Prosecution Insights
Last updated: April 19, 2026
Application No. 18/630,896

TREATING DATA FLOWS DIFFERENTLY BASED ON LEVEL OF INTEREST

Status: Final Rejection (§102, §103, §112, §DP)
Filed: Apr 09, 2024
Examiner: HERZOG, MADHURI R
Art Unit: 2438
Tech Center: 2400 (Computer Networks)
Assignee: Darktrace Holdings Limited
OA Round: 2 (Final)

Outlook
Grant probability: 78% (Favorable)
Expected OA rounds: 3-4
Time to grant: 3y 1m
Grant probability with interview: 90%

Examiner Intelligence

Career allow rate: 78% (516 granted / 662 resolved), +19.9% vs TC avg (grants above average)
Interview lift: +11.9% on resolved cases with interview (moderate, about +12% lift with vs. without)
Typical timeline: 3y 1m average prosecution; 35 currently pending
Career history: 697 total applications across all art units

Statute-Specific Performance (black line in the original chart = Tech Center average estimate; based on career data from 662 resolved cases)

§101: 12.4% (-27.6% vs TC avg)
§103: 45.7% (+5.7% vs TC avg)
§102: 13.0% (-27.0% vs TC avg)
§112: 17.0% (-23.0% vs TC avg)

Office Action

§102 §103 §112 §DP
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The following is a Final Office action in response to communications received 12/02/2025.

Response to Amendment

Claims 21 and 31-37 have been amended. Claims 21-37 have been examined.

The rejection of claims 31-38 under 35 U.S.C. 101 is withdrawn in light of the applicant's amendments to the claims.

The rejection of claim 37 under 35 U.S.C. 112 is withdrawn in light of the applicant's amendments to the claim.

Applicant's arguments filed regarding the rejection of claim 31 under 35 U.S.C. 112 have been fully considered but they are not persuasive. As per the applicant's arguments that the amendments made to the claim overcome the rejection, the examiner respectfully disagrees. The amendments made to claim 31 do not resolve the issue of omitting essential steps. The amendments recite that an interest level in a connection is based on the likelihood of the connection being anomalous in context of historic behavior of a device associated with the connection, but they fail to resolve the issue of the purpose of determining the interest level in the connection. As stated in the previous office action, the interest level determines whether a connection is analyzed by the deep packet inspection engine or redirected away from it. Therefore, the step of determining what happens to the connection based on the interest level is essential to the claim.

Applicant's arguments filed regarding claim 21 have been fully considered but they are not persuasive.
As per the applicant's arguments that prior art of record Venkatramani does not teach the new limitations, "determining an interest level in a connection by at least conducting a comparison of features of the connection to a set of interest criteria in which the interest level is based on the connection being anomalous in context of historic behavior of a device associated with the connection or peer group behavior for the device, wherein the interest level is used in determining routing of one or more data packets associated with the connection", the examiner respectfully disagrees. Venkatramani teaches:

(Venkatramani: [0007] In still another embodiment, the connection information includes the attributes of: user name initiating the communication, identification of the user device, etc. [0136] The collector application gathers the connectivity records from all connectivity and application execution sensors and normalizes them with the context information and stores the records in the connection and application execution monitoring database. [0138] The process receives (504) context information from one or more directory servers. As discussed further above, context information can include identity information about the entity involved with the activity data and/or information about files accessed. The process combines (506) context information with the received activity data to generate an activity record. In many embodiments, this provides that the actual end points (e.g., user, user account, device) are known for connections, i.e., the historical connections (historical behavior) of a device are collected. [0139] When the security application is in a learning period or mode, a set of baseline signatures (connection lineage signatures and/or application execution signatures) is built from incoming activity records (e.g., session records and/or application execution records). In many embodiments, the set of baseline signatures is built by counting (e.g., keeping a running count) of incoming records that match in a number of attributes, i.e., a baseline signature is based on a device's historical behavior. [0144] When the security application is in a detection period or mode, incoming records are compared against a set of baseline signatures stored in the signature database. [0145] The incoming activity record(s) are compared (528) against the set of baseline signatures. An exact or close match (e.g., by a distance measure or difference in number of attributes as discussed further above) to one or more baseline signatures can be considered a normal or acceptable behavior. Larger deviations from matching the baseline signatures can indicate an anomalous condition.)

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.
For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.

Claims 21-38 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 11997113 in view of prior art of record US 20170163666 to Venkatramani et al (hereinafter Venkatramani). The claims of the instant application are compared against the claims of U.S. Patent No. 11997113 below.

Instant application:

21. (New) A method for a cyber threat defense system to differentiate between data flows, comprising: determining an interest level in a connection by at least conducting a comparison of features of the connection to a set of interest criteria in which the interest level is based on the connection being anomalous in context of historic behavior of a device associated with the connection or peer group behavior for the device, wherein the interest level is used in determining routing of one or more data packets associated with the connection; analyzing, by a deep packet inspection engine, one or more data packets of the connection for cyber threats in response to the interest classifier indicates a first interest level; and redirecting the one or more data packets of the connection away from the deep packet inspection engine without processing of the one or more data packets by the deep packet inspection engine in response to the interest classifier indicates a second interest level less than the first interest level.

22. (New) The method for the cyber threat defense system of claim 21, wherein the second interest level represents no interest in the connection.

25. (New) The method for the cyber threat defense system of claim 21 further comprising: identifying at least one dropped packet in the connection operating as a passthrough connection by the deep packet inspection engine; and shunting the passthrough connection with the dropped packet away from the deep packet inspection engine.

27. (New) The method for the cyber threat defense system of claim 21 further comprising: monitoring at least one of a connection length and a payload size associated with the connection associated with the redirecting of the one or more packets.

28. (New) The method for the cyber threat defense system of claim 21, further comprising: reconnecting the connection to the deep packet inspection engine upon detection by an analyzer module of an anomalous event at a first device in a client network being a destination for the one or more data packets; and adjusting the set of interest criteria based on the anomalous event.

29. (New) The method for the cyber threat defense system of claim 21 further comprising: severing the connection upon detection by an analyzer module of an anomalous event at a first device in a client network being a destination for the one or more data packets.

30. (New) A non-transitory computer readable medium comprising computer readable code operable, when executed by one or more processing apparatuses in the cyber threat defense system to instruct a computing device to perform the method of claim 21.

31. (New) A cyber threat defense system, comprising: one or more processors; and a non-transitory computer readable medium accessible by the one or more processors, the non-transitory computer readable medium includes a tracker manager module that comprises a classifier module that, when executed by the one or more processors, is configured to (i) to compare features of a connection to a set of interest criteria to determine an interest level by the cyber threat defense system in the connection in which the interest level corresponding to a likelihood of the connection being anomalous in context of historic behavior of a device associated with the connection or peer group behavior for the device and (ii) apply an interest classifier describing the interest level to the connection based on the comparison, a deep packet inspection engine stored in the non-transitory computer readable medium, the deep packet inspection engine is configured to identify a dropped packet in a passthrough connection; and a diverter being software stored in the non-transitory computer readable medium, the diverter is configured to shunt the passthrough connection with the dropped packet away from the deep packet inspection engine.

32. (New) The traffic manager module of claim 31, wherein the deep packet inspection engine is further configured to examine the one or more data packets of the connection for cyber threats if the interest classifier indicates a first interest level.

33. (New) The traffic manager module of claim 32, wherein the diverter is further configured to shunt the one or more data packets of the connection away from the deep packet inspection engine.

34. (New) The traffic manager module of claim 31, wherein the classifier module is further configured to adjust the set of interest criteria based on a set of host parameters for a client network.

35. (New) The traffic manager module of claim 34, wherein the set of host parameters are at least one of storage capacity, processing capacity, and network bandwidth.

36. (New) The traffic manager module of claim 31, wherein the deep packet inspection engine is configured to collect a packet capture of the one or more data packets for the connection.

37. (New) The traffic manager module of claim 36 further comprising: an offload module configured to (i) send the packet capture to a cloud storage system and (ii) set an expiration date for the packet capture in the cloud storage system indicating when the packet capture can be overwritten.

38. (New) The traffic manager module of claim 31 being located at least one of a host-based agent, a virtualized sensor installed on a hypervisor, a centralized physical appliance, and a centralized cloud appliance.

U.S. Patent No. 11997113:

1. A method for a cyber threat defense system to differentiate between data flows, comprising: registering, at a traffic manager module of the cyber threat defense system, a connection between one or more devices within a client network to transfer a series of one or more data packets; executing a comparison of features of the connection to a set of interest criteria to determine an interest level for the cyber threat defense system in the connection; applying an interest classifier describing the interest level to the connection based on the comparison; passing the one or more data packets of the connection to a deep packet inspection engine for further examination for cyber threats if the interest classifier indicates interest; shunting the one or more data packets of the connection away from the deep packet inspection engine if the interest classifier indicates no interest; identifying a dropped packet in a passthrough connection being processed by the deep packet inspection engine; and shunting the passthrough connection with the dropped packet away from the deep packet inspection engine.

3. The method for the cyber threat defense system of claim 1, further comprising: monitoring at least one of a connection length and a payload size for a shunted connection.

5. The method for the cyber threat defense system of claim 1, further comprising: reconnecting a shunted connection to the deep packet inspection engine upon detection by an analyzer module of an anomalous event at a first device in the client network; and adjusting the set of interest criteria based on the anomalous event.

6. The method for the cyber threat defense system of claim 5, further comprising: severing the connection upon detection by the analyzer module of the anomalous event at the first device in the client network.

8. A non-transitory computer readable medium comprising computer readable code operable, when executed by one or more processing apparatuses in the cyber threat defense system to instruct a computing device to perform the method of claim 1.

9. A traffic manager module for a cyber threat defense system, comprising: a registration module stored in a non-transitory computer readable medium, the registration module is configured, when executed by a processor, to register a connection between one or more devices within a client network to transmit a series of one or more data packets; a classifier module stored in the non-transitory computer readable medium, the classifier module is configured, when executed, to compare to execute a comparison of features of the connection to a set of interest criteria to determine an interest level for the cyber threat defense system in the connection and to apply an interest classifier describing the interest level to the connection based on the comparison; a deep packet inspection engine stored in the non-transitory computer readable medium, the deep packet inspection engine is configured to (ii) examine the one or more data packets of the connection for cyber threats if the interest classifier indicates interest and (ii) identify a dropped packet in a passthrough connection; and a diverter stored in the non-transitory computer readable medium, the diverter is configured to shunt (i) the one or more data packets of the connection away from the deep packet inspection engine and (ii) the passthrough connection with the dropped packet away from the deep packet inspection engine.

10. The traffic manager module of claim 9, wherein the classifier module is further configured to adjust the set of interest criteria based on a set of host parameters for the client network.

11. The traffic manager module of claim 10, wherein the set of host parameters are at least one of storage capacity, processing capacity, and network bandwidth.

12. The traffic manager module of claim 9, wherein the deep packet inspection engine is configured to collect a packet capture of the one or more data packets for the connection.

13. The traffic manager module of claim 12, wherein further comprising: an offload module configured to send the packet capture to a cloud storage system.

14. The traffic manager module of claim 13, wherein the offload module is configured to: set an expiration date for the packet capture in the cloud storage system indicating when the packet capture should be overwritten.

15. The traffic manager module of claim 4, wherein the traffic manager module is located at least one of a host-based agent, a virtualized sensor installed on a hypervisor, a centralized physical appliance, and a centralized cloud appliance.

U.S. Patent No. 11997113 does not teach: the interest level is based on the connection being anomalous in context of historic behavior of a device associated with the connection or peer group behavior for the device, wherein the interest level is used in determining routing of one or more data packets associated with the connection.
However, Venkatramani teaches: the interest level is based on the connection being anomalous in context of historic behavior of a device associated with the connection or peer group behavior for the device, wherein the interest level is used in determining routing of one or more data packets associated with the connection (Venkatramani: [0007] In still another embodiment, the connection information includes the attributes of: user name initiating the communication, identification of the user device, etc. [0136] The collector application gathers the connectivity records from all connectivity and application execution sensors and normalizes them with the context information and stores the records in the connection and application execution monitoring database. [0138] The process receives (504) context information from one or more directory servers. As discussed further above, context information can include identity information about the entity involved with the activity data and/or information about files accessed. The process combines (506) context information with the received activity data to generate an activity record. In many embodiments, this provides that the actual end points (e.g., user, user account, device) are known for connections, i.e., the historical connections (historical behavior) of a device are collected. [0139] When the security application is in a learning period or mode, a set of baseline signatures (connection lineage signatures and/or application execution signatures) is built from incoming activity records (e.g., session records and/or application execution records). In many embodiments, the set of baseline signatures is built by counting (e.g., keeping a running count) of incoming records that match in a number of attributes, i.e., a baseline signature is based on a device's historical behavior. [0144] When the security application is in a detection period or mode, incoming records are compared against a set of baseline signatures stored in the signature database. [0145] The incoming activity record(s) are compared (528) against the set of baseline signatures. An exact or close match (e.g., by a distance measure or difference in number of attributes as discussed further above) to one or more baseline signatures can be considered a normal or acceptable behavior. Larger deviations from matching the baseline signatures can indicate an anomalous condition. [0152]).

Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Venkatramani in the invention of U.S. Patent No. 11997113 to include the above limitations. The motivation to do so would be to detect the vertical and horizontal propagation of the threat within an enterprise environment (Venkatramani: [0035]).

Claim Objections

Claim 21 is objected to because of the following informalities: claim 21 recites "in response to the interest classifier indicates a first interest level" and "in response to the interest classifier indicates a second interest level…" in the last 2 limitations instead of "in response to the interest classifier indicating a first interest level" and "in response to the interest classifier indicating a second interest level…". Appropriate correction is required.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 21 and 31 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claim 21 recites the limitation "the interest classifier" in line 10. There is insufficient antecedent basis for this limitation in the claim.

Claim 31 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being incomplete for omitting essential steps, such omission amounting to a gap between the steps. See MPEP § 2172.01. The omitted steps are: The claim omits limitations that show the purpose of determining an interest level in a connection. The interest level determines whether a connection is analyzed by the deep packet inspection engine or redirected away from it. Therefore, the step of reciting how the connection is treated based on the interest level is essential to the claim. Also, there is no relationship between determining an interest level in a connection described in the third paragraph of the claim and identifying a dropped packet in a passthrough connection and shunting it away from the deep packet inspection engine described in the next two paragraphs.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 21, 22, 29, and 30 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by prior art of record US 20170163666 to Venkatramani et al (hereinafter Venkatramani).

As per claim 21, Venkatramani teaches:

A method for a cyber threat defense system to differentiate between data flows, comprising:

determining an interest level in a connection by at least conducting a comparison of features of the connection to a set of interest criteria in which the interest level is based on the connection being anomalous in context of historic behavior of a device associated with the connection or peer group behavior for the device, wherein the interest level is used in determining routing of one or more data packets associated with the connection (Venkatramani: [0007] In still another embodiment, the connection information includes the attributes of: user name initiating the communication, identification of the user device, etc. [0136] The collector application gathers the connectivity records from all connectivity and application execution sensors and normalizes them with the context information and stores the records in the connection and application execution monitoring database. [0138] The process receives (504) context information from one or more directory servers. As discussed further above, context information can include identity information about the entity involved with the activity data and/or information about files accessed. The process combines (506) context information with the received activity data to generate an activity record. In many embodiments, this provides that the actual end points (e.g., user, user account, device) are known for connections, i.e., the historical connections (historical behavior) of a device are collected. [0139] When the security application is in a learning period or mode, a set of baseline signatures (connection lineage signatures and/or application execution signatures) is built from incoming activity records (e.g., session records and/or application execution records). In many embodiments, the set of baseline signatures is built by counting (e.g., keeping a running count) of incoming records that match in a number of attributes, i.e., a baseline signature is based on a device's historical behavior. [0144] When the security application is in a detection period or mode, incoming records are compared against a set of baseline signatures stored in the signature database. [0145] The incoming activity record(s) are compared (528) against the set of baseline signatures. An exact or close match (e.g., by a distance measure or difference in number of attributes as discussed further above) to one or more baseline signatures can be considered a normal or acceptable behavior. Larger deviations from matching the baseline signatures can indicate an anomalous condition. [0152]);

analyzing, by a deep packet inspection engine, one or more data packets of the connection for cyber threats in response to the interest classifier indicates a first interest level (Venkatramani: [0145] The incoming activity record(s) are compared (528) against the set of baseline signatures. An exact or close match (e.g., by a distance measure or difference in number of attributes as discussed further above) to one or more baseline signatures can be considered a normal or acceptable behavior. Larger deviations from matching the baseline signatures can indicate an anomalous condition. [0151]-[052]. [0040] The threat detection and response system can respond to detected threats by performing enforcement against connections and/or application execution events involving specific IP addresses, machines, applications, processes, files, and/or users. In a number of embodiments, enforcement is determined based upon system administrator defined policies and enforcement can involve … reconfiguring connections within the network to route suspicious traffic (first interest level) through additional filters for heightened scrutiny using deeper levels of data inspection. [0045]); and

redirecting the one or more data packets of the connection away from the deep packet inspection engine without processing of the one or more data packets by the deep packet inspection engine in response to the interest classifier indicates a second interest level less than the first interest level (Venkatramani: [0040] The threat detection and response system can respond to detected threats by performing enforcement against connections and/or application execution events involving specific IP addresses, machines, applications, processes, files, and/or users. In a number of embodiments, enforcement is determined based upon system administrator defined policies and enforcement can involve … reconfiguring connections within the network to route suspicious traffic through additional filters for heightened scrutiny using deeper levels of data inspection. [0145]: An exact or close match (e.g., by a distance measure or difference in number of attributes as discussed further above) to one or more baseline signatures can be considered a normal or acceptable behavior (second interest level), i.e., connections considered normal or acceptable are not routed to additional filters for deeper data inspection).
As per claim 22, Venkatramani teaches: The method for the cyber threat defense system of claim 21, wherein the second interest level represents no interest in the connection (Venkatramani: [0040]: In a number of embodiments, enforcement is determined based upon system administrator defined policies and enforcement can involve … reconfiguring connections within the network to route suspicious traffic through additional filters for heightened scrutiny using deeper levels of data inspection. [0145]: An exact or close match (e.g., by a distance measure or difference in number of attributes as discussed further above) to one or more baseline signatures can be considered a normal or acceptable behavior (second interest level), i.e., connections considered normal or acceptable represent connections of no interest and are not routed to additional filters for deeper data inspection).

As per claim 29, Venkatramani teaches: The method for the cyber threat defense system of claim 21 further comprising: severing the connection upon detection by an analyzer module of an anomalous event at a first device in a client network being a destination for the one or more data packets (Venkatramani: [0054]: Enforcement actions can include, but are not limited to, dropping a specific connection).

As per claim 30, Venkatramani teaches: A non-transitory computer readable medium comprising computer readable code operable, when executed by one or more processing apparatuses in the cyber threat defense system to instruct a computing device to perform the method of claim 21 (See claim 21).

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.

Claims 23, 27, and 28 are rejected under 35 U.S.C. 103 as being unpatentable over Venkatramani and prior art of record US 20180219879 to Pierce (hereinafter Pierce).

As per claim 23, Venkatramani does not teach the limitations of claim 23. However, Pierce teaches: wherein the interest classifier is assigned the first interest level when the connection is a short-lived connection or a connection associated with an abnormal connection pattern (Pierce: [0318]: the security monitoring program 1230 may detect a potential security threat resembling data exfiltration with a high confidence when the connection indicates that data is being transferred efficiently in one direction, such as when an attacker is stealing files. For example, for connections exchanging under a certain amount of data (e.g., less than 10 kbytes), the security monitoring program 1230 may detect a potential security threat resembling data exfiltration when the connection has an efficiency metric or average packet size over a certain threshold (e.g., over 500 bytes per packet), a very large asymmetry, such as a magnitude of a symmetry metric over a certain threshold (e.g., Abs(symmetry) of greater than or equal to 40), and a short duration (e.g., under 5 seconds)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Pierce in the invention of Venkatramani to include the above limitations. The motivation to do so would be to detect potential security threats with increased efficiency and accuracy (Pierce: [0010]). As per claim 27, Venkatramani does not teach the limitations of claim 27. However, Pierce teaches: further comprising: monitoring at least one of a connection length and a payload size associated with the connection associated with the redirecting of the one or more packets (Pierce: [0249] In some embodiments, the security monitoring program 1230 may identify a network traffic metric representing the duration of a network connection, where this duration metric is included in the received network traffic data. [0250] The duration of the connection indicates the longevity of the network connection and may be measured in any time unit, such as seconds. [0299] In some embodiments, the security monitoring program 1230 may determine when one or more of the metrics for the connection violate the permissible values or value ranges for the communication protocol being used. Accordingly, the security monitoring program 1230 may determine that such protocol violations represent a potential security threat to the network connection. [0318]. [0345]: In some embodiments, the security monitoring system 1116 may perform one or more corrective actions to correct the potential security threat, such as by executing anti-virus software, anti-malware operations, or any technically feasible software or hardware corrective actions to mitigate potential security threats). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Pierce in the invention of Venkatramani to include the above limitations. 
The motivation to do so would be to detect potential security threats with increased efficiency and accuracy (Pierce: [0010]). As per claim 28, Venkatramani does not teach the limitations of claim 28. However, Pierce teaches: The method for the cyber threat defense system of claim 21, further comprising: reconnecting the connection to the deep packet inspection engine upon detection by an analyzer module of an anomalous event at a first device in a client network being a destination for the one or more data packets; and adjusting the set of interest criteria based on the anomalous event (Pierce: [0241]. [0305] In some embodiments, the security monitoring program 1230 may determine that the additional or subsequent metrics no longer exhibit the same behavior as the previous behavior of the connection by determining that the connection no longer meets one or more of the same behavior profiles as determined by the initial categorization. For example, a network connection could be used for certain types of communications, such as when a connection is used for client-server request/response interactions, such as a user surfing the web. Subsequently, in some embodiments, the behavior of the connection may change radically, such as when the connection is later used for large file transfers or probing activity. In such embodiments, the security monitoring program 1230 may determine that the connection no longer resembles or corresponds to the same behavior profile, and such a significant change in the behavior of the connection represents a potential security threat to the connection. [0341]-[0344]. [0345]: In some embodiments, the security monitoring system 1116 may perform one or more corrective actions to correct the potential security threat, such as by executing anti-virus software, anti-malware operations, or any technically feasible software or hardware corrective actions to mitigate potential security threats (reconnecting to deep packet inspection engine)). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Pierce in the invention of Venkatramani to include the above limitations. The motivation to do so would be to detect potential security threats with increased efficiency and accuracy (Pierce: [0010]). Claim 24 is rejected under 35 U.S.C. 103 as being unpatentable over Venkatramani and prior art of record US 20110185419 to Boteler et al (hereinafter Boteler). As per claim 24, Venkatramani does not teach the limitations of claim 24. However, Boteler teaches: wherein the interest classifier is assigned the first interest level when contents of the connection are unable to be decrypted within a parameter set for a first device in a client network being a destination for the one or more data packets (Boteler: [0040] unknown network flows = a network communication which cannot be deciphered. [0077]: The event can be indicated by for instance the detection of a login attack, or for instance anomalous packet detection, unknown network flow detection. [0079]: When, as illustrated by threshold circuit 22, 100 detected events within an hour exceed a T=100 threshold an alarm condition is initiated by activating an alarm 24). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Boteler in the invention of Venkatramani to include the above limitations. The motivation to do so would be to reduce the manual work required by the application of correlation to digital event filters (Boteler: [0051]). Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-4:30PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached at (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. 
For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. MADHURI R. HERZOG Primary Examiner Art Unit 2438 /MADHURI R HERZOG/Primary Examiner, Art Unit 2438
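To make the claim mapping in the §102/§103 rejections concrete, the following is an added illustration (not code from the application, from Darktrace, or from the Venkatramani, Pierce or Boteler references) of an interest classifier that assigns the first interest level (route to the deep packet inspection engine) for undecryptable contents (claim 24) and for the short-lived, one-directional flow pattern Pierce [0318] describes (claim 23), and the second interest level (no interest, bypass) for flows matching a baseline signature (claim 22). All field names are this example's own, the per-flow summaries are constructed, and the symmetry metric is assumed here to be a percentage imbalance between upload and download bytes, since the page does not define Pierce's scale.

```python
from dataclasses import dataclass
from enum import Enum


class Interest(Enum):
    NONE = 0     # second interest level: bypass the deep packet inspection engine
    INSPECT = 1  # first interest level: route the connection to the DPI engine


@dataclass
class Connection:
    """Constructed per-flow summary; field names are this example's own."""
    bytes_total: int
    packets: int
    bytes_up: int
    bytes_down: int
    duration_s: float
    decryptable: bool       # contents could be decrypted within the device's parameter set
    matches_baseline: bool  # close match to a historic behaviour signature of the device


def symmetry(c: Connection) -> float:
    """Assumed metric: directional imbalance in percent (0 balanced, +/-100 one-way)."""
    total = c.bytes_up + c.bytes_down
    if total == 0:
        return 0.0
    return 100.0 * (c.bytes_up - c.bytes_down) / total


def looks_like_exfiltration(c: Connection) -> bool:
    """Small, efficient, asymmetric, short flow; thresholds as quoted from Pierce [0318]."""
    if c.bytes_total >= 10_000 or c.packets == 0:  # only flows under 10 kbytes qualify
        return False
    avg_packet = c.bytes_total / c.packets
    return avg_packet > 500 and abs(symmetry(c)) >= 40 and c.duration_s < 5


def classify(c: Connection) -> Interest:
    if not c.decryptable:           # claim 24: undecryptable contents get inspected
        return Interest.INSPECT
    if looks_like_exfiltration(c):  # claim 23: short-lived / abnormal pattern
        return Interest.INSPECT
    if c.matches_baseline:          # claim 22: normal behaviour, no interest
        return Interest.NONE
    return Interest.INSPECT         # this example's choice: unknown behaviour fails safe


def route(c: Connection) -> str:
    """Where the flow's packets go: 'dpi' for the first level, 'bypass' for the second."""
    return "dpi" if classify(c) is Interest.INSPECT else "bypass"
```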
Prosecution Timeline

Apr 09, 2024
Application Filed
Feb 21, 2025
Response after Non-Final Action
Sep 03, 2025
Non-Final Rejection — §102, §103, §112
Dec 02, 2025
Response Filed
Feb 12, 2026
Final Rejection — §102, §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12603766
QKD SWITCHING SYSTEM AND PROTOCOLS
2y 5m to grant Granted Apr 14, 2026
Patent 12592925
METHOD AND SYSTEM FOR AUTHENTICATING A USER ON AN IDENTITY-AS-A-SERVICE SERVER WITH A TRUSTED THIRD PARTY
2y 5m to grant Granted Mar 31, 2026
Patent 12592820
SYSTEMS AND METHODS FOR DIGITAL RETIREMENT OF INFORMATION HANDLING SYSTEMS
2y 5m to grant Granted Mar 31, 2026
Patent 12587383
METHOD AND SYSTEM FOR OUT-OF-BAND USER IDENTIFICATION IN THE METAVERSE VIA BIOGRAPHICAL (BIO) ID
2y 5m to grant Granted Mar 24, 2026
Patent 12556550
THREAT DETECTION PLATFORMS FOR DETECTING, CHARACTERIZING, AND REMEDIATING EMAIL-BASED THREATS IN REAL TIME
2y 5m to grant Granted Feb 17, 2026
Prosecution Projections

3-4
Expected OA Rounds
78%
Grant Probability
90%
With Interview (+11.9%)
3y 1m
Median Time to Grant
Moderate
PTA Risk
Based on 662 resolved cases by this examiner. Grant probability derived from career allow rate.