DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Office Action Summary
The instant application was filed 11/29/2018 with priority to 11/30/2017. Claims 1-26 are pending in the instant application. Claims 1-26 are rejected.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-26 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Wang et al. (US Patent No. 10,469,514), hereinafter referred to as Wang.

As per claim 1, Wang teaches A method of monitoring network traffic in a communication network with a sentinel module to detect malicious activity, the method comprising: using a gateway sentinel module to receive network traffic directed through a gateway installed for a local distribution of the network, the gateway connecting the local distribution of the network to a core of the network; and (figures 1, 3 and column 4, lines 29-38, teaches a multitier security system; also see figure 4, network sensor engine 200 collects the data, and column 3, line 64 through column 10, line 10 teaches communication through routers etc. between networks, i.e. gateways.)
detecting malicious activity in the local distribution based on a combination of: a local machine-learning model for identifying malicious activity in the local distribution, the local machine-learning model modelling network traffic from the local distribution; and (figures 1, 3 and column 4, lines 29-38, teaches a multitier security system, also see figure 4, items 440 and 445, teaches local detection modules, also see column 10, lines 29-60, teaches local threat intelligence module)
a global machine-learning model, the global machine-learning model modelling network traffic from a plurality of local distributions of the network based on training data from a plurality of local sentinel modules executed on a respective plurality of computing nodes, the computing nodes respectively receiving network traffic from the plurality of local distributions. (figures 1, 3 and column 4, lines 29-38, teaches a multitier security system; also see figure 4, items 440 and 445, teaches local detection modules; also see column 10, lines 29-60, teaches local threat intelligence module sending information to a global model which is a machine learning model)

As per claim 2, Wang teaches The method according to claim 1, wherein the method further comprises training the local machine-learning model based on received network traffic directed through a gateway. (figures 1, 3 and column 10, lines 29-60, teaches local threat intelligence module)

As per claim 3, Wang teaches The method according to claim 2, wherein training the local machine- learning model comprises at least one of: deriving the local machine-learning model based on training data extracted from network traffic directed through a gateway; and updating the local machine-learning model based on training data extracted from network traffic directed through a gateway. (figure 6 and column 19, lines 40-62)

As per claim 4, Wang teaches The method according to claim 1, wherein the local machine learning model models network traffic from the local distribution by mapping, for at least one type of device connected to the gateway, a characteristic of traffic from the device. (column 22, lines 37-52)

As per claim 5, Wang teaches The method according to claim 1, wherein detecting malicious activity based on a combination of the local model and the global model comprises: determining a first correlation score based on a correlation between received traffic and the local model; in an event that the first correlation score satisfies a first predefined criterion, determining a second correlation score, the second correlation score being based on a correlation between received traffic and at least the global model; and in an event that the second correlation score satisfies a second predefined criterion, deciding that the traffic is at least potentially malicious. (column 6, lines 53-67)

As per claim 6, Wang teaches The method according to claim 5, wherein the second correlation score is additionally based on a correlation between received traffic and the local model. (column 12, lines 29-41)

As per claim 7, Wang teaches The method according to claim 1, wherein detecting malicious activity based on a combination of the local model and the global model comprises: determining a first correlation score based on a correlation between received traffic and the local model; determining a second correlation score based on a correlation between received traffic and the global model; combining the first correlation score and the second correlation score; and in an event that the combined correlation score satisfies a predefined criterion, deciding that the traffic is at least potentially malicious. (column 12, lines 29-41 and column 18, lines 14-36)

As per claim 8, Wang teaches A method according to claim 1, wherein the method comprises: receiving the global machine-learning model from a remote computing node connected to a Wide Area Network, the remote computing node using a remote sentinel module to manage the global machine-learning model, the remote computing node being outside the local distribution. (figure 2A, column 4, lines 58-67)

As per claim 9, Wang teaches A method according to claim 8, wherein the method comprises maintaining the global machine-learning model in the remote computing node, wherein maintaining the global machine-learning model comprises updating the machine learning-model based on the training data. (figure 6 and column 19, lines 40-62)

As per claim 10, Wang teaches A method according to claim 8, wherein the method comprises: receiving, at the remote computing node, network traffic from each of the plurality of computing nodes; and, based on the global machine-learning model, detecting malicious activity in the received network traffic from any one of the local distributions. (figure 7)

As per claim 11, Wang teaches A method according to claim 8, wherein the method further comprises: based on at least the local machine-learning module, detecting unusual network activity in network traffic received by the gateway sentinel module; and instructing transmission of data relating to the unusual network activity to the remote computing node. (figure 7)

As per claim 12, Wang teaches A method according to claim 1, wherein the method comprises: extracting a parameter set from network traffic received by the gateway sentinel module; and based on a relationship between the parameter set and at least the local machine learning model, deciding whether the network traffic from which the parameter set was extracted is malicious. (figure 7)

As per claim 13, Wang teaches A method according to claim 12, wherein the decision is based on an estimated probability of the parameter set occurring from non-malicious network activity. (column 10, lines 29-60)

As per claim 14, Wang teaches A method according to claim 12, wherein the extracted parameter set comprises at least one of: packet-rate; data-rate; and a highest frequency component of a frequency spectrum of the received data. (figure 7 and column 21, lines 35-54)

As per claim 15, Wang teaches A method according to claim 12, wherein the parameter set consists of packet-rate. (figure 7 and column 21, lines 35-54)

As per claim 16, Wang teaches A method according to claim 1, wherein the training data for maintaining the local machine-learning model comprises data from at least one device communicating with an Internet-of-Things (IoT) service. (figure 2a)

As per claim 17, Wang teaches A method according to claim 1, wherein the received network traffic is Internet-of-Things (IoT) traffic. (figure 2a)

Claims 18-26 recite substantially the same limitations as claims 1-17 and are rejected using the same rationale.
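The claimed two-tier detection (claims 5 and 7) run over the packet-rate parameter set of claims 12 to 15, as an added Python example that is not code from the application or from Wang; the Gaussian-tail correlation score, the thresholds and the per-site packet-rate baselines are constructed assumptions.

```python
"""Local model fitted from one gateway's traffic, global model pooled from
several gateways, both scoring a packet-rate sample (example, assumptions noted)."""
import math
from statistics import mean, pstdev

# Constructed baselines: packets per second per 1 s window, keyed by device type.
# Site A is the local distribution; the global model pools sites A, B and C.
SITE_A = {"camera": [12, 11, 13, 12, 14, 12, 11, 13],
          "thermostat": [2, 2, 3, 2, 2, 3, 2, 2]}
SITE_B = {"camera": [10, 12, 11, 13, 12, 10, 11, 12],
          "thermostat": [4, 6, 3, 5, 4, 6, 5, 3]}
SITE_C = {"camera": [13, 14, 12, 11, 12, 13, 14, 12],
          "thermostat": [3, 5, 4, 6, 4, 3, 5, 4]}

def packet_rate(timestamps, window=1.0):
    """Parameter extraction: packets seen in the most recent `window` seconds."""
    latest = max(timestamps)
    return sum(1 for t in timestamps if t > latest - window) / window

def fit_model(*sites):
    """Map device type -> (mean, stdev) of packet-rate over the given sites."""
    pooled = {}
    for site in sites:
        for dev, rates in site.items():
            pooled.setdefault(dev, []).extend(rates)
    return {dev: (mean(r), pstdev(r) or 1.0) for dev, r in pooled.items()}

def correlation_score(model, device, rate):
    """Estimated probability that `rate` arises from benign traffic: two-sided
    Gaussian tail against the model's baseline (lower = less correlated)."""
    mu, sigma = model[device]
    return math.erfc(abs(rate - mu) / sigma / math.sqrt(2))

def classify_cascade(local, glob, device, rate, t_local=0.05, t_global=0.05):
    """Cascade: the global model is consulted only when the local score is unusual."""
    if correlation_score(local, device, rate) >= t_local:
        return "benign"
    if correlation_score(glob, device, rate) < t_global:
        return "potentially malicious"
    return "unusual locally, normal globally"

def classify_combined(local, glob, device, rate, threshold=0.01):
    """Combined: product of both scores compared with a single criterion."""
    combined = correlation_score(local, device, rate) * correlation_score(glob, device, rate)
    return combined < threshold

LOCAL = fit_model(SITE_A)
GLOBAL = fit_model(SITE_A, SITE_B, SITE_C)
```

The third cascade outcome is the case the combination is meant to handle: a device whose rate is new to this site but ordinary across the other local distributions is not flagged.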

Other Related Art of Record
Zhang et al. (10522609) teaches “A malicious object detection system for use in managed runtime environments includes a check circuit to receive call information generated by an application, such as an Android application. A machine learning circuit coupled to the check circuit applies a machine learning model to assess the information and/or data included in the call and detect the presence of a malicious object, such as malware or a virus, in the application generating the call. The machine learning model may include a global machine learning model distributed across a number of devices, a local machine learning model based on use patterns of a particular device, or combinations thereof. A graphical user interface management circuit halts execution of applications containing malicious objects and generates a user perceptible output.”
Patinkin (7574409) teaches “The invention provides a method, apparatus and system for classification and clustering electronic data streams such as email, images and sound files for identification, sorting and efficient storage. The inventive systems disclose labeling a document as belonging to a predefined class though computer methods that comprise the steps of identifying an electronic data stream using one or more learning machines and comparing the outputs from the machines to determine the label to associate with the data. The method further utilizes learning machines in combination with hashing schemes to cluster and classify documents. In one embodiment hash apparatuses and methods taxonomize clusters. In yet another embodiment, clusters of documents utilize geometric hash to contain the documents in a data corpus without the overhead of search and storage.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SIMON P KANAAN whose telephone number is (571)270-3906.  The examiner can normally be reached on M-F (7AM-4PM).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SIMON P KANAAN/Primary Examiner, Art Unit 2492