DETAILED ACTION
This office action is in response to the original application filed on December 11, 2020.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 1-20 have been cancelled.

Claims 21-40 are pending.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  

Claims 21-40 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10,887,327. Although the claims at issue are not identical, they are not patentably distinct from each other because the instant application and the ’327 patent are both directed to methods and systems for enforcing threat policy actions based on network addresses of host threats.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 21-23, 25-32, and 34-40 are rejected under 35 U.S.C. 103 as being unpatentable over Samadani (US Pub. No. 2018/0131705) in view of Yadav (US Pub. No. 2016/0359872).

As per claim 21 Samadani discloses:
A method, comprising: receiving, by a device, host threat feed information associated with endpoint hosts communicating with a network; (paragraph 4 of Samadani, various embodiments include methods that may be implemented on a processor of a network device for protecting computing devices from non-benign activity. Various embodiments may include receiving a first network traffic flow of a monitoring computing device and a malicious activity tag identifying a non-benign behavior of the first network traffic flow, determining one or more characteristics of the first network traffic flow associated with the non-benign behavior) and (paragraph 30 of Samadani, non-benign or malicious activities may include, for example, activities causing the leakage of an International Mobile Equipment Identity (IMEI) of the computing device, activities tracking the computing device location, an unexpected or atypical connection for a particular application or for a particular type of communication, communication with a malicious server, communication activity typically associated with malware, or any other activity that may negatively affect a computing device).
Tagging, by the device, at least one host threat, of a plurality of host threats, identified by the host threat feed information, with at least one particular identification of a plurality of particular identifications, (paragraph 4 of Samadani, receiving a second network traffic flow from a non-monitoring computing device, and determining whether the second network traffic flow represents non-benign activity by comparing the one or more characteristics of the first network traffic flow associated with the non-benign activity to the second network traffic flow) and (paragraph 8 of Samadani, comparing one or more traffic features of the second network traffic flow with one or more traffic features associated with the non-benign activity, determining whether the packet header information and one or more traffic features of the second network traffic flow correlate to packet header information and the one or more traffic features associated with the non-benign activity within a threshold degree of correlation, and associating the malicious activity tag and the second network traffic flow in response to determining that the packet header information and one or more traffic features of the second network traffic flow correlate to packet header information and the one or more traffic features associated with the non-benign activity within a threshold degree of correlation).
The at least one particular identification being based on one of: a media access control (MAC) address, session information, or a hardware identifier associated with one of the endpoint hosts; (paragraph 31 of Samadani, a malicious activity tag may include one or more of an identifier (ID) of the monitoring computing device sending the malicious activity tag (e.g., the monitoring computing device's Media Access control (MAC ID)), a source Internet Protocol (IP) address of the network traffic flow on which the malicious activity occurred, a source port of the network traffic flow on which the non-benign or malicious activity occurred, a destination IP address of the network traffic flow on which the non-benign or malicious activity occurred, and a destination port of the network traffic flow on which the non-benign or malicious activity occurred).
Samadani teaches the method of identifying the threat traffic across the network based on the at least one particular identification (see paragraph 4 of Samadani) but fails to clearly disclose:
Monitoring, by the device, host threat traffic across the network based on the at least one particular identification.
However, in the same field of endeavor, Yadav teaches this limitation (paragraph 531 of Yadav: as a network system monitors traffic to detect security threats, the most effective attacks attempt to compromise the monitoring system first. In a system that contains multiple “sensors” reporting traffic flows from various nodes around the network, an attacker might attempt to create fake sensors to manipulate reports in order to mask illegitimate traffic or overwhelm the system with false reports).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Samadani and include the above limitation using the teaching of Yadav in order to enhance the security of network activity by monitoring the network traffic (see paragraph 531 of Yadav).

As per claim 22 Samadani in view of Yadav discloses:
The method of claim 21, further comprising: providing information associated with the host threat traffic to a management device to prevent duplicate analysis of the host threat traffic by the management device. (Paragraph 49 of Samadani, in various embodiments, a security hub device in the network may manage the security of both monitoring computing devices and non-monitoring computing devices, and may take an action to handle any network traffic flows associated with non-benign or malicious activity providing security for both monitoring computing devices and non-monitoring computing devices. For example, the security hub may be configured to prioritize suspicious network flows for both monitoring computing devices and/or non-monitoring computing devices for deeper analysis, and such prioritization may be based at least in part on any malicious activity tags received by the security hub. Various embodiments may enable both monitoring computing devices and non-monitoring computing devices to be provided security by non-benign or malicious activity reporting from only a subset of computing devices in the network, specifically only non-benign or malicious activity reporting from the monitoring computing devices).

As per claim 23 Samadani in view of Yadav discloses:
The method of claim 21, further comprising: identifying a specific host threat, of the plurality of host threats, based on a particular identification, of the plurality of particular identifications, associated with the specific host threat, (paragraph 57 of Samadani, in some embodiments, the network device may receive a plurality of packets from a network traffic flow and may perform one or more analyses on the plurality of packets to determine one or more traffic flow characteristics) and (paragraph 5 of Samadani, the one or more characteristics of the first network traffic flow associated with the non-benign activity may include information in packet headers of the first network traffic flow).
Wherein information identifying the specific host threat includes a list of network addresses associated with the specific host threat. (Paragraph 31 of Samadani, a malicious activity tag may include one or more of an identifier (ID) of the monitoring computing device sending the malicious activity tag (e.g., the monitoring computing device's Media Access control (MAC ID)), a source Internet Protocol (IP) address of the network traffic flow on which the malicious activity occurred, a source port of the network traffic flow on which the non-benign or malicious activity occurred, a destination IP address of the network traffic flow on which the non-benign or malicious activity occurred, and a destination port of the network traffic flow on which the non-benign or malicious activity occurred).

As per claim 25 Samadani in view of Yadav discloses:
The method of claim 23, further comprising: identifying at least one network element, of a plurality of network elements, of the network, associated with the specific host threat to the network; (paragraph 25 of Samadani, the term “monitoring computing device” refers to a computing device that is configured to send information characterizing or identifying a network traffic flow and/or information characterizing or identifying an application of the computing device that is the source of a network traffic flow, as further described below).
Determining a network control system associated with the identified at least one network element; (paragraph 44 of Samadani, in various embodiments, the processor of the network device may send an indication of all network traffic flows associated with a malicious activity tag and/or information identifying source applications to another device, such as a security hub managing security for those network traffic flows).
Samadani teaches the method of identifying the threat traffic across the network based on the at least one particular identification (see paragraph 4 of Samadani) but fails to clearly disclose:
Determining a policy enforcement group of at least one network element that maps to the list of network addresses associated with the specific host threat; determining a threat policy action to enforce for the specific host threat; and causing, via the network control system, the threat policy action to be enforced by the policy enforcement group of the at least one network element.
However, in the same field of endeavor, Yadav teaches this limitation (paragraph 29 of Yadav: 10 can supplement its analysis by initiating synthetic traffic flows and synthetic attacks on the datacenter. These artificial actions can assist analytics module 110 in gathering data to enhance its model. In some example embodiments, these synthetic flows and synthetic attacks are used to verify the integrity of sensors 104, collectors 108, and analytics module 110. Over time, components may occasionally exhibit anomalous behavior. Analytics module 110 can analyze the frequency and severity of the anomalous behavior to determine a reputation score for the component using reputation module 162. Analytics module 110 can use the reputation score of a component to selectively enforce policies).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Samadani and include the above limitation using the teaching of Yadav in order to enhance the security of network activity by enforcing the network security policy (see paragraph 29 of Yadav).

As per claim 26 Samadani in view of Yadav discloses:
The method of claim 23, further comprising: generating, based on the host threat feed information, a data structure that includes information identifying sessions associated with the endpoint hosts, (paragraph 35 of Samadani, extrinsic traffic flow characteristics may be obtained by the processor of the network device by observing tagged packets, and any packets received in response over an observational period of time to identify common features or patterns in such traffic flows. Examples of extrinsic traffic flow characteristics may include one or more of packet size, packet volumes, packet interarrival times, packet lengths, packet length densities, session handshake patterns, messaging patterns, and packet statistics, such as mean packet size, interquartile range (IQR), and decomposition type (Wavelet, Fourier, etc.)) and (paragraph 69 of Samadani, the processor of the network device 102 may store packet header information in a data structure configured to enable rapid access to the various packet header data, as further described with reference to traffic flow characteristics 300 illustrated in FIG. 3) and (paragraph 5 of Samadani, the one or more characteristics of the first network traffic flow associated with the non-benign activity may include information in packet headers of the first network traffic flow).
The specific host threat being caused by one of the endpoint hosts; and wherein identifying the at least one network element comprises: identifying, based on the data structure, the at least one network element associated with the specific host threat to the network. (Paragraph 39 of Samadani, in some embodiments, the processor of the network device may use the learned associations of traffic flow characteristics and traffic flow characterizations or descriptions to associate information identifying a source application with characteristics of associated network traffic flows. In such embodiments, the network device may use the learned associations of the source applications with the traffic flow characteristics to determine the applications associated with network traffic of non-monitoring computing devices) and (paragraph 69 of Samadani, the processor of the network device 102 may store packet header information in a data structure configured to enable rapid access to the various packet header data, as further described with reference to traffic flow characteristics 300 illustrated in FIG. 3) and (paragraph 5 of Samadani, the one or more characteristics of the first network traffic flow associated with the non-benign activity may include information in packet headers of the first network traffic flow).
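As an added illustration, not part of this Office action, the application, or either cited reference, the following Python sketch walks through the steps recited in claims 21 through 26 as quoted above: host threat feed information is received, the threat hosts are tagged with a particular identification (MAC address, hardware identifier, or session) drawn from an endpoint data structure, traffic is monitored by that identification rather than by network address, the network elements that map to the threat's list of addresses form a policy enforcement group, and a threat policy action is handed to the network control system that manages each element. Every endpoint, address, feed entry, network element, and controller name is constructed for the example; none comes from the application or the references.

```python
"""Constructed walkthrough of the claim 21-26 steps: ingest a host threat feed,
tag threat hosts with a stable identification, monitor traffic by that
identification, and pass a policy action to the control system that owns the
affected network elements. All data below is made up for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Identifications an endpoint host can be tagged with, in order of preference
# (claim 21: a MAC address, session information, or a hardware identifier).
ID_KINDS = ("mac", "hw_id", "session")


@dataclass(frozen=True)
class HostThreat:
    name: str
    severity: str
    addresses: Tuple[str, ...]  # list of network addresses from the feed (claim 23)
    tags: Tuple[str, ...]       # particular identifications of the tagged hosts


# Constructed endpoint data structure (claim 26): identifiers and session per host,
# keyed by the host's current address, plus the network element it is attached to.
ENDPOINTS: Dict[str, Dict[str, str]] = {
    "10.0.1.20": {"mac": "00:1a:2b:3c:4d:5e", "hw_id": "SN-0001", "session": "s-41", "element": "sw-1"},
    "10.0.1.21": {"mac": "00:1a:2b:3c:4d:5f", "hw_id": "SN-0002", "session": "s-42", "element": "sw-1"},
    "10.0.2.5":  {"mac": "00:1a:2b:3c:4d:60", "hw_id": "SN-0003", "session": "s-43", "element": "ap-2"},
}

# Constructed mapping of network elements to the control systems managing them (claim 27).
CONTROL_SYSTEMS: Dict[str, str] = {"sw-1": "sdn-ctl-a", "ap-2": "wlan-ctl-b"}

# Constructed host threat feed; 10.0.9.9 is deliberately absent from ENDPOINTS.
THREAT_FEED = [
    {"name": "c2-beacon", "severity": "high",   "addresses": ["10.0.1.20", "10.0.2.5"]},
    {"name": "port-scan", "severity": "medium", "addresses": ["10.0.1.21"]},
    {"name": "stale-ioc", "severity": "low",    "addresses": ["10.0.9.9"]},
]

# Constructed traffic flows. The second flow is the 10.0.2.5 host after it obtained
# a new address, so a match on IP alone would miss it; the third is benign.
FLOWS = [
    {"src_ip": "10.0.1.20", "src_mac": "00:1a:2b:3c:4d:5e", "dst_ip": "203.0.113.50"},
    {"src_ip": "10.0.1.77", "src_mac": "00:1a:2b:3c:4d:60", "dst_ip": "203.0.113.51"},
    {"src_ip": "10.0.1.30", "src_mac": "00:1a:2b:3c:4d:99", "dst_ip": "192.0.2.1"},
]

# Threat policy action per severity (claim 25: "determining a threat policy action").
ACTIONS = {"high": "quarantine", "medium": "rate-limit", "low": "log-only"}


def pick_identification(endpoint: Dict[str, str]) -> Optional[str]:
    """Return the first available stable identifier for an endpoint, as 'kind:value'."""
    for kind in ID_KINDS:
        if endpoint.get(kind):
            return f"{kind}:{endpoint[kind]}"
    return None


def tag_host_threats(feed, endpoints) -> Tuple[List[HostThreat], List[str]]:
    """Tag each feed entry with the identifications of the endpoints its addresses
    resolve to. Addresses with no known endpoint are reported, not silently dropped."""
    tagged, unresolved = [], []
    for entry in feed:
        tags = []
        for addr in entry["addresses"]:
            ep = endpoints.get(addr)
            tag = pick_identification(ep) if ep else None
            if tag is None:
                unresolved.append(addr)
            else:
                tags.append(tag)
        if tags:  # an entry that resolves to no host cannot be monitored by identification
            tagged.append(HostThreat(entry["name"], entry["severity"],
                                     tuple(entry["addresses"]), tuple(tags)))
    return tagged, unresolved


def monitor_traffic(flows, threats) -> List[Tuple[str, str]]:
    """Match flows on the tagged identification (never on src_ip), so a host that
    changed address is still recognised. Returns (threat name, tag) per hit."""
    by_tag = {tag: t.name for t in threats for tag in t.tags}
    hits = []
    for flow in flows:
        for kind in ID_KINDS:
            tag = f"{kind}:{flow.get('src_' + kind, '')}"
            if tag in by_tag:
                hits.append((by_tag[tag], tag))
                break
    return hits


def policy_enforcement_group(threat: HostThreat, endpoints) -> List[str]:
    """Network elements whose attached endpoints map to the threat's address list."""
    return sorted({endpoints[a]["element"] for a in threat.addresses if a in endpoints})


def threat_policy_action(threat: HostThreat) -> str:
    return ACTIONS.get(threat.severity, "log-only")


def enforce(threats, endpoints, control_systems) -> Dict[str, List[Tuple[str, str, Tuple[str, ...]]]]:
    """Group (element, action, tags) orders by the control system owning each element;
    a deployment would dispatch each list to that controller."""
    orders: Dict[str, List[Tuple[str, str, Tuple[str, ...]]]] = {}
    for t in threats:
        action = threat_policy_action(t)
        for element in policy_enforcement_group(t, endpoints):
            orders.setdefault(control_systems[element], []).append((element, action, t.tags))
    return orders
```

Running `tag_host_threats(THREAT_FEED, ENDPOINTS)` yields two tagged threats and reports `10.0.9.9` as unresolved; `monitor_traffic` then flags both c2-beacon hosts, including the one whose address changed, while the benign flow is untouched, and `enforce` produces one quarantine order for each of `sdn-ctl-a` and `wlan-ctl-b` plus a rate-limit order for the scanning host on `sw-1`.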

As per claim 27 Samadani in view of Yadav discloses:
The method of claim 21, further comprising: identifying network control systems associated with the endpoint hosts; and adding, to a data structure, information identifying the network control systems associated with the endpoint hosts. (Paragraph 69 of Samadani, the processor of the network device 102 may store packet header information in a data structure configured to enable rapid access to the various packet header data, as further described with reference to traffic flow characteristics 300 illustrated in FIG. 3) and (paragraph 5 of Samadani, the one or more characteristics of the first network traffic flow associated with the non-benign activity may include information in packet headers of the first network traffic flow).

As per claim 28 Samadani discloses:
A device, comprising: one or more memories; and one or more processors to: receive host threat feed information associated with endpoint hosts communicating with a network, (paragraph 4 of Samadani, various embodiments include methods that may be implemented on a processor of a network device for protecting computing devices from non-benign activity. Various embodiments may include receiving a first network traffic flow of a monitoring computing device and a malicious activity tag identifying a non-benign behavior of the first network traffic flow, determining one or more characteristics of the first network traffic flow associated with the non-benign behavior) and (paragraph 30 of Samadani, non-benign or malicious activities may include, for example, activities causing the leakage of an International Mobile Equipment Identity (IMEI) of the computing device, activities tracking the computing device location, an unexpected or atypical connection for a particular application or for a particular type of communication, communication with a malicious server, communication activity typically associated with malware, or any other activity that may negatively affect a computing device).
Wherein the host threat feed information includes information identifying network addresses associated with threat feeds; (paragraph 31 of Samadani, a malicious activity tag may include one or more of an identifier (ID) of the monitoring computing device sending the malicious activity tag (e.g., the monitoring computing device's Media Access control (MAC ID)), a source Internet Protocol (IP) address of the network traffic flow on which the malicious activity occurred, a source port of the network traffic flow on which the non-benign or malicious activity occurred, a destination IP address of the network traffic flow on which the non-benign or malicious activity occurred, and a destination port of the network traffic flow on which the non-benign or malicious activity occurred).
Tag at least one host threat, of a plurality of host threats, identified by the host threat feed information, with at least one particular identification of a plurality of particular identifications, (paragraph 4 of Samadani, receiving a second network traffic flow from a non-monitoring computing device, and determining whether the second network traffic flow represents non-benign activity by comparing the one or more characteristics of the first network traffic flow associated with the non-benign activity to the second network traffic flow) and (paragraph 8 of Samadani, comparing one or more traffic features of the second network traffic flow with one or more traffic features associated with the non-benign activity, determining whether the packet header information and one or more traffic features of the second network traffic flow correlate to packet header information and the one or more traffic features associated with the non-benign activity within a threshold degree of correlation, and associating the malicious activity tag and the second network traffic flow in response to determining that the packet header information and one or more traffic features of the second network traffic flow correlate to packet header information and the one or more traffic features associated with the non-benign activity within a threshold degree of correlation).
Wherein the at least one particular identification is based on one of: a media access control (MAC) address, session information, or a hardware identifier associated with one of the endpoint hosts, (paragraph 31 of Samadani, a malicious activity tag may include one or more of an identifier (ID) of the monitoring computing device sending the malicious activity tag (e.g., the monitoring computing device's Media Access control (MAC ID)), a source Internet Protocol (IP) address of the network traffic flow on which the malicious activity occurred, a source port of the network traffic flow on which the non-benign or malicious activity occurred, a destination IP address of the network traffic flow on which the non-benign or malicious activity occurred, and a destination port of the network traffic flow on which the non-benign or malicious activity occurred).
Wherein a subset of the endpoint hosts that represent threats are tagged with the at least one particular identification; (paragraph 23 of Samadani, various embodiments may apply machine learning techniques to learn associations of non-benign or malicious activities identified by a subset of computing devices with recognizable characteristics of network traffic flows, characterizations of the network traffic flows, and/or source applications of the network traffic flows, thereby enabling monitoring of non-benign or malicious activity among all computing devices).
Samadani teaches the method of identifying the threat traffic across the network based on the at least one particular identification (see paragraph 4 of Samadani) but fails to clearly disclose:
Monitor host threat traffic across the network based on the at least one particular identification.
However, in the same field of endeavor, Yadav teaches this limitation (paragraph 531 of Yadav: as a network system monitors traffic to detect security threats, the most effective attacks attempt to compromise the monitoring system first. In a system that contains multiple “sensors” reporting traffic flows from various nodes around the network, an attacker might attempt to create fake sensors to manipulate reports in order to mask illegitimate traffic or overwhelm the system with false reports).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Samadani and include the above limitation using the teaching of Yadav in order to enhance the security of network activity by monitoring the network traffic (see paragraph 531 of Yadav).

As per claim 29 Samadani in view of Yadav discloses:
The device of claim 28, wherein the one or more processors are further to: provide information associated with the host threat traffic to a management device to permit the management device to analyze the host threat traffic. (Paragraph 49 of Samadani, in various embodiments, a security hub device in the network may manage the security of both monitoring computing devices and non-monitoring computing devices, and may take an action to handle any network traffic flows associated with non-benign or malicious activity providing security for both monitoring computing devices and non-monitoring computing devices. For example, the security hub may be configured to prioritize suspicious network flows for both monitoring computing devices and/or non-monitoring computing devices for deeper analysis, and such prioritization may be based at least in part on any malicious activity tags received by the security hub. Various embodiments may enable both monitoring computing devices and non-monitoring computing devices to be provided security by non-benign or malicious activity reporting from only a subset of computing devices in the network, specifically only non-benign or malicious activity reporting from the monitoring computing devices).

As per claim 30 Samadani in view of Yadav discloses:
The device of claim 28, wherein the one or more processors are further to: provide information associated with the host threat traffic to a management device to prevent duplicate analysis of the host threat traffic by the management device. (Paragraph 49 of Samadani, in various embodiments, a security hub device in the network may manage the security of both monitoring computing devices and non-monitoring computing devices, and may take an action to handle any network traffic flows associated with non-benign or malicious activity providing security for both monitoring computing devices and non-monitoring computing devices. For example, the security hub may be configured to prioritize suspicious network flows for both monitoring computing devices and/or non-monitoring computing devices for deeper analysis, and such prioritization may be based at least in part on any malicious activity tags received by the security hub. Various embodiments may enable both monitoring computing devices and non-monitoring computing devices to be provided security by non-benign or malicious activity reporting from only a subset of computing devices in the network, specifically only non-benign or malicious activity reporting from the monitoring computing devices).

As per claim 31 Samadani in view of Yadav discloses:
The device of claim 28, wherein the one or more processors are further to: add information identifying the plurality of particular identifications to a data structure, wherein the data structure includes information identifying endpoint hosts and sessions associated with the endpoint hosts. (Paragraph 69 of Samadani, the processor of the network device 102 may store packet header information in a data structure configured to enable rapid access to the various packet header data, as further described with reference to traffic flow characteristics 300 illustrated in FIG. 3) and (paragraph 5 of Samadani, the one or more characteristics of the first network traffic flow associated with the non-benign activity may include information in packet headers of the first network traffic flow).

As per claim 32 Samadani in view of Yadav discloses:
The device of claim 28, wherein the one or more processors are further to: identify a specific host threat, of the plurality of host threats, based on a particular identification, of the plurality of particular identifications, associated with the specific host threat, (paragraph 57 of Samadani, in some embodiments, the network device may receive a plurality of packets from a network traffic flow and may perform one or more analyses on the plurality of packets to determine one or more traffic flow characteristics) and (paragraph 5 of Samadani, the one or more characteristics of the first network traffic flow associated with the non-benign activity may include information in packet headers of the first network traffic flow).
Wherein the information identifying the specific host threat includes a list of network addresses associated with the specific host threat. (Paragraph 31 of Samadani, a malicious activity tag may include one or more of an identifier (ID) of the monitoring computing device sending the malicious activity tag (e.g., the monitoring computing device's Media Access control (MAC ID)), a source Internet Protocol (IP) address of the network traffic flow on which the malicious activity occurred, a source port of the network traffic flow on which the non-benign or malicious activity occurred, a destination IP address of the network traffic flow on which the non-benign or malicious activity occurred, and a destination port of the network traffic flow on which the non-benign or malicious activity occurred).

As per claim 34 Samadani in view of Yadav discloses:
The device of claim 32, wherein the one or more processors are further to: receive the specific host threat based on the at least one particular identification; (paragraph 25 of Samadani, the term “monitoring computing device” refers to a computing device that is configured to send information characterizing or identifying a network traffic flow and/or information characterizing or identifying an application of the computing device that is the source of a network traffic flow, as further described below).
Identify at least one network element associated with the specific host threat based on network topology information and the at least one particular identification; and identify a network control system associated with the at least one network element. (Paragraph 44 of Samadani, in various embodiments, the processor of the network device may send an indication of all network traffic flows associated with a malicious activity tag and/or information identifying source applications to another device, such as a security hub managing security for those network traffic flows).

As per claim 35 Samadani discloses:
A non-transitory computer-readable medium storing instructions, the instructions comprising: one or more instructions that, when executed by one or more processors, cause the one or more processors to: receive host threat feed information associated with endpoint hosts communicating with a network, (paragraph 4 of Samadani, various embodiments include methods that may be implemented on a processor of a network device for protecting computing devices from non-benign activity. Various embodiments may include receiving a first network traffic flow of a monitoring computing device and a malicious activity tag identifying a non-benign behavior of the first network traffic flow, determining one or more characteristics of the first network traffic flow associated with the non-benign behavior) and (paragraph 30 of Samadani, non-benign or malicious activities may include, for example, activities causing the leakage of an International Mobile Equipment Identity (IMEI) of the computing device, activities tracking the computing device location, an unexpected or atypical connection for a particular application or for a particular type of communication, communication with a malicious server, communication activity typically associated with malware, or any other activity that may negatively affect a computing device).
Wherein the host threat feed information includes information identifying network addresses associated with threat feeds; (paragraph 31 of Samadani, a malicious activity tag may include one or more of an identifier (ID) of the monitoring computing device sending the malicious activity tag (e.g., the monitoring computing device's Media Access control (MAC ID)), a source Internet Protocol (IP) address of the network traffic flow on which the malicious activity occurred, a source port of the network traffic flow on which the non-benign or malicious activity occurred, a destination IP address of the network traffic flow on which the non-benign or malicious activity occurred, and a destination port of the network traffic flow on which the non-benign or malicious activity occurred).
Tag at least one host threat, of a plurality of host threats, identified by the host threat feed information, with at least one particular identification of a plurality of particular identifications, (paragraph 4 of Samadani, receiving a second network traffic flow from a non-monitoring computing device, and determining whether the second network traffic flow represents non-benign activity by comparing the one or more characteristics of the first network traffic flow associated with the non-benign activity to the second network traffic flow) and (paragraph 8 of Samadani, comparing one or more traffic features of the second network traffic flow with one or more traffic features associated with the non-benign activity, determining whether the packet header information and one or more traffic features of the second network traffic flow correlate to packet header information and the one or more traffic features associated with the non-benign activity within a threshold degree of correlation, and associating the malicious activity tag and the second network traffic flow in response to determining that the packet header information and one or more traffic features of the second network traffic flow correlate to packet header information and the one or more traffic features associated with the non-benign activity within a threshold degree of correlation).
Wherein the at least one particular identification is based on one of: a media access control (MAC) address, session information, or a hardware identifier associated with one of the endpoint hosts, (paragraph 31 of Samadani, a malicious activity tag may include one or more of an identifier (ID) of the monitoring computing device sending the malicious activity tag (e.g., the monitoring computing device's Media Access control (MAC ID), a source Internet Protocol (IP) address of the network traffic flow on which the malicious activity occurred, a source port of the network traffic flow on which the non-benign or malicious activity occurred, a destination IP address of the network traffic flow on which the non-benign or malicious activity occurred, and a destination port of the network traffic flow on which the non-benign or malicious activity occurred).
Wherein a subset of the endpoint hosts that represent threats are tagged with the at least one particular identification; (paragraph 23 of Samadani, various embodiments may apply machine learning techniques to learn associations of non-benign or malicious activities identified by a subset of computing devices with recognizable characteristics of network traffic flows, characterizations of the network traffic flows, and/or source applications of the network traffic flows, thereby enabling monitoring of non-benign or malicious activity among all computing devices). 
Identify a specific host threat, of the plurality of host threats, based on a particular identification, of the plurality of particular identifications, associated with the specific host threat; (paragraph 57 of Samadani, in some embodiments, the network device may receive a plurality of packets from a network traffic flow and may perform one or more analyses on the plurality packets to determine one or more traffic flow characteristics) and (paragraph 5 of Samadani, the one or more characteristics of the first network traffic flow associated with the non-benign activity may include information in packet headers of the first network traffic flow).
Samadani teaches the method of identifying the threat traffic across the network based on the at least one particular identification (see paragraph 4 of Samadani) but fails to clearly disclose:
Determine a threat policy action to enforce for the specific host threat; and cause the threat policy action to be enforced.
However, in the same field of endeavor, Yadav teaches this limitation as, (paragraph 29 of Yadav, 10 can supplement its analysis by initiating synthetic traffic flows and synthetic attacks on the datacenter. These artificial actions can assist analytics module 110 in gathering data to enhance its model. In some example embodiments, these synthetic flows and synthetic attacks are used to verify the integrity of sensors 104, collectors 108, and analytics module 110. Over time, components may occasionally exhibit anomalous behavior. Analytics module 110 can analyze the frequency and severity of the anomalous behavior to determine a reputation score for the component using reputation module 162. Analytics module 110 can use the reputation score of a component to selectively enforce policies).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Samadani and include the above limitation using the teaching of Yadav in order to enhance the security of network activity by enforcing the network security policy (see paragraph 29 of Yadav).

As per claim 36 Samadani in view of Yadav discloses:
The non-transitory computer-readable medium of claim 35, wherein the instructions further comprise: one or more instructions that, when executed by the one or more processors, cause the one or more processors to: identify at least one network element associated with the specific host threat based on network topology information and the at least one particular identification; identify a network control system associated with the at least one network element; (Paragraph 44 of Samadani, in various embodiments, the processor of the network device may send an indication of all network traffic flows associated with a malicious activity tag and/or information identifying source applications to another device, such as a security hub managing security for those network traffic flows).
Samadani teaches the method of identifying the threat traffic across the network based on the at least one particular identification (see paragraph 4 of Samadani) but fails to clearly disclose:
Cause, via the network control system, the threat policy action to be enforced by a policy enforcement group associated with the at least one network element.
However, in the same field of endeavor, Yadav teaches this limitation as, (paragraph 29 of Yadav, 10 can supplement its analysis by initiating synthetic traffic flows and synthetic attacks on the datacenter. These artificial actions can assist analytics module 110 in gathering data to enhance its model. In some example embodiments, these synthetic flows and synthetic attacks are used to verify the integrity of sensors 104, collectors 108, and analytics module 110. Over time, components may occasionally exhibit anomalous behavior. Analytics module 110 can analyze the frequency and severity of the anomalous behavior to determine a reputation score for the component using reputation module 162. Analytics module 110 can use the reputation score of a component to selectively enforce policies).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Samadani and include the above limitation using the teaching of Yadav in order to enhance the security of network activity by enforcing the network security policy (see paragraph 29 of Yadav).

As per claim 37 Samadani in view of Yadav discloses:
The non-transitory computer-readable medium of claim 36, wherein the instructions further comprise: one or more instructions that, when executed by the one or more processors, cause the one or more processors to: generate, based on the host threat feed information, a data structure that includes information identifying sessions associated with the endpoint hosts, (Paragraph 35 of Samadani, extrinsic traffic flow characteristics may be obtained by the processor of the network device by observing tagged packets, and any packets received in response over an observational period of time to identify common features or patterns in such traffic flows. Examples of extrinsic traffic flow characteristics may include one or more of packet size, packet volumes, packet interarrival times, packet lengths, packet length densities, session handshake patterns, messaging patterns, and packet statistics, such as mean packet size, interquartile range (IQR), and decomposition type (Wavelet, Fourier, etc.)) and (paragraph 69 of Samadani, the processor of the network device 102 may store packet header information in a data structure configured to enable rapid access to the various packet header data, as further described with reference to traffic flow characteristics 300 illustrated in FIG. 3) and (paragraph 5 of Samadani, the one or more characteristics of the first network traffic flow associated with the non-benign activity may include information in packet headers of the first network traffic flow).
Wherein the one or more instructions, that cause the one or more processors to identify the at least one network element, cause the one or more processors to: identify, based on the data structure, the at least one network element associated with the specific host threat to the network. (Paragraph 39 of Samadani, in some embodiments, the processor of the network device may use the learned associations of traffic flow characteristics and traffic flow characterizations or descriptions to associate information identifying a source application with characteristics of associated network traffic flows. In such embodiments, the network device may use the learned associations of the source applications with the traffic flow characteristics to determine the applications associated with network traffic of non-monitoring computing devices) and (paragraph 69 of Samadani, the processor of the network device 102 may store packet header information in a data structure configured to enable rapid access to the various packet header data, as further described with reference to traffic flow characteristics 300 illustrated in FIG. 3) and (paragraph 5 of Samadani, the one or more characteristics of the first network traffic flow associated with the non-benign activity may include information in packet headers of the first network traffic flow).

As per claim 38 Samadani in view of Yadav discloses:
The non-transitory computer-readable medium of claim 35, wherein the instructions further comprise: one or more instructions that, when executed by the one or more processors, cause the one or more processors to: provide information associated with the host threat traffic to a management device to permit the management device to analyze the host threat traffic. (Paragraph 96 of Samadani, in response to determining that another traffic feature associated with non-benign or malicious activity is available for comparison (i.e., determination block 260=“Yes”), the processor of the network device 102 may select another traffic feature to be observed in the second network traffic flow and compared to a traffic feature associated with non-benign or malicious activity in block) and (Paragraph 49 of Samadani, in various embodiments, a security hub device in the network may manage the security of both monitoring computing devices and non-monitoring computing devices, and may take an action to handle any network traffic flows associated with non-benign or malicious activity providing security for both monitoring computing devices and non-monitoring computing devices. For example, the security hub may be configured to prioritize suspicious network flows for both monitoring computing devices and/or non-monitoring computing devices for deeper analysis, and such prioritization may be based at least in part on any malicious activity tags received by the security hub. Various embodiments may enable both monitoring computing devices and non-monitoring computing devices to be provided security by non-benign or malicious activity reporting from only a subset of computing devices in the network, specifically only non-benign or malicious activity reporting from the monitoring computing devices).
Samadani teaches the method of identifying the threat traffic across the network based on the at least one particular identification (see paragraph 4 of Samadani) but fails to clearly disclose:
Monitor host threat traffic across the network based on the plurality of particular identifications.
However, in the same field of endeavor, Yadav teaches this limitation as, (paragraph 531 of Yadav, as a network system monitors traffic to detect security threats, the most effective attacks attempt to compromise the monitoring system first. In a system that contains multiple “sensors” reporting traffic flows from various nodes around the network, an attacker might attempt to create fake sensors to manipulate reports in order to mask illegitimate traffic or overwhelm the system with false reports).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Samadani and include the above limitation using the teaching of Yadav in order to enhance the security of network activity by monitoring the network traffic (see paragraph 531 of Yadav).

As per claim 39 Samadani in view of Yadav discloses:
The non-transitory computer-readable medium of claim 35, wherein the instructions further comprise: one or more instructions that, when executed by the one or more processors, cause the one or more processors to: identify network control systems associated with the endpoint hosts; and generate, based on identifying the network control systems, a data structure that includes information identifying the network control systems associated with the endpoint hosts. (Paragraph 69 of Samadani, the processor of the network device 102 may store packet header information in a data structure configured to enable rapid access to the various packet header data, as further described with reference to traffic flow characteristics 300 illustrated in FIG. 3) and (paragraph 5 of Samadani, the one or more characteristics of the first network traffic flow associated with the non-benign activity may include information in packet headers of the first network traffic flow) and (Paragraph 35 of Samadani, extrinsic traffic flow characteristics may be obtained by the processor of the network device by observing tagged packets, and any packets received in response over an observational period of time to identify common features or patterns in such traffic flows. Examples of extrinsic traffic flow characteristics may include one or more of packet size, packet volumes, packet interarrival times, packet lengths, packet length densities, session handshake patterns, messaging patterns, and packet statistics, such as mean packet size, interquartile range (IQR), and decomposition type (Wavelet, Fourier, etc.)).

As per claim 40:
The non-transitory computer-readable medium of claim 35, wherein the instructions further comprise: one or more instructions that, when executed by the one or more processors, cause the one or more processors to: provide information associated with the host threat traffic to a management device to prevent duplicate analysis of the host threat traffic by the management device. (Paragraph 49 of Samadani, in various embodiments, a security hub device in the network may manage the security of both monitoring computing devices and non-monitoring computing devices, and may take an action to handle any network traffic flows associated with non-benign or malicious activity providing security for both monitoring computing devices and non-monitoring computing devices. For example, the security hub may be configured to prioritize suspicious network flows for both monitoring computing devices and/or non-monitoring computing devices for deeper analysis, and such prioritization may be based at least in part on any malicious activity tags received by the security hub. Various embodiments may enable both monitoring computing devices and non-monitoring computing devices to be provided security by non-benign or malicious activity reporting from only a subset of computing devices in the network, specifically only non-benign or malicious activity reporting from the monitoring computing devices).
Samadani teaches the method of identifying the threat traffic across the network based on the at least one particular identification (see paragraph 4 of Samadani) but fails to clearly disclose:
Monitor host threat traffic across the network based on the plurality of particular identifications.
However, in the same field of endeavor, Yadav teaches this limitation as, (paragraph 531 of Yadav, as a network system monitors traffic to detect security threats, the most effective attacks attempt to compromise the monitoring system first. In a system that contains multiple “sensors” reporting traffic flows from various nodes around the network, an attacker might attempt to create fake sensors to manipulate reports in order to mask illegitimate traffic or overwhelm the system with false reports).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Samadani and include the above limitation using the teaching of Yadav in order to enhance the security of network activity by monitoring the network traffic (see paragraph 531 of Yadav).
Claims 24 and 33 are rejected under 35 U.S.C. 103 as being unpatentable over Samadani (US Pub. No. 2018/0131705) in view of Yadav (US Pub. No. 2016/0359872) and further in view of Mihelich (US Pub. No. 2018/0191681).

As per claim 24:
The combination of Samadani and Yadav teaches the method of identifying the threat traffic across the network based on the at least one particular identification (see paragraph 4 of Samadani) but fails to clearly disclose:
The method of claim 23, further comprising: causing, based on the host threat feed information, host threat traffic external to the network to be blocked at a perimeter network element of the network; and causing, based on the host threat feed information, host threat traffic internal to the network to be blocked at a switching layer of the network.
However, in the same field of endeavor, Mihelich teaches this limitation as, (paragraph 48 of Mihelich, if the access at issue from the internal client machine to the external network is restricted according to the security policy of perimeter network security appliance 121, perimeter network security appliance 121 may block the external network traffic and the internal client machine will be unable to access the external network) and (paragraph 60 of Mihelich, if the access at issue from the internal client machine to the external network is restricted according to the security policy of perimeter network security appliance 121, perimeter network security appliance 121 may block the external network traffic and the internal client machine will be unable to access the external network).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Samadani and Yadav to include the above limitation using the teaching of Mihelich in order to enhance the security of network activity by monitoring and blocking the network traffic according to the network policy (see paragraphs 48 and 60 of Mihelich).

As per claim 33:
The combination of Samadani and Yadav teaches the method of identifying the threat traffic across the network based on the at least one particular identification (see paragraph 4 of Samadani) but fails to clearly disclose:
The device of claim 32, wherein the one or more processors are further to: cause, based on the host threat feed information, host threat traffic external to the network to be blocked at a perimeter network element of the network; and cause, based on the host threat feed information, host threat traffic internal to the network to be blocked at a switching layer of the network.
However, in the same field of endeavor, Mihelich teaches this limitation as, (paragraph 48 of Mihelich, if the access at issue from the internal client machine to the external network is restricted according to the security policy of perimeter network security appliance 121, perimeter network security appliance 121 may block the external network traffic and the internal client machine will be unable to access the external network) and (paragraph 60 of Mihelich, if the access at issue from the internal client machine to the external network is restricted according to the security policy of perimeter network security appliance 121, perimeter network security appliance 121 may block the external network traffic and the internal client machine will be unable to access the external network).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Samadani and Yadav to include the above limitation using the teaching of Mihelich in order to enhance the security of network activity by monitoring and blocking the network traffic according to the network policy (see paragraphs 48 and 60 of Mihelich). 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure. Rostamabadi (US Pub. No. 2017/0250997) discloses:
a method and system for alerting and tagging using a malware analysis platform for threat intelligence made actionable are disclosed. In some embodiments, a system, process, and/or computer program product for alerting and tagging using a malware analysis platform for threat intelligence made actionable includes receiving a plurality of samples for performing automated malware analysis to generate log files based on the automated malware analysis; processing the log files to extract artifacts associated with the log files; determining whether a tag matches any of the plurality of samples based on the artifacts; and performing an action based on whether the tag matches any of the plurality of samples.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TESHOME HAILU whose telephone number is (571)270-3159. The examiner can normally be reached M-F 8 a.m. - 5 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/TESHOME HAILU/Primary Examiner, Art Unit 2434