DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
Claims 1-20 are pending in this Office Action.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/11/2020 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Drawings
The formal drawings received on 06/19/2020 have been entered.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over O’Neil, John (Pub. No.: WO 2018/152303, hereinafter, “O’Neil,” provided in the IDS by the applicant) in view of Kuperman et al. (Pub. No.: US 2017/0244737, hereinafter, “Kuperman”).
Claims 1, 11. O’Neil teaches:
A method performed by at least one computer processor executing computer program instructions stored in at least one non-transitory computer-readable medium, the method comprising: – on pages 3, 7 (Referring to FIG. 1, a dataflow diagram is shown of a system 100 for generating network application security policies according to one embodiment of the present invention. Referring to FIG. 2, a flowchart is shown of a method 200 performed by the system 100 according to one embodiment of the present invention.)
(A) for each of a plurality of observed communications over a network between applications executing on a plurality of computer systems, collecting and storing observed communications data representing the plurality of observed communications; – on pages 3, 7 (The system 100 and method 200 collect information about which applications are communicating with each other in the system 100. As the system 100 gathers network communication information (e.g., by using the 
(B) generating a network communication model based on the observed communications data; – on page 3 (The system 100 and method 200 apply machine learning to such gathered information to create a model 104 based on the collected network communication information.)
(C) generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications; and – on pages 3, 4 (As will be described in more detail below, the system 100 and method 200 may generate the model 104 even in the absence of training data in which particular network communications are labeled as "healthy" (i.e., desired to be permitted) or "unhealthy" (i.e., desired to be blocked). One benefit of embodiments of the present invention is that they may generate the model 104 in absence of such training data, while striking a balance between being permissive enough to permit healthy but previously unseen network communications (e.g., network communications that have properties different than the communications that were used to generate the model 104) and being restrictive enough to block previously-unseen and unhealthy network communications.)
(D) identifying allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model; – on pages 3, 4, 20 (As will be described in more detail below, the system 100 and method 
(E) identifying positive data representing a plurality of network communications that should be allowed by the network communication model; and – on pages 3, 4 (As will be described in more detail below, the system 100 and method 200 may generate the model 104 even in the absence of training data in which particular network communications are labeled as "healthy" (i.e., desired to be permitted) or "unhealthy" (i.e., desired to be blocked).) 

O’Neil does not explicitly teach:
(F) calculating an accuracy of the network communication model based on the allowed data and the positive data.
However, Kuperman teaches:
(F) calculating an accuracy of the network communication model based on the allowed data and the positive data. – in paragraph [0079] (The model generator 209 utilizes a set of requests reserved for cross validation to verify validity of the model, and inputs a set of requests in a test data set to compute overall accuracy. The model generator 209 utilizes the cross validation set to verify that an indicated increase in accuracy of the model fitted to the training data during training iterations also translates 
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify O’Neil with Kuperman to include (F) calculating an accuracy of the network communication model based on the allowed data and the positive data, as taught by Kuperman, in paragraph [0020], in order to protect web applications at a host by analyzing web application behavior to detect malicious client requests.

Claims 2, 12. Combination of O’Neil and Kuperman teaches The method of claim 1 – refer to the indicated claim for reference(s). 
O’Neil teaches:
wherein the plurality of observed communications does not include any of the plurality of hypothetical communications. – on page 3 (The system 100 and method 200 apply machine learning to such gathered information to create a model 104 based on the collected network communication information.)

Claims 3, 13. Combination of O’Neil and Kuperman teaches The method of claim 1 – refer to the indicated claim for reference(s).
O’Neil teaches:
wherein collecting and storing the observed communications data comprises collecting and storing, for each of the plurality of observed communications: data representing a source application of the observed communication; data representing a destination application of the observed communication; data representing a local Internet Protocol (IP) address of the observed communication; and data representing a remote IP address of the observed communication. – on pages 5, 6 (The network information collection agent 106a on the source system 102a may collect, for each network communication (e.g., connection request, message, packet) transmitted or received by the source system 102a, any one or more of the following units of information (FIG. 2, operation 202): the local IP address and port of the communication; the remote IP address and port of the 

Claims 4, 14. Combination of O’Neil and Kuperman teaches The method of claim 1 – refer to the indicated claim for reference(s).

Kuperman further teaches:
wherein (F) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the positive data which are not allowed by the network communication model. – in paragraph [0079] (The model generator 209 utilizes a set of requests reserved for cross validation to verify validity of the model, and inputs a set of requests in a test data set to compute overall accuracy. The model generator 209 utilizes the cross validation set to verify that an indicated increase in accuracy of the model fitted to the training data during training iterations also translates to an actual increase in accuracy over the requests in the cross validation set. If the accuracy over the training data set increase, but the accuracy over the cross validation set decreases, that is an indication that the model (e.g., the ANN) is being overfitted and further training would decrease accuracy. The test set, in turn, by presenting requests not factored into the training is utilized by the model generator 209 to confirm the predictive accuracy of the model. The model generator 209 may compute 
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify O’Neil with Kuperman to include wherein (F) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the positive data which are not allowed by the network communication model, as taught by Kuperman, in paragraph [0020], in order to protect web applications at a host by analyzing web application behavior to detect malicious client requests.

Claims 5, 15. Combination of O’Neil and Kuperman teaches The method of claim 1 – refer to the indicated claim for reference(s).

Kuperman further teaches:
wherein (F) comprises: (F)(1) calculating a precision value P based on the allowed data and the positive data; (F)(2) calculating a recall value R based on the allowed data and the positive data; and (F)(3) calculating the accuracy F based on the precision value and the recall value. – in paragraph [0079] (The model generator 209 utilizes a set of requests reserved for cross validation to verify validity of the model, and inputs a set of requests in a test data set to compute overall accuracy. The model generator 209 utilizes the cross validation set to verify that an indicated increase in accuracy of the model fitted to the training data during training iterations also translates to an actual increase in accuracy over the requests in the cross validation set. If the accuracy over the training data set increase, but the accuracy over the cross validation set decreases, that is an indication that the model (e.g., the ANN) is being overfitted and further training would decrease accuracy. The test set, in turn, by presenting requests not factored into the training is utilized by the model generator 209 to confirm the predictive accuracy of the model. The model generator 209 may compute one or more of the following metrics based on model output for requests in the test data set to represent model accuracy to the system administrator. Accuracy Rate as a percentage of total requests predicted correctly in the cross validation and test data sets. False Positive Rate as a percentage of total requests predicted as malicious but where the requests were labeled as known non-malicious. False Negative Rate as a percentage of total requests predicted as non-malicious but where the requests were labeled as known malicious. Precision (P) as a measure of True Positives/(True Positives+False 
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify O’Neil with Kuperman to include wherein (F) comprises: (F)(1) calculating a precision value P based on the allowed data and the positive data; (F)(2) calculating a recall value R based on the allowed data and the positive data; and (F)(3) calculating the accuracy F based on the precision value and the recall value, as taught by Kuperman, in paragraph [0020], in order to protect web applications at a host by analyzing web application behavior to detect malicious client requests.

Claims 6, 16. Combination of O’Neil and Kuperman teaches The method of claim 5 – refer to the indicated claim for reference(s).

Kuperman further teaches:
wherein (F)(3) comprises calculating F as (2×P×R)/(P+R). – in paragraph [0079] (Precision (P) as a measure of True Positives/(True Positives+False Positives), Recall (R) as a measure of True Positives/(True Positives+False Negatives) and a Balanced F Score: 2*(P*R/(P+R)). The F Score may be monitored by the model generator 209 to optimize the model, by choosing a malicious prediction threshold that maximizes F as a tradeoff between the Precision (P) and Recall (R) metrics.)


Claims 7, 17. Combination of O’Neil and Kuperman teaches The method of claim 6 – refer to the indicated claim for reference(s).  

Kuperman further teaches:
wherein (F)(1) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the hypothetical data which are allowed by the network communication model. – in paragraph [0079] (The model generator 209 utilizes a set of requests reserved for cross validation to verify validity of the model, and inputs a set of requests in a test data set to compute overall accuracy. The model generator 209 utilizes the cross validation set to verify that an indicated increase in accuracy of the model fitted to the training data during training iterations also translates to an actual increase in accuracy over the requests in the cross validation set. If the accuracy over the training data set increase, but the accuracy over the cross validation set decreases, that is an indication that the model (e.g., the ANN) is being overfitted and further training would decrease accuracy. The test set, in turn, by presenting requests not factored into the training is utilized by the model 
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify O’Neil with Kuperman to include wherein (F)(1) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the hypothetical data which are allowed by the network communication model, as taught by Kuperman, in paragraph [0020], in order to protect web applications at a host by analyzing web application behavior to detect malicious client requests.

Claims 8, 18. Combination of O’Neil and Kuperman teaches The method of claim 7 – refer to the indicated claim for reference(s).

Kuperman further teaches:
wherein (F)(2) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the positive data which are not allowed by the network communication model. – in paragraph [0079] (The model generator 209 utilizes a set of requests reserved for cross validation to verify validity of the model, and inputs a set of requests in a test data set to compute overall accuracy. The model generator 209 utilizes the cross validation set to verify that an indicated increase in accuracy of the model fitted to the training data during training iterations also translates to an actual increase in accuracy over the requests in the cross validation set. If the accuracy over the training data set increase, but the accuracy over the cross validation set decreases, that is an indication that the model (e.g., the ANN) is being overfitted and further training would decrease accuracy. The test set, in turn, by presenting requests not factored into the training is utilized by the model generator 209 to confirm the predictive accuracy of the model. The model generator 209 may compute one or more of the following metrics based on model output for requests in the test data set to represent model accuracy to the system administrator. Accuracy Rate as a percentage of total requests predicted correctly in the cross validation and test data sets. False Positive Rate as a percentage of total requests predicted as malicious but where the requests were labeled as known non-malicious. False Negative 
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify O’Neil with Kuperman to include wherein (F)(2) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the positive data which are not allowed by the network communication model, as taught by Kuperman, in paragraph [0020], in order to protect web applications at a host by analyzing web application behavior to detect malicious client requests.
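The set arithmetic recited in claims 5-8 (precision P, recall R, and F = 2×P×R/(P+R)), worked through on a toy allow-list model. This is an added example, not code from the application, O’Neil or Kuperman. The flow tuple layout, the CIDR-widening model, the way hypothetical flows are derived, and all sample addresses are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple

class Flow(NamedTuple):
    src_app: str
    dst_app: str
    local_ip: str
    remote_ip: str

# Constructed sample data, not taken from any cited reference.
OBSERVED = {
    Flow("web", "api", "10.0.1.5", "10.0.2.10"),
    Flow("api", "db", "10.0.2.10", "10.0.3.20"),
}
# Positive data: flows an operator has marked as "should be allowed".
POSITIVE = OBSERVED | {Flow("api", "db", "10.0.2.10", "10.0.9.9")}

def build_model(observed, prefix_len=24):
    """Assumed model: allow each (src, dst) pair to the observed remote /prefix_len."""
    return {
        (f.src_app, f.dst_app,
         ipaddress.ip_network(f"{f.remote_ip}/{prefix_len}", strict=False))
        for f in observed
    }

def allows(model, flow):
    addr = ipaddress.ip_address(flow.remote_ip)
    return any(src == flow.src_app and dst == flow.dst_app and addr in net
               for src, dst, net in model)

def hypothetical_flows(observed):
    """Assumed scheme: shift each remote IP by 1 (same /24) and by 256 (next /24)."""
    out = set()
    for f in observed:
        for step in (1, 256):
            ip = str(ipaddress.ip_address(f.remote_ip) + step)
            out.add(f._replace(remote_ip=ip))
    return out - set(observed)  # hypothetical data stays distinct from observed data

def evaluate(observed, positive, prefix_len=24):
    """Score a candidate model before it is enforced on any traffic."""
    model = build_model(observed, prefix_len)
    hypo = hypothetical_flows(observed)
    allowed = {f for f in observed | hypo | positive if allows(model, f)}
    tp = len(allowed & positive)       # allowed and should be allowed
    hypo_allowed = len(hypo & allowed) # hypothetical flows the model lets through
    missed = len(positive - allowed)   # should be allowed but blocked
    precision = tp / (tp + hypo_allowed) if tp + hypo_allowed else 0.0
    recall = tp / (tp + missed) if tp + missed else 0.0
    total = precision + recall
    fscore = 2 * precision * recall / total if total else 0.0
    return {"precision": precision, "recall": recall, "f": fscore}

if __name__ == "__main__":
    for plen in (32, 24, 16):
        print(plen, evaluate(OBSERVED, POSITIVE, plen))
```

On this constructed data the exact-match model (/32) scores P = 1 but blocks the operator-approved flow, while the /16 model reaches R = 1 at the cost of admitting every hypothetical flow.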

Claims 9, 19. Combination of O’Neil and Kuperman teaches The method of claim 1 – refer to the indicated claim for reference(s).

Kuperman further teaches:
wherein calculating the accuracy comprises calculating the accuracy before applying the network communication model to any communications on the network. – in paragraph [0079] (The model generator 209 utilizes a set of requests 
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify O’Neil with Kuperman to include wherein calculating the accuracy comprises calculating the accuracy before applying the network communication model to any communications on the network, as taught by Kuperman, in paragraph [0020], in order to protect web applications at a host by analyzing web application behavior to detect malicious client requests.

Claims 10, 20. Combination of O’Neil and Kuperman teaches The method of claim 1 – refer to the indicated claim for reference(s).  

Kuperman further teaches:
wherein identifying the positive data comprises receiving input indicating that the plurality of network communications should be allowed by the network communication model and storing data representing the input indicating that the plurality of network communications should be allowed by the network communication model. – in paragraph [0054] (Profile/Anomaly detection WAFs differ from this approach in that they are unsupervised and the number of labeled positive examples is zero. Positive examples (e.g., malicious requests) may be utilized to verify a profile/anomaly detection WAF but are not considered in generating profiles themselves. In contrast, the model generator 209 ingests both positively labeled (e.g., known malicious requests) and negatively labeled (e.g., known non-malicious requests) 
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify O’Neil with Kuperman to include wherein identifying the positive data comprises receiving input indicating that the plurality of network communications should be allowed by the network communication model and storing data representing the input indicating that the plurality of network communications should be allowed by the network communication model, as taught by Kuperman, in paragraph [0020], in order to protect web applications at a host by analyzing web application behavior to detect malicious client requests.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUHAMMAD RAZA whose telephone number is (571)272-7734. The examiner can normally be reached on Monday-Friday, 7:00 A.M.-5:00 P.M.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MUHAMMAD RAZA/Examiner, Art Unit 2449