DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This communication is in response to the arguments filed on 03/02/2026. Claims 1-20 are currently pending.
Response to Amendment
The amendments made to claims 16-20 have overcome the previous objections raised in the last office action regarding the application.
Response to Arguments
Applicant's arguments filed on 03/02/2026 have been fully considered but they are not persuasive. Applicant argued that DANICHEV (US 20180241654) does not disclose the limitation of “in response to detecting multiple changes associated with overlapping properties of the plurality of properties, counting the multiple changes as a single change” as recited in independent claims 1, 8, and 15.
This argument is not persuasive because applicant appears to be arguing against the references individually rather than against the teaching of the combination of the cited references. BRATSPIESS (US 20160173511) in ¶0129 and ¶0123, as cited in the last office action, teaches the limitation of “detecting one or more changes to the plurality of properties, including in response to detecting multiple changes associated with overlapping properties of the plurality of properties” (¶0129, “If network appliances generate invalid address packets that exceed a configured maximum invalid packet address rate (for example, Ethernet source MAC address is broadcast, e.g., ff:ff:ff:ff:ff:ff, with rate of one error per minute), it may indicate of a change in the normal behavior and may be regarded as an irregularity…”, wherein the network appliance has a MAC address and a plurality of properties such as VLAN, network appliance type and/or profile and IP address, protocol, service port number or Uniform Resource Locator (URL) address (which are overlapping properties); a change or variation in the MAC address (single change) is an indication of a change in the plurality of properties of the appliance (entity)), (¶0123, “The selected ports may monitor traffic characteristics such as change in the network utilization, traffic volume, silent port, errored traffic, invalid packet structure in all layers, invalid packet address, change in traffic direction and/or toggling link status…”). DANICHEV (US 20180241654) discloses counting the multiple changes as a single change (¶0041-¶0042, “FIG. 3 shows an example histogram 300 for a property. The property may be an event property or a global property. Over the time slots, different property values 302A, 302B, 302C , . . . , 302N, which are collectively referred to as the property values 302, have been computed for the property. This histogram 300 maintains counts 304A, 304B, 304C , . . . , 304N, which are collectively referred to as the counts 304, for the respective property values 302. This means that the property value 302A has been computed in a number of time slots equal to the count 304A; the property value 302B has been computed in a number of time slots equal to the count 304B; the property value 302C has been computed in a number of time slots equal to the count 304C; and the property value 302D has been computed in a number of time slots equal to the count 304D…”; here the counter is incremented by one for different property values computed in a number of time slots). As such, the combination of BRATSPIESS and DANICHEV teaches the aforementioned limitation of “detecting one or more changes to the plurality of properties, including in response to detecting multiple changes associated with overlapping properties of the plurality of properties, counting the multiple changes as a single change”.
Consequently, the examiner hereby maintains the earlier 103 rejections made in respect of independent claims 1, 8, and 15.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1, 3, 5-8, 10, 12-15, 17, and 19-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 7, 1, 5/6, 4/8, 9, 16, 1, 14, 17, 18, and 20 of U.S. Patent No. 12063234. Although the claims at issue are not identical, they are not patentably distinct from each other because the said claims of the present application are conspicuously found in the respective claims of the said Patent No. 12063234.
Claims 1, 8, and 15
Pat. No. 12063234 claims 1, 9, and 18:
A method comprising: tracking a plurality of properties that are associated with an entity that is communicatively coupled to a network, the entity having a MAC address, wherein the plurality of properties includes a switch port name or a switch port power over ethernet (POE) connected device; storing a respective value of the plurality of properties that are associated with the entity communicatively coupled to the network, wherein each of the plurality of properties are associated with a respective weight that is associated with a priority of a respective one of the plurality of properties wherein a first of the plurality of properties is prioritized over a second of the plurality of properties based on the respective weight; detecting a change to the plurality of properties that are associated with the same MAC address based on the stored respective value of the plurality of properties including detecting a change to the switch port name or the switch port POE connected device associated with the same MAC address; in response to the change to the respective value of the property, incrementing a counter by an amount of the respective weight of the property wherein overlapping properties of the plurality of properties are associated with respective groups and multiple changes of the overlapping properties in one of the respective groups are counted as a single change; and in response to the counter being greater than one of a plurality of thresholds which is applied based on a device type of the entity, storing an indicator that an anomaly associated with MAC address spoofing is detected, wherein each of the plurality of thresholds is associated with a particular set of the plurality of properties.
Present Application:
A method comprising: tracking a plurality of properties that are associated with an entity that is communicatively coupled to a network; storing a respective value of the plurality of properties that are associated with the entity communicatively coupled to the network; detecting one or more changes to the plurality of properties, including in response to detecting multiple changes associated with overlapping properties of the plurality of properties, counting the multiple changes as a single change; and in response to the detected one or more changes satisfying a threshold, storing an indicator that an anomaly associated with the entity is detected.
As can be seen from the above table, all the limitations of claims 1, 8, and 15 of the present application are conspicuously found in the limitations of claims 1, 9, and 18 of Pat. No. 12063234. This constitutes nonstatutory double patenting.
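As an added illustration, not part of this office action, the present application, or either cited reference, the following Python sketch implements the counter-and-threshold logic recited in claim 1 of Pat. No. 12063234 as quoted above (weighted properties, overlapping properties grouped and counted once, a threshold selected by device type, and a stored spoofing indicator). Property names, weights, groups, thresholds, MAC addresses and the sample observations are constructed, and counting a group at the highest weight among its changed members is an assumption, since the claim does not state which weight applies.

```python
from dataclasses import dataclass, field

# Constructed weights: a higher weight marks a higher-priority property.
WEIGHTS = {
    "switch_port_name": 3,
    "poe_connected_device": 3,
    "vlan": 2,
    "ip_address": 1,
}

# Constructed overlap groups: properties in one group tend to change together
# (moving a cable changes both the port name and the PoE-connected device),
# so multiple changes within one group are counted as a single change.
GROUPS = {
    "location": {"switch_port_name", "poe_connected_device"},
    "addressing": {"vlan", "ip_address"},
}

# Constructed thresholds applied by device type; the indicator is stored when
# the counter is strictly greater than the applicable threshold.
THRESHOLDS = {"printer": 2, "workstation": 4, "default": 3}


@dataclass
class Entity:
    mac: str
    device_type: str
    properties: dict = field(default_factory=dict)  # stored respective values
    counter: int = 0
    anomaly: bool = False  # indicator of suspected MAC address spoofing


def group_of(prop):
    """Return the overlap group a property belongs to, or None if ungrouped."""
    for name, members in GROUPS.items():
        if prop in members:
            return name
    return None


def observe(entity, observed):
    """Compare a new observation against the stored values for this MAC,
    increment the counter by weight (one increment per overlap group),
    refresh the stored values and set the indicator if a threshold is passed.
    Returns the list of properties whose value changed."""
    changed = [p for p, v in observed.items()
               if p in entity.properties and entity.properties[p] != v]
    counted_groups = set()
    for prop in changed:
        grp = group_of(prop)
        if grp is None:
            weight = WEIGHTS.get(prop, 1)
        elif grp in counted_groups:
            continue  # overlapping property: already counted as one change
        else:
            counted_groups.add(grp)
            # Assumption: a group counts once at the highest weight among its
            # changed members; the claim does not say which weight applies.
            weight = max(WEIGHTS[p] for p in changed if group_of(p) == grp)
        entity.counter += weight
    entity.properties.update(observed)
    threshold = THRESHOLDS.get(entity.device_type, THRESHOLDS["default"])
    if entity.counter > threshold:
        entity.anomaly = True
    return changed


def run_demo():
    """Constructed scenario: the same printer MAC reappears on another switch
    port with no PoE device and a new IP, while a workstation only moves desks."""
    printer = Entity("02:00:00:00:00:01", "printer")  # constructed MAC
    observe(printer, {"switch_port_name": "sw1/0/7", "poe_connected_device": "printer-hw",
                      "vlan": "20", "ip_address": "10.0.20.5"})  # baseline
    observe(printer, {"switch_port_name": "sw3/0/2", "poe_connected_device": "none",
                      "vlan": "20", "ip_address": "10.0.20.77"})
    desk = Entity("02:00:00:00:00:02", "workstation")  # constructed MAC
    observe(desk, {"switch_port_name": "sw1/0/8", "poe_connected_device": "none",
                   "vlan": "30", "ip_address": "10.0.30.9"})  # baseline
    observe(desk, {"switch_port_name": "sw1/0/9", "poe_connected_device": "phone",
                   "vlan": "30", "ip_address": "10.0.30.9"})
    return printer, desk


if __name__ == "__main__":
    for e in run_demo():
        print(e.mac, e.device_type, "counter =", e.counter, "anomaly =", e.anomaly)
```

The printer's port and PoE-device changes fall in one group and count once (weight 3), the IP change adds 1, and 4 exceeds the printer threshold of 2; the workstation's single grouped change reaches 3, which does not exceed its threshold of 4.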
Claims 3, 10, and 17
Pat. No. 12063234 claims 7 and 16:
The method of claim 2, wherein the action comprises at least one of changing a virtual local area network (VLAN) associated with the entity, quarantining the entity, initiating an update, tracking further network traffic of the entity, or sending a notification associated with the entity.
Present Application:
The method of claim 1, further comprising: in response to the anomaly that is associated with the entity, performing a software update associated with the entity.
As can be seen from the above table, all the limitations of claims 3, 10, and 17 of the present application are conspicuously found in the limitations of claims 7 and 16 of Pat. No. 12063234. This constitutes nonstatutory double patenting.
Claims 5, 12, and 19
Pat. No. 12063234 claims 1, 9, and 18:
(Currently amended) A method comprising: tracking a plurality of properties that are associated with an entity that is communicatively coupled to a network, the entity having a MAC address, wherein the plurality of properties includes a switch port name or a switch port power over ethernet (POE) connected device; storing a respective value of the plurality of properties that are associated with the entity communicatively coupled to the network, wherein each of the plurality of properties are associated with a respective weight that is associated with a priority of a respective one of the plurality of properties wherein a first of the plurality of properties is prioritized over a second of the plurality of properties based on the respective weight; detecting a change to the plurality of properties that are associated with the same MAC address based on the stored respective value of the plurality of properties including detecting a change to the switch port name or the switch port POE connected device associated with the same MAC address; in response to the change to the respective value of the property, incrementing a counter by an amount of the respective weight of the property wherein overlapping properties of the plurality of properties are associated with respective groups and multiple changes of the overlapping properties in one of the respective groups are counted as a single change; and in response to the counter being greater than one of a plurality of thresholds which is applied based on a device type of the entity, storing an indicator that an anomaly associated with MAC address spoofing is detected, wherein each of the plurality of thresholds is associated with a particular set of the plurality of properties.
Present Application:
The method of claim 1, wherein detecting one or more changes to the plurality of properties comprises counting each of the one or more changes based on a respective weight of each of the plurality of properties.
As can be seen from the above table, all the limitations of claims 5, 12, and 19 of the present application are conspicuously found in the limitations of claims 1, 9, and 18 of Pat. No. 12063234. This constitutes nonstatutory double patenting.
Claims 5, 12, and 19
Pat. No. 12063234 claims 3, 11, and 20:
The method of claim 1 wherein a first weight associated with the first of the plurality of properties is different from a second weight that is associated with the second of the plurality of properties.
Present Application:
The method of claim 1, wherein detecting one or more changes to the plurality of properties comprises counting each of the one or more changes based on a respective weight of each of the plurality of properties.
As can be seen from the above table, all the limitations of claims 5, 12, and 19 of the present application are not patentably distinct from the limitations of claims 3, 11, and 20 of Pat. No. 12063234. This constitutes nonstatutory double patenting.
Claims 6, 13, and 20
Pat. No. 12063234 claims 6 and 14:
The method of claim 5, wherein at least one of the respective weight associated with each of the plurality of properties or the threshold are user configurable.
Present Application:
The method of claim 5, wherein the respective weight associated with each of the plurality of properties is determined based on a network policy or is user configurable.
As can be seen from the above table, all the limitations of claims 6, 13, and 20 of the present application are conspicuously found in the limitations of claims 6 and 14 of Pat. No. 12063234. This constitutes nonstatutory double patenting.
Claims 7 and 14
Pat. No. 12063234 claims 8 and 17:
The method of claim 1, wherein the threshold is different for different portions of the network.
Present Application:
The method of claim 1, wherein the threshold associated with a first portion of the network is different than the threshold associated with a second portion of the network.
As can be seen from the above table, all the limitations of claims 7 and 14 of the present application are not patentably distinct from the limitations of claims 8 and 17 of Pat. No. 12063234. This constitutes nonstatutory double patenting.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 6, 8, 13, 15, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US PGPub. No. 20160173511 to BRATSPIESS et al. (hereinafter BRATSPIESS) in view of US PGPub. No. 20180241654 to DANICHEV et al. (hereinafter DANICHEV).
Regarding claim 1, BRATSPIESS discloses a method comprising:
tracking a plurality of properties that are associated with an entity that is
communicatively coupled to a network (Fig. 1, ¶0066-¶0068, wherein network appliances (entities) 110A-110C are connected to network 170), (¶0032, “the security device further comprises a network port configured to couple the one or more network appliances associated with the security device with the network, wherein: the baseline profile includes characteristics of the plurality of network appliances, and the hardware processor is further configured to: (i) select one or more ports from the ports, and (ii) monitor the traffic of the network passing through the selected one or more ports for inbound traffic generated by network appliances of the plurality of network appliances coupled with the selected one or more ports indicative of the characteristics of the network appliances”);
storing a respective value of the plurality of properties that are associated with the entity communicatively coupled to the network (¶0115, “Each such combination (i.e., a port and at least one identifier of an associated network appliance) which generates inbound traffic in the port may be considered as a new network appliance and thus may be registered in a list of allowed new network appliances. Such a list may be stored in the storage device and may be added to the baseline profile of the network.”), (¶0123, “The list of allowed network appliances behaviors may be stored, e.g. in the storage device, for persistency, and may be added to the baseline profile of the network”);
detecting one or more changes to the plurality of properties, including in response to detecting multiple changes associated with overlapping properties of the plurality of properties (¶0129, “If network appliances generate invalid address packets that exceed a configured maximum invalid packet address rate (for example, Ethernet source MAC address is broadcast, e.g., ff:ff:ff:ff:ff:ff, with rate of one error per minute), it may indicate of a change in the normal behavior and may be regarded as an irregularity…”, wherein the network appliance has a MAC address and a plurality of properties such as VLAN, network appliance type and/or profile and IP address, protocol, service port number or Uniform Resource Locator (URL) address (overlapping properties); a change or variation in the MAC address (single change) is an indication of a change in the plurality of properties of the appliance (entity)), (¶0123, “The selected ports may monitor traffic characteristics such as change in the network utilization, traffic volume, silent port, errored traffic, invalid packet structure in all layers, invalid packet address, change in traffic direction and/or toggling link status…”), and
in response to the detected one or more changes satisfying a threshold, storing an indicator that an anomaly associated with the entity is detected (¶0128, “If network appliances generate invalid structured packets that exceed a configured maximum invalid packet structure rate (for example, IP header version 10 with one error per minute rate), it may indicate of a change in the normal behavior and it may therefore be regarded as an irregularity. For example, Wi-Fi access point which generates traffic with a 100 invalid structured packets per second rate may imply that this appliance might be compromised and might be instructed to generate malicious traffic aimed to interfere with the normal network or servers functioning or exploit vulnerability sensible to invalid structured packets.”), (¶0082-¶0083, “…The actions that the system may perform if an irregular event is identified may include logging of a suspected event…”)
However, BRATSPIESS does not explicitly disclose the following limitation:
counting the multiple changes as a single change;
DANICHEV discloses counting the multiple changes as a single change (¶0041-¶0042, “FIG. 3 shows an example histogram 300 for a property. The property may be an event property or a global property. Over the time slots, different property values 302A, 302B, 302C , . . . , 302N, which are collectively referred to as the property values 302, have been computed for the property. This histogram 300 maintains counts 304A, 304B, 304C , . . . , 304N, which are collectively referred to as the counts 304, for the respective property values 302. This means that the property value 302A has been computed in a number of time slots equal to the count 304A; the property value 302B has been computed in a number of time slots equal to the count 304B; the property value 302C has been computed in a number of time slots equal to the count 304C; and the property value 302D has been computed in a number of time slots equal to the count 304D…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of BRATSPIESS to include the concept of counting the multiple changes as a single change as disclosed by DANICHEV, and would have been motivated to do so in order to update the computed property values (DANICHEV ¶0042 in part).
Regarding claim 8, BRATSPIESS discloses a system comprising:
a memory (¶0186 “a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing”);
and a processing device, operatively coupled to the memory, (¶0187 “A network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device”) to:
track a plurality of properties that are associated with an entity that is communicatively coupled to a network (Fig. 1, ¶0066-¶0068, wherein network appliances (entities) 110A-110C are connected to network 170), (¶0032, “the security device further comprises a network port configured to couple the one or more network appliances associated with the security device with the network, wherein: the baseline profile includes characteristics of the plurality of network appliances, and the hardware processor is further configured to: (i) select one or more ports from the ports, and (ii) monitor the traffic of the network passing through the selected one or more ports for inbound traffic generated by network appliances of the plurality of network appliances coupled with the selected one or more ports indicative of the characteristics of the network appliances”);
store a respective value of the plurality of properties that are associated with the entity communicatively coupled to the network (¶0115, “Each such combination (i.e., a port and at least one identifier of an associated network appliance) which generates inbound traffic in the port may be considered as a new network appliance and thus may be registered in a list of allowed new network appliances. Such a list may be stored in the storage device and may be added to the baseline profile of the network.”), (¶0123, “The list of allowed network appliances behaviors may be stored, e.g. in the storage device, for persistency, and may be added to the baseline profile of the network”);
detect one or more changes to the plurality of properties, including in response to detecting multiple changes associated with overlapping properties of the plurality of properties (¶0129, “If network appliances generate invalid address packets that exceed a configured maximum invalid packet address rate (for example, Ethernet source MAC address is broadcast, e.g., ff:ff:ff:ff:ff:ff, with rate of one error per minute), it may indicate of a change in the normal behavior and may be regarded as an irregularity…”, wherein the network appliance has a MAC address and a plurality of properties such as VLAN, network appliance type and/or profile and IP address, protocol, service port number or Uniform Resource Locator (URL) address (overlapping properties); a change or variation in the MAC address (single change) is an indication of a change in the plurality of properties of the appliance (entity)), (¶0123, “The selected ports may monitor traffic characteristics such as change in the network utilization, traffic volume, silent port, errored traffic, invalid packet structure in all layers, invalid packet address, change in traffic direction and/or toggling link status…”), and
in response to the detected one or more changes satisfying a threshold, storing an indicator that an anomaly associated with the entity is detected (¶0128, “If network appliances generate invalid structured packets that exceed a configured maximum invalid packet structure rate (for example, IP header version 10 with one error per minute rate), it may indicate of a change in the normal behavior and it may therefore be regarded as an irregularity. For example, Wi-Fi access point which generates traffic with a 100 invalid structured packets per second rate may imply that this appliance might be compromised and might be instructed to generate malicious traffic aimed to interfere with the normal network or servers functioning or exploit vulnerability sensible to invalid structured packets.”), (¶0082-¶0083, “…The actions that the system may perform if an irregular event is identified may include logging of a suspected event…”)
However, BRATSPIESS does not explicitly disclose the following limitation:
counting the multiple changes as a single change;
DANICHEV discloses counting the multiple changes as a single change (¶0041-¶0042, “FIG. 3 shows an example histogram 300 for a property. The property may be an event property or a global property. Over the time slots, different property values 302A, 302B, 302C , . . . , 302N, which are collectively referred to as the property values 302, have been computed for the property. This histogram 300 maintains counts 304A, 304B, 304C , . . . , 304N, which are collectively referred to as the counts 304, for the respective property values 302. This means that the property value 302A has been computed in a number of time slots equal to the count 304A; the property value 302B has been computed in a number of time slots equal to the count 304B; the property value 302C has been computed in a number of time slots equal to the count 304C; and the property value 302D has been computed in a number of time slots equal to the count 304D…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of BRATSPIESS to include the concept of counting the multiple changes as a single change as disclosed by DANICHEV, and would have been motivated to do so in order to update the computed property values (DANICHEV ¶0042 in part).
Regarding claim 15, BRATSPIESS discloses a non-transitory computer readable medium having instructions encoded thereon that (¶0186 “A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire”), when executed by a processing device (¶0187 “A network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device”), cause the processing device to:
track a plurality of properties that are associated with an entity that is communicatively coupled to a network (Fig. 1, ¶0066-¶0068, wherein network appliances (entities) 110A-110C are connected to network 170), (¶0032, “the security device further comprises a network port configured to couple the one or more network appliances associated with the security device with the network, wherein: the baseline profile includes characteristics of the plurality of network appliances, and the hardware processor is further configured to: (i) select one or more ports from the ports, and (ii) monitor the traffic of the network passing through the selected one or more ports for inbound traffic generated by network appliances of the plurality of network appliances coupled with the selected one or more ports indicative of the characteristics of the network appliances”);
store a respective value of the plurality of properties that are associated with the entity communicatively coupled to the network (¶0115, “Each such combination (i.e., a port and at least one identifier of an associated network appliance) which generates inbound traffic in the port may be considered as a new network appliance and thus may be registered in a list of allowed new network appliances. Such a list may be stored in the storage device and may be added to the baseline profile of the network.”), (¶0123, “The list of allowed network appliances behaviors may be stored, e.g. in the storage device, for persistency, and may be added to the baseline profile of the network”);
detect one or more changes to the plurality of properties, including in response to detecting multiple changes associated with overlapping properties of the plurality of properties (¶0129, “If network appliances generate invalid address packets that exceed a configured maximum invalid packet address rate (for example, Ethernet source MAC address is broadcast, e.g., ff:ff:ff:ff:ff:ff, with rate of one error per minute), it may indicate of a change in the normal behavior and may be regarded as an irregularity…”, wherein the network appliance has a MAC address and a plurality of properties such as VLAN, network appliance type and/or profile and IP address, protocol, service port number or Uniform Resource Locator (URL) address (overlapping properties); a change or variation in the MAC address (single change) is an indication of a change in the plurality of properties of the appliance (entity)), (¶0123, “The selected ports may monitor traffic characteristics such as change in the network utilization, traffic volume, silent port, errored traffic, invalid packet structure in all layers, invalid packet address, change in traffic direction and/or toggling link status…”), and
in response to the detected one or more changes satisfying a threshold, storing an indicator that an anomaly associated with the entity is detected (¶0128, “If network appliances generate invalid structured packets that exceed a configured maximum invalid packet structure rate (for example, IP header version 10 with one error per minute rate), it may indicate of a change in the normal behavior and it may therefore be regarded as an irregularity. For example, Wi-Fi access point which generates traffic with a 100 invalid structured packets per second rate may imply that this appliance might be compromised and might be instructed to generate malicious traffic aimed to interfere with the normal network or servers functioning or exploit vulnerability sensible to invalid structured packets.”), (¶0082-¶0083, “…The actions that the system may perform if an irregular event is identified may include logging of a suspected event…”),
However, BRATSPIESS does not explicitly disclose the following limitation:
counting the multiple changes as a single change;
DANICHEV discloses counting the multiple changes as a single change (¶0041-¶0042, “FIG. 3 shows an example histogram 300 for a property. The property may be an event property or a global property. Over the time slots, different property values 302A, 302B, 302C , . . . , 302N, which are collectively referred to as the property values 302, have been computed for the property. This histogram 300 maintains counts 304A, 304B, 304C , . . . , 304N, which are collectively referred to as the counts 304, for the respective property values 302. This means that the property value 302A has been computed in a number of time slots equal to the count 304A; the property value 302B has been computed in a number of time slots equal to the count 304B; the property value 302C has been computed in a number of time slots equal to the count 304C; and the property value 302D has been computed in a number of time slots equal to the count 304D…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of BRATSPIESS to include the concept of counting the multiple changes as a single change as disclosed by DANICHEV, and would have been motivated to do so in order to update the computed property values - DANICHEV ¶0042 in part.
Regarding claim 6, BRATSPIESS in view of DANICHEV discloses the method of claim 5.
BRATSPIESS further discloses wherein the respective weight associated with each of the plurality of properties is determined based on a network policy or is user configurable (¶0093, “…The above values (weight) of the threshold and the period of time may be adjusted and fine-tuned by a user (user configurable) subject to the specific environment on site”, wherein weights are values such as positive integers based on applicant’s disclosure in ¶0028-¶0029).
Regarding claim 13, BRATSPIESS in view of DANICHEV discloses the system of claim 12.
BRATSPIESS further discloses wherein the respective weight associated with each of the plurality of properties is determined based on a network policy or is user configurable (¶0093, “…The above values (weight) of the threshold and the period of time may be adjusted and fine-tuned by a user (user configurable) subject to the specific environment on site”, wherein weights are values such as positive integers based on applicant’s disclosure in ¶0028-¶0029).
Regarding claim 20, BRATSPIESS in view of DANICHEV discloses the non-transitory computer readable medium of claim 19.
BRATSPIESS further discloses wherein the respective weight associated with each of the plurality of properties is determined based on a network policy or is user configurable (¶0093, “…The above values (weight) of the threshold and the period of time may be adjusted and fine-tuned by a user (user configurable) subject to the specific environment on site”, wherein weights are values such as positive integers based on applicant’s disclosure in ¶0028-¶0029).
Claims 2, 9, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub. No. 20160173511 to BRATSPIESS et al. (hereinafter BRATSPIESS) in view of U.S. PGPub. No. 20180241654 to DANICHEV et al. (hereinafter DANICHEV) and further in view of U.S. PGPub. No. 20020157020 to Royer, Coby (hereinafter Royer).
Regarding claim 2, BRATSPIESS in view of DANICHEV discloses the method of claim 1.
However, BRATSPIESS in view of DANICHEV does not explicitly disclose the following limitation:
further comprising: in response to the anomaly that is associated with the entity, changing an access to the entity over the network.
Royer discloses in response to the anomaly that is associated with the entity, changing an access to the entity over the network (¶0012, “…Generally, the sensor is programmed to match incoming packets with patterns associated with known attacks. If the sensor detects a match, it will forward all information to a central monitoring station that will alert network administrators, or log details of the attack, or change a router access Control List (ACL) to prevent subsequent traffic from reaching the network.”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of BRATSPIESS and DANICHEV to include the concept of changing an access to the entity over a network if an anomaly is detected as disclosed by Royer, and would have been motivated to do so in order to prevent subsequent traffic from reaching the network - Royer ¶0012 in part.
Regarding claim 9, BRATSPIESS in view of DANICHEV discloses the system of claim 8.
However, BRATSPIESS in view of DANICHEV does not explicitly disclose the following limitation:
wherein the processing device is further to: in response to the anomaly that is associated with the entity, change an access to the entity over the network.
Royer discloses in response to the anomaly that is associated with the entity, changing an access to the entity over the network (¶0012, “…Generally, the sensor is programmed to match incoming packets with patterns associated with known attacks. If the sensor detects a match, it will forward all information to a central monitoring station that will alert network administrators, or log details of the attack, or change a router access Control List (ACL) to prevent subsequent traffic from reaching the network.”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the system of BRATSPIESS and DANICHEV to include the concept of changing an access to the entity over a network if an anomaly is detected as disclosed by Royer, and would have been motivated to do so in order to prevent subsequent traffic from reaching the network - Royer ¶0012 in part.
Regarding claim 16, BRATSPIESS in view of DANICHEV discloses the non-transitory computer readable medium of claim 15.
However, BRATSPIESS in view of DANICHEV does not explicitly disclose the following limitation:
wherein the processing device is further to: in response to the anomaly that is associated with the entity, change an access to the entity over the network.
Royer discloses in response to the anomaly that is associated with the entity, changing an access to the entity over the network (¶0012, “…Generally, the sensor is programmed to match incoming packets with patterns associated with known attacks. If the sensor detects a match, it will forward all information to a central monitoring station that will alert network administrators, or log details of the attack, or change a router access Control List (ACL) to prevent subsequent traffic from reaching the network.”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the non-transitory computer readable medium of BRATSPIESS and DANICHEV to include the concept of changing an access to the entity over a network if an anomaly is detected as disclosed by Royer, and would have been motivated to do so in order to prevent subsequent traffic from reaching the network - Royer ¶0012 in part.
Claims 3, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub. No. 20160173511 to BRATSPIESS et al. (hereinafter BRATSPIESS) in view of U.S. PGPub. No. 20180241654 to DANICHEV et al. (hereinafter DANICHEV) and further in view of U.S. PGPub. No. 20070113281 to LEACH; John (hereinafter LEACH).
Regarding claim 3, BRATSPIESS in view of DANICHEV discloses the method of claim 1.
However, BRATSPIESS in view of DANICHEV does not explicitly disclose the following limitation:
further comprising: in response to the anomaly that is associated with the entity, performing a software update associated with the entity.
LEACH discloses in response to the anomaly that is associated with the entity, performing a software update associated with the entity (¶0237, “Either automatically or manually by the risk manager, the software would calculate what the results would be for various different countermeasure settings and would use these new results to determine the optimal countermeasure adjustments needed to keep the risk indices and protection levels within the targets given the present threat levels. Either automatically or manually, countermeasures could be adjusted (e.g. anti-virus software set to check for new updates with a different frequency) or other components on the IT network could be adjusted (e.g. the rate at which e-mails are received from the Internet could be throttled back) to achieve the protection levels required.”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of BRATSPIESS and DANICHEV in claim 1 to include software updating as disclosed by LEACH, and would have been motivated to do so in order to achieve the protection levels required - LEACH ¶0237 in part.
Regarding claim 10, BRATSPIESS in view of DANICHEV discloses the system of claim 8.
However, BRATSPIESS in view of DANICHEV does not explicitly disclose the following limitation:
wherein the processing device is further to: in response to the anomaly that is associated with the entity, perform a software update associated with the entity.
LEACH discloses in response to the anomaly that is associated with the entity, performing a software update associated with the entity (¶0237, “Either automatically or manually by the risk manager, the software would calculate what the results would be for various different countermeasure settings and would use these new results to determine the optimal countermeasure adjustments needed to keep the risk indices and protection levels within the targets given the present threat levels. Either automatically or manually, countermeasures could be adjusted (e.g. anti-virus software set to check for new updates with a different frequency) or other components on the IT network could be adjusted (e.g. the rate at which e-mails are received from the Internet could be throttled back) to achieve the protection levels required.”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of BRATSPIESS and DANICHEV in claim 1 to include software updating as disclosed by LEACH, and would have been motivated to do so in order to achieve the protection levels required - LEACH ¶0237 in part.
Regarding claim 17, BRATSPIESS in view of DANICHEV discloses the non-transitory computer readable medium of claim 15.
However, BRATSPIESS in view of DANICHEV does not explicitly disclose the following limitation:
wherein the processing device is further to: in response to the anomaly that is associated with the entity, perform a software update associated with the entity.
LEACH discloses in response to the anomaly that is associated with the entity, performing a software update associated with the entity (¶0237, “Either automatically or manually by the risk manager, the software would calculate what the results would be for various different countermeasure settings and would use these new results to determine the optimal countermeasure adjustments needed to keep the risk indices and protection levels within the targets given the present threat levels. Either automatically or manually, countermeasures could be adjusted (e.g. anti-virus software set to check for new updates with a different frequency) or other components on the IT network could be adjusted (e.g. the rate at which e-mails are received from the Internet could be throttled back) to achieve the protection levels required.”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the non-transitory computer readable medium of BRATSPIESS and DANICHEV in claim 15 to include software updating as disclosed by LEACH, and would have been motivated to do so in order to achieve the protection levels required - LEACH ¶0237 in part.
Claims 4, 11, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub. No. 20160173511 to BRATSPIESS et al. (hereinafter BRATSPIESS) in view of U.S. PGPub. No. 20180241654 to DANICHEV et al. (hereinafter DANICHEV) and further in view of U.S. PGPub. No. 20150033340 to Giokas; Ioannis (hereinafter Giokas).
Regarding claim 4, BRATSPIESS in view of DANICHEV discloses the method of claim 1.
However, BRATSPIESS in view of DANICHEV does not explicitly disclose the following limitation:
further comprising: in response to the anomaly that is associated with the entity, detecting one or more ports that are open on the entity.
Giokas discloses in response to the anomaly that is associated with the entity, detecting one or more ports that are open on the entity (¶0095, “In some embodiments, the network security tool 120 includes a vulnerability assessor 210… In some embodiments, the vulnerability assessor 210 can identify a current vulnerability of a private network and determine a signature of an attack configured to exploit the current vulnerability…For example, the vulnerability assessor 210 can obtain data packets of a protected network, save the data packets to a data file or database, and analyze the data packets to identify stray IP addresses, spoofed packets, unnecessary packet drops, or suspicious packet generation from a single IP address…Further, the vulnerability assessor 210 can determine which ports are open and whether these open ports can be exploited…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of BRATSPIESS and DANICHEV in claim 1 to include detecting one or more ports that are open on the entity as disclosed by Giokas, and would have been motivated to do so in order to identify a list of vulnerabilities in the open ports of the protected network - Giokas ¶0095 in part.
Regarding claim 11, BRATSPIESS in view of DANICHEV discloses the system of claim 8.
However, BRATSPIESS in view of DANICHEV does not explicitly disclose the following limitation:
wherein the processing device is further to: in response to the anomaly that is associated with the entity, detect one or more ports that are open on the entity.
Giokas discloses in response to the anomaly that is associated with the entity, detecting one or more ports that are open on the entity (¶0095, “In some embodiments, the network security tool 120 includes a vulnerability assessor 210… In some embodiments, the vulnerability assessor 210 can identify a current vulnerability of a private network and determine a signature of an attack configured to exploit the current vulnerability…For example, the vulnerability assessor 210 can obtain data packets of a protected network, save the data packets to a data file or database, and analyze the data packets to identify stray IP addresses, spoofed packets, unnecessary packet drops, or suspicious packet generation from a single IP address…Further, the vulnerability assessor 210 can determine which ports are open and whether these open ports can be exploited…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the system of BRATSPIESS and DANICHEV in claim 1 to include detecting one or more ports that are open on the entity as disclosed by Giokas, and would have been motivated to do so in order to identify a list of vulnerabilities in the open ports of the protected network - Giokas ¶0095 in part.
Regarding claim 18, BRATSPIESS in view of DANICHEV discloses the non-transitory computer readable medium of claim 15.
However, BRATSPIESS in view of DANICHEV does not explicitly disclose the following limitation:
wherein the processing device is further to: in response to the anomaly that is associated with the entity, detect one or more ports that are open on the entity.
Giokas discloses in response to the anomaly that is associated with the entity, detecting one or more ports that are open on the entity (¶0095, “In some embodiments, the network security tool 120 includes a vulnerability assessor 210… In some embodiments, the vulnerability assessor 210 can identify a current vulnerability of a private network and determine a signature of an attack configured to exploit the current vulnerability…For example, the vulnerability assessor 210 can obtain data packets of a protected network, save the data packets to a data file or database, and analyze the data packets to identify stray IP addresses, spoofed packets, unnecessary packet drops, or suspicious packet generation from a single IP address…Further, the vulnerability assessor 210 can determine which ports are open and whether these open ports can be exploited…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the non-transitory computer readable medium of BRATSPIESS and DANICHEV in claim 15 to include detecting one or more ports that are open on the entity as disclosed by Giokas, and would have been motivated to do so in order to identify a list of vulnerabilities in the open ports of the protected network - Giokas ¶0095 in part.
Regarding claim 5, BRATSPIESS in view of DANICHEV discloses the method of claim 1.
DANICHEV further discloses wherein detecting one or more changes to the plurality of properties comprises counting each of the one or more changes based on a respective weight of each of the plurality of properties (¶0053-¶0057, “For each property, an anomaly score is thus computed for each property value based on the occurrence weight of the property value. This means that if a property has fifteen different property values in its histogram, say, then fifteen anomaly scores are computed corresponding to the fifteen different property values... the anomaly score of a property value x of a property is computed using a distinct residual property function that can fully weight property values of the property within the histogram above x, and that can weight the property values of the property within the histogram below x by a dynamic weight that decreases with increasing distance from x in relation to a separation scale parameter s.”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of BRATSPIESS and DANICHEV in claim 1 to include counting each of the one or more changes based on a respective weight of each of the plurality of properties as disclosed by DANICHEV, and would have been motivated to do so because it provides a method to compute an anomaly score for each identified property value within the time-decaying histogram of each different property to detect the occurrence of an anomaly within the system - DANICHEV abstract.
Regarding claim 12, BRATSPIESS in view of DANICHEV discloses the system of claim 8.
DANICHEV further discloses wherein detecting one or more changes to the plurality of properties comprises counting each of the one or more changes based on a respective weight of each of the plurality of properties (¶0053-¶0057, “For each property, an anomaly score is thus computed for each property value based on the occurrence weight of the property value. This means that if a property has fifteen different property values in its histogram, say, then fifteen anomaly scores are computed corresponding to the fifteen different property values... the anomaly score of a property value x of a property is computed using a distinct residual property function that can fully weight property values of the property within the histogram above x, and that can weight the property values of the property within the histogram below x by a dynamic weight that decreases with increasing distance from x in relation to a separation scale parameter s.”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the method of BRATSPIESS and DANICHEV in claim 1 to include counting each of the one or more changes based on a respective weight of each of the plurality of properties as disclosed by DANICHEV, and would have been motivated to do so because it provides a method to compute an anomaly score for each identified property value within the time-decaying histogram of each different property to detect the occurrence of an anomaly within the system - DANICHEV abstract.
Regarding claim 19, BRATSPIESS in view of DANICHEV discloses the non-transitory computer readable medium of claim 15.
DANICHEV further discloses wherein detecting one or more changes to the plurality of properties comprises counting each of the one or more changes based on a respective weight of each of the plurality of properties (¶0053-¶0057, “For each property, an anomaly score is thus computed for each property value based on the occurrence weight of the property value. This means that if a property has fifteen different property values in its histogram, say, then fifteen anomaly scores are computed corresponding to the fifteen different property values... the anomaly score of a property value x of a property is computed using a distinct residual property function that can fully weight property values of the property within the histogram above x, and that can weight the property values of the property within the histogram below x by a dynamic weight that decreases with increasing distance from x in relation to a separation scale parameter s.”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of applicant’s claimed invention to modify the non-transitory computer readable medium of BRATSPIESS and DANICHEV in claim 15 to include counting each of the one or more changes based on a respective weight of each of the plurality of properties as disclosed by DANICHEV, and would have been motivated to do so because it provides a method to compute an anomaly score for each identified property value within the time-decaying histogram of each different property to detect the occurrence of an anomaly within the system - DANICHEV abstract.
Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub. No. 20160173511 to BRATSPIESS et al. (hereinafter BRATSPIESS) in view of U.S. PGPub. No. 20180241654 to DANICHEV et al. (hereinafter DANICHEV) and further in view of U.S. 20130275567 to Karthikeyan et al. (hereinafter Karthikeyan).
Regarding claim 7, BRATSPIESS in view of DANICHEV discloses the method of claim 1.
However, BRATSPIESS in view of DANICHEV does not explicitly disclose wherein the threshold associated with a first portion of the network is different than the threshold associated with a second portion of the network.
Karthikeyan discloses quality of service (QoS) thresholds assigned for each of the different network segments (¶0047, “The supervisory module has an overview of the entire end-to-end route across the network, the QoS thresholds for the end-to-end route and the QoS thresholds assigned for each of the different network segments that the end-to-end route passes through…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the applicant’s claimed invention to modify the method of BRATSPIESS and DANICHEV to include different thresholds for different segments (portions) of a network as disclosed by Karthikeyan, and would have been motivated to do so because it provides a mechanism that re-routes data transmissions that would breach the quality of service thresholds associated with a particular segment of the network - Karthikeyan abstract in part.
Regarding claim 14, BRATSPIESS in view of DANICHEV discloses the system of claim 8.
However, BRATSPIESS in view of DANICHEV does not explicitly disclose wherein the threshold associated with a first portion of the network is different than the threshold associated with a second portion of the network.
Karthikeyan discloses quality of service (QoS) thresholds assigned for each of the different network segments (¶0047, “The supervisory module has an overview of the entire end-to-end route across the network, the QoS thresholds for the end-to-end route and the QoS thresholds assigned for each of the different network segments that the end-to-end route passes through…”).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the applicant’s claimed invention to modify the system of BRATSPIESS and DANICHEV to include different thresholds for different segments (portions) of a network as disclosed by Karthikeyan, and would have been motivated to do so because it provides a mechanism that re-routes data transmissions that would breach the quality of service thresholds associated with a particular segment of the network - Karthikeyan abstract in part.
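The limitations discussed above for claims 1, 5 and 7 (detecting changes to an entity's properties, counting multiple changes to overlapping properties as a single change, weighting each counted change per property, and comparing the result against a threshold that differs per portion of the network before storing an anomaly indicator) describe one evaluation pipeline. The following is an added illustration of that pipeline written for this page; it is not code from the application under examination, from the examiner, or from any of the cited references (BRATSPIESS, DANICHEV, Karthikeyan). The property weights, the overlap groups, the per-segment thresholds and the two device snapshots are constructed sample values, and the rule that a merged group of overlapping changes takes the largest weight among its members is an assumption made here, not something any of the references states.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Constructed sample policy: one weight per monitored property of an entity.
# In the claimed method these come from a network policy or are user configurable.
DEFAULT_WEIGHTS: Dict[str, int] = {
    "mac": 3, "ip": 2, "vlan": 2, "device_type": 3,
    "protocol": 1, "service_port": 1, "url": 1,
}

# Constructed sample: sets of properties treated as overlapping. Several changes
# that all fall inside one set are counted as a single change.
OVERLAP_GROUPS: List[FrozenSet[str]] = [
    frozenset({"ip", "vlan"}),
    frozenset({"protocol", "service_port", "url"}),
]

# Constructed sample: a different threshold for each portion (segment) of the network.
SEGMENT_THRESHOLDS: Dict[str, int] = {"ot_floor": 2, "corporate": 5}


def detect_changes(before: Dict[str, object], after: Dict[str, object]) -> Set[str]:
    """Names of the properties whose value differs between two snapshots of an entity."""
    return {k for k in set(before) | set(after) if before.get(k) != after.get(k)}


def collapse_overlapping(changed: Set[str], groups=OVERLAP_GROUPS) -> List[Set[str]]:
    """Merge changed properties that belong to one overlap group into one change unit."""
    units: List[Set[str]] = []
    remaining = set(changed)
    for group in groups:
        hit = remaining & group
        if hit:
            units.append(set(hit))      # the whole group is counted once
            remaining -= hit
    for prop in sorted(remaining):      # properties outside any group count on their own
        units.append({prop})
    return units


def weighted_count(units: List[Set[str]], weights=DEFAULT_WEIGHTS) -> int:
    """Weighted count of change units. Assumption: a merged unit takes its largest member weight."""
    return sum(max(weights[p] for p in unit) for unit in units)


@dataclass
class AnomalyStore:
    """Holds the 'anomaly detected' indicator stored per entity."""
    indicators: Dict[str, dict] = field(default_factory=dict)


def evaluate_entity(entity_id: str, segment: str, before: dict, after: dict,
                    store: AnomalyStore, weights=DEFAULT_WEIGHTS,
                    thresholds=SEGMENT_THRESHOLDS) -> dict:
    """Run the full pipeline for one entity and store an indicator when the threshold is met."""
    changed = detect_changes(before, after)
    units = collapse_overlapping(changed)
    score = weighted_count(units, weights)
    threshold = thresholds[segment]             # threshold depends on the network portion
    result = {
        "raw_changes": len(changed),            # every changed property
        "counted_changes": len(units),          # after overlapping changes collapse to one
        "score": score,
        "threshold": threshold,
        "anomaly": score >= threshold,
    }
    if result["anomaly"]:
        store.indicators[entity_id] = {
            "segment": segment, "score": score,
            "changes": [sorted(u) for u in units],
        }
    return result


if __name__ == "__main__":
    # Constructed sample snapshots of one device: it re-appears on another subnet and VLAN.
    baseline = {"mac": "00:11:22:33:44:55", "ip": "10.0.0.5", "vlan": 10,
                "device_type": "plc", "protocol": "modbus", "service_port": 502}
    observed = dict(baseline, ip="10.0.3.5", vlan=30)
    store = AnomalyStore()
    print(evaluate_entity("plc-07", "ot_floor", baseline, observed, store))
    print(store.indicators)
```

With the sample values, the IP and VLAN changes are two raw changes but one counted change with weight 2, which meets the "ot_floor" threshold of 2 and stores an indicator, while the same pair of changes on the "corporate" segment (threshold 5) stores nothing; this is the per-portion threshold behaviour of claim 7 layered on the single-change counting of claim 1.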
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUDASIRU K OLAEGBE whose telephone number is (571)272-2082. The examiner can normally be reached MON-FRI. 7.30AM-5.30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached at 5712723739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MUDASIRU K OLAEGBE/Examiner, Art Unit 2495
/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495