Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
This action is in reply to the amendments and remarks filed on 02/04/2021.
Claims 1-8 and 10-20 are pending.
Claims 1, 2, 7, 10-11, 16, and 19 have been amended.
Examiner Note: The examiner will interpret “processor” to be a well-known hardware processor.

Response to Arguments
Applicant’s arguments, with respect to the claim interpretations of claim(s) 1, 4-5, 7, and 19-20 under 35 U.S.C. 112(f), have been fully considered and are persuasive.  The 112(f) interpretations of “a device in a network” in claims 1, 4-5, 7, and 19-20 has been withdrawn. 

Applicant’s arguments, with respect to the rejection(s) of claim(s) 1, 10, and 19 under 35 U.S.C. 112(b), have been considered but they are not persuasive. More specifically, applicant argues that in view of amendments to the claims, the rejections have been overcome. The amendments to claims 1, 10, and 19 now merely state that “a training dataset” is generated “based on one or more counts included in the training dataset dictionary”, and “a particular weight assigned to a particular feature vector of the 

Applicant’s arguments, with respect to the rejection(s) of claim(s) 1, 10, and 19 under 35 U.S.C. 103, have been considered but they are not persuasive. Specifically, the applicant argues that no art of record teaches the amended claims 1, 10, and 19 limitations, which now recite “adjusting, by the device, a particular weight assigned to a particular feature vector of the training dataset based on a type of machine learning-based model to be trained”, since “the manner in which Rajesh ‘continually updat[es] weights’ is distinguishable from the adjustment of a weight assigned to a particular feature vector of a training dataset as presently claimed” and “weights may be updated merely ‘based on the occurrence of features representative of received malicious packets in a network’…[and] has no relation to the type of machine learning-based model that is to be trained”. The examiner respectfully disagrees. Applicant’s spec, pages 9-10 state employing and training “supervised, unsupervised, or semi-supervised machine learning models”. Rajesh, sections 3.1.3-3.1.5, last paragraphs of each section, sections 3.2-3.4 and Figs. 4 and 9 teach forming a feature set, also referred to as “the training set”, with assigned weights that, as taught in sections 3.2-3.3.1, are excluded from specific features (adjusting a particular weight assigned to a particular feature vector of the training dataset) to form a “third category” for training supervised machine learning models (based on a type of machine learning-based model to be trained). The “training data set” is segregated into a “training set” and 
See 35 U.S.C 103 section for full mapping of claim limitations necessitated by applicant’s amendments.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1, 10, and 19 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Claims 1, 10, and 19 recite (or analogously recite) the limitation "based on one or more counts” in line 18 (of claim 1), but it is unclear to the examiner if this refers to the “a count associated with a particular feature vector” of the preceding limitation or different “counts”. 
of the counts included…”

Claims 1, 10, and 19 recite the limitation “and a weight assigned to each of the feature vectors” in lines 18-19 and "adjusting, by the device, a particular weight assigned to a particular feature vector” in line 20 (of claim 1), but it is unclear to the examiner if the “weight assigned” is a single weight that is assigned to all of the feature vectors or different weights assigned.
An optional method to overcome this rejection is to amend the limitation to read “…and s assigned to each of the feature vectors...”

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-5, 7-8, 10-14, and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Chavez et al (US Patent 9985984) hereinafter Chavez, in view of Rajesh et al (“Droidswan: Detecting Malicious Android Applications based on Static Feature Analysis”, 2015), hereinafter Rajesh.
Regarding claims 1, 10, and 19, Chavez teaches a method, an apparatus, comprising one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor (Col. 10, line 63-Col. 11, line 45, and Col. 26, line 38-Col. 27, line 60 and Fig. 13 teach a computing device comprising “network connection[s]” and interfaces, a data store with “executable instructions” executed by a processor to perform the embodiments); and a tangible, non-transitory, computer-readable medium storing program instructions that cause a device in a network to execute a process comprising (Col. 10, line 63-Col. 11, line 45, and Col. 26, line 38-Col. 27, line 60 and Fig. 13 teach a computing device comprising “network connection[s]” and interfaces, “computer-readable storage media” with “executable instructions” executed by a processor to perform the embodiments):
generating, by a device in a network, a feature vector based on traffic flow data regarding one or more traffic flows in the network (Col. 6, line51-Col. 7, line 35, Col. 8, lines 11-48, Col. 12, lines 16-43 and Figs. 1-3 teach “one or more feature vectors 316 can be generated”, by a host device with a “data analyzer component” (device in a network), from (based on) the raw dataset 305 that includes “any of data packets 135, 139” sent from “a known, authentic source” or “a malicious entity” (traffic flow data regarding one or more traffic flows in the network));
making, by the device, a determination as to whether the generated feature vector is already represented in a training dataset dictionary by one or more feature vectors in the training dataset dictionary (Col. 13, line 62-Col. 14, line 56 and Figs. 2-3 teach a host device with a “data analyzer component” (device in a network) processing the feature vectors of new data (generated feature vectors) for “determining (making a determination) the newness of data (e.g., newness of data 135, 139 as determined from the old datasets 230.sub.1-230.sub.n)” held in the data store 220 (training dataset dictionary) by comparing the “feature vectors” of each (whether the generated feature vector is already represented in a training dataset dictionary by one or more feature vectors in the training dataset dictionary));
updating, by the device, the training dataset dictionary based on the determination as to whether the generated feature vector is already represented in the training dataset dictionary by one or more feature vectors in the training dataset dictionary (Col. 13, line 62-Col. 14, line 56 and Figs. 2-3 teach a host device with a “data analyzer component” (device in a network) processing the feature vectors of new data (generated feature vectors) for “determining (making a determination) the newness of data (e.g., newness of data 135, 139 as determined from the old datasets 230.sub.1-230.sub.n)” held in the data store 220 (training dataset dictionary) by comparing the “feature vectors” of each (whether the generated feature vector is already represented in a training dataset dictionary by one or more feature vectors in the training dataset dictionary), and further that “any feature vectors that are generated…can be stored…in the data store 220” (updating the training dataset dictionary) by the host device), wherein updating the training dataset dictionary comprises one of:
adding the generated feature vector to the training dataset dictionary when the generated feature vector is not already represented by one or more feature vectors in the training dataset dictionary (Col. 13, line 62-Col. 14, line 56, Col. 15, lines 22-53, and Figs. 2-3 teach “determining (making a determination) the newness of data (e.g., newness of data 135, 139 as determined from the old datasets 230.sub.1-230.sub.n)” held in the data store 220 (training dataset dictionary) by comparing the “feature vectors” of each (generated feature vector is not already represented by one or more feature vectors in the training dataset dictionary), and further that “any feature vectors adding the generated feature vector to the training dataset dictionary)), or 
incrementing a count associated with a particular feature vector in the training dataset dictionary when the generated feature vector is already represented by the particular feature vector in the training dataset dictionary; and 
generating, by the device, a training dataset based on the training dataset dictionary (Col. 15, lines 22-53 teach a host device creating (generating) a “retraining dataset” (training dataset) once “200,000 new feature vectors 316 have been processed” and determined to not be in the old data in the data store (based on the training dataset dictionary)), the training dataset comprising feature vectors included in the training dataset dictionary and a weight assigned to each of the feature vectors based on one or more counts included in the training dataset dictionary associated with the feature vectors; 
adjusting, by the device, a particular weight assigned to a particular feature vector of the training dataset based on a type of machine learning-based model to be trained, the machine learning-based model comprising computer-executable instructions that, when executed by a processor, are configured to analyze traffic flows in a target network in which the machine learning-based model is to be deployed (Col. 10, line 63-Col. 11, line 45, and Col. 26, line 38-Col. 27, line 6 teach the “data analyzer component” with “machine learning model(s)” (machine learning-based model) comprising “processor 240 and instructions (computer-executable instructions) that can be executed by the processor 240” in order to detect (configured to analyze) whether received data packets “transmitted to a network” (traffic flows in a target 
training, by the device, the machine learning-based model using the training dataset having the adjusted particular weight.

However, while Chavez does teach training set feature vectors that are well known to have associated weights and further training machine learning models with the training set to detect malicious network activity, Chavez does not explicitly teach incrementing a count associated with a particular feature vector in the training dataset dictionary when the generated feature vector is already represented by the particular feature vector in the training dataset dictionary; and…the training dataset comprising feature vectors included in the training dataset dictionary and a weight assigned to each of the feature vectors based on one or more counts included in the training dataset dictionary associated with the feature vectors; adjusting, by the device, a particular weight assigned to a particular feature vector of the training dataset based on a type of machine learning-based model to be trained…and training, by the device, the machine learning-based model using the training dataset having the adjusted particular weight. 
Rajesh teaches incrementing a count associated with a particular feature vector in the training dataset dictionary when the generated feature vector is already represented by the particular feature vector in the training dataset dictionary (sections 3.1.3-3.1.5, last paragraphs of each section, sections 3.2-3.4 and ; and…the training dataset comprising feature vectors included in the training dataset dictionary and a weight assigned to each of the feature vectors based on one or more counts included in the training dataset dictionary associated with the feature vectors (sections 3.1.3-3.1.5, last paragraphs of each section, sections 3.2-3.4 and Figs. 4 and 9 teach a program creating a “training data set” from the associated feature vectors and weights (comprising feature vectors included in the training dataset dictionary and a weight assigned to each of the feature vectors) determined from feature occurrence summation (based on one or more counts/associated with the feature vectors)  stored by the program on local server database (included in the training dataset dictionary));
adjusting, by the device, a particular weight assigned to a particular feature vector of the training dataset based on a type of machine learning-based model to be trained (Examiner note: Applicant’s spec, pages 9-10 state employing and training “supervised, unsupervised, or semi-supervised machine learning models”.
Rajesh, sections 3.1.3-3.1.5, last paragraphs of each section, sections 3.2-3.4 and Figs. 4 and 9 teach a program, well understood to operate on a computer/server (device), forming a feature set, also referred to as “the training set”, with assigned weights that, as taught in sections 3.2-3.3.1, are excluded from specific features …and
training, by the device, the machine learning-based model using the training dataset having the adjusted particular weight (Rajesh, sections 3.2-3.4 and Figs. 4 and 9 teach a program, understood to operate on a computer/server (device), building/training a machine learning algorithm (model) on (using) the “training data set” (training dataset) with all three categories of features vectors (having the particular adjusted weight)).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to implement Rajesh’s teachings of malicious data detecting machine learning algorithm training and training set development into Chavez’s teaching of training machine learning algorithms/models for detecting received malicious entity packets in order to build an optimized training set for memory storage and prediction accuracy (Rajesh, sections 3.1-3.4 and Figs. 4 and 9).

Regarding claims 2 and 11, the combination of Chavez and Rajesh teach all the claim limitations of claims 1 and 10 above, and further teach wherein the adjusting of the particular weight assigned to the particular feature vector of the training dataset is based further on a particular traffic type for the target network (Rajesh, .
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to implement Rajesh’s teachings of malicious network data detecting machine learning algorithm training and training set development and tuning into Chavez’s teaching of training machine learning algorithms/models for detecting received malicious entity packets in order to build an optimized training set for memory storage and prediction accuracy (Rajesh, sections 3.1-3.4, Figs. 4 and 9, and Table 2).

Regarding claims 3 and 12, the combination of Chavez and Rajesh teach all the claim limitations of claims 1 and 10 above, and further teach the traffic flow data comprises header information for one or more encrypted traffic flows (Rajesh, sections 3.1.4-3-3.2, and Table 2 teach retrieving the header field data (header information) for the received malicious packets with embedded/injected encoded “executable code” in a network (encrypted traffic flows)).


Regarding claims 4 and 13, the combination of Chavez and Rajesh teach all the claim limitations of claims 1 and 10 above, and further teach adding the generated feature vector to the training dataset dictionary comprises:
initializing, by the device, a count associated with the generated feature vector (Rajesh, sections 3.1.3-3.1.5, last paragraphs of each section, sections 3.2-3.4 and Figs. 4 and 9 teach a program, understood to operate on a computer/server (device), detecting a feature of malicious activity and assigning a weight to the feature based on occurrence summation (initializing a count), and further taught to have associated feature vectors and weights (associated with the generated feature vector)).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to implement Rajesh’s teachings of malicious data detecting machine learning algorithm training and training set development into Chavez’s teaching of training machine learning algorithms/models for detecting received malicious entity packets in order to build an optimized training set for memory storage and prediction accuracy (Rajesh, sections 3.1-3.4 and Figs. 4 and 9).

Regarding claims 5, 14, and 20, the combination of Chavez and Rajesh teach all the claim limitations of claims 1, 10, and 19 above, and further teach making the determination as to whether the generated feature vector is already represented in the training dataset dictionary comprises:
computing, by the device, function values between the generated feature vector and feature vectors in the training dataset dictionary (Examiner note: according to applicant’s spec, page 16, paragraph 2, line 5, a function value can be a “similarity score, analyzed rule, etc.”
Rajesh, sections 3.1.3-3.1.5, last paragraphs of each section, sections 3.2-3.4 and Figs. 4 and 9 teach a program, understood to operate on a computer/server (device), detecting a feature of malicious activity and assigning a weight to the feature based on occurrence summation when already accounted for (already represented), and further taught to have associated feature vectors and weights with calculated “Euclidean distance[s]” (function values between the generated feature vector and feature vectors), understood to be stored by the program on local server database (training dataset dictionary)).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to implement Rajesh’s teachings of malicious data detecting machine learning algorithm training and training set development with calculated feature vector Euclidean distances into Chavez’s teaching of training machine learning algorithms/models for detecting received malicious entity packets in 

Regarding claims 7 and 16, the combination of Chavez and Rajesh teach all the claim limitations of claims 1 and 10 above, and further teach generating the training dataset based on the training dataset dictionary comprises:
receiving, at the device, one or more parameters of the target network, the one or more parameters indicative of a particular traffic type for the target network (Rajesh, sections 3.1.3-3.1.5, last paragraphs of each section, sections 3.2-3.4 and Figs. 4 and 9 teach a program, understood to operate on a computer/server (device), summing weights of feature vectors based on the occurrence of features representative of received malicious data in a network (receiving one or more parameters of the target network are indicative of a particular traffic type for the target network)); 
identifying, by the device, one or more feature vectors in the training dataset dictionary that are associated with the particular traffic type (Chavez, Col. 13, line 62-Col. 14, line 56 and Figs. 2-3 teach a host device with a “data analyzer component” (device) processing the feature vectors of new data (associated with the particular traffic type), being received malicious packets (alternative associated with the particular traffic type), for “determining (identifying) the newness of data (e.g., newness of data 135, 139 as determined from the old datasets 230.sub.1-230.sub.n)” held in the data store 220 (training dataset dictionary) by comparing the “feature vectors” of each (identifying feature vectors)); and
determining, by the device, a representation of the identified one or more feature vectors in the generated training dataset based on the received one or more parameters (Examiner note: according to applicant’s spec, pages 16-17, a “training dataset dictionary…maintains a reduced representation of all observed traffic flows” by incrementing “the count associated with each of the feature vectors”.
Rajesh, sections 3.1.3-3.1.5, last paragraphs of each section, sections 3.2-3.4 and Figs. 4 and 9 teach a program, understood to operate on a computer/server (device), detecting a feature of malicious activity and assigning a weight to the feature based on occurrence summation (determining a representation), and further taught to have associated feature vectors and weights (identified feature vectors) in a created “training data set” of features representative of received malicious data in a network (parameters), understood to be stored by the program on local server database).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to implement Rajesh’s teachings of malicious data detecting machine learning algorithm training and training set development with calculated feature vector Euclidean distances into Chavez’s teaching of training machine learning algorithms/models for detecting received malicious entity packets in order to build an optimized training set for memory storage and prediction accuracy (Rajesh, sections 3.1-3.4 and Figs. 4 and 9).

Regarding claims 8 and 17, the combination of Chavez and Rajesh teach all the claim limitations of claims 7 and 16 above, and further teach the representation of the identified one or more feature vectors in the generated training dataset excludes the identified one or more feature vectors in the dictionary associated with the particular traffic type from the generated training dataset (Examiner note: according to applicant’s spec, page 18, paragraph 2 states a feature vector having a count being equal to zero will render it excluded in the training dataset dictionary.
Chavez, Col. 13, line 62-Col. 14, line 56, Col. 15, lines 22-53, and Figs. 2-3 teach a host device with a “data analyzer component” (device) processing the feature vectors of new data (associated with the particular traffic type), being received malicious packets (alternative associated with the particular traffic type), for “determining the newness of data (e.g., newness of data 135, 139 as determined from the old datasets 230.sub.1-230.sub.n)” held in the data store 220 (training dataset dictionary) by comparing the “feature vectors” of each (identified feature vectors), and further creating a “retraining dataset” (generated training dataset) once “200,000 new feature vectors 316 have been processed” (identified feature vectors), and determining if more than a threshold of “feature vectors” are repeated, not including specific ones to “achieve a balance” from the data store (excludes the identified one or more feature vectors in the dictionary)).

Regarding claim 18, the combination of Chavez and Rajesh teach all the claim limitations of claim 10 above, and further teach the machine learning-based traffic flow model is configured to detect malicious traffic flows (Rajesh, sections 3.1.3-3.1.5, last paragraphs of each section, sections 3.2-3.4 and Figs. 4 and 9 teach a program building/training a machine learning algorithm (machine learning-based traffic flow model) based on the occurrence of features representative of received malicious .
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to implement Rajesh’s teachings of malicious data detecting machine learning algorithm training and training set development into Chavez’s teaching of training machine learning algorithms/models for detecting received malicious entity packets in order to build an optimized training set for memory storage and prediction accuracy (Rajesh, sections 3.1-3.4 and Figs. 4 and 9).

Claims 6 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Chavez et al (US Patent 9985984) hereinafter Chavez, in view of Rajesh et al (“Droidswan: Detecting Malicious Android Applications based on Static Feature Analysis”, 2015), hereinafter Rajesh, and in further view of Choudhury et al (US Pub 20160063372) hereinafter Choudhury.
Regarding claims 6 and 15, the combination of Chavez and Rajesh teach all the claim limitations of claims 5 and 14 above. However the combination does not explictly teach the function values are computed using a squared exponential function.
Choudhury teaches the function values are computed using a squared exponential function (paragraph 0060 teaches calculating (computing) Euclidean distances to define a membership function (function value). The “defined membership function may include a variety of different membership functions (function values) including, for example, the inverse of the natural exponential function having the .
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify training machine learning algorithms/models for detecting received malicious entity packets, as taught by Chavez as modified by malicious data detecting machine learning algorithm training and training set development as taught by Rajesh, to include calculating membership functions as taught by Choudhury in order to determine similarity between the current value and learned value for training a neural network (Choudhury, paragraphs 59-60).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CLINT MULLINAX whose telephone number is 571-272-3241.  The examiner can normally be reached on Mon - Fri 8:00-4:30 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexey Shmatov can be reached on 571-270-3428.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/C.M./Examiner, Art Unit 2123                                                                                                                                                                                                        
/MICHAEL J HUNTLEY/Primary Examiner, Art Unit 2116