DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This is in reply to papers filed on 2021-04-20. Claims 1-18 are pending. Claims 1, 9, 17, 18 is/are independent.
Priority papers submitted under 35 U.S.C. § 119(a)-(d) are acknowledged.

Information Disclosure Statement PTO-1449
The Information Disclosure Statement(s) submitted by applicant on 2020-09-08, 2021-04-20 has/have been considered. The submission is in compliance with the provisions of 37 CFR § 1.97. Form PTO-1449 signed and attached hereto.

Claim Interpretation
Consistent with the broadest reasonable interpretation, in claim 4, 12, Examiner interprets the phrase "adjusting a total of sampling points of the sampling data from N to M, wherein N is different from M" to mean that the total number of sampling points of the sampling data during one sampling window is a number N and that the total number of sampling points of the sampling data during another different sampling window is a number M.  As written, the claim encompasses both (i) the scenario in which the sampling rate per unit time is adjusted and (ii) the scenario if the sampling rate per unit time is held steady, but the window length varies.  If Applicant desires a different interpretation, Applicant must make clear on the record that such a different interpretation is required, e.g. by amendment.

Summary of Claim Rejections under 35 U.S.C. § 102 and § 103
The following table summarizes the rejections set forth in detail below of the claims over the prior art.

Claim No.
Strayer '439 
Strayer '439 in view of Chen '745
1
[Wingdings font/0xFC]

2
[Wingdings font/0xFC]

3
[Wingdings font/0xFC]

4
[Wingdings font/0xFC]

5
[Wingdings font/0xFC]

6
[Wingdings font/0xFC]

7
[Wingdings font/0xFC]

8
[Wingdings font/0xFC]

9
[Wingdings font/0xFC]

10
[Wingdings font/0xFC]

11
[Wingdings font/0xFC]

12
[Wingdings font/0xFC]

13
[Wingdings font/0xFC]

14
[Wingdings font/0xFC]

15
[Wingdings font/0xFC]

16
[Wingdings font/0xFC]

17

[Wingdings font/0xFC]
18

[Wingdings font/0xFC]


Claim Rejections - 35 U.S.C. § 102
The following is a quotation of the appropriate paragraphs of AIA  35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim(s) 1-16 is/are rejected under 35 U.S.C. § 102   as being anticipated by U.S. Publication 20030097439 to Strayer et al. (hereinafter "Strayer '439").  Strayer '439 is prior art to the claims under 35 U.S.C. § 102(a)(1) and 35 U.S.C. § 102(a)(2).
Per claim 1 (independent):
Strayer '439 discloses an abnormal traffic detection method (classifies traffic as suspicious, anomalous or benign [Strayer '439 ¶ 0022-0025])
Strayer '439 discloses obtaining network traffic data of a target device (collection agents 125 collect network traffic flows for analysis by traffic auditor 130 [Strayer '439 ¶ 0025-0028])
Strayer '439 discloses sampling the network traffic data by a sampling window to obtain sampling data, wherein the sampling window has a time length (samples network traffic flows "into windows of constant time" [Strayer '439 ¶ 0088])
Strayer '439 discloses generating an image according to the sampling data, wherein the image presents a traffic feature of the network traffic data corresponding to the time length (converts traffic data to 2D image [Strayer '439 ¶ 0060-0067, 0088])
Strayer '439 discloses analyzing the image to generate evaluation information corresponding to an abnormal traffic (analyzes 2D image to classify anomalies [Strayer '439 ¶ 0088]; computes score level of unknown patterns to classify flows [Strayer '439 ¶ 0103-0104])
Per claim 2 (dependent on claim 1):
Strayer '439 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Strayer '439 discloses selecting the time length from a plurality of candidate time lengths (varies length of window [Strayer '439 ¶ 0045-0046, 0065-0069])
Strayer '439 discloses generating the sampling window according to the time length (samples network traffic flows "into windows of constant time" [Strayer '439 ¶ 0088])
Per claim 3 (dependent on claim 1):
Strayer '439 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Strayer '439 discloses the step of sampling the network traffic data by the sampling window to obtain the sampling data comprises filtering the network traffic data according to a white list (filters out expected traffic flows before analysis [Strayer '439 ¶ 0107])
Strayer '439 discloses sampling the filtered network traffic data by the sampling window to obtain the sampling data (samples network traffic flows "into windows of constant time" [Strayer '439 ¶ 0088])
Per claim 4 (dependent on claim 1):
Strayer '439 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Strayer '439 discloses the step of generating the image according to the sampling data comprises adjusting a total of sampling points of the sampling data from N to M, wherein N is different from M (time sampling is adjustable [Strayer '439 ¶ 0045-0046])
Per claim 5 (dependent on claim 1):
Strayer '439 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Strayer '439 discloses the step of generating the image according to the sampling data comprises converting the sampling data into a two-dimensional bit map, wherein a first dimension of the two-dimensional bit map corresponds to a plurality of sampling points, and a second dimension of the two-dimensional bit map corresponds to a plurality of sampling values (converts traffic data to 2D image [Strayer '439 ¶ 0060-0067, 0088])
Strayer '439 discloses generating the image according to the two-dimensional bit map (converts traffic data to 2D image [Strayer '439 ¶ 0060-0067, 0088])
Per claim 6 (dependent on claim 5):
Strayer '439 discloses the elements detailed in the rejection of claim 5 above, incorporated herein by reference
Strayer '439 discloses the step of generating the image according to the two-dimensional bit map comprises determining, according to a bit value of a first position in the two-dimensional bit map, a pixel value of a second position corresponding to the first position in the image (converts traffic data to 2D image [Strayer '439 ¶ 0060-0067, 0088])
Per claim 7 (dependent on claim 1):
Strayer '439 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference
Strayer '439 discloses the evaluation information comprise at least one of a source address of the network traffic data, a destination address of the network traffic data, a total time length of the network traffic data, an occurrence rate of the traffic feature of the abnormal traffic in the network traffic data and the time length of the sampling window (evaluates "n-tuple of data, which may include a time of arrival (TOA) of when the event was detected and logged. Each event may further include a unique identifier identifying a sender of the unit of communication, a duration of the received unit of communication, a geo-location associated with the sender of the unit of communication, information characterizing the type of transmission (e.g., radio, data network, etc.), and a signal strength " [Strayer '439 ¶ 0042])
Per claim 8 (dependent on claim 7):
Strayer '439 discloses the elements detailed in the rejection of claim 7 above, incorporated herein by reference
Strayer '439 discloses evaluating a risk level of the abnormal traffic according to the occurrence rate and the total time length of the network traffic data (computes score level of unknown patterns to classify flows [Strayer '439 ¶ 0103-0104]; evaluates as suspicious/anomalous based on cyclical activity [Strayer '439 ¶ 0088]; evaluates as suspicious/anomalous based on "length of data within traffic flows" [Strayer '439 ¶ 0124, 0042])
Per claim 9 (independent):
Strayer '439 discloses an abnormal traffic detection device comprising a storage device and a processor (processor(s), memory, computer readable media, storage, executable instructions [¶ 0024-0025, 0029, 0037-0039, 0041, 0105, 0125])
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 1 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 10 (dependent on claim 9):
Strayer '439 discloses the elements detailed in the rejection of claim 9 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 2 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 11 (dependent on claim 9):
Strayer '439 discloses the elements detailed in the rejection of claim 9 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 3 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 12 (dependent on claim 9):
Strayer '439 discloses the elements detailed in the rejection of claim 9 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 4 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 13 (dependent on claim 9):
Strayer '439 discloses the elements detailed in the rejection of claim 9 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 5 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 14 (dependent on claim 13):
Strayer '439 discloses the elements detailed in the rejection of claim 13 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 6 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 15 (dependent on claim 9):
Strayer '439 discloses the elements detailed in the rejection of claim 9 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 7 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Per claim 16 (dependent on claim 15):
Strayer '439 discloses the elements detailed in the rejection of claim 15 above, incorporated herein by reference
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 8 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.

Claim Rejections - 35 U.S.C. § 103
The following is a quotation of AIA  35 U.S.C. 103 that forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. § 103(a) are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim(s) 17-18 is/are rejected under 35 U.S.C. § 103    as being unpatentable over Strayer '439 in view of U.S. Publication 20190042745 to Chen et al. (hereinafter "Chen '745").  Chen '745 is prior art to the claims under 35 U.S.C. § 102(a)(1) and 35 U.S.C. § 102(a)(2).
Per claim 17 (independent):
Strayer '439 does not disclose sampling the network traffic data by a second sampling window to obtain second sampling data, wherein the second sampling window has a second time length, and the first time length is different from the second time length
Strayer '439 does not disclose generating a second image according to the second sampling data
Strayer '439 does not disclose generating evaluation information corresponding to an abnormal traffic according to the first image and the second image
However, Strayer '439 discloses generating evaluation information corresponding to an abnormal traffic according to the first image (analyzes 2D image to classify anomalies [Strayer '439 ¶ 0088]; computes score level of unknown patterns to classify flows [Strayer '439 ¶ 0103-0104])
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 1 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.
Further:
Chen '745 discloses sampling the network traffic data by a second sampling window to obtain second sampling data, wherein the second sampling window has a second time length, and the first time length is different from the second time length (regenerates image at new time length and re-evaluates [Chen '745 ¶ 0104-0105])
Chen '745 discloses generating a second image according to the second sampling data (regenerates image at new time length and re-evaluates [Chen '745 ¶ 0104-0105])
Chen '745 discloses generating evaluation information corresponding to an abnormal traffic according to the first image and the second image (regenerates image at new time length and re-evaluates [Chen '745 ¶ 0104-0105])
It would have been obvious to a person having ordinary skill in the art (1) before the effective filing date of the claimed invention and (2) before the invention was made to have modified Strayer '439 with the additional time scale of Chen '745 to arrive at an apparatus, method, and product including:
sampling the network traffic data by a second sampling window to obtain second sampling data, wherein the second sampling window has a second time length, and the first time length is different from the second time length
generating a second image according to the second sampling data
generating evaluation information corresponding to an abnormal traffic according to the first image and the second image
A person having ordinary skill in the art would have been motivated to combine them at least because an additional time scale for encoding the traffic as an image would have offered the chance at a successful classification in some situations where the original time scale produced no confidence or false results.  A person having ordinary skill in the art would have been further motivated to combine them at least because Chen '745 teaches  [Chen '745 ¶ 0104-0105] modifying an image-based traffic classifier [Strayer '439 ¶ 0022-0025] such as that of Strayer '439 to arrive at the claimed invention; because doing so constitutes use of a known technique (additional time scale [Chen '745 ¶ 0104-0105]) to improve similar devices and/or methods (image-based traffic classifier [Strayer '439 ¶ 0022-0025]) in the same way; because doing so constitutes applying a known technique (additional time scale [Chen '745 ¶ 0104-0105]) to known devices and/or methods (image-based traffic classifier [Strayer '439 ¶ 0022-0025]) ready for improvement to yield predictable results; and because the modification amounts to combining prior art elements according to known methods to yield predictable results.  Here, (1) the prior art included each element (as detailed above); (2) one of ordinary skill in the art could have combined the elements as claimed by known methods, and in this combination, each element merely performs the same function as it does separately (image-based traffic classifier [Strayer '439 ¶ 0022-0025] identifies suspicious or anomalous traffic using additional time scale [Chen '745 ¶ 0104-0105]); (3) one of ordinary skill in the art would have recognized that the results of the combination were predictable; and (4) other considerations do not overcome this conclusion.
Per claim 18 (independent):
Strayer '439 discloses an abnormal traffic detection device comprising a storage device and a processor (processor(s), memory, computer readable media, storage, executable instructions [Strayer '439 ¶ 0024-0025, 0029, 0037-0039, 0041, 0105, 0125])
The remaining limitations of the claim(s) correspond(s) to features of claim(s) 17 and the claim(s) is/are rejected for the reasons detailed with respect to those claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THEODORE C PARSONS whose telephone number is (571)270-1475.  The examiner can normally be reached on MTWRF 7:30-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on (571) 272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/THEODORE C PARSONS/Primary Examiner, Art Unit 2494