DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 05/03/2020 has been entered.
 
Response to Amendment
This is in response to the amendments filed on 05/03/2021. Claims 1, 3, 4, 8, 10, 11, 15, and 18 have been amended. Claims 2, 9, 16, and 21 are canceled. Claims 22-25 are added in this amendment. Claims 1, 3-8, 10-15, 18-20, and 22-25 are currently pending and have been considered below.

Response to Arguments
Applicant’s arguments, see page 10, filed 05/03/2021, with respect to the rejection(s) of claim 21 under 35 U.S.C. 112(a), have been fully considered and are persuasive.  The rejection has been withdrawn.

Applicant’s arguments, see pages 10-11, filed 05/03/2021, with respect to the rejection(s) of claim(s) 1-16, and 18-21 under 35 U.S.C. 103, have been considered but are 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3-8, 10-15, 18-20, and 22-25 are rejected under 35 U.S.C. 103 as being unpatentable over Reddy et al. (US 2017/0374016 A1; hereinafter "Reddy") in view of Baldi et al. (US 2018/0062950 A1; hereinafter, “Baldi”), and further in view of Kohout et al. (US 2018/0103056 A1; hereinafter "Kohout").

Regarding Claim 1: 
Reddy teaches:
A method (claim 1: A method) comprising: 
obtaining telemetry data for a plurality of domains within a network, the telemetry data for the plurality of domains including both encrypted traffic analytics information associated with network traffic in the network and traffic flow information associated with the network traffic (para. [0054]: the device may detect an encrypted traffic flow associated with the domain. For example, the device may determine that a given traffic flow is being sent to the domain or is being sent by the domain, based on the header information of packets in the flow; para. [0048]: If the IP address is shared by multiple domains then the database lookup will return all the services offered by those domains and the flow classifier determines the service among the services offered by those domains. In turn, the networking device may determine a priority for the encrypted traffic flow based on the identified service associated with the flow; para. [0027]: The techniques herein provide a mechanism that leverages external information to more accurately classify encrypted flows. In some aspects, the techniques herein propose using service tags as part of a DNS lookup, to identify the types of services associated with a particular domain and classify its associated traffic flows; para. [0055]: At step 520, the device may identify a service associated with the encrypted traffic flow based on the one or more service tags for the domain; see also paras. [0043]-[0047]. --- It is noted that detect an encrypted traffic flow associated with the domain and the services offered by those domains teaches obtaining telemetry data for a plurality of domains; FIGs. 4A-4D teach within a network; identify a service associated with the encrypted traffic flow based on the one or more service tags (also external information) for the domain teaches the telemetry data for the plurality of domains including both encrypted traffic analytics information associated with network traffic in the network and traffic flow information associated with the network traffic, here, the encrypted traffic flow (also the information listed in paras. [0043]-[0047]) teaches encrypted traffic analytics information, and the one or more service tags (also the information listed in para. [0013]) teach traffic flow information); 
... generating a model comprising a mapping from a plurality of traffic flow information features to at least one encrypted traffic analytics feature (para. [0043]: The networking device may train a given traffic flow classifier by analyzing any number of characteristics of traffic flows associated with the possible services; para. [0055]: At step 520, the device may identify a service associated with the encrypted traffic flow based on the one or more service tags for the domain … For example, the device may train such a classifier by assessing traffic characteristics of traffic flows for the various services (e.g., in terms of SPLT information, byte distribution information, flow statistics or counts, combinations thereof, or any other traffic characteristics available to the device; para. [0023]: After this optimization/learning phase, flow classifier process 248 can use the model M to classify new data points, such as information regarding new traffic flows in the network. --- It is noted that train such a classifier by assessing traffic characteristics of traffic flows for the various services teaches generating a model; the one or more service tags teaches a plurality of traffic flow information features; characteristics of traffic flows (e.g., in terms of SPLT information …) teaches at least one encrypted traffic analytics feature; and based on teaches mapping);
generating a database by combining models generated for each of the plurality of domains (para. [0042]: In some embodiments, the device may maintain any number of machine learning classifiers, to distinguish among the reduced sets of possible services of the traffic flows; para. [0050]: In one example, assume that the device has trained a set of binary classifiers for each type of service. If the device then detects a new encrypted traffic flow associated with a particular domain, the device may identify the services associated with the domain; para. [0048]: If the IP address is shared by multiple domains then the database lookup will return all the services offered by those domains and the flow classifier determines the service among the services offered by those domains. --- It is noted that maintain any number of machine learning classifiers teaches generating a database by combining models generated for each of the plurality of domains; here, a classifier is trained for each type of service, covering all the services offered by those domains, which teaches models generated for each of the plurality of domains); 
obtaining telemetry data for a target domain that includes traffic flow information without encrypted traffic analytics information (para. [0027]: In some aspects, the techniques herein propose using service tags as part of a DNS lookup, to identify the types of services associated with a particular domain and classify its associated traffic flows; para. [0054]: At step 515, as detailed above, the device may detect an encrypted traffic flow associated with the domain. For example, the device may determine that a given traffic flow is being sent to the domain or is being sent by the domain, based on the header information of packets in the flow. In addition, the device may analyze the TLS information of the packets, to determine that the flow is encrypted, thereby requiring additional classification; para. [0055]: At step 520, the device may identify a service associated with the encrypted traffic flow based on the one or more service tags for the domain, as described in greater detail above. --- It is noted that detect an encrypted traffic flow associated with a (particular) domain teaches obtaining telemetry data for a target domain; a particular domain teaches a target domain; identify a service based on the one or more service tags (also the information listed in para. [0013]) teaches telemetry data that includes traffic flow information without encrypted traffic analytics information);  
selecting a model …, for the target domain, based on similarities between the traffic flow information of the target domain and the plurality of traffic flow information features of the model (para. [0050]: In one example, assume that the device has trained a set of binary classifiers for each type of service. If the device then detects a new encrypted traffic flow associated with a particular domain, the device may identify the services associated with the domain. In turn, the device may select the binary classifiers that correspond to these services and apply these classifiers to the encrypted traffic flow. Doing so greatly reduces the number of classifiers that need to be applied to the traffic flow by limiting the classifiers to only the services associated with the domain. Next, the device may assess the classification results to determine which classification label is most applicable to the traffic. For example, the device may choose the label reported by the classifier with the highest classification score, to identify the service that is most likely associated with the encrypted traffic; para. [0049]: where a label describes the type of service offered by a domain (e.g., “webmail” or “video conference”). In some embodiments, the device can use this corpus of labeled data to train a single binary classifier for each type of service; para. [0055]: At step 520, the device may identify a service associated with the encrypted traffic flow based on the one or more service tags for the domain … In further embodiments, and particularly when multiple service tags are associated with the domain, the device may use a machine learning classifier, to determine which of the services is being employed by the traffic flow. 
For example, the device may train such a classifier by assessing traffic characteristics of traffic flows for the various services (e.g., in terms of SPLT information, byte distribution information, flow statistics or counts, combinations thereof, or any other traffic characteristics available to the device. --- It is noted that select the binary classifiers that correspond to these services and limiting the classifiers to only the services associated with the domain teaches selecting a model, here, the service is associated with a domain, thus corresponding to services means corresponding to domain especially when a domain hosts one service, which teaches for the target domain; choose the label reported by the classifier with the highest classification score, to identify the service teaches based on similarities between information; based on the one or more service tags for the domain teaches the traffic flow information of the target domain; and train such a classifier by assessing traffic characteristics of traffic flows (e.g., in terms of SPLT information) teaches the plurality of traffic flow information features of the model); 
determining at least one encrypted traffic analytics feature for the target domain based on a plurality of traffic flow information features of the target domain using the model (para. [0050]: Next, the device may assess the classification results to determine which classification label is most applicable to the traffic. For example, the device may choose the label reported by the classifier with the highest classification score, to identify the service that is most likely associated with the encrypted traffic; para. [0055]: the device may train such a classifier by assessing traffic characteristics of traffic flows for the various services (e.g., in terms of SPLT information, byte distribution information, flow statistics or counts, combinations thereof, or any other traffic characteristics available to the device. --- It is noted that choose the label with the highest classification score teaches determining at least one encrypted traffic analytics feature; to identify the service teaches for the target domain; train a classifier by assessing traffic characteristics of traffic flows for the various services (e.g., in terms of SPLT information, byte distribution information, flow statistics or counts, combinations thereof), or any other traffic characteristics available to the device teaches based on a plurality of traffic flow information features of the target domain using the model); and 
determining whether a service is … by identifying the service hosted on the target domain based on the at least one encrypted traffic analytics feature (para. [0050]: Next, the device may assess the classification results to determine which classification label is most applicable to the traffic. For example, the device may choose the label reported by the classifier with the highest classification score, to identify the service that is most likely associated with the encrypted traffic; para. [0056]: At step 525, as detailed above, the device may prioritize the encrypted traffic flow based on the identified service associated with the traffic flow. In particular, the device may maintain a mapping of traffic priorities for the different service types, based on the QoS requirements of each type of traffic flow. For example, the device may assign a high priority to traffic for a real-time media streaming service, since delays, jitter, packet loss, etc., can impact the user experience. Conversely, the device may assign a lower priority to traffic associated with an online email service, as a slight delay is unlikely to impact the user experience. In further embodiments, the device may base the priority in part on the reputation score of the domain. For example, if the domain has a low reputation score, the device may nonetheless assign a low priority to the encrypted traffic, regardless of the associated service. Procedure 500 then ends at step 530. 
--- It is noted that to identify the service that is most likely associated with the encrypted traffic based on the label reported by the classifier teaches determining by identifying the service hosted on the target domain based on the at least one encrypted traffic analytics feature; prioritize the encrypted traffic flow based on the identified service associated with the traffic flow based on the priority in part on the reputation score of the domain, which suggests a possibility to determine whether a service is benign or malware).
Reddy is silent about: 
for each domain of the plurality of domains, generating a model …;
[selecting] a model among the models in the database …;
determining whether [a service] is benign or malware …
Baldi, in the same field of endeavor, teaches: 
for each domain of the plurality of domains, generating a model … (para. [0069]: The method further comprises, for each of the plurality of core domains, generating one or more models of traffic activity resulting from access to the corresponding primary service by a network flow);
[selecting] a model among the models in the database … (para. [0069]: The method further comprises, for each of the plurality of core domains, generating one or more models of traffic activity resulting from access to the corresponding primary service by a network flow. The method also comprises, based on the one or more models of traffic activity, associating real-time network traffic flows to a selected one of the core domains. --- It is noted that based on the one or more models teaches a model among the models in the database; generated one or more models corresponds to the database; to a selected one of the core domains corresponds to for the target domain).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Reddy’s system by enhancing Reddy’s system to generate a model for each domain, as taught by Baldi, in order to limit the classifiers to only the services associated with the domain. 
The motivation is to reduce the number of classifiers that need to be applied to the traffic flow by limiting the classifiers to only the services associated with the domain.
Reddy in view of Baldi is silent about: 
determining whether [a service] is benign or malware …
Kohout, in the same field of endeavor, teaches: 
determining whether [a service] is benign or malware … (para. [0032]: In general, classifier process 248 may execute one or more machine learning-based classifiers to classify encrypted traffic in the network for any number of purposes. In one embodiment, classifier process 248 may assess captured traffic data to determine whether a given traffic flow or set of flows are caused by malware in the network. … In further embodiments, classifier process 248 may classify the gathered traffic data to detect other anomalous behaviors (e.g., malfunctioning devices, misconfigured devices, etc.), traffic pattern changes (e.g., a group of hosts begin sending significantly more or less traffic), or the like. --- It is noted that determine whether a given traffic flow or set of flows are caused by malware in the network teaches determining whether a service (by monitoring a given traffic flow) is benign or malware).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Reddy in view of Baldi’s system by enhancing Reddy in view of Baldi’s system to determine whether a given traffic flow is caused by a malicious service, as taught by Kohout, in order to identify any harmful activities taking place on services over a computer network. 
The motivation is to protect the computer network from malicious traffic generated by a malicious service even though the traffic exchanged by these services is encrypted.
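The claimed method (per-domain models mapping flow-information features to an encrypted traffic analytics feature, a database of those models, nearest-model selection for a domain observed with flow data only, and a benign/malware verdict for the hosted service) is illustrated below with an added, self-contained sketch; it is not code from the office action, the applicant, or any of the cited patents. All telemetry, the feature names (`bytes_out`, `bytes_in`, `packets`, `duration_s`, `byte_entropy`), the service labels and the similarity threshold `max_distance` are constructed assumptions for the illustration; when no stored model is close enough, the verdict is deliberately "unknown" rather than a guess.

```python
"""Added illustration of the claimed workflow; telemetry below is constructed."""
import math
from dataclasses import dataclass
from statistics import mean

# Traffic-flow information available from flow records alone (assumed names).
FLOW_KEYS = ("bytes_out", "bytes_in", "packets", "duration_s")


@dataclass
class DomainModel:
    domain: str
    centroid: list   # mean flow-feature vector of the domain's training flows
    rows: list       # (flow vector, ETA feature, service): the learned mapping


def flow_vec(rec):
    return [float(rec[k]) for k in FLOW_KEYS]


def build_model(domain, records):
    """One model per domain: flow features -> ETA feature (here byte entropy)."""
    vecs = [flow_vec(r) for r in records]
    centroid = [mean(col) for col in zip(*vecs)]
    rows = [(v, r["byte_entropy"], r["service"]) for v, r in zip(vecs, records)]
    return DomainModel(domain, centroid, rows)


def build_database(telemetry):
    """Combine per-domain models; also derive per-feature ranges for scaling."""
    db = {d: build_model(d, recs) for d, recs in telemetry.items()}
    all_vecs = [v for m in db.values() for v, _, _ in m.rows]
    scale = [(max(c) - min(c)) or 1.0 for c in zip(*all_vecs)]
    return db, scale


def distance(a, b, scale):
    """Range-normalised Euclidean distance so byte counts don't swamp durations."""
    return math.sqrt(sum(((x - y) / s) ** 2 for x, y, s in zip(a, b, scale)))


def select_model(db, scale, target_vecs):
    """Pick the stored model whose flow-feature centroid is closest to the target."""
    centroid = [mean(col) for col in zip(*target_vecs)]
    best = min(db.values(), key=lambda m: distance(centroid, m.centroid, scale))
    return best, distance(centroid, best.centroid, scale)


def infer_eta(model, scale, vec):
    """Nearest training flow in the selected model supplies the ETA feature."""
    _, eta, service = min(model.rows, key=lambda row: distance(vec, row[0], scale))
    return eta, service


def classify_target(db, scale, verdicts, flow_only_records, max_distance=0.5):
    vecs = [flow_vec(r) for r in flow_only_records]
    model, d = select_model(db, scale, vecs)
    if d > max_distance:  # no sufficiently similar domain: refuse to guess
        return {"model": None, "distance": d, "eta": None,
                "service": None, "verdict": "unknown"}
    inferred = [infer_eta(model, scale, v) for v in vecs]
    services = [s for _, s in inferred]
    service = max(set(services), key=services.count)  # majority vote
    return {"model": model.domain, "distance": d,
            "eta": mean(e for e, _ in inferred),
            "service": service, "verdict": verdicts[service]}


# Constructed ETA-enriched training telemetry for three known domains.
TRAINING = {
    "cdn.example": [
        dict(bytes_out=2000, bytes_in=500000, packets=400, duration_s=60,
             byte_entropy=7.9, service="video-stream"),
        dict(bytes_out=2500, bytes_in=600000, packets=450, duration_s=70,
             byte_entropy=7.8, service="video-stream")],
    "mail.example": [
        dict(bytes_out=3000, bytes_in=20000, packets=40, duration_s=5,
             byte_entropy=6.1, service="webmail"),
        dict(bytes_out=3500, bytes_in=25000, packets=45, duration_s=6,
             byte_entropy=6.0, service="webmail")],
    "beacon.example": [
        dict(bytes_out=400, bytes_in=300, packets=6, duration_s=1,
             byte_entropy=5.2, service="c2-beacon"),
        dict(bytes_out=450, bytes_in=350, packets=6, duration_s=1,
             byte_entropy=5.3, service="c2-beacon")],
}
VERDICTS = {"video-stream": "benign", "webmail": "benign", "c2-beacon": "malware"}

# Constructed flow-only telemetry for domains never seen with ETA data.
TARGETS = {
    "unknown.example": [dict(bytes_out=420, bytes_in=320, packets=6, duration_s=1),
                        dict(bytes_out=460, bytes_in=360, packets=7, duration_s=1)],
    "mailbox.example": [dict(bytes_out=3100, bytes_in=21000, packets=41, duration_s=5)],
    "bulk.example": [dict(bytes_out=60000, bytes_in=100, packets=900, duration_s=300)],
}

DATABASE, SCALE = build_database(TRAINING)


def run_demo():
    return {d: classify_target(DATABASE, SCALE, VERDICTS, recs) for d, recs in TARGETS.items()}


if __name__ == "__main__":
    for domain, result in run_demo().items():
        print(domain, result["model"], result["service"], result["verdict"])
```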

Regarding Claim 3: 
Reddy in view of Baldi and Kohout teaches:
The method of claim 1, 
Reddy further teaches:
wherein the traffic flow information for the target domain is enriched with the at least one encrypted traffic analytics feature (paras. [0043]-[0047]: The networking device may train a given traffic flow classifier by analyzing any number of characteristics of traffic flows associated with the possible services. For example, the classifier may take into account any or all of the following information, among other flow information: Sequence of packet lengths and arrival times (SPLT) information; Byte distribution information (e.g., relative frequency for each byte in a flow, entropy of the flow computed over the full byte distribution, mean and standard deviation of the bytes, etc.); TLS data types (e.g., a list of offered cipher suites, the selected cipher suite, the length of the clientKeyExchange field, etc.); Flow statistics or counts (e.g., the number of inbound bytes, the number of outbound bytes, the number of outbound packets, the source port and destination port. --- It is noted that the classifier may take into account any or all of the following information…, for example, Sequence of packet lengths and arrival times (SPLT) information teaches the traffic flow information for the target domain is enriched with the at least one encrypted traffic analytics feature).

Regarding Claim 4: 
Reddy in view of Baldi and Kohout teaches:
The method of claim 3.
Reddy further teaches:
wherein the target domain hosts at least two different services; and wherein identity information associated with each service of the at least two different services is obtained using the traffic flow information that has been enriched with the at least one encrypted traffic analytics feature (para. [0042]: In particular, if there is more than one service associated with the domain, the device may use a classifier that has been trained to distinguish between those services, to monitor the flow; paras. [0043]-[0047]: The networking device may train a given traffic flow classifier by analyzing any number of characteristics of traffic flows associated with the possible services. For example, the classifier may take into account any or all of the following information, among other flow information: Sequence of packet lengths and arrival times (SPLT) information; Byte distribution information (e.g., relative frequency for each byte in a flow, entropy of the flow computed over the full byte distribution, mean and standard deviation of the bytes, etc.); TLS data types (e.g., a list of offered cipher suites, the selected cipher suite, the length of the clientKeyExchange field, etc.); Flow statistics or counts (e.g., the number of inbound bytes, the number of outbound bytes, the number of outbound packets, the source port and destination port. --- It is noted that there is more than one service associated with the domain teaches the target domain hosts at least two different services; the classifier may take into account any or all of the following information…, for example, Sequence of packet lengths and arrival times (SPLT) information teaches identity information associated with each service of the at least two different services is obtained using the traffic flow information that has been enriched with the at least one encrypted traffic analytics feature).

Regarding Claim 5: 
Reddy in view of Baldi and Kohout teaches:
The method of claim 4, further comprising …
Reddy further teaches:
identifying one of the at least two different services … (para. [0042]: In particular, if there is more than one service associated with the domain, the device may use a classifier that has been trained to distinguish between those services, to monitor the flow. --- It is noted that there is more than one service associated with the domain teaches identifying one of the at least two different services).
Reddy in view of Baldi is silent about: 
identifying … services as malware. 
Kohout teaches: 
identifying … services as malware (para. [0032]: In general, classifier process 248 may execute one or more machine learning-based classifiers to classify encrypted traffic in the network for any number of purposes. In one embodiment, classifier process 248 may assess captured traffic data to determine whether a given traffic flow or set of flows are caused by malware in the network. … In further embodiments, classifier process 248 may classify the gathered traffic data to detect other anomalous behaviors (e.g., malfunctioning devices, misconfigured devices, etc.), traffic pattern changes (e.g., a group of hosts begin sending significantly more or less traffic), or the like. --- It is noted that determine whether a given traffic flow or set of flows are caused by malware in the network teaches identifying services (by monitoring a given traffic flow) as malware). 
The motivation for claim 1 is applicable for claim 5.

Regarding Claim 6: 
Reddy in view of Baldi and Kohout teaches:
The method of claim 1.
Reddy further teaches:
wherein the encrypted traffic analytics information includes one or more of sequence of packet lengths and times (SPLT), byte distribution, initial data packet (IDP) information, or transport layer security (TLS) data (paras. [0043]-[0047]: The networking device may train a given traffic flow classifier by analyzing any number of characteristics of traffic flows associated with the possible services. For example, the classifier may take into account any or all of the following information, among other flow information: Sequence of packet lengths and arrival times (SPLT) information; Byte distribution information (e.g., relative frequency for each byte in a flow, entropy of the flow computed over the full byte distribution, mean and standard deviation of the bytes, etc.); TLS data types (e.g., a list of offered cipher suites, the selected cipher suite, the length of the clientKeyExchange field, etc.); Flow statistics or counts (e.g., the number of inbound bytes, the number of outbound bytes, the number of outbound packets, the source port and destination port).

Regarding Claim 7: 
Reddy in view of Baldi and Kohout teaches:
The method of claim 1.
Reddy further teaches:
wherein the traffic flow information includes one or more of a port number, transferred bytes, transferred packets, Internet Protocol (IP) addresses, elapsed time, periodicity, flow rate, protocol, collector interface, or Transmission Control Protocol (TCP) flags (para. [0013]: The various nodes/devices 200 may exchange data packets 106 (e.g., traffic/messages) via communication network 100 over links 102 using predefined network communication protocols such as the Transmission Control Protocol/Internet Protocol (TCP/IP), User Datagram Protocol (UDP), Asynchronous Transfer Mode (ATM) protocol, Frame Relay protocol, or any other suitable protocol).

Regarding claim 8:
Claim 8 recites a non-transitory computer readable storage media which corresponds to a method of claim 1, and additionally contains a processor and instructions. 
However, Reddy teaches a processor and instructions (claim 10: a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor).
Therefore claim 8 is rejected by applying the same rationale used to reject claim 1 above and the teachings discussed above.

Regarding claim 10:
Claim 10 recites the non-transitory computer readable storage media which corresponds to the method of claim 3, and contains no additional limitations. Therefore claim 10 is rejected by applying the same rationale used to reject claim 3 above.

Regarding claim 11:
Claim 11 recites the non-transitory computer readable storage media which corresponds to the method of claim 4, and contains no additional limitations. Therefore claim 11 is rejected by applying the same rationale used to reject claim 4 above.

Regarding claim 12:
Claim 12 recites the non-transitory computer readable storage media which corresponds to the method of claim 5, and contains no additional limitations. Therefore claim 12 is rejected by applying the same rationale used to reject claim 5 above.

Regarding claim 13:
Claim 13 recites the non-transitory computer readable storage media which corresponds to the method of claim 6, and contains no additional limitations. Therefore claim 13 is rejected by applying the same rationale used to reject claim 6 above.

Regarding claim 14:
Claim 14 recites the non-transitory computer readable storage media which corresponds to the method of claim 7, and contains no additional limitations. Therefore claim 14 is rejected by applying the same rationale used to reject claim 7 above.

Regarding claim 15:
.
However, Reddy further teaches: 
a communication interface configured to enable network communications with a plurality of devices in a network; and a processor coupled with the communication interface (claim 10: a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor).
Therefore claim 15 is rejected by applying the same rationale used to reject claim 1 above and the teachings discussed above.

Regarding claim 18:
Claim 18 recites the apparatus which corresponds to the method of claim 4, and contains no additional limitations. Therefore claim 18 is rejected by applying the same rationale used to reject claim 4 above.

Regarding claim 19:
Claim 19 recites the apparatus which corresponds to the method of claim 5, and contains no additional limitations. Therefore claim 19 is rejected by applying the same rationale used to reject claim 5 above.

Regarding claim 20:
Claim 20 recites the apparatus which corresponds to the method of claim 6, and contains no additional limitations. Therefore claim 20 is rejected by applying the same rationale used to reject claim 6 above.

Regarding claim 22:
Reddy in view of Baldi and Kohout teaches: 
The method of claim 1. 
Reddy further teaches: 
wherein the target domain hosts at least two different services, and the method further comprising: identifying type of each of the at least two different services based on the at least one encrypted traffic analytics feature (para. [0042]: In particular, if there is more than one service associated with the domain, the device may use a classifier that has been trained to distinguish between those services, to monitor the flow; para. [0056]: In particular, the device may maintain a mapping of traffic priorities for the different service types, based on the QoS requirements of each type of traffic flow. For example, the device may assign a high priority to traffic for a real-time media streaming service, since delays, jitter, packet loss, etc., can impact the user experience. Conversely, the device may assign a lower priority to traffic associated with an online email service, as a slight delay is unlikely to impact the user experience; para. [0027]: The techniques herein provide a mechanism that leverages external information to more accurately classify encrypted flows. In some aspects, the techniques herein propose using service tags as part of a DNS lookup, to identify the types of services associated with a particular domain and classify its associated traffic flows. --- It is noted that there is more than one service associated with the domain teaches the target domain hosts at least two different services; maintain a mapping of traffic priorities for the different service types and assign a priority to traffic according to a real-time media streaming service or an online email service teaches identifying type of each of the at least two different services based on the at least one encrypted traffic analytics feature).

Regarding claim 23:


Regarding claim 24:
Claim 24 recites the apparatus which corresponds to the method of claim 22, and contains no additional limitations. Therefore claim 24 is rejected by applying the same rationale used to reject claim 22 above.

Regarding claim 25:
Claim 25 recites the apparatus which corresponds to the method of claim 6, and contains no additional limitations. Therefore claim 25 is rejected by applying the same rationale used to reject claim 6 above.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Katzir et al. (US 2018/0109542 A1; hereinafter, “Katzir”) discloses a method to ascertain the correspondence between the encrypted blocks and the unencrypted blocks by comparing respective durations of the encrypted blocks to respective durations of the unencrypted blocks, and Ollmann (US 2010/0107257 A1; hereinafter, “Ollmann”) discloses computer systems and software for detecting presence of malicious software, such as, a malicious service agent running on a computer system.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to WANSIK YOU whose telephone number is (571)270-3360.  The examiner can normally be reached on 7:30-5:30 M-Th.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ASHOKKUMAR PATEL can be reached on (571)-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/W.Y./Examiner, Art Unit 2491

/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491