DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 13-18 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  Claim 13 sets forth a “machine readable medium.”  However, the specification as originally filed does not explicitly define the machine readable medium, but it does define a “tangible computer readable storage medium (Para. 75). The United States Patent and Trademark Office (USPTO) is obliged to give claims their broadest reasonable interpretation consistent with the specification during proceedings before the USPTO.  See In re Zletz, 893 F.2d 319 (Fed. Cir. 1989) (during patent examination the pending claims must be interpreted as broadly as their terms reasonably allow).  The broadest reasonable interpretation of a claim drawn to a machine readable medium (also called machine readable medium and other such variations) typically covers forms of non-transitory tangible media and transitory propagating signals per se in view of the ordinary and customary meaning of computer readable media, particularly when the specification is absent an explicit definition or is silent.  See MPEP 2111.01.  When the broadest reasonable interpretation of a claim covers a signal per se, the claim must be rejected under 35 U.S.C. § 101 as covering non-statutory subject matter.  See In re Nuijten, 500 F.3d 1346, 1356-57 (Fed. Cir. 2007) (transitory embodiments are not directed to statutory subject matter) and Interim Examination Instructions for Evaluating Subject Matter Eligibility Under 35 U.S.C. § 101, Aug. 24, 2009; p. 2.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-8, 10-16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Anderson (2018/01139214) in view of Hart (US 10,452,993).
Regarding claim 1, Anderson discloses a device, comprising:
a processing system including a processor (see at least Fig. 2); and
a memory that stores executable instructions that, when executed by the processing system, facilitate performance of operations (see at least Fig. 2), the operations comprising:
collecting encrypted network traffic flow data from user interaction with an application (capturing traffic data; see at least paragraphs 0030-0031 and 0036-0039);
deriving a first set of traffic feature from the encrypted network traffic flow data collected (determining one or more data features; see at least paragraphs 0030, 0034, 0043-0044 and 0065-0070);
training a machine learning algorithm on the first set of traffic feature to classify each traffic feature in the first set of traffic feature  as associated with a type of the application or not associated with the type of the application (using a machine learning-based classifier to perform a classification of 
classifying whether an encrypted network traffic flow is associated with the type of the application by applying the machine learning algorithm to a traffic feature of the encrypted network traffic flow (using a machine learning-based classifier to perform a classification of an application executed by the client node; see at least paragraphs 0030, 0034, 0043-0044 and 0065-0070).
Anderson discloses the traffic features but is not clear about the feature vectors. 
Hart discloses a machine learning model with feature vectors; see at least the Abstract.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify Anderson by the teachings of Hart by having the above limitations so to be able to determine which users of a plurality of users are likely to access one of a plurality of files; see at least the Abstract.	

Regarding claim 2, Anderson in view of Hart disclose the device of claim 1, wherein the operations further comprise applying a generative model to the first set of traffic feature vectors to generate a second set of traffic feature vectors (the combination of the traffic features of Anderson; see at least the rejection of claim 1 and the feature vectors o Heart; see at least col. 6, lines 50-65).

Regarding claim 3, Anderson in view of Hart disclose the device of claim 2, wherein the operations further comprise training the machine learning algorithm on the second set of traffic feature vectors (the combination of the traffic features of Anderson; see at least the rejection of claim 1 and the feature vectors o Heart; see at least col. 6, lines 50-65).



Regarding claim 5, Anderson in view of Hart disclose the device of claim 4, wherein the second set of traffic feature vectors includes the first set of traffic feature vectors (the combination of the traffic features of Anderson; see at least the rejection of claim 1 and the feature vectors o Heart; see at least col. 6, lines 50-6).

Regarding claim 6, Anderson in view of Hart disclose the device of claim 1, wherein each traffic feature vector in the first set of traffic feature vectors is derived from a plurality of traffic counters, wherein each traffic counter in the plurality of traffic counters includes a domain name, a service provider, a flow size, a flow duration, a flow throughput, a periodic traffic pattern, a transport control protocol flag info, or a combination thereof (Anderson; derived from certificate data associated with the traffic flow. Such a flow may be, a TLS or SSL traffic flow; see at least paragraph 0030).

Regarding claim 7, Anderson in view of Hart disclose the device of claim 6, wherein the operations further comprise mapping the each traffic counter in the plurality of traffic counters to a traffic feature vector (Anderson; traffic features are derived from certificate data associated with the traffic flow. Such a flow may be, a TLS or SSL traffic flow; see at least paragraph 0030 in combination with Hart’s feature vector; see at least the rejection of claim 1).

Regarding claim 8, Anderson in view of Hart disclose the device of claim 7, wherein the mapping applies signature processing to the plurality of traffic counters to create the first set of traffic feature vectors (Anderson; see at least paragraph 0043 in combination with Hart’s feature vector; see at least the rejection of claim 1).

Regarding claim 10, Anderson in view of Hart disclose the device of claim 1, wherein a reward function trains the machine learning algorithm (the machine learning of Anderson and Hart; see at least the rejection of claim 1).

Regarding claim 11, Anderson in view of Hart disclose the device of claim 1, wherein the processor comprises a plurality of processors operating in a distributed processing environment (one or more processors; Anderson’ see at least paragraph 0026).

Regarding claim 12, Anderson in view of Hart disclose the device of claim 1, wherein the type of the application comprises a video application (videoconferencing application; Anderson; see at least paragraph 0038).

Claim 13 is rejected on the same grounds as claim 1.
Claim 14 is rejected on the same grounds as claims 7 and 8.
Claim 15 is rejected on the same grounds as claim 6.
Claim 16 is rejected on the same grounds as claim 8.
Claim 18 is rejected on the same grounds as claims 10, 11 and 12.
Claim 19 is rejected on the same grounds as claim 1.
Claim 20 is rejected on the same grounds as claim 10.
Claims 9 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Anderson in view of Hart and further in view of El-Moussa (US 2018/0115567).
Regarding claim 9, Anderson in view of Hart disclose the device of claim 8, and disclose the signature processing; as above, but are not clear about a fast Fourier transform.
El-Moussa discloses similar system and discloses a fast Fourier transform’ see at least paragraph 0061.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify Anderson in view of Hart by the teachings of El-Moussa by having the above limitations so to be able to identify malicious encrypted network traffic associated with a malware software component communication via a network; see at least the Abstract.	

Claim 17 is rejected on the same grounds as claim 9.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YASSIN ALATA whose telephone number is (571)270-5683.  The examiner can normally be reached on Mon-Fri 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nasser Goodarzi can be reached on 571-272-4195.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/YASSIN ALATA/Primary Examiner, Art Unit 2426