Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Allowable Subject Matter
Claims 1, 2, 5, 7-9, 12, 14-16 and 19 are allowed.
The following is an examiner’s statement of reasons for allowance:

Regarding independent claims 1, 9 and 16, the closest prior art references are the following:
1. The previously cited reference Bingham (US 2015/0215334) as evidenced by “Common Ports” teaches An apparatus (see Fig. 1 and [0032]: a machine learning system 124) for determining whether an Internet Protocol (IP) address is malicious (see [0034]: “The processing cluster 104 parses the weighted threat attributes and uses the parsed weighted threat attributes to generate a baseline reputation score for each IP address”), the apparatus comprising: 
means for gathering (see [0030], [0020] and Fig. 1: “The processing cluster 104 serializes and stores the security data 102 and/or the other data 112”) a first data set representing Internet Protocol (IP) telemetry data for a HyperText Transfer Protocol (HTTP) protocol (see [0034]: “the reputation score 116 involves weighting threat attributes of the security data 102 to identify and/or predict the presence of malicious activity. … a low weight may be assigned to threat attributes related to port 80”. The Examiner included an evidential reference entitled “Common Ports” in the Office Action dated 2/20/2020. The Examiner interprets security data related to port 80, which corresponds to the HTTP protocol as “a first data set representing Internet Protocol (IP) telemetry data for a HyperText Transfer Protocol (HTTP) protocol”), 
the means for gathering to gather a second data set representing IP telemetry data for an email protocol (see [0034]: “the reputation score 116 involves weighting threat attributes of the security data 102 to identify and/or predict the presence of malicious activity. … sending spam may receive a lower weight than participation in a botnet”. The Examiner interprets the data set indicating sending spam as “a second data set representing IP telemetry data for an email protocol”); 
means for identifying first features from the first data set and second features from the second data set (see [0017]: “The threat attributes supply a behavior profile of the IP address with the various activities of the IP address over a time frame”. And see [0034]: “the reputation score 116 involves weighting threat attributes of the security data 102 to identify and/or predict the presence of malicious activity. … a low weight may be assigned to threat attributes related to port 80… sending spam may receive a lower weight than participation in a botnet”. And see [0060]: “an operation 406 identifies threat attributes for an IP address based on the correlation of the network traffic dataset with the CDN log. For example, the correlation may reveal a pattern of network traffic exchanged between an IP address known to engage in malicious activity and other IP addresses, thereby indicating that the other IP addresses are participating in or otherwise susceptible to an attack”. And see [0049] and Fig. 1: “The network traffic dataset 106 provides information about sources, destinations, ingress/egress points, and other information about network traffic across the primary network 202”. The Examiner interprets “information about sources, destinations, ingress/egress points, and other information about network traffic” related to port 80 and “information about sources, destinations, ingress/egress points, and other information about network traffic” related to sending spam as “first features” and “second features”, respectively); 
means for selecting first labels from the first data set and second labels from the second data set (see [0035]: “The reputation score 116 is a single value (e.g., a percentage) representing a confidence level in a likelihood of whether an IP address engages in or is otherwise susceptible to malicious activity”. And see [0034]: “the reputation score 116 involves weighting threat attributes of the security data 102 to identify and/or predict the presence of malicious activity. The processing cluster 104 assigns a weight to each threat attribute in a record that corresponds to a nature of the associated threat, including a type of activity and a source of data indicating the activity. For example, a low weight may be assigned to threat attributes related to port 80 (i.e., the default port for insecure Internet connection) because it is common to have traffic on port 80. Conversely, a higher weight may be assigned to threat attributes related to other ports with lower traffic activity because any traffic on through such ports is rare, which may be indicative of malicious activity. Similarly, sending spam may receive a lower weight than participation in a botnet”. And see [0060] and Fig. 4: “An operation 408 weights each of the threat attributes. Each of the threat attributes are weighted based on the type of activity, the source, and other factors, established, for example, via machine learning. An operation 410 generates a reputation score for the IP address based on the weighted threat attributes.” The Examiner interprets “threat attributes related to port 80” for an HTTP protocol and threat attributes related to sending spam for an email protocol as the first labels from the first data set and the second labels from the second data set, respectively), 
the means for selecting to generate a training data set (see [0032]: “The processing cluster 104 may generate the threat intelligence 114 using machine learning techniques deployed with a machine learning system 124”. And see [0033]: The threat intelligence 114 may include a reputation score 116 and a reputation profile 118 associated with an IP address. And see [0039]: “the processing cluster 104 and/or the machine learning system 124 evaluates the reputation score 116 to generate the reputation profile 118, which provides detail regarding the weighted threat attributes and/or the basis of the reputation score, including activity of the IP address demonstrating that the IP address is engaging in or vulnerable to malicious activity”. The Examiner interprets the threat intelligence 114 for a plurality of IP addresses as a training data set) based on records in the first data set and the second data set having matching IP addresses (see claim 1: “A method for identifying network threats, the method comprising: obtaining a network traffic dataset representative of network traffic for an Internet Protocol address across one or more ports of a primary network”. And see [0034]: “the reputation score 116 involves weighting threat attributes of the security data 102 to identify and/or predict the presence of malicious activity. The processing cluster 104 assigns a weight to each threat attribute in a record that corresponds to a nature of the associated threat, including a type of activity and a source of data indicating the activity. For example, a low weight may be assigned to threat attributes related to port 80 (i.e., the default port for insecure Internet connection) because it is common to have traffic on port 80. Conversely, a higher weight may be assigned to threat attributes related to other ports with lower traffic activity because any traffic on through such ports is rare, which may be indicative of malicious activity. Similarly, sending spam may receive a lower weight than participation in a botnet”. The Examiner interprets “network traffic for an Internet Protocol address across” port 80 and a port other than port 80 as records in the first data set and the second data set having matching IP addresses. And see [0026]. The Examiner further interprets generating the reputation scores 116 associated with IP addresses by weighting (combining) threat attributes related to two ports, e.g., port 80 associated with the HTTP protocol and another port “with lower traffic activity” and associated with another protocol, as generating a training data set based on records in the first data set and the second data set having matching IP addresses), 
the training data set to include combined labels indicating whether each of the respective matching IP addresses is malicious, benign, or unknown (see [0017] and [0035]: “Based on the weighted threat attributes, network threat intelligence, including a reputation score, is generated. The reputation score represents a confidence level in a likelihood of whether an IP address engages in or is otherwise susceptible to malicious activity”. And see [0034]: “the reputation score 116 involves weighting threat attributes of the security data 102 to identify and/or predict the presence of malicious activity. The processing cluster 104 assigns a weight to each threat attribute in a record that corresponds to a nature of the associated threat, including a type of activity and a source of data indicating the activity. For example, a low weight may be assigned to threat attributes related to port 80 (i.e., the default port for insecure Internet connection) because it is common to have traffic on port 80. Conversely, a higher weight may be assigned to threat attributes related to other ports with lower traffic activity because any traffic on through such ports is rare, which may be indicative of malicious activity. Similarly, sending spam may receive a lower weight than participation in a botnet”. The Examiner interprets the reputation score 116 associated with an IP address, calculated by weighting (combining) threat attributes related to two ports, e.g., port 80 associated with the HTTP protocol and another port “with lower traffic activity” and associated with another protocol, where the reputation score 116 represents a confidence level in a likelihood of whether an IP address engages in or is otherwise susceptible to malicious activity, as a combined label indicating whether each of the respective matching IP addresses is malicious, benign, or unknown. And see [0033]: The threat intelligence 114 may include a reputation score 116 and a reputation profile 118 associated with an IP address. And see [0039]: “the processing cluster 104 and/or the machine learning system 124 evaluates the reputation score 116 to generate the reputation profile 118, which provides detail regarding the weighted threat attributes and/or the basis of the reputation score, including activity of the IP address demonstrating that the IP address is engaging in or vulnerable to malicious activity”. The Examiner further interprets the threat intelligence 114 for a plurality of IP addresses, including “a reputation score 116 and a reputation profile 118 associated with” each IP address, taught in [0033], as the training data set to include combined labels indicating whether each of the respective matching IP addresses is malicious, benign, or unknown); and 
means for training a machine learning model using the training data set (see [0032]: “The processing cluster 104 may generate the threat intelligence 114 using machine learning techniques deployed with a machine learning system 124. The machine learning techniques provided by the machine learning system 124 generally involve a machine learning through observing data that represents incomplete information about statistical happenings and generalizing such data to rules and/or algorithms that make predictions for future data, trends, and the like. Machine learning typically includes "classification" where machines learn to automatically recognize complex patterns and make intelligent predictions for a class”. The Examiner interprets “observing data that represents incomplete information about statistical happenings and generalizing such data to rules and/or algorithms that make predictions for future data, trends” as training a machine learning model using the training data set); 
means for executing, the machine learning model to indicate (emphasis added to show the difference between the reference and the claim), based on the first features and the second features, whether a requested IP address is malicious, benign, or unknown (see [0060] and Fig. 4: “An operation 408 weights each of the threat attributes. Each of the threat attributes are weighted based on the type of activity, the source, and other factors, established, for example, via machine learning. An operation 410 generates a reputation score for the IP address based on the weighted threat attributes”. And see [0035]: “The reputation score 116 is a single value (e.g., a percentage) representing a confidence level in a likelihood of whether an IP address engages in or is otherwise susceptible to malicious activity. The higher the reputation score 116 the higher the confidence that the IP address engages in or is otherwise susceptible to malicious activity”. Therefore, the Examiner interprets generating the reputation score 116 representing a confidence level in a likelihood of whether an IP address engages in or is otherwise susceptible to malicious activity (The higher the score, the higher the confidence that the IP address engages in or is otherwise susceptible to malicious activity) as to indicate whether a requested IP address is malicious, benign, or unknown).

2. The previously cited reference Ronen (US 2018/0324193) teaches means for executing the machine learning model (see abstract: “calculate features for the first suspect external IP address, where the features include exploration type features and exploitation type features; train a classifier based on predetermined examples and the features to generate and update a model; classify the first suspect external IP address based on the model and at least some of the features”. The Examiner interprets the classifier 58 in Fig. 1 generated by training “based on predetermined examples and the features” as the machine learning model) to output a first value indicating whether a requested IP address is malicious, benign, or unknown; and means for generating a second value separate from the first value, the second value representing a confidence that the first value is correct (see [0062] and Fig. 1: “the classifier 58 classifies each of the suspect external IP addresses in the second subset for which most (or more than a predetermined percentage) of the traffic for the corresponding suspect external IP address occurred on a single source port of an external device and/or machine having the suspect external IP address. The classifications may indicate whether each of the suspect external IP addresses in the second subset are malicious and/or include a score indicating a probability and/or likelihood that the suspect external IP address is malicious”. The Examiner interprets the classification indicating “whether each of the suspect external IP addresses in the second subset are malicious” as to output a first value indicating whether a requested IP address is malicious, benign, or unknown. The Examiner further interprets including “a score indicating a probability and/or likelihood that the suspect external IP address is malicious” as generating a second value separate from the first value, the second value representing a confidence that the first value is correct. 
Also see [0036].
Ronen further teaches means for executing, responsive to a request (see [0051] and Fig. 1: “At 204, the pre-filter 48 pre-filters the external IP addresses to determine suspect external IP addresses having interaction events with cloud-based internal IP addresses. … In another embodiment, external IP addresses having: greater than or equal to a predetermined number of requests per second; a minimum amount of traffic; and/or greater than or equal to a predetermined amount of data flow in a predetermined period of time, are considered suspect external IP addresses”) from a client device (see [0026] and Fig. 1: “the access server computers 20 are implemented as client access server computers and facilitate providing services, such as services associated with software as a service (SaaS) applications, from the server computers 24 to the client computers 12”. The Examiner interprets the access server computer 20, which is implemented as a client access server computer accessing server computer 24, as a client device. Because the access server computer 20 relays a request for a service from a client computer 12 to the server computer 24 providing services, the Examiner interprets the request relayed to the server computer 24 by the access server computer 20 (client access server computers) as a request from a client device), the machine learning model (see abstract: “calculate features for the first suspect external IP address, where the features include exploration type features and exploitation type features; train a classifier based on predetermined examples and the features to generate and update a model; classify the first suspect external IP address based on the model and at least some of the features”. The Examiner interprets the classifier 58 in Fig. 1 generated by training “based on predetermined examples and the features” as the machine learning model) to output a first value indicating whether a requested IP address is malicious, benign, or unknown (see [0062] and Fig. 1: “the classifier 58 classifies each of the suspect external IP addresses in the second subset for which most (or more than a predetermined percentage) of the traffic for the corresponding suspect external IP address occurred on a single source port of an external device and/or machine having the suspect external IP address. The classifications may indicate whether each of the suspect external IP addresses in the second subset are malicious”).

3. The previously cited reference Sargent (US 2010/0115040) teaches means for providing the first value and the second value to the client device (see [0039] and Figs. 1, 4: “reputation clients 410 and alert subscriber clients 412 may be embodied in one or more of reputation client servers 110”. Also see [0092] and Fig. 4: “reputation consumers, customers, or client may send a query (e.g., a "get reputation" request), to one of the gateways 424. The gateway may processes the incoming query, extract the key, and encrypt the key. The encrypted key may then be sent from the gateway to anti-spam reputation server 106. Anti-spam reputation server 106 may look-up the encrypted key in cache complex 414 and return the query results to the gateway, which decrypts the key, and sends it back to the reputation client, along with the reputation category (e.g., trusted, untrusted), the reputation score, the confidence factor”. The Examiner interprets a reputation client 410 embodied in a reputation client server 110 as the client device. The Examiner further interprets the reputation score and the confidence factor as the first value and the second value, respectively), 
the providing of the first value and the second value to the client device to enable the client device to block a message corresponding to the IP address in response to the first value satisfying a first threshold (see [0102]: “each reputation key may be a unique identification for each entity, such as GUID, IP address”. And see [0021]: “The ESP [email service provider] may then calculate a reputation score associated with one or more senders of communications over the network, and then filter a sender's communications if the sender's reputation is below a predetermined threshold”. And see [0100] and Fig. 1: “One or more of the reputation client servers 110 and email servers 104 may perform filtering of email messages sent by an entity, based on a reputation score stored in a reputation record associated with the entity's reputation key (Step 680)”. The Examiner interprets the filtering of email messages as blocking a message. And see [0027], [0049], [0051], [0068] and Fig. 5) and the second value (see [0108]: “the systems and methods disclosed herein may be configured to perform filtering of electronic messages to reduce spam and/or spam campaigns. In addition, the systems and methods disclosed herein may be configured to determine a level of confidence to associate with a user report to improve the reliability of a spam filtering system, which, in turn, improves performance and reduces costs”. And see [0027]).

4. The previously cited reference Copty (US 2018/0232523) teaches blocking a message in response to the second value (the confidence value) satisfying a second threshold (see [0052]: “if Input 142 is classified as unsafe and the confidence level is above a predetermined threshold, the responsive action may be to block Input 142”).

5. A new reference Vaystikh (US 9,154,516) teaches means for separating the features into separate time windows, the separate time windows to include at least a daily time window, a weekly time window, and a monthly time window (see col. 8, lines 20-32: “for each user-agent string (UAS) encountered in the prior network communications data 140, the risk engine 100 can automatically compute the following metrics from the prior network communications data 140 as follows: For the last 1 day, 1 week, 2 weeks, 4 weeks and 6 months, the risk engine 100 generates for each UAS the following data: 
Number of distinct Source IP addresses 
Number of distinct Destination IP addresses 
Number of distinct Domains this UAS has communicated with 
Frequency of each HTTP Method 
Frequency of returned HTTP Status Code”).

Independent claims 1, 9 and 16 are allowable for the following reason: before the effective filing date of the claimed invention, it would not have been obvious to a person of ordinary skill in the art 
first to let the executed machine learning model taught in Bingham indicate whether the IP address is malicious, benign, or unknown by outputting a first value indicating whether the entity is malicious, benign, or unknown; and generating a second value separate from the first value, the second value representing a confidence that the first value is correct, as taught by Ronen, 
second to let the executing the machine learning model to output a first value indicating whether a requested IP address is malicious, benign, or unknown taught by Bingham be responsive to a request from a client device, as taught by Ronen,
third to include in the apparatus for determining whether an Internet Protocol (IP) address is malicious taught by Bingham modified in view of Ronen means for providing the first value and the second value (a confidence level) to the client device, the providing of the first value and the second value to the client device to enable the client device to block a message corresponding to the IP address in response to the first value satisfying a first threshold and the second value (a confidence level), as taught by Sargent, 
fourth to let blocking the message in response to the second value (the confidence value) taught by Bingham modified in view of Ronen and Sargent comprise blocking the message in response to the second value (the confidence value) satisfying a second threshold, as taught by Copty, and
finally to include in the apparatus for determining whether an Internet Protocol (IP) address is malicious taught by Bingham modified in view of Ronen, Sargent and Copty means for separating the features into separate time windows, the separate time windows to include at least a daily time window, a weekly time window, and a monthly time window, as taught by Vaystikh.
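Worked example, added by the editor. It is not code from the application, from the claims, or from Bingham, Ronen, Sargent, Copty or Vaystikh; it only walks through the combination summarized above on constructed telemetry: two per-protocol data sets are joined on IP address, each joined IP receives one combined label (malicious, benign or unknown), the features are bucketed into daily, weekly and monthly windows, a classifier is trained on the result, and its verdict (first value) and a separate confidence (second value) are checked against two thresholds before a message is blocked. The nearest-centroid classifier, the label-merge rule, the reference date, the TEST-NET addresses, the 0.6 confidence threshold and every telemetry record are assumptions made for the example.

```python
# Added example; not code from the application or any cited reference.
# Pipeline: join HTTP and e-mail IP telemetry on IP address, derive one combined
# label per IP, bucket features into daily/weekly/monthly windows, train a small
# classifier, and turn its verdict plus a separate confidence into a block decision.
# Assumptions: nearest-centroid model, the label-merge rule, NOW, the thresholds,
# and all telemetry below (constructed on TEST-NET addresses).
from collections import defaultdict
from datetime import date
from math import dist

WINDOWS = (("daily", 1), ("weekly", 7), ("monthly", 30))  # window lengths in days
NOW = date(2021, 1, 31)                                    # assumed reference day

# Constructed records: (ip, observation date, verdict supplied by that feed).
HTTP_TELEMETRY = [
    ("203.0.113.5", date(2021, 1, 31), "malicious"), ("203.0.113.5", date(2021, 1, 30), "malicious"),
    ("203.0.113.5", date(2021, 1, 29), "malicious"), ("203.0.113.5", date(2021, 1, 20), "malicious"),
    ("203.0.113.6", date(2021, 1, 31), "malicious"), ("203.0.113.6", date(2021, 1, 31), "malicious"),
    ("203.0.113.6", date(2021, 1, 28), "malicious"), ("203.0.113.6", date(2021, 1, 5), "malicious"),
    ("203.0.113.9", date(2021, 1, 10), "benign"), ("203.0.113.10", date(2021, 1, 2), "benign"),
    ("198.51.100.7", date(2021, 1, 31), "benign"), ("198.51.100.7", date(2021, 1, 25), "benign"),
    ("198.51.100.20", date(2021, 1, 31), "unknown"),  # HTTP only: no e-mail record to join with
    ("198.51.100.99", date(2021, 1, 31), "unknown"), ("198.51.100.99", date(2021, 1, 27), "unknown"),
    ("198.51.100.99", date(2021, 1, 3), "unknown"),   # seen, but no verdict from either feed
]
EMAIL_TELEMETRY = [
    ("203.0.113.5", date(2021, 1, 31), "malicious"), ("203.0.113.5", date(2021, 1, 31), "malicious"),
    ("203.0.113.5", date(2021, 1, 31), "malicious"),
    ("203.0.113.6", date(2021, 1, 30), "malicious"), ("203.0.113.6", date(2021, 1, 26), "malicious"),
    ("203.0.113.6", date(2021, 1, 26), "malicious"),
    ("203.0.113.9", date(2021, 1, 15), "benign"), ("203.0.113.10", date(2021, 1, 31), "benign"),
    ("198.51.100.7", date(2021, 1, 31), "malicious"),  # spam from an IP the HTTP feed called benign
    ("198.51.100.40", date(2021, 1, 31), "benign"),    # e-mail only: dropped by the join
    ("198.51.100.99", date(2021, 1, 29), "unknown"), ("198.51.100.99", date(2021, 1, 29), "unknown"),
]

def window_features(records, ip, now=NOW):
    """Event counts for one IP per window; an event `age` days old counts when 0 <= age < length."""
    ages = [(now - day).days for rec_ip, day, _ in records if rec_ip == ip]
    return [sum(1 for age in ages if 0 <= age < length) for _, length in WINDOWS]

def feed_label(records, ip):
    """One label per feed and IP: any malicious record wins, then any benign, else unknown."""
    verdicts = {v for rec_ip, _, v in records if rec_ip == ip}
    return next((lab for lab in ("malicious", "benign") if lab in verdicts), "unknown")

def combine_labels(http_label, email_label):
    """Merge rule (assumption): keep agreement or one-sided evidence; a
    malicious-vs-benign conflict becomes unknown instead of guessing."""
    if "unknown" in (http_label, email_label):
        return email_label if http_label == "unknown" else http_label
    return http_label if http_label == email_label else "unknown"

def features_for(ip, http=HTTP_TELEMETRY, email=EMAIL_TELEMETRY):
    """First features (HTTP windows) followed by second features (e-mail windows)."""
    return window_features(http, ip) + window_features(email, ip)

def build_training_set(http=HTTP_TELEMETRY, email=EMAIL_TELEMETRY):
    """Inner join on IP address: only IPs present in both feeds become training rows."""
    matched = {ip for ip, _, _ in http} & {ip for ip, _, _ in email}
    return {ip: (features_for(ip, http, email),
                 combine_labels(feed_label(http, ip), feed_label(email, ip)))
            for ip in sorted(matched)}

def train(training_set):
    """Nearest-centroid model: mean feature vector per label. Unknown rows carry no
    usable label, so they stay in the joined set for audit but do not train the model."""
    groups = defaultdict(list)
    for feats, label in training_set.values():
        if label != "unknown":
            groups[label].append(feats)
    return {label: [sum(col) / len(vecs) for col in zip(*vecs)] for label, vecs in groups.items()}

def predict(model, feats):
    """First value: nearest class. Second value: margin confidence in [0, 1), separate from it."""
    if not any(feats):
        return "unknown", 0.0  # nothing observed on either protocol: nothing to classify
    ranked = sorted((dist(feats, centroid), label) for label, centroid in model.items())
    if len(ranked) < 2:
        return ranked[0][1], 0.0
    (d_near, label), (d_next, _) = ranked[0], ranked[1]
    return label, (1.0 - d_near / d_next) if d_next else 0.0

def should_block(verdict, confidence, second_threshold=0.6):
    """Client-side rule: the first threshold is the categorical check verdict == malicious;
    the second threshold (assumed 0.6) is applied to the separate confidence value."""
    return verdict == "malicious" and confidence >= second_threshold

if __name__ == "__main__":
    model = train(build_training_set())
    for ip in ("203.0.113.5", "198.51.100.99", "198.51.100.7", "192.0.2.1"):
        verdict, conf = predict(model, features_for(ip))
        print(f"{ip:15} {verdict:9} confidence={conf:.2f} block={should_block(verdict, conf)}")
```

Running the script scores four addresses: 203.0.113.5 is called malicious with a confidence near 0.73 and is blocked; 198.51.100.99 is also called malicious, but its confidence (about 0.28) falls below the second threshold, so the client does not block it; 198.51.100.7, whose HTTP and e-mail feeds disagreed, was labelled unknown for training and is scored benign at low confidence; 192.0.2.1 has no telemetry in either data set and comes back unknown with confidence 0.0. The two-value output is what lets the client apply the second threshold independently of the verdict, which is the point at which the combination of references above was found non-obvious.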



Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHIMEI ZHU whose telephone number is (571)270-7990.  The examiner can normally be reached on 10am-6pm Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.








/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495