DETAILED ACTION
Claims 1-2, 4-5, 8, 10-11, 13-14, 17, & 19-20 have been amended. Claims 6-7 & 15-16 have been canceled. Claims 1-5, 8-14, & 17-20 remain pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner's amendment was given in a telephone interview with Jonathon P. Western on March 3, 2021. The application has been amended as follows: 
In the claims:
1.  (Currently Amended)  A method comprising:
	receiving, at a service, data regarding administration traffic in a network associated with a remote administration session in which a control device remotely administers a client device;
	analyzing, by the service, the received data to determine whether the administration traffic is resulting from an administration session involving a trusted administrator, wherein the analysis of the received data is based at least on user information characterizing the control device
	flagging, by the service, a first portion of the received data associated with the administration session involving the trusted administrator as authorized, based on the analysis of the received data, wherein a second portion of the received data is non-flagged; and
	using, by the service, a machine learning-based traffic classifier to distinguish between benign traffic and malicious traffic in the network, wherein the machine learning-based traffic classifier is trained using samples of benign traffic and malicious traffic and using the first portion of the received data that is flagged as authorized, and wherein the machine learning-based traffic classifier assesses only the non-flagged second portion of the received data, such that the first portion of the received data that is flagged as authorized is excluded from assessment by the machine learning-based traffic classifier.	 

2.  (Currently Amended)  The method as in claim 1, wherein analyzing the received data 
	determining, by the service, that the control device was operated by the trusted

3.  (Original)  The method as in claim 1, wherein at least a portion of the received data comprises data generated by a monitoring process executed by the control device.

4.  (Currently Amended)  The method as in claim 3, wherein at least a portion of the received data comprises data generated by a network traffic monitor between the control device and the client device in the network, and wherein analyzing the received data 
	matching, by the service, a network address captured by the monitoring process executed by the control device to a network address captured by the network traffic monitor.

5.  (Currently Amended)  The method as in claim 3, wherein analyzing the received data 
	identifying, by the service and from the data generated by the monitoring process executed by the control device, a particular process that was executed by the control device to initiate the remote administration session with the client device; and
	determining, by the service, whether the particular process is authorized.	

6-7.  (Canceled)  

8.  (Currently Amended)  The method as in claim 1, wherein the malicious traffic is indicative of malfeasance by the trusted

9.  (Original)  The method as in claim 1, wherein the remote administration session comprises at least one of: a remote desktop administration session, a Secure Shell (SSH) session, or Secure Copy (SCP) session.

10.  (Currently Amended)  An apparatus, comprising:
one or more network interfaces to communicate with a network;
a processor coupled to the one or more network interfaces
a memory storingcomprising
receiving
	analyzingresulting from an administration session involving a trusted administrator, wherein the analysis of the received data is based at least on user information characterizing the control device
	flagging aassociated with the administration session involving the trusted administrator as authorized, based on the analysis of the received data, wherein a second portion of the received data is non-flagged; and
	using a machineusing samples of benign traffic and malicious traffic and using the first portion of the received data that is flagged as authorized, and wherein the machine learning-based traffic classifier assesses only the non-flagged second portion of the received data, such that the first portion of the received data that is flagged as authorized is excluded from assessment by the machine learning-based traffic classifier.	

11.  (Currently Amended)  The apparatus as in claim 10, wherein the apparatus analyzes the received data 
	determining that the control device was operated by the trusted

12.  (Original)  The apparatus as in claim 10, wherein at least a portion of the received data comprises data generated by a monitoring process executed by the control device.

13.  (Currently Amended)  The apparatus as in claim 12, wherein at least a portion of the received data comprises data generated by a network traffic monitor between the control device and the client device in the network, and wherein the apparatus analyzes the received data 
	matching a network address captured by the monitoring process executed by the control device to a network address captured by the network traffic monitor.

14.  (Currently Amended)  The apparatus as in claim 12, wherein the apparatus analyzes the received data 
	identifying, from the data generated by the monitoring process executed by the control device, a particular process that was executed by the control device to initiate the remote administration session with the client device; and
	determining whether the particular process is authorized.	

15-16.  (Canceled)  

17.  (Currently Amended)  The apparatus as in claim 10, wherein the malicious traffic is indicative of malfeasance by the trusted

18.  (Original)  The apparatus as in claim 10, wherein the remote administration session comprises at least one of: a remote desktop administration session, a Secure Shell (SSH) session, or Secure Copy (SCP) session.

19.  (Currently Amended)  A tangible, non-transitory, computer-readable medium storing program instructions that cause a device to execute a process comprising:
 	receiving data regarding administration traffic in a network associated with a remote administration session in which a control device remotely administers a client device;
	analyzing the received data to determine whether the administration traffic is resulting from an administration session involving a trusted administrator, wherein the analysis of the received data is based at least on user information characterizing the control device
	flagging a first portion of the received data associated with the administration session involving the trusted administrator as authorized, based on the analysis of the received data, wherein a second portion of the received data is non-flagged; and
	using a machine learning-based traffic classifier to distinguish between benign traffic and malicious traffic in the network, wherein the machine learning-based traffic classifier is trained using samples of benign traffic and malicious traffic and using the first portion of the received data that is flagged as authorized, and wherein the machine learning-based traffic classifier assesses only the non-flagged second portion of the received data, such that the first portion of the received data that is flagged as authorized is excluded from assessment by the machine learning-based traffic classifier.	 

20.  (Currently Amended)  The computer-readable medium as in claim 19, wherein analyzing the received data 
	determining, by the service, that the control device was operated by an authorized administrator during the remote administration session.

 

PLEASE CANCEL CLAIMS 6-7 & 15-16. 
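
The following Python program is an illustrative example added to this record copy; it is not part of the applicant's disclosure, the claims, or the examiner's amendment. It walks through the pipeline recited in claims 1, 4 and 5: host-side monitor records from the control device are matched by network address to flows seen by a network traffic monitor (claim 4), a flow is flagged as authorized only when the control device was operated by a trusted administrator and the initiating process is an approved remote-administration tool (claims 1 and 5), the flagged flows are added to the benign training samples, and the classifier scores only the non-flagged remainder. The monitor records, the trusted-administrator and approved-process sets, the byte-ratio and duration buckets, and the naive Bayes classifier standing in for the "machine learning-based traffic classifier" are all assumptions made for this example; the claims do not specify any of them.

```python
"""Added example (not from the patent record): correlate host and network
monitors, flag authorized admin sessions, train on them as benign, and
classify only the unflagged traffic."""
from collections import Counter
from dataclasses import dataclass
from math import log


@dataclass(frozen=True)
class Flow:
    """One connection summary as a network traffic monitor might report it."""
    src: str
    dst: str
    dport: int
    bytes_out: int   # control device -> client device
    bytes_in: int    # client device -> control device
    duration_s: float


# Constructed sample data. Policy sets are assumptions for this example.
TRUSTED_ADMINS = {"alice"}
AUTHORIZED_ADMIN_PROCESSES = {"ssh", "scp", "mstsc.exe"}

# Records from a monitoring process on the control device (claim 3):
# which user ran which process to reach which remote address/port.
HOST_MONITOR = [
    {"host": "10.0.1.5", "user": "alice", "process": "ssh", "remote": "10.0.2.20", "rport": 22},
    {"host": "10.0.1.5", "user": "alice", "process": "mstsc.exe", "remote": "10.0.2.21", "rport": 3389},
    {"host": "10.0.1.9", "user": "svc-build", "process": "nc", "remote": "10.0.2.22", "rport": 22},
    {"host": "10.0.1.5", "user": "alice", "process": "python3", "remote": "10.0.2.23", "rport": 22},
]

# Flows from a network traffic monitor between control and client devices.
NETWORK_MONITOR = [
    Flow("10.0.1.5", "10.0.2.20", 22, 52_000, 9_000, 610.0),        # alice via ssh
    Flow("10.0.1.5", "10.0.2.21", 3389, 120_000, 4_000_000, 1800.0),  # alice via RDP client
    Flow("10.0.1.9", "10.0.2.22", 22, 800_000, 200, 5.0),            # untrusted user, nc
    Flow("10.0.1.5", "10.0.2.23", 22, 3_000, 1_500, 120.0),          # trusted user, unapproved tool
]

# Constructed benign and malicious training samples (claim 1).
BENIGN = [
    Flow("10.0.1.3", "10.0.2.30", 22, 40_000, 12_000, 900.0),
    Flow("10.0.1.4", "10.0.2.31", 3389, 90_000, 3_000_000, 2400.0),
    Flow("10.0.1.3", "10.0.2.32", 22, 2_000, 1_800, 120.0),
]
MALICIOUS = [
    Flow("10.0.1.8", "10.0.2.33", 22, 5_000_000, 400, 20.0),
    Flow("10.0.1.8", "10.0.2.34", 22, 2_000_000, 300, 45.0),
    Flow("10.0.1.8", "10.0.2.35", 3389, 3_000_000, 1_000, 50.0),
]


def flag_authorized(host_records, flows):
    """Split flows into (authorized, unflagged). A flow is authorized only if a
    host record matches its (src, dst, dport), the user is a trusted admin, and
    the initiating process is an approved admin tool (claims 1, 4, 5)."""
    authorized = []
    for f in flows:
        for r in host_records:
            addr_match = (r["host"], r["remote"], r["rport"]) == (f.src, f.dst, f.dport)
            if addr_match and r["user"] in TRUSTED_ADMINS and r["process"] in AUTHORIZED_ADMIN_PROCESSES:
                authorized.append(f)
                break
    unflagged = [f for f in flows if f not in authorized]
    return authorized, unflagged


def featurize(f):
    """Bucket a flow into categorical features (assumed feature design)."""
    if f.bytes_out > 10 * f.bytes_in:
        ratio = "out_heavy"      # client pushes far more than it receives
    elif f.bytes_in > 10 * f.bytes_out:
        ratio = "in_heavy"
    else:
        ratio = "balanced"
    return {"port": f.dport, "ratio": ratio, "dur": "short" if f.duration_s < 60 else "long"}


class NaiveBayes:
    """Categorical naive Bayes with Laplace smoothing; a stand-in classifier."""

    def __init__(self):
        self.labels = Counter()   # label -> sample count
        self.counts = {}          # (label, feature) -> Counter of values
        self.values = {}          # feature -> set of values seen in training

    def fit(self, samples):
        for feats, label in samples:
            self.labels[label] += 1
            for k, v in feats.items():
                self.counts.setdefault((label, k), Counter())[v] += 1
                self.values.setdefault(k, set()).add(v)
        return self

    def predict(self, feats):
        total = sum(self.labels.values())
        scores = {}
        for label, n in self.labels.items():
            lp = log(n / total)
            for k, v in feats.items():
                c = self.counts.get((label, k), Counter())
                lp += log((c[v] + 1) / (n + len(self.values.get(k, ()))))
            scores[label] = lp
        return max(scores, key=scores.get)


def run(host_records=HOST_MONITOR, flows=NETWORK_MONITOR):
    """Return (authorized flows, verdicts for the unflagged flows only)."""
    authorized, unflagged = flag_authorized(host_records, flows)
    samples = [(featurize(f), "benign") for f in BENIGN + authorized]
    samples += [(featurize(f), "malicious") for f in MALICIOUS]
    clf = NaiveBayes().fit(samples)
    verdicts = {(f.src, f.dst, f.dport): clf.predict(featurize(f)) for f in unflagged}
    return authorized, verdicts


if __name__ == "__main__":
    auth, verdicts = run()
    print("authorized (excluded from scoring):", [(f.src, f.dst, f.dport) for f in auth])
    print("verdicts on unflagged traffic:", verdicts)
```

Two flows are flagged and never reach the classifier; of the two that do, the bulk outbound transfer by a non-admin account is scored malicious and the balanced, longer session is scored benign even though its initiating process failed the claim 5 check. Note the practical caveat that flagging rests entirely on the host-side monitor being trustworthy: an attacker who controls the control device can forge the user and process fields and have exfiltration excluded from assessment, so the monitor's records should themselves be integrity-protected before they are used to exempt traffic.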

Allowable Subject Matter
Claims 1-5, 8-14, & 17-20 are allowed. No reason for allowance is needed as the record is clear in light of applicant's arguments and the examiner's amendment above. See MPEP 1302.14(I).

According to MPEP 1302.14 (I): “In most cases, the examiner’s actions and the applicant’s replies make evident the reasons for allowance, satisfying the “record as a whole” proviso of the rule. This is particularly true when applicant fully complies with 37 CFR 1.111 (b) and (c) and 37 CFR 1.133(b). Thus, where the examiner’s actions clearly point out the reasons for rejection and the applicant’s reply explicitly presents reasons why claims are patentable over the reference, the reasons for allowance are in all probability evident from the record and no statement should be necessary.”
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHARIF ULLAH whose telephone number is (571)272-5453.  The examiner can normally be reached on Mon-Fri 7:30-5:00.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Farid Homayounmehr, can be reached at 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SHARIF E ULLAH/Primary Examiner, Art Unit 2495