DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to amendment
This action is responsive to an amendment filed on 09/12/2022.
Claims 1, 3-4, 9-10, 12 and 15-17 have been amended.
Claims 1-20 are pending.
Response to Arguments
Applicant’s arguments, see Applicant Arguments/Remarks, filed on 09/12/2022, with respect to the rejection of the pending claims under 35 U.S.C. §103 have been fully considered but they are not persuasive.
Applicant argues that “Teo never discloses determining frequencies with which an IP address or other characteristics determined from a data stream is associated with the internal network based on responses to requests communicated to systems connected to the internal network, nor does Teo disclose determining the frequency with which an IP address or other characteristic determined from a data stream is associated with other networks accessible over the Internet based on responses to requests communicated to systems accessible over the Internet” (Rem./Arg. Page 14).
Examiner respectfully disagrees. Teo teaches the external data sources generate data streams that are destined to be received by one or more of the protected nodes. The protected nodes may respond to a data stream. The protected nodes may also initiate connections to the external data sources. Response System monitor and analyze the data streams between the internal nodes and the external data sources [¶ 0049]. For example, the collection of external data sources could refer to the computer systems connected to the Internet, while the collection of internal protected nodes could refer to the machines in an internal network of an organization [¶ 0050]. The Adaptive Security System determines which data stream connections originate from external data sources and which are initiated by the internal protected nodes. In the context of the Internet, it studies the IP addresses that it encounters and determines which are from the Internet (external IP addresses) and which belong to the internal network [¶ 0066]. The IP addresses of the nodes in the internal network are encountered often (i.e., higher frequency), while the IP addresses on the Internet would appear “random” (i.e., lower frequency) [¶ 0069]. Therefore, as aforementioned, it would be appreciated that Teo’s data stream is based on request and response messages between the protected internal node and the external node via the Internet.
Applicant further argues that the frequencies of Tong also are not determined based on responses to requests communicated to systems connected to a first network or to systems accessible over the Internet. …Tong cannot disclose that frequencies are determined based on responses to requests communicated to network accessible systems as claim 1 has been amended. (Rem./Arg. Pages 14-15). 
Examiner respectfully disagrees. As mentioned in the previous Office action, filed on 06/20/2022, Examiner relies on Tong only to teach identification of unique and prevalent “indicators” in a data set based on frequency analysis, so that the identified “indicators” can be used to distinguish different data sets from each other (e.g., a fingerprint of the data set).






Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-4, 9-12 and 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over US 2007/0094491 (Teo et al.) in view of US 20200019702 (Tong et al.) further in view of US 2020/0019702 (Siegmund).

Regarding Claim 1, Teo teaches a method comprising: determining a set of identifying elements of a first network based, at least in part, on at least one of configuration data of the first network and a set of data obtained from a first set of systems connected to the first network ([¶ 0007], dynamically learning network environments… monitoring a data stream associated with the node to identify a characteristic of the node. [¶ 0049] the external data sources generate data streams that are destined to be received by one or more of the protected nodes [i.e., a first set of systems connected to the first network]. The protected nodes may respond to a data stream. The protected nodes may also initiate connections to the external data sources. Response System monitor and analyze the data streams between the internal nodes and the external data sources. [¶ 0050] For example, the collection of external data sources could refer to the computer systems connected to the Internet, while the collection of internal protected nodes could refer to the machines in an internal network of an organization);
for each identifying element of the set of identifying elements, determining a first frequency at which the identifying element is associated with the first set of systems based, at least in part, on responses to first requests communicated to each of the first set of systems; determining a second frequency at which the identifying element is associated with a second set of systems of other networks accessible via the Internet based, at least in part, on responses to second requests communicated to each of the second set of systems; ([¶ 0066], determines which data stream connections originate from external data sources and which are initiated by the internal protected nodes. In the context of the Internet, the Adaptive Security System studies the IP addresses that it encounters [i.e., frequency] and determines which are from the Internet (external IP addresses) and which belong to the internal network);
determining if the identifying element is associated with the first set of systems at a greater frequency than with the second set of systems based, at least in part, on the first frequency and the second frequency ([¶ 0069], the IP addresses of the nodes in the internal network are encountered often [i.e., a greater frequency], while the IP addresses on the internet would appear more "random." [i.e., second frequency]); 
Teo does not explicitly teach, but Tong teaches determining that the identifying element is associated with the first set of systems at a greater frequency than with the second set of systems, indicating that the identifying element is a malware (i.e., interpreted as data element) (emphasis added) ([¶ 0047], Tong teaches detecting two pattern sets (e.g. a malware pattern set and a normal pattern set). …a first frequency of a system call sequence in the malware set is calculated. … the first frequency may be calculated as the average frequency of the system call sequence in the malware set. [¶ 0049], a second frequency of the system call sequence in the normal application set is calculated. … the second frequency may be calculated as the average frequency of the system call sequence in the normal application set. [¶ 0051], the system call sequence is judged as a malware pattern or a normal pattern, based on comparison between the first and second frequencies. …if the first frequency of a system call sequence is greater than its second frequency, it may be put into the malware pattern set).
NOTE: Although Tong looks for a malware pattern set, Examiner relies on Tong only to teach identification of unique and prevalent “indicators” in a data set based on frequency analysis, so that the identified “indicators” can be used to distinguish different data sets from each other (e.g., a fingerprint of the data set).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Teo’s pattern study with the teachings of Tong’s detection of a particular data pattern set between two pattern sets, by comparing a first frequency of a system call sequence in a first set with a second frequency of a system call sequence in a second set and determining the particular set (e.g. malware) if the first frequency is greater than the second frequency as taught by Tong, in order to implement the pattern study of Teo, because comparing the frequency of occurrence in a data set using a threshold would help to identify unique and prevalent indicators in a data set.
Teo in view of Tong do not explicitly teach, however, Siegmund teaches identifying element is a fingerprint of the first network ([¶¶ 0004, 0031], generating a network signature [i.e., fingerprint]. A network signature may include, for example, network information associated with a network (e.g., IP address, MAC address, domain name, DNS name, routing information, phone number, etc.)).
A person having ordinary skill in the art before the effective filing date of the claimed invention would have incorporated Siegmund's system of generating a network signature with Teo’s dynamically learning network environments and Tong’s identifying a particular data set because it would have allowed for application of a known technique for improvement to yield the predictable result of identifying network information to generate a network signature, without requiring significant modifications to Teo’s and Tong’s disclosures outside the scope of one having ordinary skill in the art before the effective filing date of the claimed invention.

Regarding Claim 2, Teo in view of Tong do not explicitly teach, however, Siegmund teaches the method of claim 1, wherein the fingerprint distinguishes the first set of systems from any of the second set of systems of other networks ([¶ 0029], generate a list of networks and network devices. The list also specifies a corresponding signature [i.e., fingerprint] for each network. [¶ 0031], A signature may include, for example, network information associated with a network (e.g., IP address, MAC address, domain name, DNS name, routing information, phone number, etc.). …the signature also may include network information associated with one or more network devices coupled to the network. [¶ 0037], assign a network identifier to each network signature. Specifically, each signature may be assigned a network identifier. …The network identifier allows identical networks to be grouped and be treated as a same cluster. [Fig. 3, ¶¶ 0040-0042], identifying one or more networks, where each network is associated with one or more network devices…determining one or more properties associated with a network and any one of the network devices…creates a unique signature based on the one or more properties. Since Siegmund teaches specifying a corresponding signature for each network, given the broadest reasonable interpretation, Examiner interprets each signature as distinguishing a set of systems from any other set of systems of other networks).

Regarding Claim 3, Teo teaches the method of claim 1, wherein determining the first frequency comprises: for each system of the first set of systems and corresponding one of the responses to the first requests, determining if the response to the request satisfies a criterion corresponding to a type of the identifying element; and determining the first frequency based, at least in part, on determining a frequency with which the responses to the first requests satisfied the criterion ([¶ 0049], the external data sources generate data streams that are destined to be received by one or more of the protected nodes. The protected nodes may respond to a data stream. The protected nodes may also initiate connections to the external data sources. Response System monitor and analyze the data streams between the internal nodes and the external data sources. [¶ 0050], For example, the collection of external data sources could refer to the computer systems connected to the Internet, while the collection of internal protected nodes could refer to the machines in an internal network of an organization. [¶ 0066], evaluating data streams [i.e., response to the request], determines which data stream connections originate from external data sources and which are initiated by the internal protected nodes [i.e., the first set of systems]. … studies the IP addresses [i.e., a criterion corresponding to a type of the identifying element] that it encounters and determines which are from the Internet (external IP addresses) and which belong to the internal network … study the pattern of the IP addresses that encounters. [¶ 0069] The IP addresses of the nodes in the internal network are encountered often, while the IP addresses on the Internet would appear more "random.").

Regarding Claim 4, Teo teaches the method of claim 1, wherein determining the second frequency comprises: for each system of the second set of systems and corresponding one of the responses to the second requests, determining if the response satisfies a criterion corresponding to a type of the identifying element; and determining the second frequency based, at least in part, on determining a frequency with which the responses to the second requests satisfied the criterion ([¶ 0066], evaluating data streams [i.e., response to the request], determines which data stream connections originate from external data sources [i.e., the second set of systems] and which are initiated by the internal protected nodes. … studies the IP addresses [i.e., a criterion corresponding to a type of the identifying element] that it encounters and determines which are from the Internet (external IP addresses) and which belong to the internal network … study the pattern of the IP addresses that encounters. [¶ 0069] The IP addresses of the nodes in the internal network are encountered often, while the IP addresses on the Internet would appear more "random.").

Regarding Claim 9, Teo in view of Tong do not explicitly teach, however, Siegmund teaches the method of claim 1, wherein determining the set of identifying elements comprises determining each of the at least one of the configuration data and the set of data and combinations of each of the at least one of the configuration data and the set of data, and wherein each identifying element of the set of identifying elements comprises one of the at least one of the configuration data and the set of data or one of the combinations of data ([Fig. 3A, ¶¶  0039-0040], disclose process 300 for creating a signature. The process 300 begins with identifying one or more networks [i.e., set of network data], where each network is associated with one or more network devices [i.e., combination of each set of network device data]. [¶ 0041], Determining one or more properties [i.e., set of network elements] associated with a network and any one of the network devices. The one or more properties may include, without limitation, network IP address, network mask, gateway MAC address, connection name, network profile, domain name [i.e. publicly available information], other network setting information, device information and the like.).
A person having ordinary skill in the art before the effective filing date of the claimed invention would have incorporated Siegmund's system of generating a network signature with Teo’s dynamically learning network environments and Tong’s identifying a particular data set, because it would have allowed for application of a known technique for improvement to yield the predictable result of identifying network properties from a set of networks, where each network is associated with one or more network devices, without requiring significant modifications to Teo’s and Tong’s disclosures outside the scope of one having ordinary skill in the art before the effective filing date of the claimed invention.

Regarding Claim 10, Teo teaches one or more non-transitory machine readable media comprising program code (¶0038). The rest of the claim limitations are identical and/or equivalent in scope to claim 1, therefore, rejected under same rationale.  
Regarding Claim 11, the claim limitations are identical and/or equivalent in scope to claim 9, therefore, rejected under same rationale.
Regarding Claim 12, the claim limitations are identical and/or equivalent in scope to claims 3 and 4, therefore, rejected under same rationale.
Regarding Claim 15, Teo teaches an apparatus comprising: a processor; and a computer-readable medium having instructions stored thereon that are executable by the processor to cause the apparatus to,… (¶¶ 0035-0038). The rest of the claim limitations are identical and/or equivalent in scope to claim 1, therefore, rejected under same rationale.
Regarding Claims 16-18, the claim limitations are identical and/or equivalent in scope to claims 3, 4 and 9, respectively, therefore, rejected under same rationale.

Claims 5, 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Teo in view of Tong and Siegmund, further in view of US Patent No. 9633205 (Guan).

Regarding Claim 5, Teo teaches the method of claim 1, wherein determining that the identifying element is associated with the first set of systems at a greater frequency than with the second set of systems ([¶ 0069] The IP addresses of the nodes in the internal network are encountered often, while the IP addresses on the Internet would appear more "random."), however, Teo in view of Tong and Siegmund do not explicitly teach, but Guan teaches determining at least one of that the first frequency is greater than the second frequency, that the first frequency exceeds a first threshold, and that the second frequency does not exceed a second threshold ([C 4: L 46-50], calculating the ratio of the quantity of first samples containing the text string to the total quantity of first samples in the first sample set, and using the calculated ratio as the second frequency of the text string in the first sample set. [C 4: L 65- C 5: L 3], the text strings with a first frequency [i.e. the second frequency] not exceeding a preset first frequency threshold [i.e. the second threshold] and a second frequency [i.e., the first frequency] exceeding a preset second frequency threshold [i.e. the first frequency] may be selected from the obtained text strings; and the selected text strings are determined to be the virus signature candidates).
NOTE: Although Guan determines virus signature candidates, Examiner relies on Guan only to teach generally comparing indicators to each other and to thresholds to ensure uniqueness of the indicators. They are compared to each other to ensure they are unique to a particular data set (more common in one than the other) and compared to thresholds to ensure they are sufficiently representative (common in one data set and uncommon in the other).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Teo’s pattern study, Tong’s malware pattern set detection and Siegmund’s generating of a network signature with the teachings of Guan’s determining of a virus signature, by comparing a first frequency of a text string occurring in a non-virus sample with a threshold and a second frequency of a text string occurring in a virus sample with another threshold and, if the frequency of the text string occurring in a non-virus sample is below a threshold and the frequency of the text string occurring in a virus sample is above the other threshold, then determining the text string to be a virus signature as taught by Guan, because comparing frequency based on a predetermined threshold would allow identifying indicators that can be used to distinguish different data sets from each other (e.g., a fingerprint of the data set).

Regarding Claims 13 and 14, the claim limitations are identical and/or equivalent in scope to claim 5, therefore, rejected under same rationale.

Claims 6 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Teo in view of Tong and Siegmund, further in view of US 2013/0007882 (Devarajan et al.).

Regarding Claim 6, as aforementioned, Teo teaches the method of claim 1 further comprising, based on determining that the identifying element is associated with the first set of systems connected to the first network at a greater frequency than with the second set of systems, however, Teo in view of Tong and Siegmund do not teach, but Devarajan teaches calculating a score of the identifying element based, at least in part, on the first frequency and the second frequency ([¶ 0058], the server calculates the reputation score, by determining a quantity of event signature matches associated with each of a plurality of network resource addresses, sequencing each of the plurality of network resource addresses, grouping the quantity of event signature matches according to a common quantity of event signature matches, generating a rolling count for each grouping of the common quantity of event signature matches, assigning a percentile score to each of the quantity of event signature matches according to the rolling count, and assigning the percentile score assigned to the quantity of event signature matches associated with the network resource address as the reputation score for the network resource address).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Teo, Tong and Siegmund in order to assign a percentile score to the quantity of event signature matches as taught by Devarajan, because it would have been a predictable variation of analyzing client data to determine whether the client device data is from a known device.

Regarding Claim 19, the claim limitations are identical and/or equivalent in scope to claim 6, therefore, rejected under same rationale.

Claims 7 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Teo in view of Tong, Siegmund and Devarajan, further in view of US 2014/0283061 (Quinlan et al.).

Regarding Claim 7, Teo in view of Tong, Siegmund and Devarajan do not explicitly teach, however, Quinlan teaches the method of claim 6 further comprising, determining a rank of the identifying element based, at least in part, on the score of the identifying element, wherein indicating that the identifying element is a fingerprint of the first network comprises determining that the rank satisfies a third threshold ([¶ 0042] … each data item is associated with a different importance ranking such that those data items determined to be of higher importance are data items that are more likely to uniquely identify attacker device while those data items determined to be of lower importance are less likely to uniquely identify attacker. Fingerprint module may refrain from generating a fingerprint for attacker device until either the number of data items and corresponding data values associated with attacker device satisfy a threshold number or the combined importance ranking satisfies a threshold total importance ranking).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the references in order to determine that the collected data items are a fingerprint based on importance ranking and scores of the rank of the data as taught by Quinlan, because it would allow device data to be uniquely identified.

Regarding Claim 20, the claim limitations are identical and/or equivalent in scope to claim 7, therefore, rejected under same rationale.

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Teo in view of Tong and Siegmund, further in view of US 2010/0315975 (Arkin).

Regarding Claim 8, Teo in view of Tong and Siegmund do not explicitly teach, however, Arkin teaches the method of claim 1 further comprising obtaining the set of data of the first network based, at least in part, on querying each system of the first set of systems ([¶ 0012], obtaining address data characterizing a network address …querying all known connecting nodes and generating a port dataset representing all ports thereof which have registered address data characterizing the network address of a discovered new node).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Teo, Tong and Siegmund in order to query all nodes to obtain datasets as taught by Arkin, because it would have been a predictable variation of obtaining data from all systems in a network.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMAD YOUSUF A MIAN whose telephone number is (571)272-9206. The examiner can normally be reached Monday-Friday 9am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, UMAR CHEEMA can be reached on 571-270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
/LANCE LEONARD BARRY/Primary Examiner, Art Unit 2448

/MOHAMMAD YOUSUF A. MIAN/Examiner, Art Unit 2448