DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of Claims
The amendment filed 11/17/2022 has been entered. Claims 1, 3, 6-7, 9, 11, 13, 16-17, 19 are currently amended. Claims 1-20 are pending in the application.
Response to Amendments
The objection to specification has been withdrawn in light of applicant amendment to the Specification filed 11/17/2022.
The objection to claims 6-7, 9, 16-17, 19 due to informalities has been withdrawn in light of applicant’s amendment to the claims; and the objection to claim 11 has also been withdrawn in light of applicant’s opinion.
The rejection of claims 1, 3, 11, 13 under 35 USC 102 has been withdrawn in light of applicant’s amendment to the claims.
Response to Arguments
Applicant’s arguments, see pg. 9-10 of the Remarks filed 11/17/2022, regarding claims rejected under 35 USC 102/103 have been fully considered. Examiner agrees with applicant that reference Beauchesne does not specifically teach the underlined amended limitations reciting “processing the metadata into time series data” and “analyzing the time series data”. The rejection of claims 1, 3, 11, 13 under 35 USC 102 has been withdrawn. However, upon an updated search, reference Mhatre has been found to teach the amended feature. Therefore, examiner asserts that applicant’s argument regarding rejections under 35 USC 103 in the Remarks is moot in view of the new ground of rejection under 35 USC 103 presented in the current office action with incorporation of prior art Mhatre.
Applicant is encouraged to further incorporate innovative features into the independent claims to advance the case.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 3, 11, 13 are rejected under 35 U.S.C. 103 as being unpatentable over Beauchesne et al (US20180077178A1, hereinafter, "Beauchesne"), in view of Mhatre et al (US20190149560A1, hereinafter, "Mhatre").
Regarding claim 1, Beauchesne teaches:
A method (Beauchesne, discloses method and system for identifying malicious payloads, see [Abstract]), comprising:
collecting, in a closed network, raw network traffic from one or more devices in the closed network (Beauchesne, [0020] the detection engine 106 operates by performing unsupervised machine learning using data about the network traffic within the network 102 ... In this manner, the disclosed invention provides an approach to identify, in real time, the use of malicious payloads, such as for example, those used in rootkit or code injection attacks inside enterprise networks (i.e. closed network which is network 102). And [0030] At module 130, data from the network traffic is collected);
extracting metadata from the raw network traffic (Beauchesne, [0026] Perform metadata extraction of the client-server sessions. And [0030] In particular, every internal network communication session is processed through a parsing module and a set of metadata is extracted);
processing the metadata [into time series data] (Beauchesne, [0030] At module 130, data from the network traffic is collected, and metadata processing is performed upon that data);
analyzing [the time series data] after the metadata has been processed (Beauchesne, [0038] At module 134, the system performs detection of suspicious activity with regards to payload deliveries. The metadata for network traffic is analyzed against the models developed by the learning module to identify anomalies from the normal, baseline behavior); (see Mhatre below for the teachings of the bracketed limitations)
and based on the analyzing, determining whether or not an actual attack or attack threat is present in the closed network (Beauchesne, [0056] A determination is made at 306 whether the calculated score is within a defined threshold. If the pair of client-server sequences differ more than the specified similarity score, then the session containing the exchange is flagged as a potentially malicious payload (i.e. actual attack or attack threat) at 308).
	While Beauchesne teaches processing the metadata and analyzing, it does not specifically teach processing the metadata into time series data and analyzing the time series data. In the same field of endeavor, Mhatre teaches:
	processing the metadata into time series data (Mhatre, discloses method and system for detecting threat in network communication by analyzing time series vectors representing metadata of network communication, see [Title]/[Abstract] and claims 1, 20. And [0030] The time series relay detection engine 122 extracts metadata from network traffic and creates metadata sessions by identifying and organizing a source and destination for hosts in the network. A metadata time series representation of the session is created for a session. Also see Fig. 3 step 306), 
	analyzing the time series data (Mhatre, [0047] An analyzer module 410 may employ a categorization unit 411 that uses the metadata to categorize the flows into one or more known network attribute criteria and time-series vector generator 412 to create quantitative abstractions of the metadata that capture actor behavior. The analyzer module 410 may comprise at least a categorization unit 411, a time-series vector generator 412, and a vector comparison module 415).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Mhatre in the method and system for detecting malicious payloads of Beauchesne by extracting metadata from network traffic and creating time series vector representing metadata for analysis. This would have been obvious because the person having ordinary skill in the art would have been motivated for detection of malicious relay and jump-system using network behavioral analysis on time series metadata (Mhatre, [Abstract], [0006], [0030]).

Regarding claim 11, claim 11 is a non-transitory storage medium claim that encompasses limitations that are similar to those of method claim 1. Therefore, claim 11 is rejected with same rationale and motivation as applied against claim 1. In addition, Beauchesne teaches: a non-transitory storage medium having stored therein instructions that are executable by one or more hardware processors (Beauchesne, discloses method and system for identifying malicious payloads, see [Abstract]. And [0064] computer system 1400 performs specific operations by processor 1407 executing one or more sequences of one or more instructions contained in system memory 1408. Such instructions may be read into system memory 1408 from another computer readable/usable medium, such as static storage device 1409).

Regarding claim 3, similarly claim 13, Beauchesne-Mhatre combination teaches the method as recited in claim 1, the non-transitory storage medium as recited in claim 11, 
The combination of Beauchesne-Mhatre further teaches: wherein analysis of the time series data is performed using an AI/ML model (Beauchesne, [0020] As described in more detail below, the detection engine 106 operates by performing unsupervised machine learning using data about the network traffic within the network 102. And [0038] The metadata for network traffic is analyzed against the models developed by the learning module to identify anomalies from the normal, baseline behavior). Examiner notes, Beauchesne teaches analyzing metadata using machine learning and Mhatre further teaches analyzing time series metadata, therefore, it is obvious the combination of Beauchesne-Mhatre teaches analyzing time series metadata using machine learning.

Claims 2, 12 are rejected under 35 U.S.C. 103 as being unpatentable over Beauchesne-Mhatre combination as applied to claim 1, 11 respectively, further in view of Hlady et al (WO2018220426A1, hereinafter, “Hlady”).
Regarding claim 2, similarly claim 12, Beauchesne-Mhatre combination teaches the method as recited in claim 1, the non-transitory storage medium as recited in claim 11,
While the combination of Beauchesne-Mhatre does not explicitly teach the following limitation(s), Hlady in the same field of endeavor teaches:
wherein the method is performed by a VNF pod on an edge node of the closed network (Hlady, discloses method and system for packet processing in distributed VNF, see [Title] and [Abstract]. And in particular, [0003] A VNF may be implemented at various parts of a network, such as … and a provider edge (PE) router (i.e. edge node). And [0088] At reference 506, the first processing unit processes a packet in the traffic flow based on the packet processing rule. The first processing unit identifies the packet as in the traffic flow based on the packet/frame header of the packet).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Hlady in the method and system for detecting malicious payloads of Beauchesne-Mhatre by implementing VNF with a provider edge router. This would have been obvious because the person having ordinary skill in the art would have been motivated for processing the network traffic packets with edge router in a distributed VNF as efficient load balancing for packet processing (Hlady, [Abstract], [0003-0004]).

Claims 4, 14 are rejected under 35 U.S.C. 103 as being unpatentable over Beauchesne-Mhatre combination as applied to claim 1, 11 respectively, further in view of Litjens et al (WO20200256706A1, hereinafter, “Litjens”).
Regarding claim 4, similarly claim 14, Beauchesne-Mhatre combination teaches the method as recited in claim 1, the non-transitory storage medium as recited in claim 11,
While the combination of Beauchesne-Mhatre does not explicitly teach the following limitation(s), Litjens in the same field of endeavor teaches:
wherein the closed network is a 5G CBRS network (Litjens, [Abstract] An apparatus such as a domain proxy implemented in an edge cloud of a private enterprise network includes a processor configured to aggregate traffic for Citizens Broadband radio Service (i.e. 5G CBRS) Devices (CBSDs) in a private enterprise network).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Litjens in the method and system for detecting malicious payloads of Beauchesne-Mhatre by processing traffic in 5G CBRS private enterprise network. This would have been obvious because the person having ordinary skill in the art would have been motivated for enhanced network availability for private enterprise networks in shared spectrum systems (Litjens, [Abstract]).

Claims 5, 15 are rejected under 35 U.S.C. 103 as being unpatentable over Beauchesne-Mhatre combination as applied to claim 1, 11 respectively, further in view of Wood et al (US20090290492A1, hereinafter, “Wood”).
Regarding claim 5, similarly claim 15, Beauchesne-Mhatre combination teaches the method as recited in claim 1, the non-transitory storage medium as recited in claim 11,
While the combination of Beauchesne-Mhatre does not explicitly teach the following limitation(s), Wood in the similar field of endeavor teaches:
wherein the extracted metadata comprises TCP headers (Wood, discloses method for indexing network traffic meta-data, [Abstract]. And [0048] The analysis module 302 may analyze (e.g., check, verify, etc.) the packet 250 having a header 202 and a payload 204 in a flow of the data through a network. The type module 304 may classify (e.g., identify) the header 202 of the packet 250 to associated category (e.g., …, TCP header, etc.). The classification module 306 may determine an algorithm (e.g., a suitable logical technique) to extract the meta-data 206 having information relevant to network traffic visibility based on the type of the header (e.g., …, TCP header, etc.)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Wood in the method and system for detecting malicious payloads of Beauchesne-Mhatre by extracting meta-data having information relevant to network traffic by classifying header of the packet including TCP header. This would have been obvious because the person having ordinary skill in the art would have been motivated to extract meta-data having information relevant to network traffic visibility based on type of header for indexing network traffic meta-data (Wood, [Abstract], [0005]).

Claims 6, 16 are rejected under 35 U.S.C. 103 as being unpatentable over Beauchesne-Mhatre combination as applied to claim 1, 11 respectively, further in view of Dubois et al (US20200329072A1, hereinafter, “Dubois”).
Regarding claim 6, similarly claim 16, Beauchesne-Mhatre combination teaches the method as recited in claim 1, the non-transitory storage medium as recited in claim 11, wherein the determining indicates that an attack or attack threat is present in the closed network (see Beauchesne’s teachings shown for claim 1, claim 11 respectively), 
While the combination of Beauchesne-Mhatre does not explicitly teach the following limitation(s), Dubois in the same field of endeavor teaches:
and the method further comprises transmitting instructions to devices in the closed network not to accept calls from the one or more devices which initiated the attack or present the attack threat (Dubois, discloses method for utilizing threat data for network security, see [Title]. And [Abstract] Aspects of the present disclosure involve utilizing network threat information to manage one or more security devices or policies of a communication network. The security system may receive threat intelligence data or information associated with potential threats to a communications network and process the threat intelligence data to determine one or more configurations to apply to security devices of a network. The system may then generate a rule or action to respond to the identified attack, such as a firewall rule for a firewall device to block traffic (i.e. not to accept calls) from the source of the attack).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Dubois in the method and system for detecting malicious payloads of Beauchesne-Mhatre by receiving threat intelligence data associated with potential threat and further using firewall rule with firewall device to block traffic from source of attack. This would have been obvious because the person having ordinary skill in the art would have been motivated to utilize threat data or information to configure components of the network against network attacks (Dubois, [Abstract], [0002]).

Claims 7, 17 are rejected under 35 U.S.C. 103 as being unpatentable over Beauchesne-Mhatre combination as applied to claim 1, 11 respectively, further in view of Burns et al (US9584482B1, hereinafter, “Burns”).
Regarding claim 7, similarly claim 17, Beauchesne-Mhatre combination teaches the method as recited in claim 1, the non-transitory storage medium as recited in claim 11,
While the combination of Beauchesne-Mhatre does not explicitly teach the following limitation(s), Burns in the same field of endeavor teaches:
wherein the one or more devices in the closed network were authorized to join the closed network, and one of the devices comprises an IoT device (Burns, discloses control access of IoT devices on a private network, and [Abstract] The control service uses this information to open a connection between the requesting application and the IoT device having the requested API, and via this connection. And [Claim 1] A system for securing access to internet-of-things (IoT) devices on a private network, … wherein the configuration module is further configured to prompt the user to allow the IoT service to have access to a new API that becomes available on a second IoT device that joins the private network or that becomes available on the first IoT device).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Burns in the method and system for detecting malicious payloads of Beauchesne-Mhatre by secure access to IoT devices on a private network. This would have been obvious because the person having ordinary skill in the art would have been motivated to configure and allow restricted access to IoT devices without the burden and complexity of manually adding all these devices to the private network (Dubois, [Abstract], [0002]).

Claims 8, 18 are rejected under 35 U.S.C. 103 as being unpatentable over Beauchesne-Mhatre combination as applied to claim 1, 11 respectively, further in view of Anderson et al (US20210194894A1, hereinafter, “Anderson”).
Regarding claim 8, similarly claim 18, Beauchesne-Mhatre combination teaches the method as recited in claim 1, the non-transitory storage medium as recited in claim 11,
While the combination of Beauchesne-Mhatre does not explicitly teach the following limitation(s), Anderson in the same field of endeavor teaches:
wherein the actual attack or attack threat comprises, respectively, a DOS attack or DOS attack threat (Anderson, discloses method of traffic analysis on metadata in a software-defined network, see [Title]/[Abstract]. And [0012] The switch forms telemetry data for reporting to a traffic analysis service by applying a metadata filter to the copy of the packet. And [0032] traffic analysis process 248 may assess captured telemetry data (e.g., captured by telemetry capture process 249) regarding one or more traffic flows, to determine whether a given traffic flow or set of flows are associated with malware in the network, such as a particular family of malware applications. Example forms of traffic that can be caused by malware may include, …, traffic that is part of a network attack, such as a zero day attack or denial of service (DoS) attack).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Anderson in the method and system for detecting malicious payloads of Beauchesne-Mhatre by traffic analysis on traffic metadata to determine whether traffic flows are associated with malware such as DoS attack. This would have been obvious because the person having ordinary skill in the art would have been motivated to employ supervised or unsupervised machine learning models to analyze the traffic flows against malware (Anderson, [Abstract], [0002-0003], [0012]).

Claims 9, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Beauchesne-Mhatre combination as applied to claim 1, 11 respectively, further in view of Smith (US20150326589A1, hereinafter, “Smith”).
Regarding claim 9, similarly claim 19, Beauchesne-Mhatre combination teaches the method as recited in claim 1, the non-transitory storage medium as recited in claim 11,
While the combination of Beauchesne-Mhatre does not explicitly teach the following limitation(s), Smith in the same field of endeavor teaches:
further comprising identifying the one or more devices in the closed network which initiated the attack or present the attack threat (Smith, discloses method for reducing impact of malicious activity on operations of a WAN, see [Title]/[Abstract]. And [0019] metadata describing characteristics of an attack may be distributed among the Service Providers, who in response may implement measures to prevent their network elements and users from being used to implement a denial-of-service (DoS) or distributed denial-of-service (DDoS) type of attack. And [0090] the Security Service System(s) may be configured to analyze the metadata provided by the protocol to identify infected attack vector devices, and in response to provide a report to the Service Provider device that identifies the infected attack vector devices that are connected to (and provided services by) that Service Provider device).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Smith in the method and system for detecting malicious payloads of Beauchesne-Mhatre by analyzing metadata to identify infected attack vector devices. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify the infected devices due to DDoS attack for reducing impact of malicious activity in the WAN network (Smith, [Abstract]).

Claims 10, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Beauchesne-Mhatre combination as applied to claim 1, 11 respectively, further in view of Huang et al (US20190140904A1, hereinafter, “Huang”).
Regarding claim 10, similarly claim 20, Beauchesne-Mhatre combination teaches the method as recited in claim 1, the non-transitory storage medium as recited in claim 11,
While the combination of Beauchesne-Mhatre does not explicitly teach the following limitation(s), Huang in the similar field of endeavor teaches:
wherein the raw network traffic is collected by way of a data plane through which all the raw network traffic passes (Huang, discloses network slicing method by obtaining metadata information of traffic flows, see [Abstract]. And [0054] the App-aware analysis module may obtain metadata information of traffic flows from a data plane, and output a classification policy according to the metadata information. And [0062] Operation S210 may be executed by the App-aware analysis module shown in FIG. 1. Specifically, the App-aware analysis module may collect metadata information of multiple traffic flows in a network from a data plane in a distributed manner. Herein, the App-aware analysis module may periodically collect metadata information of a traffic flow from the data plane).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Huang in the method and system for detecting malicious payloads of Beauchesne-Mhatre by collecting metadata information of traffic flows from a data plane. This would have been obvious because the person having ordinary skill in the art would have been motivated to collect traffic metadata information from data plane for further data processing for efficient network performance (Huang, [Abstract]).
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but have not been relied upon for this office action:
Rajasekharan et al (US20190042744A1) discloses method for detecting onset of ransomware attack by determining whether detected anomalous file backup activity is correlated in time. File description metadata for each of the computing devices is also accessed and analyzed to identify files in the computing devices that are anomalous to other files in the computing devices. A determination whether a ransomware attack has begun is based on a determination that the detected anomalous file backup activity of at least some of the computing devices is correlated in time. 
Wei et al (CN110958257A) discloses method and system for capturing the attack event according to the attack event obtaining flow metadata feature corresponding to the attack event.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MICHAEL M LEE/Examiner, Art Unit 2436   

/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436