature is not on the whitelist,
initiating a preventive action.
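
The steps recited in the two versions of claim 1 compared above can be illustrated with a short detection sketch. This is an added example, not part of the office action, the applications, or the cited references. The flow record layout, the constants (WINDOW, MIN_PORTS, VOLUME_THRESHOLD, SIGNATURE_FREQ_THRESHOLD), the network-wide per-port byte count, and the handling of an empty signature are all assumptions, and the sample flows are constructed.

```python
from collections import Counter, defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    ts: float    # seconds since start of capture
    src: str     # source node
    dst: str     # destination node
    dport: int   # destination communication port
    nbytes: int  # bytes carried by the flow


class Alert(NamedTuple):
    src: str
    dst: str
    signature: tuple
    no_high_traffic_port: bool  # condition of the current application's claim 1


# All four values are assumed for illustration; the claims only say "predefined".
WINDOW = 60.0                 # length of the time period, in seconds
MIN_PORTS = 3                 # distinct ports that count as "a plurality"
VOLUME_THRESHOLD = 10_000     # bytes above which a port is high-traffic
SIGNATURE_FREQ_THRESHOLD = 1  # a signature seen more often than this is whitelisted


def find_port_scans(flows):
    """Map (src, dst, window index) to the set of ports accessed, keeping scans only."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f.src, f.dst, int(f.ts // WINDOW))].add(f.dport)
    return {k: frozenset(v) for k, v in ports.items() if len(v) >= MIN_PORTS}


def high_traffic_ports(flows):
    """Ports whose total byte volume (network-wide, an assumption) exceeds the threshold."""
    volume = Counter()
    for f in flows:
        volume[f.dport] += f.nbytes
    return {p for p, v in volume.items() if v > VOLUME_THRESHOLD}


def signature(ports, high):
    """Signature of a scan: the accessed ports other than the high-traffic ports."""
    return tuple(sorted(ports - high))


def detect(flows):
    """Return alerts for scans whose signature is not on the frequency whitelist."""
    scans = find_port_scans(flows)
    high = high_traffic_ports(flows)
    freq = Counter(signature(p, high) for p in scans.values())
    whitelist = {s for s, n in freq.items() if n > SIGNATURE_FREQ_THRESHOLD}
    alerts = []
    for (src, dst, _win), ports in sorted(scans.items()):
        sig = signature(ports, high)
        if not sig:
            # Assumption: a scan touching only high-traffic ports is treated as benign.
            continue
        if sig not in whitelist:
            alerts.append(Alert(src, dst, sig, ports.isdisjoint(high)))
    return alerts


def _probe(ts, src, dst, ports, nbytes=60):
    """Constructed helper: one small flow per port, one second apart."""
    return [Flow(ts + i, src, dst, p, nbytes) for i, p in enumerate(ports)]


# Constructed sample traffic, all inside one 60-second window.
SAMPLE_FLOWS = (
    # Ordinary web client: large volumes, only two ports, so not a scan.
    [Flow(1.0, "10.0.0.9", "10.0.1.10", 80, 50_000),
     Flow(2.0, "10.0.0.9", "10.0.1.10", 443, 80_000)]
    # Inventory tool repeating the same port set on three hosts (frequent signature).
    + _probe(5, "10.0.0.5", "10.0.1.10", [22, 135, 445])
    + _probe(10, "10.0.0.5", "10.0.1.11", [22, 135, 445])
    + _probe(15, "10.0.0.5", "10.0.1.12", [22, 135, 445])
    # One-off scan that avoids every high-traffic port.
    + _probe(20, "10.0.0.66", "10.0.1.10", [21, 23, 3389, 5900])
    # One-off scan that also touches the high-traffic ports 80 and 443.
    + _probe(30, "10.0.0.77", "10.0.1.11", [80, 443, 8080, 8443])
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

On the constructed data both one-off scans fall outside the whitelist, but only the scan from 10.0.0.66 satisfies the narrower condition of accessing none of the high-traffic ports.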



7. 	Claims 1, 5-12 and 16-23 are rejected under 35 U.S.C. 103 as being unpatentable over Wilken (US Patent Publication No. 2004/199793 A1) in view of Lai (US Patent Publication No. 2016/127390 A1) and further in view of Shi (US Patent Publication No. 2011/0035795 A1).

8. 	Regarding Claim 1, Wilken discloses, a method, comprising: identifying, in data traffic transmitted between multiple nodes that communicate over a network (Wilken, Abstract, the aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node.), 
identifying in the data traffic a group of high-traffic ports, comprising one or more of the communication ports that receive respective volumes of the data traffic that are in excess of a predefined threshold (Wilken, [0075], A collector 12 should handle relatively high rates of network traffic. As the network grows and traffic volume increases, additional collectors 12 can be deployed in appropriate locations to tap new network traffic. [0103], the scan detect process 70 will detect that the scanning host has initiated network communication with an unusual number of hosts.).
Wilken does not explicitly disclose the following limitations that Lai teaches: 
a set of port scans, each of the port scans comprising an access, in the data traffic, of a plurality of communication ports on a given destination node by a given source node during a specified time period (Lai, [0097], the present disclosure provides at least one advancement in the technical field of detection of port scans in a network. This advancement is in addition to the traditional detection of port scans that are based on comparing a number of scans of ports within a given time period against a fixed threshold.); 
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include a set of port scans with each port scan having access into the data traffic of communications on the given nodes to enhance security features.
Wilken and Lai do not explicitly disclose the following limitations that Shi teaches:
and upon detecting a port scan not comprising the access of any of the identified high-traffic ports, initiating a preventive action (Shi, [0012], a different signature may be generated for a second data flow whose packets store a different set of source and destination IP addresses than packets in the first data flow. Of course, those skilled in the art will appreciate that a data flow's signature).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include initiating the action when the port scan does not comprise access of the identified high-traffic ports, to enhance security features.

9. 	Regarding Claim 5, Wilken, Lai and Shi disclose, the method according to claim 1, wherein detecting the port scan not comprising the access of any of the identified high-traffic ports comprises generating, for the identified port scans, respective signatures indicative of the communication ports, other than the high-traffic ports, that were accessed in each of the port scans (Wilken, [0109], The port scan detection process examines connection-based features of an anomaly rather than attempting to ascertain and develop a signature for a potential attack. The port scan detection process knows which ports hosts communicate with, so it is unlikely that the port scan detection process would declare a port scan for normal traffic); 
computing a respective frequency of occurrence of each of the signatures over the set of the port scans (Wilken, [0109], The port scan detection process examines connection-based features of an anomaly rather than attempting to ascertain and develop a signature for a potential attack. The port scan detection process knows which ports hosts communicate with, so it is unlikely that the port scan detection process would declare a port scan for normal traffic); 
Wilken and Lai do not explicitly disclose the following limitation that Shi teaches:
and detecting a port scan whose respective frequency is less than a predefined threshold (Shi, [0012], a conventional hash function to “signature” information. In this context, a signature is a set of values that remain constant for every packet in a data flow. For example, assume each packet in a first data flow stores the same pair of source and destination IP address values. In this case, a signature for the first data flow may be generated based on the values of these source and destination IP addresses).  
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the predefined threshold of the port scan to enhance security features. 

10. 	Regarding Claim 6, Wilken, Lai and Shi disclose, the method according to claim 5, wherein computing the respective frequency of occurrence of each of the signatures over the set of the port scans comprises determining, for each given unique signature (Wilken, ¶[0109], port scan detection process examines connection-based features of an anomaly rather than attempting to ascertain and develop a signature for a potential attack.), 
	Wilken and Lai do not explicitly disclose the following limitations that Shi teaches:
a count of scans matching the given unique signature (Shi ¶[0012], a dataflow is a stream of data packets that is communicated from a source node to a destination node. The hash table is typically organized as a table of linked lists, where each list may be indexed by the result of applying a conventional hash function to “signature” information. In this context, a signature is a set of values that remain constant for every packet in a data flow); 
and wherein detecting the port scan whose respective frequency is less than the predefined threshold comprises detecting a port scan for which the count of scans for the respective signature is less than or equal to a specified number (Shi, [0029],  a large number of packets must be handled efficiently to avoid congestion at a gateway. The first method of the present invention is to accumulate information by reading the source and destination information of outgoing packets. Source nodes within the local area network which are sending to rapidly varying destinations are identified).  
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the count of the scans when detecting that the ports of the respective signature are less than or equal to the threshold, to enhance security features.

11. 	Regarding Claim 7, Wilken, Lai and Shi disclose, the method according to claim 5, wherein computing the respective frequency of occurrence of each of the signatures over the set of the port scans comprises determining, for each given unique signature (Wilken, [0109], port scan detection process examines connection-based features of an anomaly rather than attempting to ascertain and develop a signature for a potential attack.), 
Wilken and Lai do not explicitly disclose the following limitations that Shi teaches:
a count of unique source nodes in the scans matching the given unique signature (Shi, [0012], a dataflow is a stream of data packets that is communicated from a source node to a destination node. The hash table is typically organized as a table of linked lists, where each list may be indexed by the result of applying a conventional hash function to “signature” information. In this context, a signature is a set of values that remain constant for every packet in a data flow); 
and wherein detecting the port scan whose respective frequency is less than the predefined threshold comprises detecting a port scan for which the following conditions apply to the respective signature: the count of the unique source nodes is less than or equal to a first value, and the count of the unique source nodes is greater than or equal to a second value (Shi, ¶[0029],  a large number of packets must be handled efficiently to avoid congestion at a gateway. The first method of the present invention is to accumulate information by reading the source and destination information of outgoing packets. Source nodes within the local area network which are sending to rapidly varying destinations are identified).  
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the count of the unique score and to identify if the unique score is greater than or equal to the value to enhance security features.

12. 	Regarding Claim 8, Wilken, Lai and Shi disclose, the method according to claim 5, wherein computing the respective frequency of occurrence of each of the signatures over the set of the port scans comprises determining (Wilken, [0109], port scan detection process examines connection-based features of an anomaly rather than attempting to ascertain and develop a signature for a potential attack.), 
	Wilken and Lai do not explicitly disclose the following limitations that Shi teaches:
for each given unique signature, a count of unique destination nodes in the scans matching the given unique signature (Shi [0012], a dataflow is a stream of data packets that is communicated from a source node to a destination node. The hash table is typically organized as a table of linked lists, where each list may be indexed by the result of applying a conventional hash function to “signature” information. In this context, a signature is a set of values that remain constant for every packet in a data flow); 
and wherein detecting the port scan whose respective frequency is less than the predefined threshold comprises detecting a port scan for which the following conditions apply to the respective signature: the count of the unique destination nodes is less than or equal to a first value, and the count of the unique destination nodes is greater than or equal to a second value (Shi, [0029], a large number of packets must be handled efficiently to avoid congestion at a gateway. The first method of the present invention is to accumulate information by reading the source and destination information of outgoing packets. Source nodes within the local area network which are sending to rapidly varying destinations are identified).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the count of the destination node to identify the count as equal or greater than the second value to enhance security features. 

13. 	Regarding Claim 9, Wilken, Lai and Shi disclose, the method according to claim 1, wherein the high-traffic port is associated with a given destination node (Wilken, Abstract, each node on the network to a record that stores information about traffic to or from the node, [0075], the network grows and traffic volume increases).  

14. 	Regarding Claim 10, Wilken, Lai and Shi disclose, the method according to claim 1, wherein initiating the preventive action comprises generating an alert for the given source node in the detected port scan (Wilken, [0141], the grouping process 200 continuously monitors communication patterns among the hosts and adjusts groups as computers are added and deleted from the network. In addition, the system flags policy violations, and raises alerts about potential security violations.).  

15. 	Regarding Claim 11, Wilken, Lai and Shi disclose, the method according to claim 1, wherein initiating the preventive action comprises restricting access of the given source node in the detected port scan to the network (Wilken, [0048], FIG. 1, an anomaly detection system 10 to detect anomalies and process anomalies into events is shown. The anomaly detection system 10 can be used to detect denial of service attacks (DoS attacks), unauthorized access attempts, scanning attacks, worm propagation, network failures, and addition of new hosts in a network.).

16. 	Regarding Claim 12, Wilken discloses, an apparatus, comprising: a network interface device coupled to a data network comprising multiple nodes that communicate via the network; and at least one processor configured: to identify, in data traffic transmitted between multiple nodes that communicate over a network (Wilken, Abstract, The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node.), 
to identify in the data traffic a group of high-traffic ports, comprising one or more of the communication ports that receive respective volumes of the data traffic that are in excess of a predefined threshold (Wilken, [0075], A collector 12 should handle relatively high rates of network traffic. As the network grows and traffic volume increases, additional collectors 12 can be deployed in appropriate locations to tap new network traffic. [0103], the scan detect process 70 will detect that the scanning host has initiated network communication with an unusual number of hosts.).
Wilken does not explicitly disclose the following limitations that Lai teaches:
a set of port scans, each of the port scans comprising an access, in the data traffic, of a plurality of communication ports on a given destination node by a given source node during a specified time period (Lai, [0097], the present disclosure provides at least one advancement in the technical field of detection of port scans in a network. This advancement is in addition to the traditional detection of port scans that are based on comparing a number of scans of ports within a given time period against a fixed threshold.); 
Wilken and Lai do not explicitly disclose the following limitations that Shi teaches:
and upon detecting a port scan not comprising the access of any of the identified high-traffic ports, to initiate a preventive action (Shi, [0012], a different signature may be generated for a second data flow whose packets store a different set of source and destination IP addresses than packets in the first data flow. Of course, those skilled in the art will appreciate that a data flow's signature).  

17. 	Regarding Claim 16, Wilken, Lai and Shi disclose, the apparatus according to claim 12, wherein a given processor is configured to detect the port scan not comprising the access of any of the identified high-traffic ports by generating, for the identified port scans, respective signatures indicative of the communication ports, other than the high-traffic ports, that were accessed in each of the port scans; computing a respective frequency of occurrence of each of the signatures over the set of the port scans (Wilken, ¶[0109], The port scan detection process examines connection-based features of an anomaly rather than attempting to ascertain and develop a signature for a potential attack. The port scan detection process knows which ports hosts communicate with, so it is unlikely that the port scan detection process would declare a port scan for normal traffic); 
and detecting a port scan whose respective frequency is less than a predefined threshold (Shi, [0012], a conventional hash function to “signature” information. In this context, a signature is a set of values that remain constant for every packet in a data flow. For example, assume each packet in a first data flow stores the same pair of source and destination IP address values. In this case, a signature for the first data flow may be generated based on the values of these source and destination IP addresses).  

18. 	Regarding Claim 17, Wilken, Lai and Shi disclose, the apparatus according to claim 16, wherein a given processor is configured to compute the respective frequency of occurrence of each of the signatures over the set of the port scans by determining, for each given unique signature (Wilken, [0109], port scan detection process examines connection-based features of an anomaly rather than attempting to ascertain and develop a signature for a potential attack.), 
 	a count of scans matching the given unique signature (Shi [0012], a dataflow is a stream of data packets that is communicated from a source node to a destination node. The hash table is typically organized as a table of linked lists, where each list may be indexed by the result of applying a conventional hash function to “signature” information. In this context, a signature is a set of values that remain constant for every packet in a data flow); 
and wherein a given processor is configured to detect the port scan whose respective frequency is less than the predefined threshold by detecting a port scan for which the count of scans for the respective signature is less than or equal to a specified number (Shi, [0029], a large number of packets must be handled efficiently to avoid congestion at a gateway. The first method of the present invention is to accumulate information by reading the source and destination information of outgoing packets. Source nodes within the local area network which are sending to rapidly varying destinations are identified). 

19. 	Regarding Claim 18, Wilken, Lai and Shi disclose, the apparatus according to claim 16, wherein a given processor is configured to compute the respective frequency of occurrence of each of the signatures over the set of the port scans by determining, for each given unique signature (Wilken, [0109], port scan detection process examines connection-based features of an anomaly rather than attempting to ascertain and develop a signature for a potential attack.), 
a count of unique source nodes in the scans matching the given unique signature (Shi, [0012], a dataflow is a stream of data packets that is communicated from a source node to a destination node. The hash table is typically organized as a table of linked lists, where each list may be indexed by the result of applying a conventional hash function to “signature” information. In this context, a signature is a set of values that remain constant for every packet in a data flow); 
and wherein a given processor is configured to detect the port scan whose respective frequency is less than the predefined threshold by detecting a port scan for which the following conditions apply to the respective signature: the count of the unique source nodes is less than or equal to a first value, and the count of the unique source nodes is greater than or equal to a second value (Shi, [0029], a large number of packets must be handled efficiently to avoid congestion at a gateway. The first method of the present invention is to accumulate information by reading the source and destination information of outgoing packets. Source nodes within the local area network which are sending to rapidly varying destinations are identified).

20. 	Regarding Claim 19, Wilken, Lai and Shi disclose, the apparatus according to claim 16, wherein a given processor is configured to compute the respective frequency of occurrence of each of the signatures over the set of the port scans by determining, for each given unique signature (Wilken, ¶[0109], port scan detection process examines connection-based features of an anomaly rather than attempting to ascertain and develop a signature for a potential attack.), 
Wilken and Lai do not explicitly disclose the following limitation that Shi teaches:
a count of unique destination nodes in the scans matching the given unique signature (Shi, [0012], a dataflow is a stream of data packets that is communicated from a source node to a destination node. The hash table is typically organized as a table of linked lists, where each list may be indexed by the result of applying a conventional hash function to “signature” information. In this context, a signature is a set of values that remain constant for every packet in a data flow); 
and wherein a given processor is configured to detect the port scan whose respective frequency is less than the predefined threshold by detecting a port scan for which the following conditions apply to the respective signature: the count of the unique destination nodes is less than or equal to a first value, and the count of the unique destination nodes is greater than or equal to a second value (Shi, [0029],  a large number of packets must be handled efficiently to avoid congestion at a gateway. The first method of the present invention is to accumulate information by reading the source and destination information of outgoing packets. Source nodes within the local area network which are sending to rapidly varying destinations are identified).  

21. 	Regarding Claim 20, Wilken, Lai and Shi disclose, the apparatus according to claim 12, wherein the high-traffic port is associated with a given destination node (Wilken, Abstract, each node on the network to a record that stores information about traffic to or from the node, [0075], the network grows and traffic volume increases).

22. 	Regarding Claim 21, Wilken, Lai and Shi disclose, the apparatus according to claim 12, wherein a given processor is configured to initiate the preventive action by generating an alert for the given source node in the detected port scan (Wilken, [0141], the grouping process 200 continuously monitors communication patterns among the hosts and adjusts groups as computers are added and deleted from the network. In addition, the system flags policy violations, and raises alerts about potential security violations.).  

23. 	Regarding Claim 22, Wilken, Lai and Shi disclose, the apparatus according to claim 12, wherein a given processor is configured to initiate the preventive action by restricting access of the given source node in the detected port scan to the network (Wilken, [0141], the grouping process 200 continuously monitors communication patterns among the hosts and adjusts groups as computers are added and deleted from the network. In addition, the system flags policy violations, and raises alerts about potential security violations.).  
  
24. 	Regarding Claim 23, Wilken discloses, a non-transitory computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer: to identify, in data traffic transmitted between multiple nodes that communicate over a network, a set of port scans, each of the port scans comprising an access, in the data traffic, of a plurality of communication ports on a given destination node by a given source node during a specified time period (Wilken, Abstract, The aggregator device produces a connection table that maps each node on the network to a record that stores information about traffic to or from the node.); 
to identify in the data traffic a group of high-traffic ports, comprising one or more of the communication ports that receive respective volumes of the data traffic that are in excess of a predefined threshold (Wilken, [0075], A collector 12 should handle relatively high rates of network traffic. As the network grows and traffic volume increases, additional collectors 12 can be deployed in appropriate locations to tap new network traffic. [0103], the scan detect process 70 will detect that the scanning host has initiated network communication with an unusual number of hosts.); 
Wilken does not explicitly disclose the following limitations that Shi teaches:
and upon detecting a port scan not comprising the access of any of the identified high-traffic ports, to initiate a preventive action (Shi, [0012], a different signature may be generated for a second data flow whose packets store a different set of source and destination IP addresses than packets in the first data flow. Of course, those skilled in the art will appreciate that a data flow's signature).

25. 	Claims 2 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Wilken (US Patent Publication No. 2004/199793 A1), Lai (US Patent Publication No. 2016/127390 A1) and Shi (US Patent Publication No. 2011/0035795 A1) and in view of Kommareddy (US Patent Publication No. 8397284 B2).
  
26. 	Regarding Claim 2, Wilken, Lai and Shi disclose, the method according to claim 1, wherein identifying the port scans comprises: identifying, in the data traffic (Wilken, [0059], the method uses adjustments of the intra-scan time for distinguishing between port scans and normal web traffic), 
	Wilken and Lai do not explicitly disclose the following limitations that Shi teaches:
a set of pairs of the source and the destination nodes, each pair consisting of a given source node and a given destination node, and one or more of the communication ports accessed in the data traffic between the source and destination nodes in each pair; computing, for each pair in the set (Shi, [0012], stream of data packets that is communicated from a source node to a destination node), 
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the modification in order to include a set of source and destination nodes with one or more communication ports in the data traffic between each pair of destination nodes.
Wilken, Lai and Shi do not explicitly disclose the following limitations that Kommareddy teaches:
 a respective baseline level that is indicative of a first number of the communication ports that source nodes other than the given source node in the pair accessed on the given destination node during a first time period; computing, for each pair in the set (Kommareddy, Col. 24, lines 58-66, the average and standard deviation of the net increment is computed and their sum is used as the baseline against which the net increment due to aggregation can be measured. Increments of counters above the baseline are considered the outliers. It is to be noted that counters to which attacks are mapped will have increments during the entire duration of the attack, while other counters may have net increments for a few periods. The score of a counter is the net increment of the counter above the baseline), 
a respective test score that is indicative of a difference between a second number of the communication ports that the given source node in the pair accessed on the given destination node during a second time period and the baseline level (Kommareddy, Col.29, lines 20-26, the embodiments for the multiple gateway case described above computes the average and standard deviation over all entries in T(t) that have a positive value. These values are used as a baseline for calculating the instantaneous scores for counters in T for a period t. Instantaneous score of a counter is the counter score for the period for which it was computed and is added to the counter's actual score); 
and designating any of the pairs for which the test score is greater than a specified level as the port scans (Kommareddy, Col. 17, lines 49-54, A monitor's score threshold may be proportional to the average number of flows in its bin and the average flow rate of its flows. In certain embodiments, for simplicity, the invention may use a single value for the score threshold for all flows and monitors. In such an event, the score threshold used will be the maximum of the score thresholds at individual monitors.).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include baseline levels in a communication port that has source nodes in a destination node that will entitle test scores that will be greater than the levels of the port scans.

27. 	Regarding Claim 13, Wilken, Lai and Shi disclose, the apparatus according to claim 12, wherein a given processor is configured to identify the port scans by: identifying, in the data traffic (Wilken, [0059], the method uses adjustments of the intra-scan time for distinguishing between port scans and normal web traffic), 
	Wilken and Lai do not explicitly disclose the following limitations, which Shi teaches:
a set of pairs of the source and the destination nodes, each pair consisting of a given source node and a given destination node, and one or more of the communication ports accessed in the data traffic between the source and destination nodes in each pair (Shi, [0012], stream of data packets that is communicated from a source node to a destination node); 
Wilken, Lai and Shi do not explicitly disclose the following limitations, which Kommareddy teaches:
computing, for each pair in the set, a respective baseline level that is indicative of a first number of the communication ports that source nodes other than the given source node in the pair accessed on the given destination node during a first time period; computing, for each pair in the set (Kommareddy, Col. 24, lines 58-66, the average and standard deviation of the net increment is computed and their sum is used as the baseline against which the net increment due to aggregation can be measured. Increments of counters above the baseline are considered the outliers. It is to be noted that counters to which attacks are mapped will have increments during the entire duration of the attack, while other counters may have net increments for a few periods. The score of a counter is the net increment of the counter above the baseline), 
a respective test score that is indicative of a difference between a second number of the communication ports that the given source node in the pair accessed on the given destination node during a second time period and the baseline level (Kommareddy, Col. 29, lines 20-26, the embodiments for the multiple gateway case described above computes the average and standard deviation over all entries in T(t) that have a positive value. These values are used as a baseline for calculating the instantaneous scores for counters in T for a period t. Instantaneous score of a counter is the counter score for the period for which it was computed and is added to the counter's actual score); 
and designating any of the pairs for which the test score is greater than a specified level as the port scans (Kommareddy, Col. 17, lines 49-54, A monitor's score threshold may be proportional to the average number of flows in its bin and the average flow rate of its flows. In certain embodiments, for simplicity, the invention may use a single value for the score threshold for all flows and monitors. In such an event, the score threshold used will be the maximum of the score thresholds at individual monitors.).  
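The per-pair baseline, test score and threshold steps recited for claims 2 and 13 can be sketched as follows. This is an added illustration, not code from the application or from any cited reference; the flow-record layout, the function names, the sample addresses and the choice of the mean distinct-port count of the other sources as the baseline are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed flow records: (period, source, destination, destination_port).
# Period 0 is the first (baseline) time period, period 1 the second (test) one.
DST = "192.0.2.10"
FLOWS = (
    [(0, "198.51.100.1", DST, p) for p in (80, 443)]
    + [(0, "198.51.100.2", DST, p) for p in (80, 443)]
    + [(1, "198.51.100.1", DST, p) for p in (80, 443, 8080)]
    + [(1, "198.51.100.7", DST, p) for p in range(20, 30)]
)

def ports_by_pair(flows, period):
    """Map each (source, destination) pair to the set of ports seen in a period."""
    seen = defaultdict(set)
    for when, src, dst, port in flows:
        if when == period:
            seen[(src, dst)].add(port)
    return seen

def score_pairs(flows, baseline_period, test_period):
    """Return {(src, dst): (baseline, test_score)} for pairs active in the test period."""
    base = ports_by_pair(flows, baseline_period)
    test = ports_by_pair(flows, test_period)
    scores = {}
    for (src, dst), ports in test.items():
        # Baseline (assumed form): mean number of distinct ports that sources
        # OTHER than src accessed on dst during the baseline period.
        others = [len(p) for (s, d), p in base.items() if d == dst and s != src]
        baseline = mean(others) if others else 0.0  # no history for dst: baseline 0
        # Test score: ports this source accessed in the test period minus baseline.
        scores[(src, dst)] = (baseline, len(ports) - baseline)
    return scores

def designate_scans(flows, threshold, baseline_period=0, test_period=1):
    """Pairs whose test score exceeds the specified level."""
    scores = score_pairs(flows, baseline_period, test_period)
    return sorted(pair for pair, (_, score) in scores.items() if score > threshold)

if __name__ == "__main__":
    for pair, (baseline, score) in score_pairs(FLOWS, 0, 1).items():
        print(pair, "baseline:", baseline, "score:", score)
    print("designated:", designate_scans(FLOWS, threshold=3))
```

Excluding the scored source from its own baseline keeps a host that scanned in both periods from raising the level it is measured against.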

27. 	Claims 3-4 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Wilken (US Patent Publication No. 2004/199793 A1), Lai (US 2016/127390 A1) and Shi (US Patent Publication No. 2011/0035795 A1) in view of Waxman (US Patent Publication No. 2006/0215627 A1).
  
28. 	Regarding Claim 3, Wilken, Lai and Shi disclose, the method according to claim 1, 
Wilken in view of Lai and Shi do not explicitly disclose the following limitations that Waxman teaches:
wherein the specified time period comprises multiple sub-periods comprising a set of first sub-periods and a second sub-period subsequent to the first sub-periods (Waxman, [0010], a first sub-period of time in the period of time. The method of operation includes the communications node selecting for signal processing a second signal, in a second channel in the plurality of channels, in a second sub-period of time in the period of time.); 
wherein the step of computing the respective frequency of occurrence of each of the signatures is performed on the port scans in the first sub-periods (Waxman, [0010], the communications node scanning a plurality of channels simultaneously during a period of time, with the communications node selecting for signal processing a first signal, in a first channel in the plurality of channels, in a first sub-period of time in the period of time); and wherein detecting the port scan is during the second sub-period (Waxman, [0010], the communications node selecting for signal processing a second signal, in a second channel in the plurality of channels, in a second sub-period of time in the period of time.).  
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include a set of sub-periods within a specified time period and to compute the port scans within the first and second sub-periods to enhance security features.

29. 	Regarding Claim 4, Wilken, Lai, Shi and Waxman disclose the method according to claim 3, wherein each of the sub-periods have substantially identical time durations (Waxman, [0022], one sub-period of time may not temporally overlap with another sub-period of time). 
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include the time durations of the sub-periods that are identical to enhance security features.

30. 	Regarding Claim 14, Wilken, Lai and Shi disclose, the apparatus according to claim 12, 
wherein a given processor is configured, in the first sub-periods, to perform the step of computing the respective frequency of occurrence of each of the signatures (Wilken, [0109], port scan detection process examines connection-based features of an anomaly rather than attempting to ascertain and develop a signature for a potential attack.),
Wilken, Lai and Shi do not explicitly disclose the following limitations that Waxman teaches:
wherein the specified time period comprises multiple sub-periods comprising a set of first sub-periods and a second sub-period subsequent to the first sub-periods (Waxman, [0010], a first sub-period of time in the period of time. The method of operation includes the communications node selecting for signal processing a second signal, in a second channel in the plurality of channels, in a second sub-period of time in the period of time.); 
and wherein a given processor is configured to detect the port scan during the second sub-period (Waxman, [0010], the communications node selecting for signal processing a second signal, in a second channel in the plurality of channels, in a second sub-period of time in the period of time.).  

31. 	Regarding Claim 15, Wilken, Lai, Shi and Waxman disclose the apparatus according to claim 14, 
	Wilken, Lai and Shi do not explicitly disclose the following limitations that Waxman teaches:
wherein each of the sub-periods have substantially identical time durations (Waxman, [0022], one sub-period of time may not temporally overlap with another sub-period of time).  

Conclusion
32. 	Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAYASA SHAAWAT whose telephone number is (571)272-3939.  The examiner can normally be reached on M-F, 8 AM TO 5 PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, JEFFREY PWU can be reached on (571)272-6789. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MAYASA SHAAWAT/
Examiner, Art Unit 2433
	
/William J. Goodchild/Primary Examiner, Art Unit 2433