DETAILED ACTION
This Office Action is with regard to the most recent papers filed 3/20/2026.
Response to Arguments
On pages 7-8, Applicant addresses the rejection under 35 USC 112. In view of the amendments filed 3/20/2026, the rejection has been overcome.
Applicant's remaining arguments filed 3/20/2026 have been fully considered but they are not persuasive.
On pages 9-10, Applicant argues the rejection of claim 1.
First, Applicant argues the step of “receiving telemetry data and a rule associated with the telemetry data.” Applicant appears to argue that a single unit of information is received that contains both the data and the rule that is specific to that data. However, the instant claim does not present this. Instead, the claim recites that the items are received, but does not limit how the items are received, such as that they are received together or separately. Further, “associated with” does not present how the rule is associated with the data, where in the applied art, the rule is at least associated with the data as it is applied to the data. If Applicant intends for the two items to be received together, and for the rule to be specific for the telemetry data, then the claim should be amended to reflect this.
Second, Applicant addresses the rule defining perimeter filter and the deep filter, where Applicant appears to argue that the terms “perimeter filter” and “deep filter” are noticeably absent from Hu. However, this argument does not at all address the discussion of how these terms are being treated, where terms are addressed as being labels, as there is no controlling definition on the record for how these terms are to be interpreted. As presented in the rejection, paragraph [0049] of the instant specification provides a discussion of these terms being “in an embodiment,” which as stated below, does not serve to limit the instant claims. If Applicant intends for these terms to have specific meaning, the instant claims should be amended to reflect this.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-21 is/are rejected under 35 U.S.C. 103 as being unpatentable over US 2004/0205360 (Norton) in view of US 2010/0235877 (Hu).
With regard to claim 1, Norton discloses a computer-implemented method comprising:
Receiving telemetry data and a rule associated with the data (Norton: Figure 3, 310-320 and Paragraph [0014]. Lacking any detail of what constitutes “telemetry data,” such data would appear to be any detected data. In the field of networking, such telemetry data could refer to packets or other information, such as log information, metrics, traces, etc. In this case, Norton at least discloses the use of packets, which would be a type of telemetry data.);
modifying a rule engine in accordance with the received rule (Norton: Figure 3 and Paragraph [0014]. The utilizes rule sets corresponding to different parameters to trigger the rule set (rules as claimed), which allows different groupings of rules (filters) to be applied based on characteristics of the received data, such that rules within a selected rule set are applied and rules that are not within the rule set are not applied.); and
processing the received telemetry data with the modified rule engine to determine occurrence of an event (Norton: Figure 3 and Paragraph [0018]. Events are determined and at least logged.).
Norton fails to teach, but Hu teaches the rule defining at least one perimeter filter and at least one deep filter for processing the telemetry data and the modified rule engine configured to automatically switch between the at least one perimeter filter and the at least one deep filter, wherein the at least one perimeter filter is configured to operate on perimeter-type data including Hypertext Transfer Protocol (HTTP) requests and HTTP responses and the at least one deep filter is configured to operate on the perimeter-type data and deep-type data including data that results from the HTTP requests and the HTTP responses (Hu: Figure 5 and Abstract. Hu teaches the analysis of data flows (multiple packets, which fits within the scope of “telemetry data”), with a determination being made if there are any privacy rules that are applicable. In the case that there are not, deep packet inspection is not allowed. The results of any inspections would then be applied to the rules, with such rules constituting such filters (as they serve to filter what type of events are logged). The instant claim fails to define “perimeter” or “deep,” where the broadest reasonable interpretation in light of, but not limited by, the instant specification would be applied. As no limiting disclosure is provided, such terms would appear to constitute mere labels for the type of data with no real applicable limitations (note that the term “deep” does not appear to denote any specific level of treatment or complexity. For instance, claim 6 provides that the inclusion of any “deep” type data would omit certain filters, while when there is no “deep” type data, both filters would apply, thus demonstrating that the difference between “deep” and “perimeter” does not appear to provide any requirements with regard to the amount of processing or complexity of such.). If Applicant intends for such terms to have a specific meaning, the instant claims should be amended to clearly provide such meaning. For example, Paragraph [0049] provides a discussion of the terms (with the phrase “In an embodiment,” which explicitly does not limit the instant claims), where perimeter telemetry data would be directly mapped to [individual] HTTP request and HTTP response messages while indirect telemetry data would be generated by instrumentation of various steps in a HTTP transaction pipeline, thus requiring multiple HTTP requests/responses, where incorporating specific language with these requirements would overcome the interpretation relied upon for the application of Hu. Note that the language should at least provide these requirements to significantly advance prosecution, as using broader language would likely introduce other issues, whether such would be the application of different prior art on the same terms based on the broadest reasonable interpretation or the introduction of rejections under 35 USC 112. In the application of Hu to the labels of “deep” and “perimeter,” “deep” would refer to the data and inspections corresponding to packets that have no corresponding privacy rules, where such would have the inspections limited to not include DPI, while “perimeter” would be the packets that have corresponding privacy rules, and thus would allow for DPI. It is also noted that the combination of Hsu and Norton would be applied to all messages, whether a request or a response.).
Accordingly, it would have been obvious to one of ordinary skill in the art at the time of filing to have the rule defining at least one perimeter filter and at least one deep filter for processing the telemetry data and to have the engine to automatically switch between these to leverage the rule sets of Norton to apply different types of inspection based on the needs of the system, such as privacy concerns. In Norton, the rule set would have any rules (filters) within it applied to inspect the traffic, where in Hu, deep packet inspection is avoided to avoid the exposure of private information (in a case that there are no applicable privacy rules allowing for such deep packet inspection).
With regard to claim 2, Norton in view of Hu teaches that the telemetry data is based on at least one of: a HTTP transaction and processing the HTTP transaction (Norton: Paragraph [0008]. The traffic could be HTTP traffic, and thus the data would at least be based on the HTTP transaction.).
With regard to claim 3, Norton in view of Hu teaches wherein the telemetry data is based on multiple HTTP transactions (Norton: Figure 3 and Hu: Abstract. Norton can perform the functions with regard to multiple packets, with the system looping until all packets have been processed. Hu, meanwhile, performs the functions with regard to data flows, which would include multiple packets (See, for example, Hu: Paragraph [0113]).
With regard to claim 4, Norton in view of Hu teaches wherein the telemetry data includes at least one of: perimeter-type data and deep-type data (Hu: Figure 5. As with claim 1, the terms “perimeter” and “deep” are not defined in the instant claim, and the instant specification fails to provide a limiting disclosure. As with claim 1, if Applicant intends for such terms to have a specific meaning, the instant claims should be amended to clearly provide such meaning. For example, Paragraph [0049] provides a discussion of the terms (with the phrase “In an embodiment, which explicitly does not limit the instant claims”), where perimeter telemetry data would be directly mapped to [individual] HTTP request and HTTP response messages while indirect telemetry data would be generated by instrumentation of various steps in a HTTP transaction pipeline, thus requiring multiple HTTP requests/responses. In Hu, perimeter would follow the path of 516 to 518 while deep would follow the path of 512 to 514.).
With regard to claim 5, Norton in view of Hu teaches that processing the received telemetry data comprises: selecting one or more filters, from amongst the at least one perimeter filter and the at least one deep filter, based on data types comprising the telemetry data; and processing the telemetry data with the selected one or more filters (Hu: Figure 5).
With regard to claim 6, Norton fails to teach, but knowledge possessed by one of ordinary skill in the art at the time of filing teaches the telemetry data includes only the perimeter-type data and selecting the one or more filters comprises: selecting both the at least one perimeter filter and the at least one deep filter (In Hu, deep packet inspection is skipped due to privacy concerns when no privacy rules allowing for such inspections are present. Thus, when such rules are present, the packet would be subjected to DPI, where Official Notice is taken that such DPI serves to analyze the header and the body, while shallow packet inspection would only apply to the header, thus providing that both types of filters would be applied.). Accordingly, it would have been obvious to one of ordinary skill in the art at the time of filing to perform both shallow and deep packet inspection when no privacy concerns are present to ensure that the packet is fully analyzed, in accordance with standard DPI practice.). Accordingly, it would have been obvious to one of ordinary skill in the art at the time of filing to, when applying the inspections of Hu, to perform the functions of both shallow and deep packet inspections when performing the deep packet inspection to ensure that the entire packet is analyzed, including the information in the header.
With regard to claim 7, Norton in view of Hu teaches that processing the received telemetry data with the modified rule engine comprises: identifying which of the at least one perimeter filter and the at least one deep filter is activated in processing the received telemetry data; and determining occurrence of the event based on the identified activated filters (Hu: Figure 5 and Norton: Figure 3).
With regard to claim 8, Norton fails to teach expressly, but knowledge possessed by one of ordinary skill in the art at the time of filing teaches that the rule is constructed and defined in accordance with a grammar (More specifically, Official Notice is taken that having rules that conform to some grammar was well-known to one of ordinary skill in the art.). Accordingly, it would have been obvious to one of ordinary skill in the art at the time of filing to have the rule constructed and defined in accordance with a grammar to provide some structure to such rules, thus ensuring that the rule would be efficiently interpreted and applied and allowing easier editing of such rules by a human operator.
With regard to claim 9, Norton in view of Hu teaches that the event is: a performance degradation; a security breach; a hijacked session; or a behavior defined by the rule (Norton: Figure 3. Only one option from this list is required to teach the instant claim, as a whole, where the event would at least be a behavior defined by the rule, as the rule triggers to cause logging of such event.).
With regard to claim 10, Norton in view of Hu teaches the processing determines occurrence of the event in real-time (Norton: Figure 3. Lacking detail of what constitutes “real-time,” Norton appears to analyze the packets substantially as received by the system, which would be real-time.).
With regard to claims 11-20, the inventions claimed are similar to that found within one or more of claims 1-10, and are thus rejected for similar reasons.
With regard to claim 21, Norton in view of Hu teaches the telemetry data includes only the perimeter-type data and selecting the one or more filters comprises: disabling the at least one perimeter filter and selecting the at least one deep filter (Hu: Figure 5. When a privacy rule is applicable, only the shallow packet inspection is performed.), and
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SCOTT B CHRISTENSEN whose telephone number is (571)270-1144. The examiner can normally be reached Monday through Friday, 6AM to 2PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John Follansbee can be reached at (571) 272-3964. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
SCOTT B. CHRISTENSEN
Examiner
Art Unit 2444
/SCOTT B CHRISTENSEN/Primary Examiner, Art Unit 2444