DETAILED ACTION
Claims 1-20 are presented for examination.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 03/02/2026 has been entered.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Engel et al. (US Patent Application No. 20140165207) (hereinafter Engel) in view of Sultan et al. (US Patent No. 9438618) (hereinafter Sultan).
As per claim 1, Engel discloses a system for monitoring network performance, the system comprising:
a plurality of sensors residing on nodes of a data center network, each sensor configured to monitor communications to or from the node upon which it is resident (fig 1, 2A, para 14-22, 80-83, having multiple sensors 110A and 110B; the sensors collect network raw data from network components such as those associated with at least one router, switch or at least one server which are part of the computer network, said raw data includes at least one of: traffic data, logs and flow data, and may include network data between virtual machines),
wherein each sensor is configured to selectively capture the packets in network traffic data from the communications to or from the sensor's associated node (summary of the invention, para 16-21 and 83, collecting data, parsing, creating metadata, associating metadata with entities (users, IP addresses, services), and correlating actions, collecting data between virtual machines and associating activity to the correct user) and send the captured packets or the information contained in select packets to a collector (para 82, in the present invention the sensors may collect data from several places in the computer network and, after analysis of the collected data, the sensors may send the data to an anomaly detection module),
wherein the selectively captured packets or information contained in select packets includes information captured from packets relating to a network event and excludes at least a portion of the packets not related to the network event (Summary of the Invention, para 18-21, 64-66, and 89, identifying network actions, correlating actions, and clustering anomalies or incidents; also, the duplication eliminator module stores only relevant metadata and eliminates duplicate information, which excludes a portion of the collected raw data not related to the network event),
wherein the collector aggregates the packets or information contained in select packets relating to the network event and provides it to an analytics module (para 64, 82-84, collecting data from multiple sensors and forwarding to anomaly detection module 175 for analysis, aggregation and clustering of anomalies or incidents), and
wherein the analytics module receives and analyzes the aggregated information received from the collector (para 16-22, analyzing raw data, creating statistical models, and detecting anomalous actions); and
a presentation module including a user interface that displays information resulting from the analysis of the aggregated information relating to the network event (para 64-66, generation and ranking of incident alerts; such alerts are necessarily presented to a user through an interface).
Engel does not explicitly disclose selecting packets or information contained in select packets based on contextual information not contained in packet data. However, Sultan discloses selecting packets or information contained in select packets based on contextual information not contained in packet data (col 2, lines 1-15, collecting identifying characteristics at introspection points, including software versions, process names, machine identities, encryption/decryption keys, and virtual machine identities; such identifying characteristics are contextual information external to the packet payload and packet fields).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Engel and Sultan. The motivation would have been to improve accuracy of anomaly detection and reduce processing overhead by collecting only traffic relevant to the detected event.
The Examiner notes that this motivation applies to all dependent and/or otherwise subsequently addressed claims.
As per claim 2, claim is rejected for the same reasons and motivation as claim 1, above. In addition, Engel discloses wherein the analytics module uses machine learning to analyze the network traffic data (para 27, machine learning algorithms for creating statistical behavioral models).
As per claim 3, claim is rejected for the same reasons and motivation as claim 1, above. In addition, Engel discloses wherein the network traffic data further includes a representative sample of packets (para 74, 86, "raw data" relates to packets, traffic data, flow data, logs, queries and network protocols; extracting relevant data for detecting attacks from the collected data).
As per claim 4, claim is rejected for the same reasons and motivation as claim 1, above. In addition, Engel discloses wherein the network traffic data further includes metadata describing the communications to or from a sensor's associated node (fig 3, para 15-18, extracting relevant data for detecting attacks from the collected data ... associating the meta-data with entities by analyzing the identified network actions and correlating between different computer network actions, wherein entities include at least one of: Internet Protocol (IP) address, users, services, protocols, servers and workstations).
As per claim 5, claim is rejected for the same reasons and motivation as claim 1, above. In addition, Engel discloses wherein selectively capturing the network traffic data from the communications to or from the sensor's associated node is based on source address, source port, destination address, and destination port of the packets in the node network traffic (fig 3, para 15-18, extracting relevant data for detecting attacks from the collected data ... associating the meta-data with entities by analyzing the identified network actions and correlating between different computer network actions, wherein entities include at least one of: Internet Protocol (IP) address, users, services, protocols, servers and workstations).
As per claim 6, claim is rejected for the same reasons and motivation as claim 1, above. In addition, Engel discloses wherein selectively capturing the network traffic data from the communications to or from the sensor's associated node is based on source address, source port, destination address, destination port, and protocol of the packets in the node network traffic (fig 3, para 15-18, extracting relevant data for detecting attacks from the collected data ... associating the meta-data with entities by analyzing the identified network actions and correlating between different computer network actions, wherein entities include at least one of: Internet Protocol (IP) address, users, services, protocols, servers and workstations; para 136, port).
As per claim 7, claim is rejected for the same reasons and motivation as claim 1, above. In addition, Engel discloses wherein the captured packets relate to a network flow (para 15-21, traffic data, logs and flow data).
As per claims 8-14, claims are rejected for the same reasons and motivation as claims 1-7, above.
As per claims 15-20, claims are rejected for the same reasons and motivation as claims 1-6, above.
Response to Arguments
Applicant's arguments filed 03/02/2026 have been fully considered but they are not persuasive; therefore, the rejections of claims 1-20 are maintained.
In response to Applicant's arguments against the references individually, one cannot show non-obviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). In this case, Engel discloses a plurality of sensors residing on nodes of a data center network, each sensor configured to monitor communications to or from the node upon which it is resident (fig 1, 2A, para 14-22, 80-83, having multiple sensors 110A and 110B; the sensors collect network raw data from network components such as those associated with at least one router, switch or at least one server which are part of the computer network, said raw data includes at least one of: traffic data, logs and flow data, and may include network data between virtual machines),
wherein each sensor is configured to selectively capture the packets in network traffic data from the communications to or from the sensor's associated node (summary of the invention, para 16-21 and 83, collecting data, parsing, creating metadata, associating metadata with entities (users, IP addresses, services), and correlating actions, collecting data between virtual machines and associating activity to the correct user) and send the captured packets or the information contained in select packets to a collector (para 82, in the present invention the sensors may collect data from several places in the computer network and, after analysis of the collected data, the sensors may send the data to an anomaly detection module), wherein the selectively captured packets or information contained in select packets includes information captured from packets relating to a network event and excludes at least a portion of the packets not related to the network event (Summary of the Invention, para 18-21, 64-66, and 89, identifying network actions, correlating actions, and clustering anomalies or incidents; also, the duplication eliminator module stores only relevant metadata and eliminates duplicate information, which excludes a portion of the collected raw data not related to the network event), wherein the collector aggregates the packets or information contained in select packets relating to the network event and provides it to an analytics module (para 64, 82-84, collecting data from multiple sensors and forwarding to anomaly detection module 175 for analysis, aggregation and clustering of anomalies or incidents), and wherein the analytics module receives and analyzes the aggregated information received from the collector (para 16-22, analyzing raw data, creating statistical models, and detecting anomalous actions); and a presentation module including a user interface that displays information resulting from the analysis of the aggregated information relating to the network event (para 64-66, generation and ranking of incident alerts; such alerts are necessarily presented to a user through an interface).
Sultan discloses selecting packets or information contained in select packets based on contextual information not contained in packet data (col 2, lines 1-15, collecting identifying characteristics at introspection points, including software versions, process names, machine identities, encryption/decryption keys, and virtual machine identities; such identifying characteristics are contextual information external to the packet payload and packet fields).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Engel and Sultan. The motivation would have been to improve accuracy of anomaly detection and reduce processing overhead by collecting only traffic relevant to the detected event.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure; please see the attached PTO-892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMAD A SIDDIQI whose telephone number is (571)272-3976. The examiner can normally be reached Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Carl G Colin, can be reached at 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MOHAMMAD A SIDDIQI/ Primary Examiner, Art Unit 2493