Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Objections
Applicant is advised that should claim 6 be found allowable, claim 15 will be objected to under 37 CFR 1.75 as being a substantial duplicate thereof. When two claims in an application are duplicates or else are so close in content that they both cover the same thing, despite a slight difference in wording, it is proper after allowing one claim to object to the other as being a substantial duplicate of the allowed claim. See MPEP § 608.01(m).

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1-4, 6, 8-13, and 15-19 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Pevny et al. (US 2018/0063163 A1 – hereinafter referred to as Pevny).
In regards to claim 1, Pevny discloses a method comprising:  

forming, by the device, a bag representation of a particular one of the bags by aggregating the feature vectors in the particular bag; (Pevny para. [0009] teaches aggregating feature vectors into domain vectors and then aggregating those into a user vector.)
extending, by the device, one or more feature vectors in the particular bag with the bag representation, wherein the extended one or more feature vectors are positive examples of a classification label for the network traffic; and (Pevny para. [0012] teaches providing a user at the user level with a label as being an infected user. As there are user bags of activity and the user is labeled as infected, then so are the feature vectors in the user bag. Thus they are extended.)
training, by the device, a network traffic classifier using training data that comprises the one or more feature vectors extended with the bag representation. (Pevny para. [0012, 0013 and 0018] teaches training the classifier using the labeled data.)

In regards to claim 2, Pevny discloses the method of claim 1, wherein the trained classifier is configured to identify malicious traffic flows, and wherein the one or more feature vectors extended with the bag representation are positive examples of a malicious traffic flow classification label. (Pevny para. [0018] teaches identifying malicious traffic flows wherein it states “This enables automatic learning from large data sets. Malware detection logic 200 is further configured to automatically reveal to human analysts previously unknown patterns in data that signify malicious activity (i.e. automatically discover previously unknown IOCs).”)

In regards to claim 3, Pevny discloses the method of claim 1, further comprising:  deploying, by the device, the trained classifier to one or more networks.  (Pevny fig. 4 element 420)

In regards to claim 4, Pevny discloses the method of claim 1, wherein grouping the feature vectors representing the network traffic flows into bags comprises: 
forming, by the device, the feature vectors using measured characteristics of the network traffic flows; (Pevny para. [0032-0033] teaches measured characteristics of network traffic, including, but not limited to, maximum, average, number of subdomains present in URL, bytes transferred from client to server, bytes transferred from server to client, duration of TCP connection, and so on.)
grouping, by the device, the feature vectors associated with the same host name, targeting domain, and time window into a single bag. (Pevny, see figure 3 wherein the features are grouped by host, target domain, and time window into a single bag.)

In regards to claim 6, Pevny discloses the method of claim 1, wherein the bag representation of the particular bag comprises at least one of: a maximum, minimum, mean, or


In regards to claim 8, Pevny discloses the method of claim 1, further comprising:  
sub-dividing, by the device, the feature vectors in the particular bag into a set of sub-bags;  (Pevny para. [0041] teaches further dividing into sub-groupings based on meta-information) 
determining, by the device and for each of the sub-bags, a sub-bag representation of a sub-bag by aggregating the feature vectors in the sub-bag; (Pevny para. [0009] teaches aggregating feature vectors into domain vectors and then aggregating those into a user vector.) and
extending, by the device, the one or more feature vectors in the particular bag that are positive examples of the classification label with the sub-bag representations of their respective sub-bags, (Pevny para. [0012] teaches providing a user at the user level with a label as being an infected user. As there are user bags of activity and the user is labeled as infected, then so are the feature vectors in the user bag. Thus they are extended.) wherein the training data used to train the classifier comprises the one or more feature vectors extended with the bag representation of the particular bag and the sub-bag representations of their respective sub-bags. (Pevny para. [0012, 0013 and 0018] teaches training the classifier using the labeled data.)

In regards to claim 19, Pevny discloses the method of claim 8, wherein sub-dividing the feature vectors in the particular bag into the set of sub-bags comprises: sub-dividing the feature vectors by common user information or connection information. (Pevny fig. 4 shows information being grouped or bagged based on common user information and paragraph [0041] teaches subgroups or sub-bags.)

In regards to claim 10, it is the apparatus embodiment of claim 1 and thus rejected using the reasoning found in claim 1.
In regards to claim 11, it is the apparatus embodiment of claim 2 and thus rejected using the reasoning found in claim 2.
In regards to claim 12, it is the apparatus embodiment of claim 3 and thus rejected using the reasoning found in claim 3.
In regards to claim 13, it is the apparatus embodiment of claim 4 and thus rejected using the reasoning found in claim 4.
In regards to claim 15, it is a duplicate of claim 6 and thus rejected using the reasoning found in claim 6.

In regards to claim 16, Pevny discloses the apparatus of claim 10, wherein the process when executed is further configured to: represent a second set of traffic flows as a second set of feature vectors; (Pevny, see figure 4, wherein element 350 shows a different user with a second set of traffic flows and feature vectors.) form bags by grouping the second set of feature vectors; (Pevny para. [0009] teaches aggregating feature vectors into domain vectors and then aggregating those into a user vector.) extend the feature vectors in the second set with representations of the bags in which they are

In regards to claim 17, it is the apparatus embodiment of claim 8 and thus rejected using the reasoning found in claim 8. 
In regards to claim 18, it is the apparatus embodiment of claim 8 and thus rejected using the reasoning found in claim 9. 
In regards to claim 19, it is the non-transitory computer readable medium storing embodiment of claim 1 and thus rejected using the reasoning found in claim 1.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Pevny et al. (US 2018/0063163 A1 – hereinafter referred to as Pevny) and further in view of Elkan et al. (“Learning Classifiers from Only Positive and Unlabeled Data” – hereinafter referred to as Elkan).

In regards to claim 7, Pevny discloses the method of claim 1, but fails to disclose further comprising:  excluding, by the device, one or more feature vectors in the particular bag that are negative examples of the classification label from the training data used to train the classifier.  
Elkan discloses excluding negative examples from the training data used to train a classifier. (Elkan abstract teaches training a classifier using only positive examples, thus excluding negative examples.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Pevny with those of Elkan in order to allow for training a classifier with training data that excludes negative examples, as both references deal with using and training a classifier, and the benefit of doing so is that it allows the system to be more accurate and perform better, as suggested in the last sentence of the abstract of Elkan.


Allowable Subject Matter
Claims 5, 14 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PAULINHO E SMITH whose telephone number is (571)270-1358.  The examiner can normally be reached on Mon-Fri. 10AM-6PM CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamran Afshar can be reached on (571) 272-7796.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/PAULINHO E SMITH/Primary Examiner, Art Unit 2125