Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is in response to the communication filed on 11/25/2020.
Claims 1-20 are examined and rejected. 
Claims 1, 3, 6, 7, 9, 17 are amended.  

Continued Examination under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  
Applicant's submission filed on 12/25/2020 has been entered.
 
Response to Arguments
Applicant’s arguments dated 11/25/2020 with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference for teaching or matter specifically challenged in the argument.



In summary, applicant argues that the combination of Banga – DiGiambattista – Zhang fails to teach the above claimed combination of limitations. 
Examiner does not find the argument persuasive. 
In view of the claim terms, the description of the claim(s) in the specification and the reference teachings, examiner notes that the combination of references Banga – DiGiambattista – Zhang teaches the claimed limitation. 
First, in terms of the claim amendment(s) being interpreted with broad and reasonable interpretation – the limitation of ‘combination of specific port open and closed’ is a generic limitation as known in the art. Example – an application (executable) cannot run on a closed port, and further a system has multiple ports open or closed in any combination given the situation, therefore unless the claim(s) specifies – that the application only runs on a specific combination of open and closed ports, is more direct than mentioning a generic condition, for example port A is open, B and C are closed, then the application runs on port A only. Further, the claim term ‘without open’ is interpreted as closed. 



Regarding A - determine that an executable runs with a specific port open (Banga para 71 teaches discovery of node using API or collected information of node and Fig 6 element 612 para 75 teaches discovering information about node for classification of node. Information about node includes – software version number, patch installations, authorized or unauthorized modifications and other information about node). Examiner notes that an application running on a specific open port is a generic example: any regular modem connection to TCP/IP packets only runs on open ports; they cannot run on closed ports. Further, as the claim describes it, a specific open port is generically interpreted as any open port until the claim(s) describe an authenticated, mapped or authorized open port. The reason for this interpretation is that, even in the case of malware operation, the malware can target any open port, which is specific as per malware standards; therefore a specific open port is generically interpreted as ‘open port’. The same arguments are valid for closed ports of the system, unless it is specified what type of ports are closed (for example mapped, authenticated, authorized, verified ports). 
Regarding the amended limitation, examiner describes that ‘the executable runs without one or more other ports open’ (Zhang para 68 teaches where port engine is configured to analyze open and closed ports of the device as a signature of device to run the packet engine protocol (process)). Zhang teaches a device identifier being generated based on combination of open and closed ports to run the analysis application.  Zhang’s interpretation of combination of open and closed ports 
Further, Banga teaches a classification model (para 102) to detect nodes on a device, where a node is interpreted as a port. Further, paras 71 and 75 teach extracting information about the node such as configuration of software and version of software. Examiner interprets that checking of authorized software version on a node is similar to the claimed function of checking an executable likely to execute on a particular machine with a specific port open. Examiner further explains that Banga distinctly teaches that, based on the configuration of a node, it is determined what software can be installed or what patches can be authorized on the node or port. Therefore examiner interprets that authorized software installed or running on an authenticated node or port is similar to the claimed function of ‘executable is likely to execute on a particular machine with a specific open port open’, as it is well known in the art that software can only be installed on an open port.  
Therefore considering that all references are related to ‘classification of open port / node for security purpose and closing of open port as described in specification para 43’ which is distinctly taught by combination of all references with ‘broad and reasonable interpretation of generic claim language’, and including of new reference to teach the amended limitation, examiner concludes that new combination of references teach the argued limitation.  
Any objections or rejections not set forth below have been withdrawn.  


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 2, 3, 4, 5, 8-13, 14, 16, 17 and 18 are rejected under 35 U.S.C. 103(a) as being unpatentable by U.S. Publication 2018/0048534 to Banga et al. (hereinafter known as "Banga") and U.S. Publication 2018/0159887 to DiGiambattista et al. (hereinafter known as "DiGiambattista") and further in view of U.S. Publication 2018/0270229 to Zhang et al. (hereinafter known as "Zhang").  
As per claim 1, Banga teaches (Currently Amended) A system, comprising:
one or more processors (Banga Fig 1 elements 112a .. q teaches device with processor); and a memory (Banga Fig 2 element 206 teaches client with memory) having instructions stored thereon, which when executed by the one or more processors (Banga Fig 1 elements 112a .. q teaches device with processors) cause the one or more processors to perform operations to:
(Banga para 102 teaches hierarchal device classifier (machine learning model) to determine that an executable runs with a specific port open (Banga para 71 teaches discovery of node using API or collected information of node and Fig 6 element 612 para 75 teaches discovering information about node for classification of node. Information about node includes – software version number, patch installations, authorized or unauthorized modifications and other information about node); and
determine that a particular machine has an unused open port when the classification model determines that the executable is running on the particular machine with at least one of the one or more other ports open (DiGiambattista para 97 teaches scripted security tests for open / closed port to check for CVE (common vulnerability exposure). Further para 68-69 teaches detection of unauthorized access threat to open unused port).
Banga teaches assignment of categories to network entities (devices) based on data observation with plurality of nodes with machine learning and probabilistic model (abstract). Banga does not, however DiGiambattista teaches classification based on open port data screening (para 97). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Banga – DiGiambattista before him or her, to combine, Banga’s device classification with open ports and machine learning model with DiGiambattista’s open port classification. The 
Banga – DiGiambattista does not teach however Zhang teaches, 
and that the executable runs without one or more other ports open (Zhang para 68 teaches where port engine is configured to analyze open and closed ports of the device as a signature of device to run the packet engine protocol (process). Examiner ). 
Banga – DiGiambattista teaches assignment of categories to network entities (devices) based on data observation with plurality of nodes with machine learning and probabilistic model. Banga – DiGiambattista does not teach however Zhang teaches combination of ports open and close to run application (para 68). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Banga – DiGiambattista – Zhang before him or her, to combine, Banga – DiGiambattista’s device classification with open ports to combine with Zhang’s machine learning model to analyze combination of port(s). The suggestion/motivation for doing so would have been to prevent unauthorized or rogue devices from accessing network resources (para 2).  
As per claim 2 combination of Banga – DiGiambattista - Zhang teaches the system of claim 1, wherein the instructions stored on the memory, when executed by the one or more processors further cause the one or more processors to perform operations to:
the classification models, the at least one feature vector indicating which executables from a set of commonly-used executables the particular machine processes (Banga Fig 3 para 52 - teaches detection of risk categories on machine by attack vectors or breach vectors. Examiner summarizes the claim function of generation and analysis of attack vectors on machine to detect node’s local risk to include malware, which the node is further classified as risky node based on attack vector, which covers claimed function). 
As per claim 4 combination of Banga – DiGiambattista - Zhang teaches the system of claim 1, wherein the particular machine comprises a virtual machine (Banga para 106 teaches virtual machine with ML (machine learning) process). 
As per claim 5 combination of Banga – DiGiambattista - Zhang teaches the system of claim 1, wherein a port is configured with a Transmission Control Protocol (TCP) port number and/or User Datagram Protocol port number (Banga para 102 teaches TCP port / UDP model in Fig 10).  
As per claim 6 combination of Banga – DiGiambattista - Zhang teaches the system of claim 1, wherein the instructions stored on the memory (Banga Fig 2 element 206 teaches client with memory), when executed by the one or more processors further cause the one or more processors to perform operations to: 
generate the classification models from training data extracted from a plurality of machines running an executable with at least one port open (Zhang para 28-29 teaches implementation of ML model to analyze and categorize nodes based on identified scripts running on port(s). Examiner notes that categorizing of ports – authorized / unauthorized / open / closed – are interpreted as classification models of claimed function which covers the claimed function and motivation as explained in claim 1). 
 As per claim 7 combination of Banga – DiGiambattista – Zhang teaches the system of claim 6, wherein the classification model is based on a neural network, a decision tree classifier, a rule-based classifier, a support vector machine, or naive Bayes classifier (Banga para 83 and 89 teaches rule based classification and categorization and para 103 teaches tree classifier. Additionally reference of Kailas para 91 teaches additional models such as neural networks, Bayesian networks which are known protocols to preprocess data in ML model).  
As per claim 8 combination of Banga – DiGiambattista - Zhang teaches the system of claim 1, wherein the system is a cloud service (Banga Fig1 element 160 teaches cloud service).  
Claim 9,
Claim 9 is rejected in accordance with method of claim 1.
As per claim 10 combination of Banga – DiGiambattista - Zhang teaches the method of claim 9, further comprising: 
training the classification model with a plurality of feature vectors that represent executables running on a machine with the first open port and a plurality of feature (Banga Fig 8 element 850, para 96 teaches ML (machine learning) model with aggregate data as training data to analyze how to place weight on function calls for secure or unsecure call, by creation of probability vectors. Further para 52 teaches creation and detection of attack vectors for port(s) – open, closed, authorized and opaque ports. Examiner summarizes para 52 and 96 as following – ML model teaches aggregation of large data and creation of vector (probability vector) to analyze if the script call is secure or unsecure, for various functions including analysis of port status – open / closed / authorized / unauthorized).  
As per claim 11 combination of Banga – DiGiambattista - Zhang teaches the method of claim 9, further comprising: 
obtaining log data from a plurality of machines, the log data including one or more executables running on a machine concurrently with one or more ports open (DiGiambattista para 110 teaches analysis of data and audit log of that data with timestamp and date to identify changes to data and remediation required). 
As per claim 12 combination of Banga – DiGiambattista - Zhang teaches the method of claim 11, further comprising: aggregating the log data to determine a set of commonly-used executables, wherein a commonly-used executable is run more frequently on the plurality of machines (DiGiambattista para 111 – 112 teaches aggregation of data to compare with administrator’s guidelines or security rules. Examiner notes that it is known in ML model to collect, log, aggregate and train data for data analytics step – these are known steps to implement ML model). 
As per claim 13 combination of Banga – DiGiambattista - Zhang teaches the method of claim 12, further comprising: training the classification model using the log data from the set of commonly-used executables (DiGiambattista – para 113-114 teaches ML model to be trained using the log data as input data for analytics platform). 
Claim 15,
Claim 15 is rejected in accordance with system of claim 7.
Claim 16,
Claim 16 is rejected in accordance with system of claim 5.

Claim 17,
Claim 17 is rejected in accordance with system of claim 1.

Claim 19,
Claim 19 is rejected in accordance with system of claim 7.
Claim 20,
Claim 20 is rejected in accordance with system of claim 6.

Claims 3, 14 and 18 are rejected under 35 U.S.C. 103(a) as being unpatentable by U.S. Publication 2018/0048534 to Banga et al. (hereinafter known as "Banga") and U.S. Publication 2018/0159887 to DiGiambattista et al. (hereinafter known as "DiGiambattista") and further in view of U.S. Publication 2018/0270229 to Zhang et al. (hereinafter known as "Zhang") and additionally in view of U.S. Publication 2018/0129961 to Kailas et al. (hereinafter known as "Kailas").   
As per claim 3 combination of Banga – DiGiambattista - Zhang teaches the system of claim 1. 
Banga – DiGiambattista - Zhang does not teach however, wherein the classification models is based on a random forest classifier (Kailas para 91 teaches random forest classifier which is known protocol to preprocess data from open source libraries in ML model). 
Banga – DiGiambattista - Zhang teaches assignment of categories to network entities (devices) based on data observation with plurality of nodes with machine learning and probabilistic model. Banga – DiGiambattista - Zhang does not, however Kailas teaches random forest classifier in system (para 91). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Banga – DiGiambattista - Zhang – Kailas before him or her, to combine Banga – DiGiambattista - Zhang’s device classification with open ports and machine learning model with Kailas’s random forest classifier. The suggestion/motivation for doing so would have been to accurately extract hidden data from large section of data to enhance security in system during (para 2).  

Claim 14,
Claim 14 is rejected in accordance with system of claim 3.

Claim 18,
Claim 18 is rejected in accordance with system of claim 3.

Conclusion
	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Yadav et al US Publication 2016/0359872 discloses secure analysis of data flow in datacenters using sensors, packets and other various collectors by analytics mode of datacenter. 
Song et al US Patent 9,275,345 discloses a system to monitor and measure different features such as process creation, registry key changes and model port behavior. 
Vallone et al US Patent 9,571,517 discloses assessing target network’s vulnerability to real cyber threat based on policy-based synthetic tests on system nodes (hardware). 
Segal et al US Patent 10,068,095 discloses secure penetration testing in network system by controlled user interface and node combination(s) being manually and explicitly selected and termination condition. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Viral Lakhia whose telephone number is (571) 270 - 3363.  The examiner can normally be reached on Mon-Fri – 8-:530 pm.



Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/VIRAL S LAKHIA/Examiner, Art Unit 2431