DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 have been examined and are pending.
Examiner’s Comments
Claims 15-20 is directed towards a tangible computer-readable storage medium and has been analyzed for 35 USC 101. The claim comprises storing instructions to be executed by a processor of a mobile device. No 35 USC 101 deemed necessary since specification states: “...present disclosure can be stored on a tangible or physical (broadly non-transitory) computer-readable storage device or medium, e.g., volatile memory, non-volatile memory, ROM memory, RAM memory, magnetic or optical drive, device or diskette and the like. Furthermore, a "tangible" computer-readable storage device or medium comprises a physical device, a hardware device, or a device that is discernible by the touch. More specifically, the computer-readable storage device may comprise any physical devices that provide the ability to store information such as data and/or instructions to be accessed by a processor or a computing device such as a computer or an application server” (para 0071). Therefore, the tangible computer-readable medium storing instructions does not include any propagating signals.


Double Patenting
A rejection based on double patenting of the “same invention” type finds its support in the language of 35 U.S.C. 101 which states that “whoever invents or discovers any new and useful process... may obtain a patent therefor...” (Emphasis added). Thus, the term “same invention,” in this context, means an invention drawn to identical subject matter. See Miller v. Eagle Mfg. Co., 151 U.S. 186 (1894); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Ockert, 245 F.2d 467, 114 USPQ 330 (CCPA 1957).
A statutory type (35 U.S.C. 101) double patenting rejection can be overcome by canceling or amending the claims that are directed to the same invention so they are no longer coextensive in scope. The filing of a terminal disclaimer cannot overcome a double patenting rejection based upon 35 U.S.C. 101.
Claims 1-20 are rejected under 35 U.S.C. 101 as claiming the same invention as that of claims 1-18 of prior U.S. Patent No. 10,938,844 B2. This is a statutory double patenting rejection. Furthermore, the instant application recites “internet protocol addresses” and US Patent 10,938,844 B2, “domain names” which are equivalent. 
 Instant Application
17/189,232
US Patent
10,938,844 B2
Claims 1, 8, and 15
A device comprising; a method comprising; and A tangible computer-readable medium storing instructions which, when executed by a processor, cause the processor to perform operations, the operations comprising:
a processor; and 
a computer-readable medium storing instructions which, when executed by the processor, cause the processor to perform operations, the operations comprising: 
classifying mobile network traffic of a network as being associated with one or more mobile software applications of a plurality of mobile software applications using a probabilistic model for the plurality of mobile software applications, wherein the probabilistic model is based on a distribution of internet protocol addresses; 
detecting an anomaly associated with a mobile software application of the plurality of mobile software applications based on the mobile network traffic classified as being associated with the one or more mobile software applications, wherein the anomaly comprises at least one of: a security event or a performance issue; 
verifying a set of one or more of the internet protocol addresses is associated with the mobile software application in response to the detecting of the anomaly; and 
performing one or more remedial actions to address the anomaly based on the verifying, wherein the one or more remedial actions comprise sending a notification to a mobile endpoint device having the mobile software application, wherein the notification contains a request to a user of the mobile endpoint device having the mobile software application to deactivate or deinstall the mobile software application, blocking mobile traffic from a functional internet protocol address correlated to the mobile software application, or throttling the mobile traffic from the functional internet protocol address correlated to the mobile software application. 

Claims 1, 8, and 14
A device comprising; a method comprising; and A tangible computer-readable medium storing instructions which, when executed by a processor, cause the processor to perform operations, the operations comprising:
a processor; and 
a computer-readable medium storing instructions which, when executed by the processor, cause the processor to perform operations, the operations comprising: 
          classifying mobile network traffic of a network as being associated with one or more mobile software applications of a plurality of mobile software applications using a probabilistic model for the plurality of mobile software applications, wherein the probabilistic model is based on a distribution of domain names;

      detecting an anomaly associated with a mobile software application of the plurality of mobile software applications based on the mobile network traffic classified as being associated with the one or more mobile software applications, wherein the anomaly comprises at least one of: a security event or a performance issue;
        verifying a set of one or more of the domain names is associated with the mobile software application in response to the detecting of the anomaly; and

          performing one or more remedial actions to address the anomaly based on the verifying, wherein the one or more remedial actions comprise: sending a notification to a mobile endpoint device having the mobile software application, wherein the notification contains a request to a user of the mobile endpoint device having the mobile software application to deactivate or deinstall the mobile software application, blocking mobile traffic from a functional domain name correlated to the mobile software application, or throttling the mobile traffic from the functional domain name correlated to the mobile software application.

Claims 2, 9, and 16
The device of claim 1, wherein the one or more remedial actions further comprise sending a notification to a developer of the mobile software application.
Claims 2, 9, and 15
The device of claim 1, wherein the one or more remedial actions further comprise sending a notification to a developer of the mobile software application.
Claims 3, 10, and 17
The device of claim 1, wherein the one or more remedial actions further comprise sending a notification to an entity responsible for the mobile endpoint device having the mobile software application.
Claims 3, 10, and 16
The device of claim 1, wherein the one or more remedial actions further comprise sending a notification to an entity responsible for the mobile endpoint device having the mobile software application.
Claims 4, 11, and 18
The device of claim 3, wherein the entity comprises a business entity, a governmental agency, a guardian or a parent.
Claims 4 and 11
The device of claim 3, wherein the entity comprises a business entity, a governmental agency, a guardian or a parent.
Claims 5, 12, and 19
The device of claim 1, wherein the one or more remedial actions further comprise allocating an additional network resource to address the anomaly.
Claims 5, 12, and 17
The device of claim 1, wherein the one or more remedial actions further comprise allocating an additional network resource to address the anomaly.
Claims 6, 13, and 20
The device of claim 1, wherein the one or more remedial actions further comprise blocking mobile traffic from the mobile endpoint device having the mobile software application.
Claims 6, 10, and 18
The device of claim 1, wherein the one or more remedial actions further comprise blocking mobile traffic from the mobile endpoint device having the mobile software application.
Claims 7 and 14
The device of claim 1, the operations further comprising: retraining the probabilistic model on a periodic basis.
Claim 7
The device of claim 1, the operations further comprising:
retraining the probabilistic model on a periodic basis.


Examiner Note: In the event, statutory type (35 U.S.C. 101) double patenting rejection
may not be applied then nonstatutory double patenting rejection will be applied as
follows.
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-18 of U.S. Patent No. 10,938,844 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-20 are anticipated by 1-18 of the US Patent.
Claims 1-18 of the U.S. Patent No. 10,938,844 B2 as shown above in the table contains every element of claims 1-20 of the instant application and as such anticipates claims 1-20.
Furthermore, Claims 1-20are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-18 of U.S. Patent No. 10,938,844 B2, in view of Stiansen 2016/0044054 A1 and further in view of Schultz 2015/0381649 A1, and further in view of Xue 2014/0298460 A1. Although the claims at issue are not identical, they are not patentably distinct from each other because the concepts are similar in nature.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 03/01/2021 was filed.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 5-6, 8, 12-13, 15 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over, in view of Baradaran et al., hereinafter (“Baradaran”), US PG Publication (20170124478 A1), in view of Stiansen et al., hereinafter (“Stiansen”), US PG Publication (2016/0044054 A1).
Regarding claims 1, 8, and 15, Baradaran teaches a device comprising; a method comprising; and a tangible computer-readable medium storing instructions which, when executed by a processor, cause the processor to perform operations, the operations comprising: [Baradaran , ¶0281: systems and methods described above may be provided as one or more computer-readable programs]
a processor [Baradaran , ¶¶0095-0096: appliance 200: server, etc.]; and 
a computer-readable medium storing instructions which, when executed by the processor, cause the processor to perform operations, the operations comprising: [Baradaran , ¶0281: hardware logic as well as software or programmable code embedded in a computer readable medium that is executed by a processor]
classifying mobile network traffic of a network as being associated with one or more mobile software applications of a plurality of mobile software applications using a probabilistic model for the plurality of mobile software applications, wherein the probabilistic model is based on a distribution of internet protocol addresses;  [Baradaran , ¶¶0105, 0186-0187, 0254 and 0258-0259: mobile IP protocol executing on clients 102a-102n and servers 106a-106n using multi-protocol compression engine 238. Flow-based data parallelism 510 distributes data flow such that each cores using a probabilistic model for the plurality of mobile software applications, wherein the probabilistic model is based on a distribution of internet protocol addresses. using a probabilistic model for the plurality of mobile software applications, wherein the probabilistic model is based on a distribution of internet protocol addresses. The data points of the training dataset and/or the set of outliers may include network traffic data points include any number of parameters and/or values, such as IP addresses. Normalcy calculator 710 configured to identify a plurality of cluster, segments, or partitions of data points; K-means algorithms and classifying.]
detecting an anomaly associated with a mobile software application of the plurality of mobile software applications based on the mobile network traffic classified as being associated with the one or more mobile software applications, wherein the anomaly comprises at least one of: a security event or a performance issue; [Baradaran , ¶¶0039, 0250, and 0252  FIG. 7A, one embodiment of a system 700 for improving anomaly detection using injected outliers is depicted. The normalcy calculator 710, the outlier detector 715, and/or the clustering engine 720 may be specifically designed or configured for performing anomaly detection.]
verifying a set of one or more of the internet protocol addresses is associated with the mobile software application in response to the detecting of the anomaly; [Baradaran, ¶0265: the normalcy calculator 710 may verify or determine whether all the artificial outliers 731′ are excluded from the region.] and 
While Baradaran teaches anomaly based on the verifying and blocking mobile traffic from a functional internet protocol address correlated to the mobile software application  [See Baradaran, ¶¶0123-0124 the appliance 200 responds to a client's DNS request with an IP address of a server 106 determined by the appliance 200; the policy engine 236 provides rules for detecting and blocking illegitimate requests. In some embodiments, the application firewall 290 protects against denial of service (DoS) attacks. ¶0265: the normalcy calculator 710 may verify...]; however, Baradaran fails to explicitly teach but Stiansen teaches performing one or more remedial actions to address the anomaly based on the verifying, wherein the one or more remedial actions comprise sending a notification to a mobile endpoint device having the mobile software application, wherein the notification contains a request to a user of the mobile endpoint device having the mobile software application to deactivate or deinstall the mobile software application, blocking mobile traffic from a functional internet protocol address correlated to the mobile software application, or throttling the mobile traffic from the functional internet protocol address correlated to the mobile software application.  [Stiansen, ¶0107: a collection agent (10) is an IRC agent built on top of TCP/IP for security or identity verification ¶0170: In some embodiments, the detection module is configured to detect an infected host (a mobile endpoint device) within the computer network, wherein the infected host has risky activities or risky data packets. In further embodiments, the detection module is further configured to send a notification to a user upon blocking the one or more data packets]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of an Anomaly detection with k-means clustering and artificial outlier injection of Baradaran before him or her by including the teachings of a Network appliance for dynamic protection from risky network activities of Stiansen. The motivation/suggestion would have been obvious to try to modify the anomaly detection as taught by Baradaran by adding the detection module that blocks IP based traffic as taught by Stiansen [Stiansen, ¶¶0107 and 0170].  
Regarding claims 5, 12, and 19, the combination of Baradaran and Stiansen teach claim 1 as described above.
However, Baradaran fails to explicitly teach but Stiansen teaches wherein the one or more remedial actions further comprise allocating an additional network resource to address the anomaly. [Stiansen , ¶0124: autonomous and semi-autonomous collection agents (10) is augmented and supplemented by human agents (10) who monitor communications and data; further human agents (10) launch and maintain additional autonomous or semi-autonomous collection agents (10)(an additional network resource to address the anomaly), or to provide information directly to the rating system (18)]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of an Anomaly detection with k-means clustering and artificial outlier injection of Baradaran before him or her by including the teachings of a Network appliance for dynamic protection from risky network activities of Stiansen. The motivation/suggestion would have been obvious to try to modify the anomaly detection as taught by Baradaran by adding the detection module that augments the appliance and system with additional collection agents to supplement addressing anomalies [Stiansen, ¶0124].

Regarding claims 6, 13, and 20, the combination of Baradaran and Stiansen teach claim 1 as described above.
However, Baradaran fails to explicitly teach but Stiansen teaches wherein the one or more remedial actions further comprise blocking mobile traffic from the mobile endpoint device having the mobile software application. [Stiansen , ¶0170: In some embodiments, the detection module is configured to detect an infected host (a mobile endpoint device) within the computer network, wherein the infected host has risky activities or risky data packets. In further embodiments, the detection module is further configured to send a notification to a user upon blocking the one or more data packets]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of an Anomaly detection with k-means clustering and artificial outlier injection of Baradaran before him or her by including the teachings of a Network appliance for dynamic protection from risky network activities of Stiansen. The motivation/suggestion would have been obvious to try to modify the anomaly detection as taught by Baradaran by correlating risky activity comprises one or more of the following: virus, virus distribution, phishing, intrusion, an attack, malware, fraud, identity theft, crime, cyberbullying, denial-of-service; with that of risky source address: an Internet protocol address, a numerical address, a portion of a numerical address, a domain name, or a portion of a domain name [Stiansen, ¶0086].  
Claims 2, 9, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over, in view of Baradaran et al., hereinafter (“Baradaran”), US PG Publication (20170124478 A1), in view of Stiansen et al., hereinafter (“Stiansen”), US PG Publication (2016/0044054 A1), in view of Schultz et al., hereinafter (“Schultz”), US PG Publication (20150381649 A1).
Regarding claims 2, 9, and 16, the combination of Baradaran and Stiansen teach claim 1 as described above.
While Stiansen teaches a notification [See Stiansen, ¶0170]; however, the combination of Baradaran and Stiansen fail to explicitly teach but Raff teaches wherein the one or more remedial actions further comprise sending a notification to a developer of the mobile software application. [Schultz ¶¶0035 and 0050: recovery to limit damage by notification and protecting customers or one’s intellectual property. Examiner interprets one’s IP of software as the developer].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Baradaran and Stiansen before him or her by including the teachings of a Probabilistic Model For Cyber Risk Forecasting of Schultz. The motivation/suggestion would have been obvious to try to modify the anomaly detection as taught by Baradaran by adding the detection module that blocks IP based traffic as taught by Stiansen, with the ability to forecast loss from cyber-attacks as taught by Schultz [Schultz, ¶¶0032, 0035, and 0050].  

Claims 3-4, 7, 10-11, 14, and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over, in view of Baradaran et al., hereinafter (“Baradaran”), US PG Publication (20170124478 A1), in view of Stiansen et al., hereinafter (“Stiansen”), US PG Publication (2016/0044054 A1), in view of Xue et al, hereinafter (“Xue”), US PG Publication (20140298460 A1).

Regarding claims 3, 10, and 17, the combination of Baradaran and Stiansen teach claim 1 as described above.
While Stiansen teaches a notification [See Stiansen, ¶0170]; however, the combination of Baradaran and Stiansen fail to explicitly teach but Xue teaches wherein the one or more remedial actions further comprise sending a notification to an entity responsible for the mobile endpoint device having the mobile software application. [Xue, ¶0060: The output module 220 outputs results after the malicious URL detection module 102 applies the classifications models 228 to an unknown URL 230. For example, the results may notify a Web user at one of client computing devices 204(1) . . . (M) that a URL in a communication is likely to be a malicious URL]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Baradaran and Stiansen before him or her by including the teachings of a Malicious uniform resource locator detection of Xue. The motivation/suggestion would have been obvious to try to modify the anomaly detection as taught by Baradaran by adding the detection module that blocks IP based traffic as taught by Stiansen, with the ability to forecast loss from cyber-attacks and perform an action to limit of Xue [Xue, ¶¶0032, 0035, 0050, and 0060].  

Regarding claims 4, 11, and 18, the combination of Baradaran and Stiansen teach claim 1 as described above.
However, the combination of Baradaran and Stiansen fail to explicitly teach but Xue teaches wherein the entity comprises a business entity, a governmental agency, a guardian or a parent. [Xue, ¶0018: entity may be commercial or business entity]

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Baradaran and Stiansen before him or her by including the teachings of a Malicious uniform resource locator detection of Xue. The motivation/suggestion would have been obvious to try to modify the anomaly detection as taught by Baradaran by adding the detection module that blocks IP based traffic as taught by Stiansen, with the ability to forecast loss from cyber-attacks and perform an action to limit of Xue [Xue, ¶¶0032, 0035, 0050, and 0060].  

Regarding claims 7 and 14, the combination of Baradaran and Stiansen teach claim 1 as described above.
However, the combination of Baradaran and Stiansen fail to explicitly teach but Xue teaches retraining the probabilistic model on a periodic basis. [Xue, ¶0068: …the classification models may be retrained or adapted using a set of training URLs selected rather than URLs that were previously wrongly classified. Thus, the system may continually seek to improve the decision criteria used in the classification models 228 so that the malicious URL detection module can continue to protect network users, as well as, authentic resources and/or legitimate entities]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Baradaran and Stiansen before him or her by including the teachings of a Malicious uniform resource locator detection of Xue.  The motivation would have been obvious to substitute malicious classification module functions of adapting and considering new features when cyber attackers continuously try to evade [Xue, ¶0075].  

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Duchesneau (8706914 B2) discloses Computing infrastructure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682. The examiner can normally be reached Monday-Friday, 9:30-2:30, 7-10.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW can be reached on 571-272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Sakinah White Taylor/           Primary Examiner, Art Unit 2497