DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims:
Claims 1-7, 9-13 and 15-22 are pending in this Office Action.
Claims 1, 6, 9-12, 15, 17-18 and 20 are amended.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
s 1-7, 9-11 and 15-17 are rejected under 35 U.S.C. 103 as being unpatentable over Srinivas et al. (US 2015/0113132 A1) in view of Bhagavatula et al. (US 2016/0007218 A1).

In regards to claim 1, Srinivas teaches a method comprising:
automatically discovering, by a packet broker in a visibility network, an entity in a core network (For packet broker see Fig. 1 and paragraph [0055], “In one embodiment, the present system and method intelligently and dynamically programs a network packet broker 126 to gain access to the traffic it needs”; where the packet broker is part of a collector per paragraph [0078]; and the collector automatically discovers network elements in an enterprise network from the raw data, see Fig. 2A-2B for enterprise network and see paragraph [0075], “The raw data includes data that can be collected or crawled by a collector or a manager... The raw data can further include statistical, topological and configuration data--received either from network elements directly, or via an intervening controller or a manager... Similarly, topology information can be gleaned from a SDN controller if available” and see paragraph [0183], “While an explicit machine-to-machine programmability (e.g., SDN controller) may not be required in some embodiments, it may be required for the present system to discover the configuration state and capabilities of the various network elements in other embodiments”);
setting up, by the packet broker in the visibility network, a filter associated with the discovered entity of the core network (collector can access network traffic of the wireless controller or network element including access point per paragraph [0065]; and for filters specifically see paragraph [0077], “Crawling herein refers to an act of dynamically selecting a different set of raw data for the collectors to examine at any given time. For example, crawling includes observing different physical or virtual links, and applying different filters to the raw data”);
selecting, by the packet broker in the visibility network (See Fig. 1 and paragraph [0055] In one embodiment, the present system and method intelligently and dynamically programs a network packet broker 126 to gain access to the traffic it needs; and for selecting see citation below), based on a pattern of network traffic of the core network (see trends/patterns in paragraph [0067], “For example at a particular time interval, a user/device may have poor page load times, high transmission control protocol (TCP) retransmits, low signal-to-noise ratio (SNR), high AP channel utilization. The present system and method collects and stores this time series data, and analyzes the time series data for trends/patterns over time and other dimensions”), a machine learning model (selects to use machine learning for higher layer information in paragraph [0055], “A portion of the present system and method performs as a network security and performance tool…The present system and method also summarizes and indexes higher layer information about users, applications, devices, behaviors, and the like (e.g., via machine learning), and enables the higher layer information to be queried using a natural language processing technique”) to be trained (see training/re-training in paragraph [0140], “The second process is a global process that runs periodically to update a learning model (e.g., re-training the classification algorithm), as well as re-summarize past data”; also see training in paragraphs [0071, 0155, 0159]);
training, by the packet broker in the visibility network, the machine learning model (see training/re-training in paragraph [0140], “The second process is a global process that runs periodically to update a learning model (e.g., re-training the classification algorithm), as well as re-summarize past data”; also see training in paragraphs [0071, 0155, 0159]);
applying, by the packet broker in the visibility network (a “collector” includes a “network packet broker equivalent (NPBE) functionality”, where the collector additionally can perform all the functionality of a “manager”; for collector including NPBE functionality see paragraph [0078], “The present system and method dynamically programs one or more NPBE devices with filtering and steering rules to get selected access to the data… In one embodiment, the NPBE is one or more software elements, for example, running as part of the collector; and for collector including manager functionality see paragraph [0137], “Summarization and indexing functionalities are implemented in a manager although it is possible to embed some or all of this functionality in a collector as well”) the trained machine learning model to the network traffic that is replicated from the core network (For applying the machine learning model Summarization and indexing functionalities can be embedded in collector, see paragraph [0054], “The network packet broker 126 (or a matrix switch) gathers, aggregates and filters network traffic from port mirrors, network TAPs, and probes”; and paragraph [0055], “In one embodiment, the present system and method intelligently and dynamically programs a network packet broker 126 to gain access to the traffic it needs. The present system and method also summarizes and indexes higher layer information about users, applications, devices, behaviors, and the like (e.g., via machine learning), and enables the higher layer information to be queried using a natural language processing technique”));
detecting, by the packet broker based on the applying of the trained machine learning model, that a network traffic anomaly has occurred or is occurring in the core network (see paragraph [0154], “Another example concerns detecting application behaviors. For example, the machine learning at the manager can identify that the presence of certain packets (e.g., HTTP error packets) indicate certain types of errors; and paragraph [0178], “According to some embodiments, the present system and method involves using the visibility of the network and controlling the network. An example of controlling the network is enforcing a higher-layer policy throughout the network. Another example is automatic problem and security/anomaly/performance remediation where applicable”); and 
in response to the detecting, applying, by the packet broker (see paragraphs [0178-0182], “Another example is automatic problem and security/anomaly/performance remediation where applicable. The present system and method may implement a network control in (a) a manual, or prescribed control, and (b) an automatic closed loop control... Examples of the high-level control objectives include, but are not limited to: Block user X from accessing the network, Maintain high performance for Application Y, Detect and mitigate denial of service (DOS) attacks, and Prioritize user class Z traffic”), the filter associated with the discovered entity of the core network to steer the network traffic from the core network related to the network traffic anomaly to one or more analytic tools (see applying various filters to the data in paragraph [0077] including filtering and steering rules per paragraph [0078]; and for steering to tools including a network manager see paragraph [0054], “The network packet broker 126 serves the filtered network traffic to network security and performance tools as per their network security and performance tools” and paragraph [0131] Small raw data (e.g., statistics, topology) can be compressed and sent to the manager. However, intelligent feature extraction is required to send a large data to the manager. An example of a large data is statistical data (e.g., average link utilization). Similarly, the performance test results might be reduced down to specific features (e.g., average HTTP response time, presence of an anomaly in the performance test”).
Although Srinivas teaches selecting, by the packet broker in the visibility network, based on a pattern of network traffic of the core network, a machine learning model as shown above, Srinivas does not specifically disclose: the selecting is also based from a plurality of machine learning models associated with a parameter of the core network.
Bhagavatula teaches selecting a machine learning model based from a plurality of machine learning models associated with a first parameter of the core network (first parameter is interpreted as performance including “throughput” per paragraph [0003]; and performance estimation algorithm described in paragraph [0042] uses one of the machine learning algorithms/models described in paragraphs [0043-0044]).
It would have been obvious to one of ordinary skill in the art before the effective filing date to create the invention of Srinivas which teaches applying a machine learning model to further include where the selecting is also based from a plurality of machine learning models associated with a first 

In regards to claim 2, the modified Srinivas teaches the method of claim 1, wherein the plurality of machine learning models comprise a plurality of time-series models configured to model changes in value of the parameter of the core network over time (see paragraph [0067], “The present system and method collects and stores this time series data, and analyzes the time series data for trends/patterns over time and other dimensions (e.g., device type, location)”; and see [Bhagavatula] paragraph [0041], “the performance estimation algorithm 102 for each device is adaptively tuned. In one embodiment, the one or more communication devices 103.sub.1-N are operable to train the performance estimation algorithm 102 by updating the performance estimation algorithm 102 as a function of one or more criteria including at least one of: time of day, time of the week”).

In regards to claim 3, the modified Srinivas teaches the method of claim 1, wherein the plurality of machine learning models comprise a plurality of protocol language models configured to model valid message exchanges with respect to a particular network protocol in the core network (see paragraph [0068], “According to some embodiments, the present system and method analyzes for trends/patterns is across networks. For example, the present system and method identifies the specific network/protocol/wireless metrics to determine the application performance”; and see paragraphs [0140-0151], “From the set of input features and relevant input data, the present system and method uses two background processes to summarize (i.e., extract higher-layer information) and index the summarized data… The second process is a global process that runs periodically to update a learning model (e.g., re-training the classification algorithm), as well as re-summarize past data. Examples of the higher layer information include, but are not limited to: [0141] Users; [0142] Applications; [0143] Protocols; [0144] Device; [0145] Content; [0146] Network and Physical Location (Telemetry); and [0147] Derived metadata, including: [0148] Learned relationships between the above (e.g., User X tend to access applications of type Y, tend to generate Z amount of traffic), [0149] Learned attributes of the above (e.g., rate of change vs. "stickiness" of the relationships), [0150] Learned behaviors about the above (e.g., this application appears to be having TCP issues, this user appears to be doing something malicious), and [0151] Learned changes in behavior of the above (e.g., this application has had an abnormally high set of errors, this application is using abnormally high bandwidth)”).

In regards to claim 4, the modified Srinivas teaches the method of claim 1, wherein the training comprises: 
training, by the packet broker, the machine learning model (see claim 1 citations for training the machine learning model) using historical traffic data collected from the core network (see paragraph [0067], “The present system and method collects and stores this time series data, and analyzes the time series data for trends/patterns over time and other dimensions (e.g., device type, location)”; and paragraph [0140], “The second process is a global process that runs periodically to update a learning model (e.g., re-training the classification algorithm), as well as re-summarize past data)”; and see [Bhagavatula] paragraph [0023], “In one embodiment, active probing is initiated when there is a need to update the performance estimation algorithm. Thereafter, the performance estimation algorithm is trained via passive operational probing data”; where passive data is collected operational data per [Bhagavatula] paragraph [0013]).

In regards to claim 5, the modified Srinivas teaches the method of claim 1, wherein the training comprises: 
training, by the packet broker, the machine learning model (see claim 1 citations for training the machine learning model) using live traffic data replicated from the core network (see paragraph [0140], “From the set of input features and relevant input data, the present system and method uses two background processes to summarize (i.e., extract higher-layer information) and index the summarized data. The incremental process acts upon the reception of any new raw (i.e., un-summarized) feature data or any data update that causes previously indexed information to be immediately erroneous (e.g., a user changed IP address). This process runs a heuristic classification algorithm to summarize the raw features; and paragraph [0156] According to another embodiment, the present system and method performs, in real time, a segment-by-segment analysis of a particular user/application/device's traffic”).

In regards to claim 6, the modified Srinivas teaches the method of claim 1, wherein the applying the trained machine learning model comprises: 
determining, from the network traffic replicated from the core network, an actual value of the parameter of the core network modeled by the trained machine learning model (see paragraph [0140], “From the set of input features and relevant input data, the present system and method uses two background processes to summarize (i.e., extract higher-layer information) and index the summarized data. The incremental process acts upon the reception of any new raw (i.e., un-summarized) feature data or any data update that causes previously indexed information to be immediately erroneous (e.g., a user changed IP address). This process runs a heuristic classification algorithm to summarize the raw features”); and
determining, using the trained machine learning model, an expected value of the parameter of the core network (see paragraphs [0140-0151], “The second process is a global process that runs periodically to update a learning model (e.g., re-training the classification algorithm), as well as re-summarize past data. Examples of the higher layer information include, but are not limited to: [0141] Users; [0142] Applications; [0143] Protocols; [0144] Device; [0145] Content; [0146] Network and Physical Location (Telemetry); and [0147] Derived metadata, including: [0148] Learned relationships between the above (e.g., User X tend to access applications of type Y, tend to generate Z amount of traffic), [0149] Learned attributes of the above (e.g., rate of change vs. "stickiness" of the relationships), [0150] Learned behaviors about the above (e.g., this application appears to be having TCP issues, this user appears to be doing something malicious), and [0151] Learned changes in behavior of the above (e.g., this application has had an abnormally high set of errors, this application is using abnormally high bandwidth”).

In regards to claim 7, the modified Srinivas teaches the method of claim 6, wherein the detecting comprises: 
determining that a discrepancy between the actual value and the expected value (see paragraph [0151], “Learned changes in behavior of the above (e.g., this application has had an abnormally high set of errors, this application is using abnormally high bandwidth)”) exceeds a predefined threshold (performance can be compared to threshold, see [Bhagavatula] paragraph [0019], “the performance estimation algorithm performs updates as follows. First, an initial step size is defined. If the throughput estimation using passive data is determined to be too low by the active probing data, then this throughput estimation is increased proportional to the step size. If the throughput estimation using passive data is determined to be too high by the active probing data, then this throughput estimation is decreased proportional to the step size. The terms "low" and "high" refer to programmable or predetermined thresholds distinct from one another”).

In regards to claim 9, the modified Srinivas teaches the method of claim 1, wherein the parameter of the core network comprises at least one of a subscriber attach rate, a paging rate, a data throughput, or packets per second (see claim 1 [Bhagavatula] performance estimation algorithm in paragraph [0041] where performance includes “throughput” per paragraph [0003]).

In regards to claim 10, the modified Srinivas teaches the method of claim 1, wherein the applying the filter further comprises generating and sending metadata information associated with the steered the network traffic to the one or more analytic tools (see claim 1 for packet broker/collector steering data to analytic tools including a network manager; and see paragraph [0060], “The collector 202 captures all of these data, extracts key metadata or features, and compresses and sends the key metadata or features to the manager 201 that is located in a public cloud 220”), and the method further comprising:
in response to the detecting, metering the network traffic from the core network related to the network traffic anomaly (see claim 1 and paragraphs [0178-0182], “Another example is automatic problem and security/anomaly/performance remediation where applicable. The present system and method may implement a network control in (a) a manual, or prescribed control, and (b) an automatic closed loop control... Examples of the high-level control objectives include, but are not limited to: [0179] Block user X from accessing the network, [0180] Maintain high performance for Application Y, [0181] Detect and mitigate denial of service (DOS) attacks, and [0182] Prioritize user class Z traffic”; and also see rate-limits in paragraph [0190], “Another use case of an automatic closed loop control is where the control objective is to maintain high performance for application X. In this case, the present system and method simply programs rules that place all traffic corresponding to that application into the highest performing queue. If improved application X performance is not observer, the present system and method attempts to program rules that re-routes or rate-limits traffic from applications that share common network links with application X. If improvements are observed, the present system and method restores the performance of other applications”).

In regards to claim 11, the modified Srinivas teaches the method of claim 1, further comprising:
predicting, by the packet broker and based on the applying of the trained machine learning model, another network traffic anomaly will occur in the core network at a future point in time (see predicts in paragraph [0068], “According to some embodiments, the present system and method analyzes for trends/patterns is across networks. For example, the present system and method identifies the specific network/protocol/wireless metrics to determine the application performance. As an example, the present system and method analyzes a bad Microsoft Lync.RTM. voice application performance (e.g., mean opinion score (MOS)) across many customer networks. The present system and method learns that the most important indicator is high levels of layer 2 packet retransmissions. Based on this assessment, the present system and method predicts, for a new customer network that has high levels of layer 2 packet retransmissions, that Microsoft Lync.RTM. performance would be poor unless the packet retransmissions problem is rectified”); and
in response to the predicting, performing, by the packet broker, one or more predefined actions (paragraph [0183], “The present system computes how the control is to be achieved in a distributed manner. The control instruction sets may be probabilistically ranked in the order of predicted effectiveness”).

(See Fig. 1 and paragraph [0055], “In one embodiment, the present system and method intelligently and dynamically programs a network packet broker 126 to gain access to the traffic it needs”), the program code causing the packet broker to:
automatically discover an entity in a core network (The packet broker is part of a collector per paragraph [0078]; and the collector automatically discovers network elements in an enterprise network from the raw data, see Fig. 2A-2B for enterprise network and see paragraph [0075], “The raw data includes data that can be collected or crawled by a collector or a manager... The raw data can further include statistical, topological and configuration data--received either from network elements directly, or via an intervening controller or a manager... Similarly, topology information can be gleaned from a SDN controller if available” and see paragraph [0183], “While an explicit machine-to-machine programmability (e.g., SDN controller) may not be required in some embodiments, it may be required for the present system to discover the configuration state and capabilities of the various network elements in other embodiments”), 
wherein the core network comprises a mobile network (See Fig. 2B where enterprise network comprises access points and mobile devices per paragraph [0062], “FIG. 2B illustrates system architecture of an exemplary system deployed in an enterprise network… The wireless controller 265 controls and/or configures the access points 256 and terminates data plane traffic coming from mobile devices that are wirelessly connected to the access points 256” );
set up a filter associated with the discovered entity of the core network (collector can access network traffic of the wireless controller or network element including access point per paragraph [0065]; and for filters specifically see paragraph [0077], “Crawling herein refers to an act of dynamically selecting a different set of raw data for the collectors to examine at any given time. For example, crawling includes observing different physical or virtual links, and applying different filters to the raw data”); 
select, based on a pattern of network traffic of the core network (see trends/patterns in paragraph [0067], “For example at a particular time interval, a user/device may have poor page load times, high transmission control protocol (TCP) retransmits, low signal-to-noise ratio (SNR), high AP channel utilization. The present system and method collects and stores this time series data, and analyzes the time series data for trends/patterns over time and other dimensions” ; and for selecting see citation below), a machine learning model (selects to use machine learning for higher layer information in  paragraph [0055], “A portion of the present system and method performs as a network security and performance tool…The present system and method also summarizes and indexes higher layer information about users, applications, devices, behaviors, and the like (e.g., via machine learning), and enables the higher layer information to be queried using a natural language processing technique”) to be trained (see training/re-training in paragraph [0140], “The second process is a global process that runs periodically to update a learning model (e.g., re-training the classification algorithm), as well as re-summarize past data”; also see training in paragraphs [0071, 0155, 0159]);
train the machine learning model (see training/re-training in paragraph [0140], “The second process is a global process that runs periodically to update a learning model (e.g., re-training the classification algorithm), as well as re-summarize past data”; also see training in paragraphs [0071, 0155, 0159]);
apply the machine learning model to the network traffic that is replicated from the core network (a “collector” includes a “network packet broker equivalent (NPBE) functionality”, where the collector additionally can perform all the functionality of a “manager”; for collector including NPBE functionality see paragraph [0078] and for collector including manager functionality see paragraph [0137]; and for applying the machine learning model Summarization and indexing functionalities can be embedded in collector, see paragraph [0054], “The network packet broker 126 (or a matrix switch) gathers, aggregates and filters network traffic from port mirrors, network TAPs, and probes”; and paragraph [0055], “In one embodiment, the present system and method intelligently and dynamically programs a network packet broker 126 to gain access to the traffic it needs. The present system and method also summarizes and indexes higher layer information about users, applications, devices, behaviors, and the like (e.g., via machine learning), and enables the higher layer information to be queried using a natural language processing technique”);
detect, based on the applying of the machine learning model, that a network traffic anomaly has occurred or is occurring in the core network (see paragraph [0154], “Another example concerns detecting application behaviors. For example, the machine learning at the manager can identify that the presence of certain packets (e.g., HTTP error packets) indicate certain types of errors; and paragraph [0178] According to some embodiments, the present system and method involves using the visibility of the network and controlling the network. An example of controlling the network is enforcing a higher-layer policy throughout the network. Another example is automatic problem and security/anomaly/performance remediation where applicable”); and 
in response to the detecting, (see paragraphs [0178-0182], “Another example is automatic problem and security/anomaly/performance remediation where applicable. The present system and method may implement a network control in (a) a manual, or prescribed control, and (b) an automatic closed loop control... Examples of the high-level control objectives include, but are not limited to: Block user X from accessing the network, Maintain high performance for Application Y, Detect and mitigate denial of service (DOS) attacks, and Prioritize user class Z traffic”) apply the filter associated with the discovered entity of the core network to steer the network traffic from the core network related to the network traffic anomaly to one or more analytic tools (see applying various filters to the data in paragraph [0077] including filtering and steering rules per paragraph [0078]; and for steering to tools including a network manager see paragraph [0054], “The network packet broker 126 serves the filtered network traffic to network security and performance tools as per their network security and performance tools” and paragraph [0131] Small raw data (e.g., statistics, topology) can be compressed and sent to the manager. However, intelligent feature extraction is required to send a large data to the manager. An example of a large data is statistical data (e.g., average link utilization). Similarly, the performance test results might be reduced down to specific features (e.g., average HTTP response time, presence of an anomaly in the performance test”).
Although Srinivas teaches selecting based on a pattern of network traffic of the core network a machine learning model to be trained as well as training the machine learning model as shown above, Srinivas does not specifically disclose: the selecting is also based from a plurality of machine learning models associated with a first parameter of the core network; train a plurality of variations of the machine learning model associated with the first parameter of the core network; and the applying the machine learning model is with regards to one of the plurality of trained variations of the machine learning model based on a second parameter.
Bhagavatula teaches the selecting is also based from a plurality of machine learning models associated with a first parameter of the core network (first parameter is interpreted as performance including “throughput” per paragraph [0003]; and performance estimation algorithm described in paragraph [0042] uses one of the machine learning algorithms/models described in paragraphs [0043-0044]);
train a plurality of variations of the machine learning model associated with the first parameter of the core network; and the applying the machine learning model is with regards to one of the plurality of trained variations of the machine learning model based on a second parameter (second parameter relates to one or more criteria for “tuning” the performance estimation algorithms as described in paragraph [0041] including the criteria of time of the week; and for applying the tuned model see paragraphs [0043] and [0045]).
It would have been obvious to one of ordinary skill in the art before the effective filing date to create the invention of Srinivas which teaches applying a machine learning model to further include where the selecting is also based from a plurality of machine learning models associated with a first parameter of the core network and training a plurality of variations of the machine learning model associated with the first parameter of the core network as well as applying one of the plurality of variations of the machine learning model based on a second parameter such as taught by Bhagavatula in order that “The embodiments herein disclose a method and system for improving performance estimation of a communication device by using operational data together with active probing data to train a performance estimation algorithm. In one embodiment, after training the performance estimation algorithm using both active probing data that is accurate and passive probing data that is not intrusive, operational data is monitored regularly and used to accurately update the performance estimation without interrupting customer traffic over the network” (see paragraph [0022]).

In regards to claim 16, the modified Srinivas teaches the non-transitory computer readable storage medium of claim 15, wherein to apply the one of the plurality of trained variations of the machine learning model, the program code causes the packet broker to:
determine, from the network traffic replicated from the core network, an actual value of the first parameter of the core network modeled by the one of the plurality of trained variations of the machine learning model (paragraph [0140], “From the set of input features and relevant input data, the present system and method uses two background processes to summarize (i.e., extract higher-layer information) and index the summarized data. The incremental process acts upon the reception of any new raw (i.e., un-summarized) feature data or any data update that causes previously indexed information to be immediately erroneous (e.g., a user changed IP address). This process runs a heuristic classification algorithm to summarize the raw features”); and
determine, using the one of the plurality of trained variations of the machine learning model, an expected value of the first parameter of the core network (see paragraphs [0140-0151], “The second process is a global process that runs periodically to update a learning model (e.g., re-training the classification algorithm), as well as re-summarize past data. Examples of the higher layer information include, but are not limited to: [0141] Users; [0142] Applications; [0143] Protocols; [0144] Device; [0145] Content; [0146] Network and Physical Location (Telemetry); and [0147] Derived metadata, including: [0148] Learned relationships between the above (e.g., User X tend to access applications of type Y, tend to generate Z amount of traffic), [0149] Learned attributes of the above (e.g., rate of change vs. "stickiness" of the relationships), [0150] Learned behaviors about the above (e.g., this application appears to be having TCP issues, this user appears to be doing something malicious), and [0151] Learned changes in behavior of the above (e.g., this application has had an abnormally high set of errors, this application is using abnormally high bandwidth”),
wherein to detect that the network traffic anomaly has occurred or is occurring in the core network, the program code causes the packet broker to determine that a discrepancy between the actual value and the expected value (paragraph [0151], “Learned changes in behavior of the above (e.g., this application has had an abnormally high set of errors, this application is using abnormally high bandwidth)”) exceeds a predefined threshold (performance can be compared to threshold, see [Bhagavatula] paragraph [0019], “the performance estimation algorithm performs updates as follows. First, an initial step size is defined. If the throughput estimation using passive data is determined to be too low by the active probing data, then this throughput estimation is increased proportional to the step size. If the throughput estimation using passive data is determined to be too high by the active probing data, then this throughput estimation is decreased proportional to the step size. The terms "low" and "high" refer to programmable or predetermined thresholds distinct from one another”).

In regards to claim 17, the modified Srinivas teaches the non-transitory computer readable storage medium of claim 15, wherein the program code further causes the packet broker to:
predict, based on the applying of the one of the plurality of trained variations of the machine learning model, another network traffic anomaly will occur in the core network at a future point in time (paragraph [0068], “According to some embodiments, the present system and method analyzes for trends/patterns is across networks. For example, the present system and method identifies the specific network/protocol/wireless metrics to determine the application performance. As an example, the present system and method analyzes a bad Microsoft Lync.RTM. voice application performance (e.g., mean opinion score (MOS)) across many customer networks. The present system and method learns that the most important indicator is high levels of layer 2 packet retransmissions. Based on this assessment, the present system and method predicts, for a new customer network that has high levels of layer 2 packet retransmissions, that Microsoft Lync.RTM. performance would be poor unless the packet retransmissions problem is rectified”); and
in response to the predicting, perform one or more predefined actions (paragraph [0183], “The present system computes how the control is to be achieved in a distributed manner. The control instruction sets may be probabilistically ranked in the order of predicted effectiveness”).

Claims 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Srinivas et al. in view of Bhagavatula et al., and further in view of Rosensweig et al. (US 2014/0351414 A1).


retrieving a plurality of historical values of the parameter of the core network that is modeled by the trained machine learning model (see claim 1 and 11 for machine learning model and paragraph [0068] for predicting, and see paragraph [0067], “The present system and method collects and stores this time series data, and analyzes the time series data for trends/patterns over time and other dimensions (e.g., device type, location)”).
Srinivas does not disclose fitting the plurality of historical values to a linear regression model; and extrapolating a value of the parameter of the core network at the future point in time.
Rosensweig teaches fitting a plurality of historical values to a linear regression model (see [Rosensweig] paragraph [0007], “Yet further, a method may additionally comprise generating, by the controller, the predictive indication by: (i) applying a multi-dimensional, regression analysis process to the collected state information (e.g., linear regression process), or (ii) applying a Bayesian analysis process to the collected state information, to name two examples of processes that may be applied to the collected state information”; and paragraph [0008], “The collected state information may comprise recent and past information concerning the operation of each element in the network, or information from outside of the network, for example, and may be selected from among the group consisting of at least load-based information, error-based information and power-based information, for example”); and 
extrapolating a value of the parameter of the core network at the future point in time (determine predictive threshold crossing of the parameter, see [Rosensweig] paragraph [0009], “In one exemplary system, a controller may be operable to: collect state information associated with an element in a network; determine a time that a resource threshold crossing occurs for the element based on a predictive indication associated with the resource threshold crossing; compare the determined time to a reference time period for the element; and set a monitoring rate of the element based on the comparison. The controller maybe further operable to generate the predictive indication based on the collected state information for the element, and to set the monitoring rate for the reference time period”).
It would have been obvious to one of ordinary skill in the art before the effective filing date to create the invention of the modified Srinivas which teaches retrieving a plurality of historical values of the first parameter of the core network that is modeled by the one of the plurality of variations of the machine learning model to further include fitting a plurality of historical values to a linear regression model and extrapolating a value of the parameter of the core network at the future point in time such as taught by Rosensweig in order that “Advantageously, by providing prediction-based dynamic monitoring, the amount of overhead required to monitor elements of a network may be reduced without compromising the quality of the monitoring services provided. Moreover, the manner in which elements of a cloud-based network are monitored may be improved without exceeding overhead capabilities” (see paragraph [0025]).

In regards to claim 13, the modified Srinivas teaches the method of claim 12, wherein the predicting further comprises:
comparing the extrapolated value of the parameter of the core network at the future point in time with a predefined threshold (see claim 12 and determine predictive threshold crossing of the parameter, see [Rosensweig] paragraph [0009] In addition to the exemplary methods described above, the present invention is also directed at a system or systems for setting a monitoring rate of an element of a network. In one exemplary system, a controller may be operable to: collect state information associated with an element in a network; determine a time that a resource threshold crossing occurs for the element based on a predictive indication associated with the resource threshold crossing; compare the determined time to a reference time period for the element; and set a monitoring rate of the element based on the comparison. The controller maybe further operable to generate the predictive indication based on the collected state information for the element, and to set the monitoring rate for the reference time period).

Claims 18-20 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Srinivas et al. in view of Bhagavatula et al., and further in view of Francisco et al. (US 2016/0248655 A1).

In regards to claim 18, it is rejected for the same reasoning as claim 15 (see claim 15 citations with regards to [Srinivas] in view of [Bhagavatula]) as they are analogous in scope except for the limitations of automatically discover one or more properties associated with the entity; and wherein the core network comprises a mobile third generation (3G) network or a mobile Long Term Evolution (LTE) network.
Srinivas discloses automatically discover one or more properties associated with the entity (the collector automatically discovers network elements in an enterprise network from the raw data including statistical and configuration data, see paragraph [0075], “The raw data includes data that can be collected or crawled by a collector or a manager... The raw data can further include statistical, topological and configuration data--received either from network elements directly, or via an intervening controller or a manager... Similarly, topology information can be gleaned from a SDN controller if available” and see paragraph [0183], “While an explicit machine-to-machine programmability (e.g., SDN controller) may not be required in some embodiments, it may be required for the present system to discover the configuration state and capabilities of the various network elements in other embodiments”) ).

Francisco teaches a similar system of filtering network traffic (see paragraph [0053], “The network filters 306 are modules for receiving and processing particular types of the network traffic 108”) wherein the core network comprises a mobile third generation (3G) network or a mobile Long Term Evolution (LTE) network (filters relate to 3G and LTE data networks per paragraphs [0059-0060], “A filter-3 318 can be configured to process GPRS Tunneling Protocol-Control Plane ( GTP-C) data... The General Packet Radio Service (GPRS) is a packet orientated mobile data service of 2G (2.sup.nd generation) and 3G (3.sup.rd generation) cellular communication systems… The GPRS tunneling protocol is a group of IP-based communications protocols used to carry GPRS (General Packet Radio Service) data with GSM (Global System for Mobile communications), UMTS (Universal Mobile Telecommunication Service), and LTE (Long Term Evolution) networks”).
It would have been obvious to one of ordinary skill in the art before the effective filing date to create the invention of the modified Srinivas which teaches filtering network traffic with relation to an enterprise network to further include filtering network traffic with relation to a 3G or LTE network such as taught by Francisco in order that “Thus, it has been discovered that the network traffic system of the present invention furnishes important and heretofore unknown and unavailable solutions, capabilities, and functional aspects for a network traffic system” (see paragraph [0221]).

In regards to claims 19-20, they are rejected for the same reasoning as claims 16-17 respectively as they are analogous in scope. 

In regards to claim 22, the modified Srinivas teaches the method of claim 1, wherein:
(See Fig. 2B where enterprise network comprises access points and mobile devices per paragraph [0062], “FIG. 2B illustrates system architecture of an exemplary system deployed in an enterprise network… The wireless controller 265 controls and/or configures the access points 256 and terminates data plane traffic coming from mobile devices that are wirelessly connected to the access points 256” ),
the training comprises training, by the packet broker, the machine learning model (see claim 1 citations for training the machine learning model) using historical traffic data collected from the core network (see paragraph [0067], “The present system and method collects and stores this time series data, and analyzes the time series data for trends/patterns over time and other dimensions (e.g., device type, location)”; and paragraph [0140], “The second process is a global process that runs periodically to update a learning model (e.g., re-training the classification algorithm), as well as re-summarize past data)”; and see [Bhagavatula] paragraph [0023], “In one embodiment, active probing is initiated when there is a need to update the performance estimation algorithm. Thereafter, the performance estimation algorithm is trained via passive operational probing data”; where passive data is collected operational data per [Bhagavatula] paragraph [0013]) and using live traffic data replicated from the core network (see paragraph [0140], “From the set of input features and relevant input data, the present system and method uses two background processes to summarize (i.e., extract higher-layer information) and index the summarized data. The incremental process acts upon the reception of any new raw (i.e., un-summarized) feature data or any data update that causes previously indexed information to be immediately erroneous (e.g., a user changed IP address). This process runs a heuristic classification algorithm to summarize the raw features; and paragraph [0156] According to another embodiment, the present system and method performs, in real time, a segment-by-segment analysis of a particular user/application/device's traffic”),
(see paragraph [0140], “From the set of input features and relevant input data, the present system and method uses two background processes to summarize (i.e., extract higher-layer information) and index the summarized data. The incremental process acts upon the reception of any new raw (i.e., un-summarized) feature data or any data update that causes previously indexed information to be immediately erroneous (e.g., a user changed IP address). This process runs a heuristic classification algorithm to summarize the raw features”); and 
determining, using the trained machine learning model, an expected value of the parameter of the core network (see paragraphs [0140-0151], “The second process is a global process that runs periodically to update a learning model (e.g., re-training the classification algorithm), as well as re-summarize past data. Examples of the higher layer information include, but are not limited to: [0141] Users; [0142] Applications; [0143] Protocols; [0144] Device; [0145] Content; [0146] Network and Physical Location (Telemetry); and [0147] Derived metadata, including: [0148] Learned relationships between the above (e.g., User X tend to access applications of type Y, tend to generate Z amount of traffic), [0149] Learned attributes of the above (e.g., rate of change vs. "stickiness" of the relationships), [0150] Learned behaviors about the above (e.g., this application appears to be having TCP issues, this user appears to be doing something malicious), and [0151] Learned changes in behavior of the above (e.g., this application has had an abnormally high set of errors, this application is using abnormally high bandwidth”), and
the detecting comprises determining that a discrepancy between the actual value and the expected value (see paragraph [0151], “Learned changes in behavior of the above (e.g., this application has had an abnormally high set of errors, this application is using abnormally high bandwidth)”) exceeds a predefined threshold (performance can be compared to threshold, see [Bhagavatula] paragraph [0019], “the performance estimation algorithm performs updates as follows. First, an initial step size is defined. If the throughput estimation using passive data is determined to be too low by the active probing data, then this throughput estimation is increased proportional to the step size. If the throughput estimation using passive data is determined to be too high by the active probing data, then this throughput estimation is decreased proportional to the step size. The terms "low" and "high" refer to programmable or predetermined thresholds distinct from one another”).
Although Srinivas discloses a mobile network as shown above, Srinivas does not disclose wherein the core network comprises a mobile third generation (3G) network or a mobile Long Term Evolution (LTE) network, and the network traffic comprises general packet radio service (GPRS) tunneling protocol (GTP) traffic.
Francisco teaches a similar system of filtering network traffic (see paragraph [0053], “The network filters 306 are modules for receiving and processing particular types of the network traffic 108”) wherein the core network comprises a mobile third generation (3G) network or a mobile Long Term Evolution (LTE) network (filters relate to 3G and LTE data networks per paragraphs [0059-0060], “A filter-3 318 can be configured to process GPRS Tunneling Protocol-Control Plane ( GTP-C) data... The General Packet Radio Service (GPRS) is a packet orientated mobile data service of 2G (2.sup.nd generation) and 3G (3.sup.rd generation) cellular communication systems… The GPRS tunneling protocol is a group of IP-based communications protocols used to carry GPRS (General Packet Radio Service) data with GSM (Global System for Mobile communications), UMTS (Universal Mobile Telecommunication Service), and LTE (Long Term Evolution) networks”), and 
the network traffic comprises general packet radio service (GPRS) tunneling protocol (GTP) traffic (See GTP-C cited in paragraph [0059] above; and also see paragraph [0060], “GTP is the main protocol used by the GPRS core network to allow 2G, 3G, and WCDMA mobile networks to transmit IP packets to external networks” and also see paragraph [0061], “A filter-4 320 can be configured to process GPRS Tunneling Protocol-User plane ( GTP-U) data… The GTP-U data can be used for the transfer of user data in separated tunnels for each Packet Data Protocol (PDP) context”).
It would have been obvious to one of ordinary skill in the art before the effective filing date to create the invention of the modified Srinivas which teaches filtering network traffic with relation to an enterprise network to further include filtering network traffic with relation to a 3G or LTE network as well as the network traffic comprising GTP traffic such as taught by Francisco in order that “GTP is the main protocol used by the GPRS core network to allow 2G, 3G, and WCDMA mobile networks to transmit IP packets to external networks” (see paragraph [0060]) and “Thus, it has been discovered that the network traffic system of the present invention furnishes important and heretofore unknown and unavailable solutions, capabilities, and functional aspects for a network traffic system” (see paragraph [0221]).

Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Srinivas et al. in view of Bhagavatula et al., and further in view of Francisco et al. (US 2016/0248655 A1), and further in view of Rosensweig et al. (US 2014/0351414 A1).

In regards to claim 21, the modified Srinivas teaches the packet broker of claim 20, wherein to predict that another network traffic anomaly will occur the program code further causes the processor to:
retrieve a plurality of historical values of the first parameter of the core network that is modeled by the one of the plurality of trained variations of the machine learning model (see claims 18 and 20 for machine learning model and paragraph [0068] for predicting, and see paragraph [0067], “The present system and method collects and stores this time series data, and analyzes the time series data for trends/patterns over time and other dimensions (e.g., device type, location)”).

Rosensweig teaches fit the plurality of historical values to a linear regression model (see [Rosensweig] paragraph [0007], “Yet further, a method may additionally comprise generating, by the controller, the predictive indication by: (i) applying a multi-dimensional, regression analysis process to the collected state information (e.g., linear regression process), or (ii) applying a Bayesian analysis process to the collected state information, to name two examples of processes that may be applied to the collected state information”; and paragraph [0008], “The collected state information may comprise recent and past information concerning the operation of each element in the network, or information from outside of the network, for example, and may be selected from among the group consisting of at least load-based information, error-based information and power-based information, for example”); and 
extrapolate a value of the first parameter of the core network at the future point in time (determine predictive threshold crossing of the parameter, see [Rosensweig] paragraph [0009], “In one exemplary system, a controller may be operable to: collect state information associated with an element in a network; determine a time that a resource threshold crossing occurs for the element based on a predictive indication associated with the resource threshold crossing; compare the determined time to a reference time period for the element; and set a monitoring rate of the element based on the comparison. The controller maybe further operable to generate the predictive indication based on the collected state information for the element, and to set the monitoring rate for the reference time period”); and 
(determine predictive threshold crossing of the parameter, see [Rosensweig] paragraph [0009] In addition to the exemplary methods described above, the present invention is also directed at a system or systems for setting a monitoring rate of an element of a network. In one exemplary system, a controller may be operable to: collect state information associated with an element in a network; determine a time that a resource threshold crossing occurs for the element based on a predictive indication associated with the resource threshold crossing; compare the determined time to a reference time period for the element; and set a monitoring rate of the element based on the comparison. The controller maybe further operable to generate the predictive indication based on the collected state information for the element, and to set the monitoring rate for the reference time period).
It would have been obvious to one of ordinary skill in the art before the effective filing date to create the invention of the modified Srinivas which teaches retrieving a plurality of historical values of the first parameter of the core network that is modeled by the one of the plurality of variations of the machine learning model to further include fitting a plurality of historical values to a linear regression model and extrapolating a value of the first parameter of the core network at the future point in time as well as comparing the extrapoldated parameter with a predefined threshold such as taught by Rosensweig in order that “Advantageously, by providing prediction-based dynamic monitoring, the amount of overhead required to monitor elements of a network may be reduced without compromising the quality of the monitoring services provided. Moreover, the manner in which elements of a cloud-based network are monitored may be improved without exceeding overhead capabilities” (see paragraph [0025]).

Response to Arguments
Applicant's arguments filed 04/26/2021 have been fully considered but they are not persuasive. 	

The applicant has argued:
“Srinivas states that its “network packet broker 126 (or a matrix switch) gathers, aggregates and filters network traffic from port mirrors, network TAPs, and probes. The network packet broker 126 serves the filtered network traffic to network security and performance tools as per their network security and performance tools.” (Srinivas, ]} 54.) Although Srinivas discusses filtering network traffic, Srinivas does not disclose or suggest that its filtering is in response to the detecting that a network traffic anomaly has occurred or is occurring in the core network, as recited in the independent claims (using their respective language.)
Srinivas’s paragraphs 77 and 78 are directed to crawling raw data as “an act of dynamically selecting a different set of raw data for the collectors to examine at any given time.” (Srinivas, ]} 77. ) For example, “the total amount of traffic exceeds the bandwidth of a collector. This necessitates a device with network packet broker equivalent (NPBE) functionality that is capable of driving mirrored and filtered traffic from multiple parts of the network to the collector.” (Srinivas, ]} 78. ) Again, although Srinivas discusses crawling raw data, Srinivas does not disclose or suggest that its crawling is in response to the detecting that a network traffic anomaly has occurred or is occurring in the core network, as recited in the independent claims (using their respective language.)
Srinivas’s paragraphs 178-182 are directed to “using the visibility of the network and controlling the network,” for example, “automatic problem and security/anomaly/performance remediation where applicable.” (Srinivas, ]} 178.) “The present system and method may implement a network control in (a) a manual, or prescribed control, and (b) an automatic closed loop control.” {Id.) Srinivas provides examples of a high-level control objectives such as “Block user X from accessing the network,” “Maintain high performance for Application Y,” “Detect and mitigate denial of service (DOS) attacks,” and “Prioritize user class Z traffic.” (Srinivas, fflf 178-182.) Even assuming that Srinivas’ “automatic problem and security/anomaly/performance remediation” can be analogized to the claimed “detecting ... that a network traffic anomaly has occurred or is occurring in the core network” (which Applicant does not concede), Srinivas does not disclose or suggest that its filtering network traffic or crawling raw data (discussed above) is in response to its automatic problem and security/anomaly/performance remediation. Srinivas’ “Block user X from accessing the network,” “Maintain high performance for Application Y,” “Detect and mitigate denial of service (DOS) attacks,” and “Prioritize user class Z traffic” (Srinivas, fflf 178-182) is not the same as (and does not suggest) “applying, by the packet broker, the filter associated with the discovered entity of the core network to steer the network traffic from the core network related to the network traffic anomaly to one or more analytic tools,” as recited in the independent claims (using their respective language.)
In summary, Srinivas’ filtering network traffic (or crawling raw data) and Srinivas’ automatic problem and security/anomaly/performance remediation do not disclose or suggest “in response to the detecting [that a network traffic anomaly has occurred or is occurring in the core network], applying, by the packet broker, the filter associated with the discovered entity of the core network to steer the network traffic from the core network related to the network traffic anomaly to one or more analytic tools.” Independent claims 15 and 18 recite similar features, using their respective language” (see remarks page 10 last paragraph to page 12 second paragraph).

The examiner respectfully disagrees.
As cited in the office action, Srinivas discloses performing control (automatic remediation) in response to a problem or security/anomaly/performance issue, see paragraph [0178], “According to some embodiments, the present system and method involves using the visibility of the network and controlling the network. An example of controlling the network is enforcing a higher-layer policy throughout the network. Another example is automatic problem and security/anomaly/performance remediation where applicable. The present system and method may implement a network control in (a) a manual, or prescribed control, and (b) an automatic closed loop control. In both cases, one of the distinctions from the visibility perspective is that the binding of a higher layer policy or a control objective needs to be tracked to the specific low layer control primitives that the underlying network elements can be programmed with”.
Srinivas further discloses that specific traffic forwarding decisions are bound to an application/network performance issue in paragraph [0184], “According to some embodiments, the present system and method binds an application/network performance issue to specific traffic forwarding decisions (e.g., application slowness is caused by a set of particular source/destination IP address pairs that are highly utilizing a particular link) or a network configuration (e.g., a misconfigured maximum transmission unit (MTU))”.
Thus the examiner maintains that Srinivas teaches the argued claim limitations including being in response to detecting as well as applying the filter for the reasoning as cited in the office action as noted above.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FARHAD ALI whose telephone number is (571)270-1920.  The examiner can normally be reached on 11:00 AM - 7:30 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Edan Orgad can be reached on (571) 272-7884.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/FARHAD ALI/Examiner, Art Unit 2478    

/KODZOVI ACOLATSE/Primary Examiner, Art Unit 2478