DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Objections
Claim 17 is objected to because of the following informalities: the claim refers to “at the network-based security platform”. There is no previous mention of a network-based security platform in the claim, so the phrase lacks antecedent basis. Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-18 are rejected under 35 U.S.C. 103 as being unpatentable over Kootayi, publication number: US 2018/0288063 in view of Yadav, publication number: US 2016/0359695.

As per claim 1, Kootayi teaches a system for accurate detection and identification of application-level threats in a computer network, said system comprising:

a network-based security platform communicatively coupled to receive data collected by the one or more nodes, said security platform including a machine learning engine configured to reconstruct each protected system’s application business logic, identify associated endpoints, data boundaries, and customary user behaviors based on said data collected by the one or more nodes, and to create customized profiles for said protected systems and make said profiles available to said nodes instantiated at the protected systems (Updating models using machine learning, [0063][0088][0095]; Machine learning, [0092][0094]).

Kootayi does not teach inspecting application-level requests in inbound network traffic to a respective protected system at which said respective node is instantiated.

In an analogous art, Yadav teaches inspecting application-level requests in inbound network traffic to a respective protected system at which said respective node is instantiated (granular inspection, [0032][0035]).

Therefore, it would have been obvious to one of ordinary skill in the art, prior to the effective filing date of the claimed invention, to modify Kootayi’s network analysis system by inspecting the traffic in more detail as described in Yadav, for the advantage of creating better models that more accurately capture the functionality of a node in the network.

As per claim 2, the combination teaches wherein the machine learning engine includes detection logic configured to apply feedback from respective monitored applications at respective ones of the protected systems to refine a respective one of the security profiles for the protected system (Kootayi: Updating, [0088][0095]).

As per claim 3, the combination teaches wherein the feedback comprises one or more of: an application response behavior analysis, a scanning approach, use of logs, hooks, or traps, or a network administrator supervised approach (Kootayi: Updating, [0088][0095]).

As per claim 4, the combination teaches wherein the nodes employ deep packet inspection to decode and analyze the network traffic (Yadav: granular inspection, [0032][0035]).

As per claim 5, the combination teaches wherein each respective one of the nodes is configured to calculate local traffic metrics that characterize applications running on a respective one of the protected systems using statistical algorithms based on character distribution functions and send said metrics to the security platform (Yadav: local analysis, [0048]).



As per claim 7, the combination teaches wherein the machine learning engine is configured to determine functions of monitored applications at the protected systems through pattern recognition by identifying features in the data provided by the nodes (Kootayi: Behavior model, [0007]).

As per claim 8, the combination teaches wherein the machine learning engine is configured to create a behavior profile for each of the application functions determined, said behavior profile consisting of a data format model and a user behavior model (Kootayi: Behavior model, [0007][0032]).

As per claim 9, the combination teaches wherein the security platform is configured to detect anomalies in the data provided by the nodes through comparisons with the behavior profile (Kootayi: Deviation, [0021][0027][0109]).



As per claim 11, the combination teaches wherein prior to providing the data, each node precalculates a profile of request features by calculating correlation metrics between request objects to understand which request parameters represent different application functions (Yadav: local analysis, [0048]).

As per claim 12, the combination teaches wherein prior to providing the data, each node precalculates a profile of request features by calculating correlation metrics between request objects to understand which request parameters represent different application functions (Yadav: Updating, [0058][0095]).

As per claim 13, Kootayi teaches a method for accurate detection and identification of application-level threats in a computer network, comprising:
at one or more nodes, each respective node associated with a respective protected system, inspecting network traffic and communicating data collected by said respective node to a network-based security platform (agent, [0063][0066][0075]);

making said profiles available to said nodes instantiated at the protected systems, and at the network-based security platform applying feedback from respective monitored applications at respective ones of the protected systems to refine the security profiles for the protected system (Updating models, [0095]).


inspecting application-level requests in inbound network traffic to the respective protected system at which said respective node is instantiated using deep packet inspection.

Kootayi does not teach inspecting application-level requests in inbound network traffic to the respective protected system at which said respective node is instantiated using deep packet inspection.

In an analogous art, Yadav teaches inspecting application-level requests in inbound network traffic to the respective protected system at which said respective node is instantiated using deep packet inspection (granular inspection, [0032][0035]).

Therefore, it would have been obvious to one of ordinary skill in the art, prior to the effective filing date of the claimed invention, to modify Kootayi’s network analysis system by inspecting the traffic in more detail as described in Yadav, for the advantage of creating better models that more accurately capture the functionality of a node in the network.

As per claim 14, the combination teaches wherein each respective one of the nodes calculates local traffic metrics that characterize applications running on a respective one of the protected systems using statistical algorithms based on character distribution functions and sends said metrics to the security platform (Yadav: local analysis, [0048]).
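For orientation on what the claim 5 and claim 14 limitations describe, the following is an added illustration written for this page; it is not code from the application under examination, from Kootayi, or from Yadav, and the cited references are not represented as implementing it. It assumes a hypothetical /login endpoint, a particular choice of character classes (alphabetic, digit, whitespace, punctuation, other), an L1 distance as the comparison, and a threshold of 1.0; the claims fix none of these. The node side computes per-parameter character-distribution metrics for each application-level request and would forward only those summaries; the platform side averages them into a per-endpoint profile (a minimal data format model) and scores new requests by their deviation from it, which is the comparison the claim 9 and claim 16 limitations recite.

```python
"""Added illustration of per-node character-distribution metrics and a
platform-side behaviour profile.  Example code written for this page; not
from the application under examination, Kootayi or Yadav.  The /login
endpoint, the character classes and the threshold are assumptions."""
import math
import string
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Assumed character classes; the claims only say "character distribution functions".
CLASSES = ("alpha", "digit", "space", "punct", "other")


def char_class(ch):
    if ch.isalpha():
        return "alpha"
    if ch.isdigit():
        return "digit"
    if ch.isspace():
        return "space"
    if ch in string.punctuation:
        return "punct"
    return "other"


def char_distribution(text):
    """Relative frequency of each character class (a probability vector)."""
    counts = Counter(char_class(c) for c in text)
    n = max(len(text), 1)
    return {k: counts[k] / n for k in CLASSES}


def shannon_entropy(text):
    """Bits per byte of the raw byte histogram; high values hint at encoded payloads."""
    if not text:
        return 0.0
    counts = Counter(text.encode("utf-8", "replace"))
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def request_metrics(method, url, body=""):
    """Node side: metrics for one application-level request, computed locally
    so only summaries (not raw parameter values) need to reach the platform."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if body:
        params.update(parse_qsl(body, keep_blank_values=True))
    return {
        "endpoint": f"{method} {parts.path}",
        "params": {
            name: {"len": len(v), "dist": char_distribution(v), "entropy": shannon_entropy(v)}
            for name, v in params.items()
        },
    }


def build_profile(metric_list):
    """Platform side: per-endpoint, per-parameter mean distribution and length
    (a minimal 'data format model' learned from observed traffic)."""
    profile = {}
    for m in metric_list:
        endpoint = profile.setdefault(m["endpoint"], {})
        for name, pm in m["params"].items():
            acc = endpoint.setdefault(name, {"n": 0, "len": 0.0, "dist": dict.fromkeys(CLASSES, 0.0)})
            acc["n"] += 1
            acc["len"] += pm["len"]
            for k in CLASSES:
                acc["dist"][k] += pm["dist"][k]
    for endpoint in profile.values():
        for acc in endpoint.values():
            acc["len"] /= acc["n"]
            acc["dist"] = {k: v / acc["n"] for k, v in acc["dist"].items()}
    return profile


def anomaly_score(profile, metrics):
    """L1 distance between each parameter's distribution and its profiled mean.
    An endpoint or parameter never seen in training counts as the maximum
    L1 distance between two probability vectors (2.0)."""
    endpoint = profile.get(metrics["endpoint"])
    score = 0.0
    for name, pm in metrics["params"].items():
        if endpoint is None or name not in endpoint:
            score += 2.0
            continue
        score += sum(abs(pm["dist"][k] - endpoint[name]["dist"][k]) for k in CLASSES)
    return score


# Constructed training traffic for a hypothetical login form (not real captures).
TRAINING = [
    ("POST", "/login", "user=alice&pass=Summer2019"),
    ("POST", "/login", "user=bob42&pass=hunter2"),
    ("POST", "/login", "user=carol_w&pass=p4ssw0rd"),
    ("POST", "/login", "user=dave&pass=letmein99"),
]
PROFILE = build_profile([request_metrics(m, u, b) for m, u, b in TRAINING])


def score_request(method, url, body="", threshold=1.0):
    """Return (score, is_anomalous) for one request against PROFILE."""
    score = anomaly_score(PROFILE, request_metrics(method, url, body))
    return score, score > threshold


if __name__ == "__main__":
    for req in [("POST", "/login", "user=erin&pass=Winter2020"),
                ("POST", "/login", "user=admin%27+OR+1%3D1--&pass=x"),
                ("GET", "/admin?cmd=ls", "")]:
        print(req, "-> score %.3f anomalous=%s" % score_request(*req))
```

On this constructed data an ordinary login scores about 0.56, a login whose user field carries a quote-and-operator payload scores about 1.30 because punctuation and whitespace displace the alphabetic mass the profile expects, and a request to an endpoint absent from the profile scores 2.0. The threshold and the four-request profile are illustrative only; a deployable version would need far more traffic per endpoint and a per-parameter variance estimate rather than a single global cut-off.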

As per claim 15, the combination teaches wherein the security platform includes a three-layered machine learning engine to create the customized security profiles composed of security rules for deployment to the one or more nodes by (a) determining functions of monitored applications at the protected systems through pattern recognition by identifying features in the data provided by the nodes, and (b) creating a behavior profile for each of the application functions so determined, said behavior profile 

As per claim 16, the combination teaches wherein the security platform detects anomalies in the data provided by the nodes through comparisons with the behavior profile (Kootayi: deviation, [0021][0027][0109]).

As per claim 17, Kootayi teaches a method for detection and identification of application-level threats in a computer network, comprising:
at the network-based security platform using a machine learning engine, iteratively producing behavior profiles for monitored applications running on protected systems by:
receiving data collected by nodes instantiated at the protected systems (Agents, [0063][0066][0075]),
reconstructing each protected system’s application business logic, and identifying associated endpoints, data boundaries, and customary user behaviors of applications running on said protected systems based on said data communicated by the one or more nodes to create customized profiles for said protected systems (Creating models using machine learning, [0063][0088][0092][0094]),

making said behavior profiles available to said nodes instantiated at the protected systems (using updated models, [0095]); and
detecting anomalies in the data provided by the nodes through comparisons with the behavior profiles (Checking for deviation, [0021][0027][0109]).

Kootayi does not teach said data obtained by the nodes using deep packet inspection of inbound network traffic to the protected systems.

In an analogous art, Yadav teaches said data obtained by the nodes using deep packet inspection of inbound network traffic to the protected systems (granular inspection, [0032][0035]).

Therefore, it would have been obvious to one of ordinary skill in the art, prior to the effective filing date of the claimed invention, to modify Kootayi’s network analysis system by inspecting the traffic in more detail as described in Yadav, for the advantage of creating better models that more accurately capture the functionality of a node in the network.



Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLUGBENGA O IDOWU whose telephone number is (571)270-1450.  The examiner can normally be reached on Monday-Friday 8am - 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim, can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  






/OLUGBENGA O IDOWU/Primary Examiner, Art Unit 2494