DETAILED ACTION
This action is in response to the communications filed on 04/22/2021 in which claims 1, 3, 4, 7-9, 11, 13, 14, and 17-19 are amended, claims 2 and 12 are canceled and therefore claims 1, 3-11, and 13-20 are pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 04/22/2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.
Claim Objections
Claims 10 and 20 are objected to because of the following informalities:
In claims 10 and 20, line 1, “groupings of network addresses” should be “the groupings of network addresses.”
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the 

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 4-11 and 14-20 are rejected under 35 U.S.C. 103 as being unpatentable over Kirner (US 20140373091 A1) in view of Niu ("Network Steganography based on Traffic Behavior in Dynamically Changing Wireless Sensor Networks") in further view of Lee ("iVisClustering: An Interactive Visual Document Clustering via Topic Modeling").
In regard to claims 1 and 11, Kirner teaches: A method of specifying security policies for applications executing on computers in a datacenter comprising a network and associated with network addresses, the method comprising: (Kirner, [0033] "For example, in the case of security, segmentation can be used with access control policies to define groups of managed servers 130 that are subject to particular policies [security policies]."; [0049] "the label/CC engine calculates labels/CC values based on cluster analysis. For example, the label/CC engine uses a combination of min-cut and K-means algorithms, with additional heuristics, of connected graphs to automatically identify a cluster of highly-connected managed servers 130. The cluster of managed servers 130 [computers] might correspond to an 'application' (see Table 1) in the administrative domain 150"; [0031] "M: The logical application (higher-level grouping of managed servers) to which the managed server belongs."; [0201] "The categories can be, for example, the top individual nodes that are communicating, the top pairs of nodes that are communicating, the top IP addresses [network addresses] blocked by managed servers 130, datacenter, per business unit, and per administrative domain 150.")
… defining security policies for a set of applications associated with a set of network addresses based on a set of groupings generated for the set of network addresses. (Kirner, [0032] "The logical management model enables multiple managed servers 130 to be grouped together by specifying one or more labels (referred to herein as a 'label set') that describe all of the managed servers 130 in the group."; [0033] "For example, in the case of security, segmentation can be used with access control policies to define groups of managed servers 130 that are subject to particular policies [security policies based on groupings]. Similarly, segmentation can be used with secure connectivity policies to define groups of managed servers 130 and the policies that apply to intra-group communications and inter-group communications. So, communications among a first group of managed servers 130 (specified by a first label set) can be restricted to a first secure connection setting (e.g., secure connection not required), and communications between the first group of managed servers and a second group of managed servers (specified by a second label set) can be restricted to a second secure connection setting (e.g., IPsec Encapsulating Security Payload (ESP)/Authentication Header (AH) Advanced Encryption Standard (AES)/Secure Hash Algorithm-2 (SHA-2)).[more examples of security policies based on groupings]"; [0049] "the label/CC engine calculates labels/CC values based on cluster analysis [a common technique for statistics]. For example, the label/CC engine uses a combination of min-cut and K-means algorithms, with additional heuristics, of connected graphs to automatically identify a cluster of highly-connected managed servers 130. [e.g. groupings based on statistics] The cluster of managed servers 130 might correspond to an 'application' [a set of applications] (see Table 1) in the administrative domain 150"; [0108] "an actor-set might include actor-set records whose IP addresses [network addresses] correspond to all of the managed servers 130 covered by the label set of <Role, Statistical analysis of information stored in the global security data repository 335—The global security module 390 analyzes information stored in the global security data repository 335 to determine the top 'N' items in different categories. [more examples of groupings / categories / top addresses based on statistics] The categories can be, for example, the top individual nodes that are communicating, the top pairs of nodes that are communicating, the top IP addresses [e.g. a set of network addresses based on groupings / top addresses] blocked by managed servers 130, and the top IP addresses allowed by managed servers with high risk scores.")
Kirner fails to teach, but Niu teaches: identifying flows associated with a plurality of network addresses, and (Niu, p.3 "However, different from general text data, for network packets, the authors (source/destination addresses) [network address] are included in the packet header. In this paper, we utilize this feature to achieve accurate inference by applying both word-topic and author-topic probability to infer the network flow [flows]"; p. 5 "In the same topic, 36, the top authors are 74.125.19.97, 199.7.51.72 and 98.129.192.234...")
statistics associated with the identified flows, said statistics including probabilistic values specifying a frequency for occurrence of the flow; (Niu, p. 2 IV. PROPOSED SCHEME "... We mainly use ATM [LDA / a statistical model] to discover the traffic behavior in terms of which packets are usually sent together in the flow..."; p. 4 "… ranked by the probability of a word given a topic..."; see Table II "> TCP-Data - S VIII / 0.13273, < TLSv1-Data - R VIII / 0.09138, etc. [flow information with probabilistic values]"; see Table II, User Address, e.g. 74.125.19.97 / 0.19326, 199.7.51.72 / 0.06708 [network addresses with probabilistic values])
identifying a set of traffic patterns through the network based on the identified statistics associated with the plurality of flows; (Niu, p. 2 IV. PROPOSED SCHEME "... We mainly use ATM [a statistical model] to discover the traffic behavior in terms of which packets are usually sent together in the flow (traffic pattern)...")
associating each of the plurality of network addresses with a set of traffic patterns, (Niu, p. 2 IV. PROPOSED SCHEME "In ATM, each author [network address] is associated with a multinomial distribution over topics [patterns] …"; "… what are the active/inactive times of nodes (business pattern), what traffic patterns and business patterns a given source node is likely to follow and which nodes act similarly... [nodes / network addresses with similar patterns]")
each traffic pattern associated with a particular network address with a particular probability; (Niu, p. 4-5 D. Network Behavior Discovered with ATM "In Table II... the top 3 authors for each topic [traffic pattern], ranked by... the probability of a topic given an author .., respectively."; see Table II, User Address, e.g. 74.125.19.97 / 0.19326, 199.7.51.72 / 0.06708 [topic 36: network address / a particular probability])
generating groupings of network addresses with similar distributions of traffic pattern probabilities (Niu, p. 2, III. SYSTEM MODEL "With this modeling, we can find out the most dominant sequences of packets forming some behavior, during any time interval for any node or group of nodes"; p. 2 IV. PROPOSED SCHEME "In ATM, each author is associated with a multinomial distribution over topics… [pattern distribution]"; p. 4-5 D. Network Behavior Discovered with ATM "We list... the top 3 authors for each topic, ranked by... the probability of a topic given an author... "; p.5 "In the same topic, 36, the top authors are 74.125.19.97, 199.7.51.72 and 98.129.192.234 with a sum of probability of 0.3. These three IP addresses are assigned to Google, Verisign, and Rackspace, respectively, which are web service companies. We can deduce that these nodes have similar traffic behavior, or topic that consists of similar packets to and from these nodes."; these three IP addresses can be an example of addresses in the same group.)


Kirner and Niu fail to teach, but Lee teaches: for display in a user interface. (Lee, see Figures 2 and 4 [user interface], p. 1158 "The Cluster Relation View, shown in Figure 2A, represents an overview of the LDA clustering results of a document set."; p. 1161 "Figure 4: Interactive clustering by filtering noisy data. Filtering out noisy documents leads to a clear clustering results.")
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified Kirner and Niu to incorporate the teachings of Lee by including an interactive visual analytics system for document clustering. Doing so would provide a summary of each cluster and visualize soft clustering results in parallel coordinates. (Lee, Abstract "This paper proposes an interactive visual analytics system for document clustering, called iVisClustering, based on a widely-used topic modeling method, latent Dirichlet allocation (LDA). iVisClustering provides a summary of each cluster in terms of its most representative keywords and visualizes soft clustering results in parallel coordinates. The main view of the system provides a 2D plot that visualizes cluster similarities and the relation among data items with a graph-based representation.")
Claim 11 recites substantially the same limitation as claim 1, therefore the rejection applied to claim 1 also applies to claim 11. In addition, Niu teaches: A non-transitory machine readable medium storing a program for execution by at least one processing unit, the program for generating groupings of network addresses, the program comprising sets of instructions for: (Niu, p. 4 "In this section, we CPU and 16GB RAM)…")
In regard to claims 4 and 14, Kirner, Niu and Lee teach: The method of claim 1, wherein identifying the set of traffic pattern comprises using probabilistic topic modeling to identify the set of traffic patterns. (Niu, p.2 "Author-topic model (ATM) introduced by [13] is an extended Latent Dirichlet Allocation (LDA) model [probabilistic topic modeling] that includes authorship information in addition to finding latent topics. [generate the set of topics / traffic patterns]") 
The motivation rationale for combining Kirner with Niu is the same as explained on page 7.
In regard to claims 5 and 15, Kirner, Niu and Lee teach: The method of claim 4, wherein the probabilistic topic modeling is latent Dirichlet allocation (LDA). (Niu, p.2 "Author-topic model (ATM) introduced by [13] is an extended Latent Dirichlet Allocation (LDA) model that includes authorship information in addition to finding latent topics.")
The motivation rationale for combining Kirner with Niu is the same as explained on page 7.
In regard to claims 6 and 16, Kirner, Niu and Lee teach: The method of claim 5, wherein the LDA uses network addresses of computers in networks as the documents for its analysis. (Niu, p. 3 IV. PROPOSED SCHEME "In Fig. 1(b), x indicates a given author chosen from a group of authors and d denotes a document [documents] that the authors write about."; p.3 "However, different from general text data, for network packets, the authors (source/destination addresses) [network addresses of computers] are included in the packet header. In this paper, we utilize this feature to achieve accurate inference by applying both word topic and author-topic probability to infer the network flow.")
The motivation rationale for combining Kirner with Niu is the same as explained on page 7.
In regard to claims 7 and 17, Kirner, Niu and Lee teach: The method of claim 6, wherein the LDA uses a particular plurality of statistics associated with a particular network address as a plurality of flows associated with a particular document defined by the particular network address. (Niu p.2 "We use protocol, message type, packet length, and time interval in a day [e.g. statistics of flow characteristics], to construct words for ATM"; p. 3 IV. PROPOSED SCHEME "In Fig. 1(b), x indicates a given author chosen from a group of authors and d denotes a document [documents] that the authors write about."; p.3 "However, different from general text data, for network packets, the authors (source/destination addresses) [network addresses] are included in the packet header...") (More details in Niu, p. 2, III. SYSTEM MODEL "With this modeling, we can find out the most dominant sequences of packets forming some behavior, during any time interval [e.g. statistics of flow characteristics] for any node or group of nodes [particular network address]. The result will then allow us to purposefully craft cover packets that follow certain behavior (e.g., typical behavior in the given network environment)..."; IV. PROPOSED SCHEME "... We mainly use ATM to discover the traffic behavior in terms of which packets are usually sent together in the flow (traffic pattern), what are the active/inactive times of nodes (business pattern), what traffic patterns and business patterns a given source node is likely to follow and which nodes act similarly."; p. 4-5 D. Network Behavior Discovered with ATM "In Table II, selected topics discovered by ATM are listed. We list the top 7 most likely packets (words) and the top 3 authors for each topic, ranked by the probability of a word given a topic ..and the probability of a topic given an author .., respectively."; see Table II, User Address, e.g. 74.125.19.97, 199.7.51.72 [network address])
The motivation rationale for combining Kirner with Niu is the same as explained on page 7.
In regard to claims 8 and 18, Kirner, Niu and Lee teach: The method of claim 7, wherein the statistics that are associated with a particular flow comprise at least one of a flow direction, a source port, and a destination port. (Niu, p.2 "We use protocol, message type, packet length, and time interval in a day, to construct words for ATM. For example, we can encode such information as shown in Table I (only four protocols and some common message types are shown) based on the forensics dataset used for training our model. For instance, the word TCP — ACK — B — VIII means a TCP ACK [a flow direction] packet of 64 bytes sent or received during 4-6pm."; e.g. the receiver sends an ACK back to the sender)
The motivation rationale for combining Kirner with Niu is the same as explained on page 7.
In regard to claims 9 and 19, Kirner, Niu and Lee teach: The method of claim 7, wherein the statistics that are associated with a particular flow comprise at least one of a number of bytes exchanged, a number of packets exchanged, and a duration of the flow. (Niu, p.2 "We use protocol, message type, packet length, and time interval in a day, to construct words for ATM. For example, we can encode such information as shown in Table I (only four protocols and some common message types are shown) based on the forensics dataset used for training our model. For instance, the word TCP — ACK — B — VIII means a TCP ACK packet of 64 bytes [a number of bytes exchanged] sent or received during 4-6pm.")
The motivation rationale for combining Kirner with Niu is the same as explained on page 7.
In regard to claims 10 and 20, Kirner, Niu and Lee teach: The method of claim 6, wherein generating groupings of network addresses comprises using k-means clustering. (Kirner, [0049] "the label/CC engine calculates labels/CC values based on cluster analysis. For example, the label/CC engine uses a combination of min-cut and K-means algorithms, with additional heuristics, of connected graphs to automatically identify a cluster of highly-connected managed servers 130. [e.g. groupings of network addresses]"; [0042] "The network exposure information concerns the managed server's network interfaces. In one embodiment, the network exposure information includes, for each of the managed server's network interfaces, an identifier of a ‘bidirectionally-reachable network’ (BRN) to which the network interface is attached and zero or more IP addresses [network addresses] (and their subnets) that are used for operating within the BRN")
Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Kirner in view of Niu in view of Lee in further view of Ghafir ("A Survey on Network Security Monitoring Systems").
In regard to claims 3 and 13, Kirner, Niu and Lee fail to teach, but Ghafir teaches: The method of claim 1, wherein the identified statistics comprise at least one of internet protocol flow information export (IPFIX) data (Ghafir, p. 81, C. Flow-based Observation Representatives "Flow-based observation architecture contains two main components; a flow exporter and a flow collector… 1) Flow Exporters: nProbe [29] is a commercial open-source flow exporter. Data can be exported in NetFlow v5, NetFlow v9, and IPFIX formats... 2) Flow Collectors: nProbe is not only a flow exporter, it is also a flow collector... IPFIXcol [35] is an IPFIX collector designed for high throughput networks...") and tcpdump data. (Ghafir, p. 77, A. Packet Capture Representatives "1) Tcpdump: Tcpdump is a command line tool for packet capture analysis. Tcpdump can analyze both live traffic using the libpcap library and captured packet traces in PCAP format.")
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to have modified Kirner, Niu and Lee to incorporate the teachings of Ghafir by including IPFIX or tcpdump. Doing so would include and implement the network security monitoring in the model. (Ghafir, p. 77 "This section classifies the current network security monitoring implementations into packet capture representatives, deep packet inspection representatives and flow-based observation representatives.")
Response to Arguments
Applicant's amendments with respect to claim objections have been fully considered. Claims 1 and 11 have been amended, therefore the objections to claims 1 and 11 have been withdrawn. Claims 10 and 20 have not been amended, therefore the objections to the claims 10 and 20 are maintained.
Applicant's amendments with respect to rejection of claims under 35 U.S.C. 112(b) have been fully considered and are sufficient to overcome the rejection. The rejection to the claims under 35 U.S.C. 112(b) has been withdrawn.
Applicant's arguments with respect to the rejection of the claims under 35 U.S.C. 103 have been fully considered but they are not persuasive:
(a) Applicant argues: (see p. 7 bottom, claims 1, 10): “… Niu does not disclose grouping network addresses together based on similar distributions of traffic pattern probabilities for a set of traffic patterns to generate groupings of the network addresses… Lee does not disclose further grouping network addresses based on network addresses' distributions traffic pattern probabilities and displaying those groupings in a user interface. …” 

(b) Examiner answers: As cited in the previous office action, one example of the group is 74.125.19.97, 199.7.51.72 and 98.129.192.234. In addition, Niu recites: “With this modeling, we can find out the most dominant sequences of packets forming some behavior, during any time interval for any node or group of nodes” and “In topic 24, the top words are TCP data and TCP retransmission packets, and the top authors are 65.54.95.* which are from Microsoft in Redmond. This topic has a probability of 
Figs. 2 and 5(a) show the distribution of the topic / traffic pattern, and those addresses with similar distribution are selected / grouped in Table II. Another example of the group is 65.54.95.*. Therefore, Niu teaches the claimed invention.
Examiner does not use Lee to teach this feature. Lee is used to teach displaying LDA clustering (grouping) results in a user interface.
Applicant's arguments with respect to the rejection of the claims under 35 U.S.C. 103 have been fully considered but they are moot:
(a) Applicant argues: (see p. 8 middle, claims 1, 10): “… the cited references do not disclose or suggest defining security policies for a set of applications associated with a set of network addresses based on a set of groupings generated for the set of network addresses.” 
(b) Examiner answers: the arguments do not apply to the references (Kirner) being used in the current rejection.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SU-TING CHUANG whose telephone number is (408)918-7519.  The examiner can normally be reached on Monday - Thursday 8-5 PT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kakali Chaki can be reached on (571)272-3719.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/S.C./Examiner, Art Unit 2122

/LUIS A SITIRICHE/Primary Examiner, Art Unit 2126