DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 11/05/2019, 02/12/2020, 04/15/2020 and 11/06/2020 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.
Claim Objections
Claims 1, 10, 11 and 20 are objected to because of the following informalities:
In claims 1 and 11, line 7, “groupings of network addresses” should be “the groupings of network addresses.”
In claims 10 and 20, line 1, “groupings of network addresses” should be “the groupings of network addresses.”
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
Claims 1 and 11 recite the limitation “the generated topics” in line 3. There is insufficient antecedent basis for this limitation in the claim. For examination purposes examiner has interpreted the element as “the set of topics.”
Claims 1 and 11 recite the limitation “the topic” in line 4. There is insufficient antecedent basis for this limitation in the claim. For examination purposes examiner has interpreted the element as “a topic.”
Claims 1 and 11 recite the limitation “a set of topics” in line 5 rendering the claim indefinite. The limitation appears to be referring to “a set of topics” in line 2. For examination purposes examiner has interpreted the element as “a topic in the set of topics.”
Claims 2 and 12 recite the limitation “the generated groupings.” There is insufficient antecedent basis for this limitation in the claim. For examination purposes examiner has interpreted the element as “the groupings of network address.”
Claims 3-10 and 13-20 are also rejected due to their dependency on a rejected claim.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 4-9, 11 and 14-19 are rejected under 35 U.S.C. 103 as being unpatentable over Niu ("Network Steganography based on Traffic Behavior in Dynamically Changing Wireless Sensor Networks") in view of Lee ("iVisClustering: An Interactive Visual Document Clustering via Topic Modeling").
In regard to claims 1 and 11, Niu teaches: A method of generating groupings of network addresses comprising: (Niu, p. 2, III. SYSTEM MODEL "With this modeling, we can find out the most dominant sequences of packets forming some behavior, during any time interval for any node or group of nodes [groupings of network addresses]. The result will then allow us to purposefully craft cover packets that follow certain behavior (e.g., typical behavior in the given network environment)..."; p. 5 "In the same topic, 36, the top authors are 74.125.19.97, 199.7.51.72 and 98.129.192.234 with a sum of probability of 0.3. These three IP addresses are assigned to Google, Verisign, and Rackspace, respectively, which are web service companies. We can deduce that these nodes have similar traffic behavior, or topic that consists of similar packets to and from these nodes."; These three IP addresses can be an example of addresses in the same group.)
generating a set of topics based on a set of flow characteristics collected for a plurality of flows (Niu, p. 4 B. Model Selection "In this work, we use perplexity to determine the optimal length of time interval t and number of topics T [topics] for traffic behavior [flows] learning."; p. 4-5 D. Network Behavior Discovered with ATM " In Table II, selected topics discovered by ATM are listed. We list the top for each topic..."; see Table II "> TCP-Data - S VIII, < TLSv1-Data - R VIII, etc. [flow characteristics]") 
associated with a plurality of network addresses, (Niu, p.3 "However, different from general text data, for network packets, the authors (source/destination addresses) [network address] are included in the packet header. In this paper, we utilize this feature to achieve accurate inference by applying both word topic and author-topic probability to infer the network flow.")
the generated topics comprising groups of flow characteristics probabilistically associated with the topic; (Niu, p. 4 "… ranked by the probability of a word given a topic..."; see Table II "> TCP-Data - S VIII / 0.13273, < TLSv1-Data - R VIII / 0.09138, etc. [flow characteristics/ probability]")
associating each of the plurality of network addresses with a set of topics, (Niu, p. 2 IV. PROPOSED SCHEME "In ATM, each author is associated with a multinomial distribution over topics…"; p.3 "However, different from general text data, for network packets, the authors (source/destination addresses) [network address] are included in the packet header.")
each topic associated with a particular network address with a particular probability; and (Niu, p. 4-5 D. Network Behavior Discovered with ATM "In Table II... the top 3 authors for each topic, ranked by... the probability of a topic given an author .., respectively."; see Table II, User Address, e.g. 74.125.19.97 / 0.19326, 199.7.51.72 / 0.06708 [topic 36: network address / a particular probability])
generating groupings of network addresses with similar distributions of topic probability (Niu, p. 4-5 D. Network Behavior Discovered with ATM "We list... the top 3 authors for each topic, ranked by... the probability of a topic given an author... "; p.5 "In the same topic, 36, the top authors are 74.125.19.97, 199.7.51.72 and 98.129.192.234 with a sum of probability of 0.3. These three IP addresses are assigned to Google, Verisign, and Rackspace, respectively, which are web service companies. We can deduce that these nodes have similar traffic behavior, or topic that consists of similar packets to and from these nodes."; These three IP addresses can be an example of addresses in the same group.)
for display in a user interface. (Lee, see Figure 2 and 4 [user interface], p. 1158 "The Cluster Relation View, shown in Figure 2A, represents an overview of the LDA clustering results of a document set."; p. 1161 "Figure 4: Interactive clustering by filtering noisy data. Filtering out noisy documents leads to a clear clustering results.")
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified Niu to incorporate the teachings of Lee by including an interactive visual analytics system for document clustering. Doing so would provide a summary of each cluster and visualize soft clustering results in parallel coordinates. (Lee, Abstract "This paper proposes an interactive visual analytics system for document clustering, called iVisClustering, based on a widely-used topic modeling method, latent Dirichlet allocation (LDA). iVisClustering provides a summary of each cluster in terms of its most representative keywords and visualizes soft clustering results in parallel coordinates. The main view of the system provides a 2D plot that visualizes cluster similarities and the relation among data items with a graph-based representation.")
Claim 11 recites substantially the same limitation as claim 1, therefore the rejection applied to claim 1 also applies to claim 11. In addition, Niu teaches: A non-transitory machine readable medium storing a program for execution by at least one processing unit, the program for generating groupings of network addresses, the program comprising sets of instructions for: (Niu, p. 4 "In this section, we validate the ability of ATM to learn and infer network behavior. All experiments are implemented using C++ language and tested on PC workstation (3.4GHz CPU and 16GB RAM)…")
In regard to claims 4 and 14, Niu and Lee teach: The method of claim 1, wherein generating the set of topics comprises using probabilistic topic modeling to generate the set of topics. (Niu, p.2 "Author-topic model (ATM) introduced by [13] is an extended Latent Dirichlet Allocation (LDA) model [probabilistic topic modeling] that includes authorship information in addition to finding latent topics. [generate the set of topics]")
In regard to claims 5 and 15, Niu and Lee teach: The method of claim 4, wherein the probabilistic topic modeling is latent Dirichlet allocation (LDA). (Niu, p.2 "Author-topic model (ATM) introduced by [13] is an extended Latent Dirichlet Allocation (LDA) model that includes authorship information in addition to finding latent topics.")
In regard to claims 6 and 16, Niu and Lee teach: The method of claim 5, wherein the LDA uses network addresses of computers in networks as the documents for its analysis. (Niu, p. 3 IV. PROPOSED SCHEME "In Fig. 1(b), x indicates a given author chosen from a group of authors and d denotes a document [documents] that the authors write about."; p.3 "However, different from general text data, for network packets, the authors (source/destination addresses) [network addresses of computers] are included in the packet header. In this paper, we utilize this feature to achieve accurate inference by applying both word topic and author-topic probability to infer the network flow.")
In regard to claims 7 and 17, Niu and Lee teach: The method of claim 6, wherein the LDA uses a particular plurality of groups of flow characteristics associated with a particular network address as a plurality of words associated with a particular document defined by the particular network address. (Niu p.2 "We use protocol, message type, packet length, and time interval in a day [e.g. flow characteristics], to construct words [words] for ATM"; p. 3 IV. PROPOSED SCHEME "In Fig. 1(b), x indicates a given author chosen from a group of authors and d denotes a document [documents] that the authors write about."; p.3 "However, different from general text data, for network packets, the authors (source/destination addresses) [network addresses] are included in the packet header...") (More details in Niu, p. 2, III. SYSTEM MODEL "With this modeling, we can find out the most dominant sequences of packets forming some behavior, during any time interval [e.g. flow characteristics] for any node or group of nodes [particular network address]. The result will then allow us to purposefully craft cover packets that follow certain behavior (e.g., typical behavior in the given network environment)..."; IV. PROPOSED SCHEME "... We mainly use ATM to discover the traffic behavior in terms of which packets flow (traffic pattern), what are the active/inactive times of nodes (business pattern), what traffic patterns and business patterns a given source node is likely to follow and which nodes act similarly."; p. 4-5 D. Network Behavior Discovered with ATM "In Table II, selected topics discovered by ATM are listed. We list the top 7 most likely packets (words) and the top 3 authors for each topic, ranked by the probability of a word given a topic ..and the probability of a topic given an author .., respectively."; see Table II, User Address, e.g. 74.125.19.97, 199.7.51.72 [network address])
In regard to claims 8 and 18, Niu and Lee teach: The method of claim 7, wherein the flow characteristics that make up a particular word comprise at least one of a flow direction, a source port, and a destination port. (Niu, p.2 "We use protocol, message type, packet length, and time interval in a day, to construct words [a particular word] for ATM. For example, we can encode such information as shown in Table I (only four protocols and some common message types are shown) based on the forensics dataset used for training our model. For instance, the word TCP — ACK — B — VIII means a TCP ACK [a flow direction] packet of 64 bytes sent or received during 4-6pm."; e.g. the receiver sends an ACK back to the sender)
In regard to claims 9 and 19, Niu and Lee teach: The method of claim 7, wherein the flow characteristics that make up a particular word comprise at least one of a number of bytes exchanged, a number of packets exchanged, and a duration of the flow. (Niu, p.2 "We use protocol, message type, packet length, and time interval in a day, to construct words [a particular word] for ATM. For example, we can encode such information as shown in Table I (only four protocols and some common message types are shown) based on the forensics dataset used for training our model. For instance, the word TCP — ACK — B — VIII means a TCP ACK packet of 64 bytes [a number of bytes exchanged] 
Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Niu in view of Lee in further view of El-Atawy ("Policy Segmentation for Intelligent Firewall Testing").
In regard to claims 2 and 12, Niu and Lee fail to teach, but El-Atawy teaches: The method of claim 1 further comprising applying security policies according to the generated groupings. (El-Atawy, p. 67 Abstract "In this paper, an efficient paradigm for automated testing of firewalls with respect to their internal implementation and security policies is proposed. We propose a novel firewall testing technique using policy-based [security policies] segmentation of the traffic address space [the generated groupings], which can intelligently adapt the test traffic generation to target potential erroneous regions in the firewall input space."; p. 69 Fig. 2; p. 70 "Fig. 2 shows a segmentation example of a simple firewall policy composed of three rules: R1, R2 and R3. As a result of intersecting the three rules, four address segments are produced: S1, S2, S3 and S4. The information associated with each segment is presented in the table in Fig. 2.")
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified Niu and Lee to incorporate the teachings of El-Atawy by including an automated firewall technique. Doing so would make the problem solvable and offer a significantly higher degree of confidence. (El-Atawy, p. 67 Abstract "We also show that our automated approach of test case generation, analyzing firewall logs and creating testing reports not only makes the problem solvable but also offers a significantly higher degree of confidence than random testing.")
Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Niu in view of Lee in further view of Ghafir ("A Survey on Network Security Monitoring Systems").
In regard to claims 3 and 13, Niu and Lee fail to teach, but Ghafir teaches: The method of claim 1, wherein the set of flow characteristics comprises at least one of internet protocol flow information export (IPFIX) data (Ghafir, p. 81, C. Flow-based Observation Representatives "Flow-based observation architecture contains two main components; a flow exporter and a flow collector… 1) Flow Exporters: IPFIX formats... 2) Flow Collectors: nProbe is not only a flow exporter, it is also a flow collector... IPFIXcol [35] is an IPFIX collector designed for high throughput networks...") and tcpdump data. (Ghafir, p. 77, A. Packet Capture Representatives "1) Tcpdump: Tcpdump is a command line tool for packet capture analysis. Tcpdump can analyze both live traffic using the libpcap library and captured packet traces in PCAP format.")
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified Niu and Lee to incorporate the teachings of Ghafir by including IPFIX or tcpdump. Doing so would include and implement the network security monitoring in the model. (Ghafir, p. 77 "This section classifies the current network security monitoring implementations into packet capture representatives, deep packet inspection representatives and flow-based observation representatives.")
Claims 10 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Niu in view of Lee in further view of Bassett (US 20150236935 A1).
In regard to claims 10 and 20, Niu and Lee fail to teach, but Bassett teaches: The method of claim 6, wherein generating groupings of network addresses comprises using k-means clustering. (Bassett, [0035] "Turning next to the classification component 206, in this embodiment, the classification component 206 is configured to perform one or more operations, including, creating clusters from the observation vectors. The creation of clusters from the observation vectors is a way to organize and/or group similar hosts, primarily those of the internal network 116 but also potentially including those of the outside network 118.  In some embodiments, the classification component 206 creates clusters using a clustering technique utilizing a single, or a combination of, any suitable clustering algorithms. Examples of suitable clustering algorithms include, k-means clustering, hierarchal clustering, expectation maximization clustering, and self-organizing maps.")

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SU-TING CHUANG whose telephone number is (408)918-7519.  The examiner can normally be reached on Monday - Thursday 8-5 PT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kakali Chaki can be reached on (571)272-3719.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
/S.C./Examiner, Art Unit 2122

/LUIS A SITIRICHE/Primary Examiner, Art Unit 2126