Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) was submitted on 08/20/2021.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Response to Amendment
This is in response to the amendments filed on 08/20/2021. Claims 1, 8, and 15 have been amended. Claims 1, 3-8, 10-15, 18-20, and 22-25 are currently pending and have been considered below.

Response to Arguments
Applicant’s arguments, see pages 10-11, filed 08/20/2021, with respect to the rejections of claims 1, 3-8, 10-15, 18-20, and 22-25 under 35 U.S.C. 103 have been fully considered and are persuasive.  The rejection has been withdrawn.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Attorney Natalya Dvorson on 09/07/2021.


1. (Currently Amended) 	A method comprising: 
obtaining first telemetry data for a plurality of domains within a network, the first telemetry data for the plurality of domains including both encrypted traffic analytics information associated with network traffic in the network and traffic flow information associated with the network traffic; 
for each domain of the plurality of domains:
generating a model by obtaining a plurality of traffic flow information features based on the traffic flow information of the first telemetry data associated with a specific domain of the plurality of domains, and at least one encrypted traffic analytics feature based on the encrypted traffic analytics information of the first telemetry data associated with the specific domain, the model comprising a mapping from the plurality of traffic flow information features to the at least one encrypted traffic analytics feature for the specific domain; 
generating a database by combining models generated for the plurality of domains; 
obtaining second telemetry data for a target domain that includes traffic flow information without encrypted traffic analytics information; 
selecting one model from the models in the database, for the target domain, based on similarities between the traffic flow information of the second telemetry data for the target domain and the plurality of traffic flow information features of the one model; 
determining at least one encrypted traffic analytics feature for the target domain based on a plurality of traffic flow information features of the target domain using the one model; and 


8. (Currently Amended) 	A non-transitory computer readable storage media encoded with instructions that, when executed by a processor, cause the processor to perform operations comprising: 
obtaining first telemetry data for a plurality of domains within a network, the first telemetry data for the plurality of domains including both encrypted traffic analytics information associated with network traffic in the network and traffic flow information associated with the network traffic; 
for each domain of the plurality of domains:
generating a model by obtaining a plurality of traffic flow information features based on the traffic flow information of the first telemetry data associated with a specific domain of the plurality of domains, and at least one encrypted traffic analytics feature based on the encrypted traffic analytics information of the first telemetry data associated with the specific domain, the model comprising a mapping from the plurality of traffic flow information features to the at least one encrypted traffic analytics feature for the specific domain; 
generating a database by combining models generated for the plurality of domains; 
obtaining second telemetry data for a target domain that includes traffic flow information without encrypted traffic analytics information; 
the second telemetry data for the target domain and the plurality of traffic flow information features of the one model; 
determining at least one encrypted traffic analytics feature for the target domain based on a plurality of traffic flow information features of the target domain using the one model; and 
determining whether a service is benign or malware by identifying the service hosted on the target domain based on the at least one encrypted traffic analytics feature.  

15. (Currently Amended) 	An apparatus comprising: 
a communication interface configured to enable network communications with a plurality of devices in a network; and 
a processor coupled with the communication interface, and configured to: 
obtain first telemetry data for a plurality of domains within the network, the first telemetry data for the plurality of domains including both encrypted traffic analytics information associated with network traffic in the network and traffic flow information associated with the network traffic; 
for each domain of the plurality of domains: 
generate a model by obtaining a plurality of traffic flow information features based on the traffic flow information of the first telemetry data associated with a specific domain of the plurality of domains, and at least one encrypted traffic analytics feature based on the encrypted traffic analytics information of the first telemetry data associated with the specific domain, the model comprising a mapping from the plurality of traffic flow information specific domain; 
generate a database by combining models generated for 
obtain second telemetry data for a target domain that includes traffic flow information without encrypted traffic analytics information; 
select one model from the models in the database, for the target domain, based on similarities between the traffic flow information of the second telemetry data for the target domain and the plurality of traffic flow information features of the one model; 
determine at least one encrypted traffic analytics feature of the target domain based on a plurality of traffic flow information features of the target domain using the one model; and 
determine whether a service is benign or malware by identifying the service hosted on the target domain based on the at least one encrypted traffic analytics feature.  

Allowable Subject Matter
Claims 1, 3-8, 10-15, 18-20, and 22-25 are allowed as amended.

Reason for Allowance
The following is an examiner’s statement of reasons for allowance: 
The closest prior art is Reddy et al. (US 2017/0374016 A1; hereinafter, “Reddy”), Baldi et al. (US 2018/0062950 A1; hereinafter, “Baldi”), Kohout et al. (US 2018/0103056 A1; hereinafter, “Kohout”), Katzir et al. (US 2018/0109542 A1; hereinafter, “Katzir”), and Ollmann (US 2010/0107257 A1; hereinafter, “Ollmann”).

Katzir discloses a method to ascertain the correspondence between the encrypted blocks and the unencrypted blocks by comparing respective durations of the encrypted blocks to respective durations of the unencrypted blocks. Ollmann discloses computer systems and software for detecting the presence of malicious software, such as a malicious service agent running on a computer system.
What is missing from the prior art is a method comprising: for each domain of the plurality of domains: generating the model by obtaining a plurality of traffic flow information features based on the traffic flow information of the first telemetry data associated with a specific domain of the plurality of domains, and at least one encrypted traffic analytics feature based on the encrypted traffic analytics information of the first telemetry data associated with the specific domain, the model comprising a mapping from the plurality of traffic flow information features to the at least one encrypted traffic analytics feature for the specific domain, as recited in claim 1.
Claim 8 recites a non-transitory computer readable storage media which corresponds to the method of claim 1, and contains at least the limitations stated above. Therefore, claim 8 is also deemed allowable over the prior art of record for the same reason applied to claim 1 above. The dependent claims 10-14 and 23, which further limit claim 8, are also deemed allowable by virtue of their dependency. Claim 15 recites an apparatus which corresponds to the method of claim 1, and contains at least the limitations stated above. Therefore, claim 15 is also deemed allowable over the prior art of record for the same reason applied to claim 1 above. The dependent claims 18-20 and 24-25, which further limit claim 15, are also deemed allowable by virtue of their dependency.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WANSIK YOU whose telephone number is (571)270-3360.  The examiner can normally be reached on 7:30-5:30 M-Th.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/W.Y./Examiner, Art Unit 2491

/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491