Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
The instant application having Application No. 16/381,887 is presented for examination by the examiner.  Claims 

Response to Amendment

Drawings

Claim Objections
Claims *** are objected to because of the following informalities:  

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim Rejections - 35 USC § 112

Response to Arguments
Applicant's arguments filed 10/26/20 have been fully considered but they are not persuasive.
(I) With respect to the 35 USC § 102, the point is still being argued for claim 1, that prior art Vasseur does not explicitly teach a condensed version of a machine-learned model.   As already argued in the previous Final Office Action, the Examiner finds a broader scope to the term “version of”.  A condensed version of the model is not the same as a “condensed model”.   Examiner maintains the BRI of “version of” extends to more than the model per se.  If one were to hash a set of data, that is a version of that data but it is not original data nor the same size.  The attributes represent what is needed to make similar decisions to the model.  This argument is rendered moot for claim 6 because Applicant has clearly amended the claim to overcome this BRI by specifically stating that a condensed model is generated from the model.  
(II)  With the respect to 35 USC § 103 there are two main arguments.  The first is that the Examiner did not make a prima facie case of obviousness.   Applicant points to the last sentence to make this argument because part of that sentence is cut off.  However Applicant fails to consider the entire paragraph that clearly, despite the typographical error, establishes a prima facie case obviousness.  The paragraph for setting out the 35 USC §103 rejection followed as such. Prior art does not teach (Vasseur is silent in explicitly teaching generating a condensed version of the machine-learned model, the condensed version of the machine-learned model being configured to make similar decisions to the machine-learned model when interpreted as the condensed version of the machine-learned model is actually a condensed model).  Diao explicitly teaches generating a condensed version of the machine-learned model, the condensed version of the machine-learned model being configured to make similar decisions to the machine-learned model as a lightweight model based on the complete server side model (col. 5, lines 3-20) that is distributed to devices that have lower processing power (col. 3, lines 42-51)]. Motivation for the combination is explicitly recited ([u]sing less computation intensive models once already trained reduce the overall power requirement to protect the system’s device across the network).  The last sentence was intended to make the formal rationale statement and began with “[t]he claim is obvious because one of ordinary skill in the art” and should have continued with “can combine known methods which do not produce unpredictable results” as was written for claim 16.  While this was an unintended oversight Examiner believes the record is clear and makes a prima facie case of obvious even if the Applicant does not agree with the case.  For clarity, Examiner has finished the incomplete sentence with the same language from claim 16.
The second argument contends that Diao does not explicitly teach a condensed model because Diao’s simplified model removes features and thus somehow cannot make similar decisions to the model.  This argument is illogical on the face.  If one has a microwave oven with a spinning tray and a light and those features are removed from a second microwave unit, the two units would still operate in a similar manner.  The condensed or simplified unit still will cook food similarly.  The claims places no requirements on exactly what condensed means nor to what degree are the decisions similar.  Applicant admits the features that are removed from Diao’s model are insignificant to classifying messages.  So why would they not make similar decision .  


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –


(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-5 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by USP 9,413,779 to Vasseur et al hereinafter Vasseur.

As per claim 1, Vasseur teaches a method comprising: 
receiving, at a behavior analysis engine, training data for a machine-learned model stored by the behavior analysis engine, the machine-learned model being configured to identify malicious behavior in a local network (col. 11, lines 30-35); 

generating a condensed version of the machine-learned model, the condensed version of the machine-learned model being configured to make similar decisions to the machine-learned model (col. 15, lines 12-20); and 
transmitting the condensed version of the machine-learned model (col. 14, lines 60-64) to one or more network traffic hubs in one or more local networks to identify malicious behavior in the local networks (col. 15, lines 21-23 and col. 16, lines 12-20).
As per claim 2, Vasseur teaches the training data comprises one of device identification data or network traffic data (col. 12, lines 1-50).
As per claim 3, Vasseur teaches the machine-learned model is an execution model, a network address model, or an entity model (col. 12, lines 20-22).
As per claim 4, Vasseur teaches the condensed version of the machine-learned model comprises a decision tree (col. 14, line 66-col. 15, line 8).
As per claim 5, Vasseur teaches transmitting a plurality of condensed versions of a plurality of machine-learned models to the one or more network traffic hubs (col. 15, lines 7-15).

Claim Rejections - 35 USC § 103


	Claims 1-15 and 17-20 are rejected under 35 U.S.C. 103(a) as being unpatentable over Vasseur in view of USP 8,023,974 to Diao et al hereinafter Diao.

As per claim 1, Vasseur teaches a method comprising: 
receiving, at a behavior analysis engine, training data for a machine-learned model stored by the behavior analysis engine, the machine-learned model being configured to identify malicious behavior in a local network (col. 11, lines 30-35); 
updating the machine-learned model based on the received training data (col. 11, lines 47-53 and col. 15, line 10); 
 and 
transmitting the condensed version of the machine-learned model (col. 14, lines 60-64) to one or more network traffic hubs in one or more local networks to identify malicious behavior in the local networks (col. 15, lines 21-23 and col. 16, lines 12-20).
Vasseur is silent in explicitly teaching generating a condensed version of the machine-learned model, the condensed version of the machine-learned model being configured to make similar decisions to the machine-learned model when interpreted as the condensed version of the machine-learned model is actually a condensed model.  On the other hand, Diao explicitly teaches generating a condensed version of the machine-learned model, the condensed version of the machine-learned model being configured to make similar decisions to the machine-learned model as a lightweight model based on the complete server side model (col. 5, lines 3-20) that is distributed to devices that have lower processing power (col. 3, lines 42-51).  Using less computation intensive models once already trained reduce the overall power requirement to protect the system’s device across the network.  The claim is obvious because one of ordinary skill in the art can combine known methods which do not produce unpredictable results.   

As per claim 6, Vasseur teaches a method comprising: 

receiving, at a behavior analysis engine, training data for a machine-learned model stored by the behavior analysis engine, the machine-learned model being configured to identify malicious behavior in a local network (col. 11, lines 30-35); 
updating the machine-learned model based on the received training data (col. 11, lines 47-53 and col. 15, line 10); 
 and 
transmitting the condensed version of the machine-learned model (col. 14, lines 60-64) to one or more network traffic hubs in one or more local networks to identify malicious behavior in the local networks (col. 15, lines 21-23 and col. 16, lines 12-20).

Vasseur is silent in explicitly teaching generating a condensed machine-learned model from the machine-learned model, the condensed machine-learned model being configured to make similar decisions to the machine-learned model.  On the other hand, Diao explicitly teaches generating a condensed version of the machine-learned model, the condensed version of the machine-learned model being configured to make similar decisions to the machine-learned model as a lightweight model based on the complete server side model (col. 5, lines 3-20) that is distributed to devices that have lower processing power (col. 3, lines 42-51).  Using less computation intensive models once already trained reduce the overall power requirement to protect the system’s device 
  
As per claim 11, Vasseur teaches a system comprising: 
A memory; and
a processor coupled to the memory, the processor configured to”
receive, at a behavior analysis engine, training data for a machine-learned model stored by the behavior analysis engine, the machine-learned model being configured to identify malicious behavior in a local network (col. 11, lines 30-35); 
update the machine-learned model based on the received training data to generate an updated machine-learned model (col. 11, lines 47-53 and col. 15, line 10); 
transmit the condensed version of the machine-learned model (col. 14, lines 60-64) to one or more network traffic hubs in one or more local networks to identify malicious behavior in the one or more local networks (col. 15, lines 21-23 and col. 16, lines 12-20).


Vasseur is silent in explicitly teaching generating a condensed version of the machine-learned model from the updated machine-learned model, the condensed version of the machine-learned model being configured to make similar decisions to the machine-learned model and requiring the condensed version of the machine-learned model requires less memory and/or less processor utilization when making the similar decisions than the memory and/or processor utilization required by the updated 
As per claims 2, 7 and 12, Vasseur teaches the training data comprises one of device identification data or network traffic data (col. 12, lines 1-50).
As per claims 3, 8 and 13, Vasseur teaches the machine-learned model is an execution model, a network address model, or an entity model (col. 12, lines 20-22).
As per claims 4, 9 and 14, Vasseur teaches the condensed version of the machine-learned model comprises a decision tree (col. 14, line 66-col. 15, line 8).
As per claims 5, 10 and 15, Vasseur teaches transmitting a plurality of condensed versions of a plurality of machine-learned models to the one or more network traffic hubs (col. 15, lines 7-15).
As per claim 17, Vasseur teaches the condensed version of the machine- learned model requires less memory to apply to local network behavior than the 
As per claim 18, Vasseur teaches the condensed version of the machine- learned model requires less processing power to apply to local network behavior than the machine-learned model(the parameter models are a fraction of the size of the model they are injected into, thus the resources to transfer and process them are smaller; col. 15, lines 12-15).
As per claim 19, Vasseur teaches the condensed version of the machine- learned model requires less networking resources to apply to local network behavior than the machine-learned model (the parameter models are a fraction of the size of the model they are injected into, thus the resources to transfer and process them are smaller; col. 15, lines 12-15).


Claim 16 is rejected under 35 U.S.C. 103(a) as being unpatentable over Vasseur and Diao as applied to claim 11 above, and further in view of USP Application Publication 2012/0158620 to Paquet et al hereinafter Paquet.
As per claim 16, Vasseur teaches the training data is 1) representative of behavior within the local network that the machine-learned model is not certain is malicious [data is unknown and therefore unclassified before it is analyzed by the machine leaner; col. 11, lines 36 and 48-50).  Vasseur and Diao are silent in explicitly teaching the training data is manually classified by a human reviewer as malicious or .  


Claim 20 is rejected under 35 U.S.C. 103(a) as being unpatentable over Vasseur and Diao as applied to claim 1 above and further in view of USP Application Publication 2018/0124085 to Frayman et al., hereinafter Frayman.
As per claim 20, Vasseur and Diao are silent in explicitly teaching the condensed version of the machine- learned model comprises a gradient boosting machine, and wherein the machine-learned model does not comprise a gradient boosting machine.  Diao teaches a lightweight version of a model can be derived from an intermediate size machine learning model that has less resources (col. 2, lines 57-62).  Frayman teaches that threat detection models can be equipped with any one of known machine learning models including gradient boosting machine (0066).  The claim merely represents a design choice that employs the suitable model in a given environment.  The claim is obvious because one of ordinary skill in the art can choose design options from a finite .  

Conclusion

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is (571)270-7316.  The examiner can normally be reached on Monday - Thursday, 7:30am - 5:00pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431