Prosecution Insights
Last updated: April 19, 2026
Application No. 18/897,902

DYNAMIC NETWORK TRAFFIC ANALYSIS FOR ANOMALY

Non-Final OA §103
Filed: Sep 26, 2024
Examiner: RAZA, MUHAMMAD A
Art Unit: 2449
Tech Center: 2400 — Computer Networks
Assignee: Hewlett Packard Enterprise Development LP
OA Round: 1 (Non-Final)
Grant Probability: 58% (Moderate)
OA Rounds: 1-2
To Grant: 3y 6m
With Interview: 99%

Examiner Intelligence

Grants 58% of resolved cases
Career Allow Rate: 58% (158 granted / 274 resolved), at TC average
Interview Lift: +70.8% (strong +71% interview lift; resolved cases with interview)
Typical timeline: 3y 6m Avg Prosecution, 32 currently pending
Career history: 306 Total Applications across all art units

Statute-Specific Performance

§101: 17.0% (-23.0% vs TC avg)
§103: 47.7% (+7.7% vs TC avg)
§102: 6.5% (-33.5% vs TC avg)
§112: 21.4% (-18.6% vs TC avg)
Based on career data from 274 resolved cases

Office Action

§103
DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
Claims 1-20 are pending in this Office Action.

Priority
Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.

Drawings
The formal drawings received on 10/24/204 have been entered.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Izrael (US 20200314134) in view of Yaghi (US 20240353808), and further in view of Aaron (US 20070150950), Ong (US 20140330886), and Zhang (US 20160065423).

1, 9, 17. Izrael teaches:
A method, comprising: – in paragraphs [0006]-[0073] (A method for mitigating cyber security threats by devices using risk factors.)
determining, by a network device in a network, a device type of a respective user device associated with the network device; – in paragraphs [0006]-[0073] (The known normal behaviors may further include different sets of known normal behaviors for different devices, types of devices, users of devices, and the like.)
monitoring, by the network device, a movement pattern of the user device, – in paragraphs [0006]-[0073] (The detection tools 112 are configured to collect data related to the device, network activity by the device 130, or both. Such data may include data related to observed risk behaviors such as, but is not limited to, geographical movements of the device, and the like. Data indicating that the device is moving is associated with a predetermined observed behavior risk factor of 2 and data indicating that the device is immobile is associated with a predetermined observed behavior risk factor of 8. The data related to the device includes data directly related to the device (e.g., configuration data of the device, identifying information of the device, etc.))
monitoring, by the network device, a traffic pattern indicating a type and a volume of traffic generated by the user device; – in paragraphs [0006]-[0073] (The detection tools 112 are configured to collect data related to the device, network activity by the device 130, or both. Such data may include data related to observed risk behaviors such as, but is not limited to, data included in traffic to or from the device 130, amounts of traffic sent by the device 130, number of endpoints receiving traffic from the device 130, type of traffic sent by the device 130 (e.g., encrypted or unencrypted, repetitive or non-repeating, etc.) common vulnerabilities and exposure exhibited by the device 130 (e.g., for the device 130, for software running on the device 130, or both), geographical movements of the device, and the like.)
determining whether a combination of the device type, the movement pattern, and the traffic pattern matches an anomalous operation; and – in paragraphs [0006]-[0073] (The risk factors may be determined based on comparison of behaviors between devices.)
Izrael does not explicitly teach: the movement pattern indicating a number of times the network device has learned a layer-2 address of the user device within a period.
However, Yaghi teaches:
the movement pattern indicating a number of times the network device has learned a layer-2 address of the user device within a period; – in paragraphs [0004]-[0094] (The smart home control system 320 may send a request to the router 404 to provide the list of devices connected to the home network. The list of devices connected to the home network may include a device name, or nickname, an internet protocol (IP) address, a media access control (MAC) address, information about the device (e.g., description, how long the device has been connected, how many times the device has connected and/or disconnected, manufacturer, model), device data usage (e.g., upload and download amounts), signal strength (e.g., WiFi™ signal strength), average signal strength, signal strength over time, among other information.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Izrael with Yaghi to include the movement pattern indicating a number of times the network device has learned a layer-2 address of the user device within a period, as taught by Izrael, in paragraphs [0001]-[0038], to secure networks against threats posed by malicious devices.
Combination of Izrael and Yaghi does not explicitly teach: in response to the combination matching the anomalous operation: selecting a traffic filter mapped to the anomalous operation; applying the traffic filter on traffic at the network device to select a subset of the traffic associated with the anomalous operation; selecting, from a set of target devices, a target device based at least on a volume of the subset of the traffic, mirroring the subset of the traffic to the target device.
However, Aaron teaches:
in response to the combination matching the anomalous operation: – in paragraphs [0003]-[0044] (The verification system 110 may be configured to determine whether the network element 130 is trustable or not, by, for example, determining a degree of trust for the network element 130. At block 205, the traffic associated with the network element 130 is mirrored based on whether the network element 130 can be trusted.)
selecting a traffic filter mapped to the anomalous operation; – in paragraphs [0003]-[0044] (These rules may be based on the degree of trust determined for the network element 130. The mirroring controller 115 may use the rules stored in the mirroring database 120 to filter the traffic to be mirrored based on packet header (e.g., source/destination address, ports, protocol), class/Quality of Service, associated communication streams or conversations, and/or the contents of the traffic payloads.)
applying the traffic filter on traffic at the network device to select a subset of the traffic associated with the anomalous operation; – in paragraphs [0003]-[0044] (The mirroring controller 115 may also select what portions of the traffic associated with the network element 130 are to be mirrored based on rules stored in the mirroring database.)
selecting, from a set of target devices, a target device based at least on a volume of the subset of the traffic, – in paragraphs (The mirroring controller 115 may direct the mirrored traffic to a destination based, for example, on the degree of trust associated with the network element 130. The mirrored traffic may be directed to a plurality of destinations such that different portions and/or classifications of traffic are directed to different ones of the plurality of destinations. The mirroring controller 115 further consults the mirroring database to determine that the appropriate mirroring destination is a local law enforcement agency.)
mirroring the subset of the traffic to the target device. – in paragraphs [0003]-[0044] (The mirrored traffic may be directed to a plurality of destinations such that different portions and/or classifications of traffic are directed to different ones of the plurality of destinations.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Izrael and Yaghi with Aaron to include in response to the combination matching the anomalous operation: selecting a traffic filter mapped to the anomalous operation; applying the traffic filter on traffic at the network device to select a subset of the traffic associated with the anomalous operation; selecting, from a set of target devices, a target device based at least on a volume of the subset of the traffic, mirroring the subset of the traffic to the target device, as taught by Aaron, in paragraphs [0001]-[0027], to provide automatic network-based mirroring of traffic may be desired in certain scenarios, in particular if a network element has been modified in an undesirable fashion.
Combination of Izrael, Yaghi, and Aaron does not explicitly teach: selecting, from a set of target devices, a target device based at least on a volume of the subset of the traffic.
However, Ong teaches:
selecting, from a set of target devices, a target device based at least on a volume of the subset of the traffic, – in paragraphs [0005]-[0054] (This may entail consulting tables within the router to determine the best router to which to forward an incoming packet, determining the best router to handle a given type of traffic, determining the best router to handle a given volume of traffic, and the like.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Izrael, Yaghi, and Aaron with Ong to include selecting, from a set of target devices, a target device based at least on a volume of the subset of the traffic, as taught by Ong, in paragraphs [0003]-[0040], to determine a best router to handle a given type and volume of traffic.
Combination of Izrael, Yaghi, Aaron, and Ong does not explicitly teach: the target device is to facilitate analysis of the subset of the traffic.
However, Zhang teaches:
the target device is to facilitate analysis of the subset of the traffic; and – in paragraphs [0027]-[0137] (The chosen multiplexer may then send the mirrored packet to one of a set of processing modules (PMs) 112, based on at least one load balancing consideration. The chosen processing module can then use one or more processing engines to process the mirrored packet (along with other, previously received, mirrored packets). At least one consuming entity 114 may interact with the processing modules 112 to obtain the mirrored packets. The consuming entity 114 may then perform any application-specific analysis on the mirrored packets, using one or more processing engines.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Izrael, Yaghi, Aaron, and Ong with Zhang to include the target device is to facilitate analysis of the subset of the traffic, as taught by Zhang, in paragraphs [0001]-[0004], to determine the cause of failures and other anomalous events that occur within a network.

2, 10, 18. The method of claim 1, – refer to the indicated claim for reference(s).
Izrael teaches:
further comprising maintaining information associated with a set of anomalous operations, – in paragraphs [0006]-[0073] (The instructions, when executed, cause the processing circuitry 310 to generate fleet behavior models and detect anomalous behavior in fleets or sub-fleets as described herein. The database 111 may further store data related to known device behaviors that may be utilized to determine risk factors.)
which includes the determined anomalous operation, at the network device, – in paragraphs [0006]-[0073] (Thus, the database 111 may act as a knowledgebase of known device behavior profiles. The data related to known device behaviors may define baseline behaviors for a device representing normal behavior and values (or formulas used for calculating values) of risk factors based on deviations from the baseline behaviors.)
wherein a respective anomalous operation is mapped to a combination of a corresponding movement pattern and a corresponding traffic pattern. – in paragraphs [0006]-[0073] (The detection tools 112 are configured to collect data related to the device, network activity by the device 130, or both. Such data may include data related to observed risk behaviors such as, but is not limited to, data included in traffic to or from the device 130, amounts of traffic sent by the device 130, number of endpoints receiving traffic from the device 130, type of traffic sent by the device 130 (e.g., encrypted or unencrypted, repetitive or non-repeating, etc.) common vulnerabilities and exposure exhibited by the device 130 (e.g., for the device 130, for software running on the device 130, or both), geographical movements of the device.)

3, 11, 19. The method of claim 2, – refer to the indicated claim for reference(s).
Izrael teaches:
wherein maintaining the information associated with the set of anomalous operations further comprises storing, in a data structure at the network device, a set of parameters and one or more device types with a respective anomalous operation, – in paragraphs [0006]-[0073] (The instructions, when executed, cause the processing circuitry 310 to generate fleet behavior models and detect anomalous behavior in fleets or sub-fleets as described herein. The database 111 may further store data related to known device behaviors that may be utilized to determine risk factors. Thus, the database 111 may act as a knowledgebase of known device behavior profiles. The data related to known device behaviors may define baseline behaviors for a device representing normal behavior and values (or formulas used for calculating values) of risk factors based on deviations from the baseline behaviors.)
wherein the set of parameters indicates whether the movement pattern and the traffic pattern are anomalous. – in paragraphs [0006]-[0073] (The detection tools 112 are configured to collect data related to the device, network activity by the device 130, or both. Such data may include data related to observed risk behaviors such as, but is not limited to, data included in traffic to or from the device 130, amounts of traffic sent by the device 130, number of endpoints receiving traffic from the device 130, type of traffic sent by the device 130 (e.g., encrypted or unencrypted, repetitive or non-repeating, etc.) common vulnerabilities and exposure exhibited by the device 130 (e.g., for the device 130, for software running on the device 130, or both), geographical movements of the device. The threat mitigator 120 is configured to determine a risk score for the device 130 and to perform mitigation actions based on the determined risk score.)

4, 12, 20. The method of claim 3, – refer to the indicated claim for reference(s).
Izrael teaches:
further comprising: comparing, in the data structure, the movement pattern and the traffic pattern associated with the user device with the set of parameters of the respective anomalous operation; and – in paragraphs [0006]-[0073] (The detection tools 112 are configured to collect data related to the device, network activity by the device 130, or both. Such data may include data related to observed risk behaviors such as, but is not limited to, data included in traffic to or from the device 130, amounts of traffic sent by the device 130, number of endpoints receiving traffic from the device 130, type of traffic sent by the device 130 (e.g., encrypted or unencrypted, repetitive or non-repeating, etc.) common vulnerabilities and exposure exhibited by the device 130 (e.g., for the device 130, for software running on the device 130, or both), geographical movements of the device. The threat mitigator 120 is configured to determine a risk score for the device 130 and to perform mitigation actions based on the determined risk score.)
selecting the anomalous operation from the set of anomalous operations based on the comparison. – in paragraphs [0006]-[0073] (The data related to known device behaviors may define baseline behaviors for a device representing normal behavior and values (or formulas used for calculating values) of risk factors based on deviations from the baseline behaviors.)

5, 13. The method of claim 1, – refer to the indicated claim for reference(s).
Aaron teaches:
further comprising: comparing the movement pattern and the traffic pattern with a set of traffic filters maintained at the network device; and – in paragraphs [0003]-[0044] (These rules may be based on the degree of trust determined for the network element 130. The mirroring controller 115 may use the rules stored in the mirroring database 120 to filter the traffic to be mirrored based on packet header (e.g., source/destination address, ports, protocol), class/Quality of Service, associated communication streams or conversations, and/or the contents of the traffic payloads.)
selecting, from the set of traffic filters, the traffic filter to correspond to the subset of the traffic. – in paragraphs [0003]-[0044] (The mirroring controller 115 may also select what portions of the traffic associated with the network element 130 are to be mirrored based on rules stored in the mirroring database.)

6, 14. The method of claim 1, – refer to the indicated claim for reference(s).
Zhang teaches:
further comprising selecting the target device based further on a requirement of subsequent analysis of the mirrored traffic. – in paragraphs [0027]-[0137] (The chosen multiplexer may then send the mirrored packet to one of a set of processing modules (PMs) 112, based on at least one load balancing consideration. The chosen processing module can then use one or more processing engines to process the mirrored packet (along with other, previously received, mirrored packets). At least one consuming entity 114 may interact with the processing modules 112 to obtain the mirrored packets. The consuming entity 114 may then perform any application-specific analysis on the mirrored packets, using one or more processing engines.)

7, 15. The method of claim 1, – refer to the indicated claim for reference(s).
Zhang teaches:
wherein the set of target devices for mirroring the subset of the traffic comprises one or more of: a processing resource of the network device; a remote virtual machine (VM); a network management system via the processing resource; and the network management system via a network interface controller (NIC) of the network device. – in paragraphs [0027]-[0137] (The chosen multiplexer may then send the mirrored packet to one of a set of processing modules (PMs) 112, based on at least one load balancing consideration. The chosen processing module can then use one or more processing engines to process the mirrored packet (along with other, previously received, mirrored packets). At least one consuming entity 114 may interact with the processing modules 112 to obtain the mirrored packets. The consuming entity 114 may then perform any application-specific analysis on the mirrored packets, using one or more processing engines.)

8, 16. The method of claim 1, – refer to the indicated claim for reference(s).
Aaron teaches:
wherein the mirroring of the subset of the traffic is initiated prior to detecting an issue with the network device, and wherein the issue corresponds to utilization of resources, delay, or packet drops at the network device. – in paragraphs [0003]-[0044] (The mirrored traffic may be directed to a plurality of destinations such that different portions and/or classifications of traffic are directed to different ones of the plurality of destinations.)

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUHAMMAD RAZA whose telephone number is (571)272-7734. The examiner can normally be reached Monday-Friday, 7:00 A.M.-5:00 P.M.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava, can be reached at (571)272-7304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MUHAMMAD RAZA/
Primary Examiner, Art Unit 2449

Prosecution Timeline

Sep 26, 2024: Application Filed
Jan 06, 2026: Examiner Interview (Telephonic)
Jan 09, 2026: Examiner Interview Summary
Jan 28, 2026: Non-Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12603935
WORKFLOW COORDINATION IN COORDINATION NAMESPACE
2y 5m to grant Granted Apr 14, 2026
Patent 12598147
COLLABORATIVE RELATIONAL MANAGEMENT OF NETWORK AND CLOUD-BASED RESOURCES
2y 5m to grant Granted Apr 07, 2026
Patent 12592917
NETWORK LINK ESTABLISHMENT IN A MULTI-CLOUD INFRASTRUCTURE
2y 5m to grant Granted Mar 31, 2026
Patent 12587451
AUTOMATING SECURED DEPLOYMENT OF CONTAINERIZED WORKLOADS ON EDGE DEVICES
2y 5m to grant Granted Mar 24, 2026
Patent 12580978
APPLICATION-CENTRIC WEB PROTOCOL-BASED DATA STORAGE
2y 5m to grant Granted Mar 17, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 58%
With Interview: 99% (+70.8%)
Median Time to Grant: 3y 6m
PTA Risk: Low
Based on 274 resolved cases by this examiner. Grant probability derived from career allow rate.
