Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is a reply to the application filed on 05/03/2021 with preliminary amendment filed on 07/22/2021, in which, claim(s) 1-20 are pending. Claim(s) 1, 10 and 16 are independent. Claim 1 is amended. Claims 2-20 are newly added. 

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 05/03/2021 has been reviewed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the examiner is considering the information disclosure statement.

Drawings
The drawings filed on 05/03/2021 are accepted by the Examiner.

Claim Objections
Claims 4, 13 and 19 are objected to because of the following informalities:  
In claims 4, 13 and 19, the limitation “the samples of traffic” should be “[[the]] samples of traffic”, since the term “samples” is mentioned for the very first time in the claims.
Appropriate correction is required.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp. 
Claims 1-20 are non-provisionally rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over:
          Claims 1-20 of Patent 11,025,657.

Although the conflicting claims are not identical, they are not patentably distinct from each other because claims 1-20 are anticipated by claims 1-20 of Patent 11,025,657.
Patent No. 11,025,657 (16/218,503):
Claim 1. A method by a security analysis server implemented by one or more electronic devices to generate an updated traffic monitoring rule for monitoring traffic sent over database connections established between one or more database clients and one or more databases, wherein the database connections are monitored by a database agent communicatively coupled to the security analysis server, the method comprising: 
receiving, from the database agent because of a current configuration of the database agent, a count of an amount of traffic, rather than all the traffic, sent over each database connection in a first set of one or more of the database connections being monitored by the database agent; 
generating, in the security analysis server, an updated traffic monitoring rule to replace an existing traffic monitoring rule, wherein the updated traffic monitoring rule indicates a second set of one or more of the database connections being monitored by the database agent for which the database agent is to send a count of an amount of traffic, rather than all the traffic, sent over each database connection in the second set of one or more database connections to the security analysis server because the database connections in the second set of one or more database connections have been determined by the security analysis server to be of an application database connection type based on an analysis by the security analysis server of the counts of the amount of traffic sent over the first set of one or more database connections, wherein the application database connection type is a type of database connection over which application-generated queries are submitted, wherein the second set of one or more database connections is a different set than the first set of one or more database connections; and 
applying the updated traffic monitoring rule by sending instructions to the database agent to alter the current configuration so as to cause the database agent to 
send to the security analysis server the count of the amount of traffic, rather than all the traffic, sent over each database connection in the second set of one or more database connections to reduce the amount of traffic sent by the database agent to the security analysis server for the database connections in the second set of one or more database connections because the database connections in the second set of one or more database connections have been determined by the security analysis server to be of the application database connection type which is a type of database connection that is considered to be trusted and 
send to the security analysis server traffic sent over other database connections.

Instant Application No. (17/306,824):
Claim 1. A method by a database agent implemented by one or more electronic devices that monitors database connections established between one or more database clients and one or more databases, wherein the database agent is communicatively coupled to a security analysis server, the method comprising:
sending, to the security analysis server because of a current configuration of the database agent, a count of an amount of traffic, rather than all traffic, sent over each database connection in a first set of one or more of the database connections being monitored by the database agent;
receiving, from the security analysis server, an instruction to send to the security analysis server a count of an amount of traffic, rather than all the traffic, sent over each database connection in a second set of one or more of the database connections being monitored by the database agent that have been determined by the security analysis server to be of an application database connection type and to send to the security analysis server traffic sent over other database connections; and 
responsive to receiving the instruction, sending, to the security analysis server, the count of the amount of traffic, rather than all the traffic, sent over each database connection in the second set of one or more database connections and sending to the security analysis server traffic sent over the other database connections.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-4, 6-13 and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Siva Kumar et al. (US 2016/0088000 A1) in view of Ginter et al. (US 2005/0015624 A1).
Regarding Claims 1, 10, and 16, Siva Kumar discloses A method by a database agent implemented by one or more electronic devices that monitors database connections established between one or more database clients and one or more databases, wherein the database agent is communicatively coupled to a security analysis server ([0030], “to monitor and collect security event data”, [0032], “Security event monitor 140 (as the database agent) may be implemented by a centralized server computer or multiple server computers configured to collect and store security event data that is generated based on activity of the networked devices”, “Security event monitor 140 may store security event data in storage system 150 (e.g. databases)… storage system 150 may be implemented by a distributed, scalable storage system configured to store massive amounts of data across a cluster of machines”), the method comprising:
sending, to the security analysis server because of a current configuration of the database agent, a count of an amount of traffic, rather than all traffic, sent over each database connection in a first set of one or more of the database connections being monitored by the database agent ([0032], “Security event monitor 140 (as the database agent)… to collect and store security event data that is generated based on (a first set of one or more of connections) activity of the networked devices”, [0039], “counts may be obtained by submitting queries to and/or running processes on storage system 150”, [0040], “to run queries against and/or processes on storage system 150 for obtaining counts”);
Siva Kumar does not explicitly teach but Ginter teaches 
receiving, from the security analysis server, an instruction to send to the security analysis server a count of an amount of traffic, rather than all the traffic, sent over each database connection in a second set of one or more of the database connections being monitored by the database agent that have been determined by the security analysis server to be of an application database connection type and to send to the security analysis server traffic sent over other database connections ([0134], “RTAP 212 may provide for collection, management, visualization and integration of a variety of different automated operations”, [0136], “each of the different agents may report data to RTAP 212 through use of the receiver 210”, [0094], “through (a second set of) one of the connections”, “Specific rules may be disabled or made more specific at particular sites if normal background traffic at the site is found to generate an unacceptable number of false positive alerts as a result of enacting particular rules.”, [0048], “a variety of networks or other type of communication connections”, [0070], “Agents of this second class may be used in monitoring input from third party equipment or applications or other activity about a system other than the system upon which the agent is executing. As described in more detail elsewhere herein, different types of agents of either class may be used in an embodiment to gather the different types of data”); and 
responsive to receiving the instruction, sending, to the security analysis server, the count of the amount of traffic, rather than all the traffic, sent over each database connection in the second set of one or more database connections and sending to the security analysis server traffic sent over the other database connections ([0094], “Specific rules may be disabled or made more specific at particular sites if normal background traffic at the site is found to generate an unacceptable number of false positive alerts as a result of enacting particular rules”, [0225], “for the events counted in the reporting interval”).
Siva Kumar and Ginter are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to send a count of the traffic from the first set of connections (as disclosed by Siva Kumar) and receive instructions for a second set of connections (as taught by Ginter). The motivation/suggestion would have been for monitoring the performance, security and health of a system used in an industrial application (Ginter, Abstract).

Regarding Claims 2, 11, and 17, the combined teaching of Siva Kumar and Ginter teaches sending, to the security analysis server because of the current configuration of the database agent, traffic sent over a third set of one or more of the database connections being monitored by the database agent (Ginter, [0070], “Agents of this second class may be used in monitoring input from third party equipment or applications or other activity about a system other than the system upon which the agent is executing”).

Regarding Claims 3, 12, and 18, the combined teaching of Siva Kumar and Ginter teaches sending, to the security analysis server, a sample of traffic sent over each database connection in the first set of one or more database connections (Siva Kumar, [0029], “a small sample of exemplary security events, security event identifiers, and security event data that may be generated by one or more of user machines 110, server machines 120, and/or domain machines 130”).

Regarding Claims 4, 13, and 19, the combined teaching of Siva Kumar and Ginter teaches wherein the security analysis server uses the samples of traffic to determine connection attributes of each database connection in the first set of one or more database connections (Siva Kumar, [0029], “a small sample of exemplary security events, security event identifiers, and security event data (i.e. connection attributes) that may be generated by one or more of user machines 110, server machines 120, and/or domain machines 130”).

Regarding Claims 6, 15, and 20, the combined teaching of Siva Kumar and Ginter teaches wherein the instruction indicates the second set of one or more database connections using database connection identifiers (Ginter, [0022], “The second agent may report on an address binding of a physical device identifier to a network address if the physical device identifier of a component was not previously known”).

Regarding Claim 7, the combined teaching of Siva Kumar and Ginter teaches
sending, to the security analysis server along with the counts of the amount of traffic sent over the database connections in the first set of one or more database connections, database connection identifiers of the database connections in the first set of one or more database connections (Siva Kumar, [0044], “Logon session data for a logon session may include an identifier (e.g., machine name, IP address) for each machine that was accessed during the logon session, which can be correlated to a machine role for each accessed machine”).
Regarding Claim 8, the combined teaching of Siva Kumar and Ginter teaches 
responsive to detecting a new database connection, sending, to the security analysis server, traffic sent over the new database connection (Ginter, [0021], “When a number of open listen connections is above a second level, an event corresponding to a new component or unauthorized component may be determined”, i.e. the new traffic is sent).

Regarding Claim 9, the combined teaching of Siva Kumar and Ginter teaches 
wherein the counts of the amount of traffic sent over the database connections in the second set of one or more database connections encompass inbound traffic and outbound traffic (Ginter, [0084], “Per-interface incoming and outgoing network traffic, in kilobytes, for a reporting interval”).

Allowable Subject Matter
Claims 5 and 14 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims, and if the double patenting rejection issued in this Office action is overcome, since the prior art, taken individually or in combination, fails to particularly disclose, fairly suggest or render obvious the limitations of the claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186. The examiner can normally be reached Monday-Friday: 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHENG-FENG HUANG/Primary Examiner, Art Unit 2497