DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office correspondence is in response to the amendment filed on November 24, 2025. Claims 1, 13, 15, and 20 are amended. Claim 19 is canceled. Claim 21 is newly added.
Claims 1-18, and 20-21 are pending.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/11/2025 was filed after the mailing date of the instant application on 03/21/2024. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Response to Arguments
Applicant’s arguments with respect to the claims as amended on 11/24/2025 have been considered but are moot because of the new ground of rejection.
The instant application discloses identifying traffic direction in network traffic logs by obtaining the plurality of data logs and determining the traffic direction and the communication between two machines. Similarly, prior art Sanghavi discloses devices for blocking, detecting, and/or preventing malicious traffic. The network device obtains a set of rules that specify match criteria that include source network addresses and destination network addresses associated with packets. The routing devices include one or more network devices (server or client machines) capable of processing and/or transferring traffic information. The network device receives the traffic from the forwarding component and compares the source network address, the destination network address, the source identifier, and/or the destination identifier of the traffic to the information associated with the blacklisted domain identifiers as stored in the data structure. The network device may evaluate the source and/or destination network addresses and/or the source and/or destination identifiers according to predefined rules or criteria, and perform an action based on the rules and/or satisfaction of the criteria. The criteria by which the security device analyzes incoming traffic for determining matches to blacklisted domains and/or network addresses of devices hosting the blacklisted domains may include, for example, the list of network addresses corresponding to the blacklisted domains, source identifiers, destination identifiers, and/or the like, contained in the data structure.
Where a source network address, a destination network address, and/or a source or destination identifier of incoming traffic matches the information stored in the data structure, an action may be performed, such as allowing the traffic to be routed to the intended destination server device hosting a webpage, routing (e.g., redirecting) the traffic to a custom network address (e.g., a custom webpage), routing the traffic to a sinkhole server, resetting the connection, etc. Additionally, the device may redirect the traffic to the server associated with the selected server identifier. In this way, the traffic may be redirected to the server that is closest to the source of the traffic, which may be the best equipped to log, report, and/or perform preventative actions on the traffic.
Pereira discloses identifying malicious domain data using network traffic data logs: determining a first domain name identifier in a set of domain name identifiers as malicious, determining a first IP address associated with the first domain name identifier, and determining first virtual private cloud (VPC) flow log data that corresponds to historical network traffic associated with the first IP address. Furthermore, Pereira discloses determining second VPC flow log data that corresponds to historical network traffic associated with a second IP address that is non-malicious, determining, using the first VPC flow log data and the second VPC flow log data, that the first VPC flow log data is non-malicious, and determining that the first domain name identifier is non-malicious. Security detection systems continuously monitor for malicious behavior from either the server machines or the client machines and are used to detect threats and to prevent unauthorized access to computer systems, data, and other digital information. The system may determine domain names that are associated with a malware command and control server, and may identify network traffic associated with the malware command and control server to determine any traffic patterns or behaviors that can be classified or identified. In some embodiments, if network activity or data flow is determined to be associated with a malware command and control server, the patterns that may be identified include TCP/UDP port numbers, packet sizes, number of packets, overall number of bytes in a single traffic flow or TCP session, and/or other metrics. Threat intelligence data identifies which server/client machines have malicious domains, domain identifiers, known threat identifiers, IP addresses that are malicious, virus signatures, malware file data, URLs, and/or other threat intelligence, so the system may take appropriate remedial action, such as flagging the traffic for manual review, preventing or blocking the traffic, and the like.
Furthermore, as it is Applicant's right to continue to claim their invention as broadly as possible, it is also the Examiner's right to continue to interpret the claim language as broadly as possible. It is the Examiner's position that the detailed functionality that allows Applicant’s invention to overcome the prior art used in the rejection fails to differentiate in detail how these features are unique. In view of the rejection above, Applicant must submit amendments to the claims in order to distinguish over the prior art used in the rejection, which discloses different features of Applicant's claimed invention.
Applicant has not yet submitted claims drawn to limitations that distinguish over the prior art, nor significantly narrowed the definition/scope of the claims and supplied arguments commensurate in scope with the claims; this implies that Applicant intends a broad interpretation to be given to the claims. It is requested that Applicant clearly and distinctly define the claimed invention.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over SANGHAVI et al. (US Publication 2021/0136075), in view of Pereira et al. (US Patent 10,924,503) hereafter Pereira, in further view of Shaik et al. (US Publication 2024/0106867) hereafter Shaik.
As per claim 1, SANGHAVI discloses a method for determining traffic direction for a plurality of data logs, comprising: obtaining the plurality of data logs associated with a cloud network, wherein each of the plurality of data logs are associated with communications between machines associated with the cloud network and indicate a source internet protocol (IP) address, a destination IP address, a source port, and a destination port, wherein the machines comprise one or more server machines and one or more client machines (paragraphs 0024, 0027, 0034, 0036: logging actions on the traffic); determining a frequency of the source IP addresses and the destination IP addresses and/or ports associated with the source IP addresses and the destination IP addresses within the plurality of data logs (paragraphs 0016, 0044-45: count of the DNS satisfies the threshold to identify malicious traffic); and determining the traffic direction associated with the plurality of data logs based on the frequency of the source IP addresses and the destination IP addresses and/or the ports, wherein the traffic direction indicates one or more server machines and client machines (paragraphs 0051-54, 0119: determine traffic direction based on count to prevent malicious traffic). Although SANGHAVI discloses a set of rules that specify match criteria and detecting and blocking malicious traffic, it fails to expressly disclose determining a frequency of the source IP addresses and the destination IP addresses and/or ports.
However, in the same field of endeavors, Pereira expressly discloses the claimed limitation of determining a frequency of the source IP addresses and the destination IP addresses and/or ports (12:52-13:26; 14:33-52).
Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Pereira’s teaching with SANGHAVI. One would be motivated to secure the cloud network to prevent any abnormal and/or malicious traffic by isolating the target to reduce attacks and error effectiveness.
Although SANGHAVI-Pereira disclose a DNS request that can be associated with a malicious identifier and trying to access a device in the network, they fail to expressly disclose wherein the one or more client machines request services from the one or more server machines and the one or more server machines provide the services to the one or more client machines; and the traffic direction does not indicate a direction of data flow associated with the plurality of data logs between the machines and instead indicates which of the machines are the one or more server machines and which of the machines are the one or more client machines.
However, in the same field of endeavor, Shaik expressly discloses the claimed limitation of wherein the one or more client machines request services from the one or more server machines and the one or more server machines provide the services to the one or more client machines (paragraphs 0043, 0094-95); and the traffic direction does not indicate a direction of data flow associated with the plurality of data logs between the machines and instead indicates which of the machines are the one or more server machines and which of the machines are the one or more client machines (0069, 0092-94).
Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Shaik’s teaching of security rule updates based on a change in the network data with the teachings of SANGHAVI-Pereira. One would be motivated to have periodic service requests from machines to update traffic logs to optimize load balancing for any communications between client and server.
As per claim 2, SANGHAVI discloses the method further comprising: determining one or more traffic rules based on the determined traffic direction, wherein the one or more traffic rules indicate communication restrictions to the one or more server machines; and applying the one or more traffic rules to restrict communications to the one or more server machines (paragraphs 0022, 0052, 0119).
As per claim 3, SANGHAVI discloses the method wherein applying the one or more traffic rules comprises: blocking communications from a new client machine to the one or more server machines based on the one or more traffic rules and an IP address for the new client machine (paragraphs 0044-45, 0052, 0119).
As per claim 4, SANGHAVI discloses the method further comprising: determining explicit information within a first subset of the plurality of data logs, and wherein determining the traffic direction comprises: determining the traffic direction for the first subset of the plurality of data logs based on the explicit information (0015-18, 0025, 0031); and determining the traffic direction for a second subset of the plurality of data logs based on the frequency of the source IP addresses and the destination IP addresses within the plurality of data logs (paragraphs 0051-54, 0119). Although SANGHAVI discloses a set of rules that specify match criteria and detecting and blocking malicious traffic, it fails to expressly disclose data logs based on the frequency of the source IP addresses and the destination IP addresses within the plurality of data logs.
However, in the same field of endeavors, Pereira expressly discloses the claimed limitation of data logs based on the frequency of the source IP addresses and the destination IP addresses within the plurality of data logs (12:52-13:26; 14:33-52).
The same motivation that was utilized in the combination of claim 1 applies equally as well to claim 4.
As per claim 5, SANGHAVI discloses the method wherein the explicit information indicates one or more specific ports that are used by the server machines, and wherein determining the traffic direction for the first subset of the plurality of data logs comprises: comparing the source ports and the destination ports within the plurality of data logs with the one or more specific ports that are used by the server machines; and assigning the machines associated with the source IP addresses or the destination IP addresses as the server machines based on the comparison (paragraphs 0018-19, 0028-29).
As per claim 6, SANGHAVI discloses the method wherein each of the plurality of data logs further comprises a flag field, wherein the explicit information indicates one or more flags that identifies the machines as the server machines, and wherein determining the traffic direction for the first subset of the plurality of data logs comprises: comparing the flag field within the plurality of data logs with the one or more flags that identifies the machines as the server machines; and assigning the machines associated with the source IP addresses or the destination IP addresses as the server machines based on the comparison (paragraphs 0024-25, 0041-43).
As per claim 7, SANGHAVI discloses the method wherein the source IP addresses and the destination IP addresses comprise a plurality of different IP addresses within the plurality of data logs, and wherein determining the frequency and/or the ports within the plurality of data logs comprises: generating first data structures for each of the plurality of different IP addresses and/or port combinations, wherein each of the first data structures indicates a number of instances a particular machine associated with a particular IP address, from the plurality of different IP addresses, appears within the plurality of data logs (paragraphs 0044-45, 0052, 0119); and generating second data structures for each of the plurality of different IP addresses, wherein each of the second data structures indicates IP addresses and ports of a plurality of machines that the particular machine communicated with within the plurality of data logs (paragraphs 0051-54, 0119).
As per claim 8, SANGHAVI discloses the method wherein each of the first data structures comprises a counter indicating the number of instances that the particular machine appears within the plurality of data logs, and wherein determining the frequency and/or ports within the plurality of data logs further comprises: incrementing the counter by one each time the particular IP address and/or port combination appears within the plurality of data logs (paragraphs 0052-53, 0119).
As per claim 9, SANGHAVI discloses the method wherein determining the frequency and/or ports within the plurality of data logs further comprises: determining whether the particular machine identified by the particular IP address and/or port combination has previously been identified as a server machine or a client machine, and wherein incrementing the counter is based on determining whether the particular machine identified by the particular IP address and/or port combination has previously been identified as the server machine or the client machine (paragraphs 0044-45, 0053, 0119).
As per claim 10, SANGHAVI discloses the method wherein determining the frequency and/or the ports within the plurality of data logs further comprises: determining that the particular IP address and/or port combination appears within a first data log and a second data log from the plurality of data logs; and updating the second data structure for the particular IP address and/or port combination to indicate other IP addresses and ports associated with the other IP addresses within the first data log and the second data log (paragraphs 0019-22, 0052-53).
As per claim 11, SANGHAVI discloses the method wherein determining the traffic direction associated with the plurality of data logs comprises: sorting the plurality of IP addresses and/or port combinations based on the first data structures; and determining the one or more server machines that expose the services based on the sorting (paragraphs 0016, 0052-53, 0135).
As per claim 12, SANGHAVI discloses the method wherein determining the one or more server machines comprises: determining, based on sorting the first data structures, a first IP address and/or port combination that most frequently appears within the plurality of data logs; and determining that a first machine associated with the first IP address and/or port combination is the server machine (paragraphs 0044-45, 0052, 0119).
As per claim 13, SANGHAVI discloses the method wherein determining the one or more server machines further comprises: determining, based on the second data structure associated with the first IP address and/or port combination, one or more second machines identified by second IP addresses and/or port combinations that communicated with the first machine; determining that the one or more second machines identified by the second IP address and/or port combinations are the client machines; and deleting the first data structures and the second data structures associated with the second IP addresses and/or ports combinations (paragraphs 0044-45, 0052-53, 0119).
As per claim 14, SANGHAVI discloses the method wherein determining the one or more server machines further comprises: subsequent to deleting the first data structures and the second data structures associated with the one or more second machines, determining, based on the remaining first data structures, a third IP address and/or port combination that now most frequently appears within the plurality of data logs; and determining that a third machine associated with the third IP address and/or port combination is the server machine (paragraphs 0044-45, 0052, 0119).
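The procedure recited in claims 7 through 14 (one counter per IP/port combination, a second structure recording the peers each combination communicated with, sorting by count, taking the most frequent combination as a server, labelling its peers as clients, deleting their structures, and repeating on what remains) is shown below as an added Python example written for this page; it is not code from the application or from any of the cited references. The log format, addresses and ports are constructed for the example, and the field names `src`, `dst`, `sport`, `dport` are an assumption about how such logs might be laid out.

```python
"""Infer which endpoints in a set of flow logs act as servers and which act as
clients, using only how often each (IP, port) combination appears.

Added example, not code from the application or the cited references. The
key=value log format and all addresses below are constructed for the example.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)

# Constructed sample: two clients reach a web service on 10.0.0.5:443 from
# ephemeral ports, two clients query DNS on 10.0.0.53:53, and one flow is
# logged in the server->client direction, so packet direction is not role.
SAMPLE_LOGS = """\
src=10.0.1.10 dst=10.0.0.5 sport=51000 dport=443
src=10.0.1.10 dst=10.0.0.5 sport=51001 dport=443
src=10.0.1.11 dst=10.0.0.5 sport=40222 dport=443
src=10.0.0.5 dst=10.0.1.11 sport=443 dport=40223
src=10.0.1.10 dst=10.0.0.53 sport=52000 dport=53
src=10.0.1.12 dst=10.0.0.53 sport=52001 dport=53
"""


def parse_logs(text: str) -> List[Tuple[Endpoint, Endpoint]]:
    """Turn each key=value line into a (source, destination) endpoint pair."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        src = (fields["src"], int(fields["sport"]))
        dst = (fields["dst"], int(fields["dport"]))
        flows.append((src, dst))
    return flows


def build_structures(flows):
    """First structures: how many logs each (IP, port) combination appears in.
    Second structures: the (IP, port) endpoints each combination talked to."""
    counts: Counter = Counter()
    peers: Dict[Endpoint, Set[Endpoint]] = defaultdict(set)
    for src, dst in flows:
        counts[src] += 1
        counts[dst] += 1
        peers[src].add(dst)
        peers[dst].add(src)
    return counts, peers


def infer_roles(flows) -> Tuple[Set[Endpoint], Set[Endpoint]]:
    """Repeatedly take the most frequent remaining combination as a server,
    label every endpoint it communicated with as a client, delete those
    clients' structures, and continue until no combinations remain."""
    counts, peers = build_structures(flows)
    servers: Set[Endpoint] = set()
    clients: Set[Endpoint] = set()
    while counts:
        # Highest count wins; ties are broken by address so runs are repeatable.
        server = max(counts, key=lambda ep: (counts[ep], ep))
        servers.add(server)
        del counts[server]
        for client in peers.pop(server, set()):
            if client in servers:
                continue  # a server talking to another server stays a server
            clients.add(client)
            counts.pop(client, None)  # delete the client's first structure
            peers.pop(client, None)   # and its second structure
    return servers, clients


def server_machines(flows) -> Set[str]:
    """Collapse server (IP, port) combinations to the set of server IP addresses."""
    servers, _ = infer_roles(flows)
    return {ip for ip, _port in servers}


if __name__ == "__main__":
    flows = parse_logs(SAMPLE_LOGS)
    servers, clients = infer_roles(flows)
    print("servers:", sorted(servers))
    print("clients:", sorted(clients))
```

The fourth sample line, logged with 10.0.0.5:443 as the source, still ends up on the server side, which is the point the rejection draws from Shaik: the inferred role is independent of which machine sent the packet in any one log. On real logs the counting step would normally be preceded by the explicit-information pass of claims 4 through 6 (well-known ports or flag fields), with the frequency method applied only to logs that pass lacks a label for.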
Claim 15 is an independent claim with similar limitations but a different preamble and hence is rejected based on the rejection provided for claim 1.
Claims 16-18 recite all the same elements as claims 2-4 respectively. Therefore, the supporting rationales of the rejection of claims 2-5 apply equally as well to claims 16-19 respectively.
Claim 20 is an independent claim with similar limitations but a different preamble and hence is rejected based on the rejection provided for claim 1.
As per claim 21, SANGHAVI-Pereira disclose the claimed limitations above; however, in the same field of endeavor, Shaik expressly discloses the claimed limitation of wherein a first data log of the plurality of data logs indicates a first source machine that provides a first data packet to a first destination machine and a second data log of the plurality of data logs indicates a second source machine that provides a second data packet to a second destination machine (paragraphs 0072, 0094-95, 119), wherein determining the traffic direction for the first data log comprises determining that the first source machine is a first client machine from the one or more client machines and the destination machine is a first server machine from the one or more server machines (0069, 0092-94, 110), and wherein determining the traffic direction for the second data log comprises determining that the second source machine is a second server machine from the one or more server machines and the second destination machine is a second client machine from the one or more client machines (0069, 0092-94, 119).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FARZANA B HUQ whose telephone number is (571)270-3223. The examiner can normally be reached Monday - Friday: 8:30-5:30 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Emmanuel L Moise can be reached at 571-272-3865. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/FARZANA B HUQ/Primary Examiner, Art Unit 2455