Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Office Action is in response to the instant Application 16/442,819 filed on 6/17/2019. Claims 1-20 are pending. This Office Action is Non-Final.

Information Disclosure Statement
The information disclosure statement (IDS), submitted on 6/24/2019, is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-20 are rejected under 35 U. S. C. 101 as being directed to non-statutory subject matter as being directed to an abstract idea without being integrated into a practical application or significantly more.

Regarding claim 1, the claim is directed to an abstract idea as reciting the limitations “access a web traffic log,” “generate an image,” “classify an image” and “determining.”  The aforementioned steps are “mental process” as broadly interpreted said steps could be performed in the human mind. Therefore, the claim recites an abstract idea.  
	Said abstract idea and/or judicial exception is not integrated into a practical application as the claim does not recite any other active steps that utilize determination result into a practical application.  It’s noted that the claims recite additional elements (i.e., processor/memory, computing system).  However, said additional elements are recited at a high-level of generality (i.e., as a generic processor performing a generic computer function of detecting or determining operation etc.,) such that it amounts no more than mere instructions to apply the exception or abstract idea using a generic computer component. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea.
	The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea.   As mentioned above, although the claims recite additional elements, said elements taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because as the additional elements perform generic computer content distributing functions routinely used in information technology field. See US Applications 2013/0254535, 2015/0156194 and 2011/0154027.  As discussed above, the additional elements recited at a high-level of generality such that they amount no more than mere instructions to apply the exception using a generic computer component.  Therefore, the claim is directed to non-statutory subject matter. 
		
	Regarding claims 7 and 11, claims 7 and 11 recite similar limitations as claim 1 and are rejected under the same rationale.
	
	Regarding claims 2-6, 8-10 and 12-20; the dependent claims are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons addressed above as the claims recite an abstract idea without being integrated into a practical application or significantly more.
	
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jones et al. (US 20170111381) in view of Lotia et al. (US 2020/0366689) and Cella et al. (US 2019/0137985).

	As per claim 1, Jones teaches a system, comprising: a processor; and storage having instructions which, when executed by the processor (Jones, Paragraph 0147 recites “Each of the processes, methods, and algorithms described in the preceding sections may be embodied in, and fully or partially automated by, code modules executed by one or more computer systems or computer processors comprising computer hardware. The code modules (or "engines") may be stored on any type of non-transitory computer-readable medium or computer storage device, such as hard drives, solid state memory, optical disc, and/or the like.”), 
	cause the processor to: access a web traffic log including requests sent from a client to a web server to access a web site hosted by the web server (Jones, Paragraph 0090 recites “The system can obtain information describing user behavior after accessing (e.g., logging into) the user account from user access records (e.g., records identifying connections to network accessible systems), from VPN logs, and from system records (e.g., records identifying an IP address connection received by the system, a user account accessed, and a subsequent user account or network accessible system accessed; additionally the records can identify processes initiated by a user account, network requests or traffic to other network accessible systems initiated by a user account; and so on). Using the information described above, the system can determine user accounts switched to by the user account, and actions the user account took (e.g., initiating processes associated with executable code, or initiating scripts).”); 
	generate an image based at least on the requests, the image including a set of spots and a set of lines depending on the requests (Jones, Paragraph 0143 recites “ To help the reviewing user visualize user chaining of the selected user account 1202, the system can generate a connected graph 1204 that illustrates the transitions between user accounts. For instance, the first row 1206 of the connected graph 1204 illustrates unique VPN connections (e.g., 5 VPN connections) that accessed the selected user account 1202. The second row 1208 illustrates user accounts that were transitioned to from the selected user account 1202. Similarly, the third row 1210 illustrates user accounts transitioned to from the second row 1208 of user accounts, and the fourth 1212 row illustrates user accounts transitioned to from the third row 1210.”).
	But fails to teach classify the image into a bot category or a human category using a machine learning model.
	However, in an analogous art Cella teaches classify the image into a bot category or a human category using a machine learning model (Cella, Paragraph 0030 recites “A further embodiment of any of the foregoing embodiments of the present disclosure may include situations wherein the neural network includes a convolutional neural network that determines the occurrence of the anomalous condition based on pattern recognition in the streams of detection values which represent image data.”).
	It would have been obvious to a person of ordinary skill, at the earliest effective filing date to use Cella’s Methods and systems of diagnosing machine components using neural networks and having bandwidth allocation with Jones’ anomalous network monitoring, user behavior detection and database system because the use convolution network helps with the analysis of image data.
	And fails to teach determine whether the client is a bot or a human based at least on whether the image is classified into the bot category or the human category.
	However, in an analogous art Lotia teaches determine whether the client is a bot or a human based at least on whether the image is classified into the bot category or the human category (Lotia, Paragraph 0111 recites “In one example embodiment, a packet corresponding to a known or suspected malicious address is received by a deep packet inspection device 2040 residing, for example, in the ISP cloud (operation 1204). The packet is inspected to determine if it is or is not malicious (operation 1208). For example, as described above, indicators of compromise in the traffic may be searched for, such as a destination IP address, a source address, a source or destination port, a protocol, a type, size, or contents of the payload, identification of a pattern in the traffic, a match of the pattern with known threat signatures, and the like. If the packet is determined to be malicious (YES branch of decision block 1212), the deep packet inspection device 2040 blocks the packet (operation 1216) and the method 1200 proceeds with operation 1204; otherwise (NO branch of block 1212), the packet is rerouted, for example, to its original destination (operation 1220) and the method 1200 proceeds with operation 1204. In one example embodiment, the deep packet inspection device 2040 requests that the corresponding IP address be added to a blacklist, such as the blacklist maintained by an ISP, in conjunction with operation 1216.” And Paragraph 0099 recites “In one example embodiment, the botnet detection device 2028 identifies the malicious network traffic by, for example, obtaining threat information from a third-party threat intelligence service 2024 where the threat information, such as address information, directly or indirectly identifies the destination IP addresses and domains of suspected or known botnets. The threat information is used to identify which customers are sending malicious network traffic and are potentially infected by a bot.”.).
	It would have been obvious to a person of ordinary skill, at the earliest effective filing date to use Lotia’s botnet detection and mitigation with Jones’ anomalous network monitoring, user behavior detection and database system because the use of a bot detection is beneficial to protecting a network. 
	
	As per claim 2, Jones in combination with Lotia and Cella teaches the system of claim 1, Lotia further teaches wherein the instructions further cause the processor to: block additional requests sent from the client to the web server in response to determining that the client is a bot (Lotia, Paragraph 0111 recites “In one example embodiment, a packet corresponding to a known or suspected malicious address is received by a deep packet inspection device 2040 residing, for example, in the ISP cloud (operation 1204). The packet is inspected to determine if it is or is not malicious (operation 1208). For example, as described above, indicators of compromise in the traffic may be searched for, such as a destination IP address, a source address, a source or destination port, a protocol, a type, size, or contents of the payload, identification of a pattern in the traffic, a match of the pattern with known threat signatures, and the like. If the packet is determined to be malicious (YES branch of decision block 1212), the deep packet inspection device 2040 blocks the packet (operation 1216) and the method 1200 proceeds with operation 1204; otherwise (NO branch of block 1212), the packet is rerouted, for example, to its original destination (operation 1220) and the method 1200 proceeds with operation 1204. In one example embodiment, the deep packet inspection device 2040 requests that the corresponding IP address be added to a blacklist, such as the blacklist maintained by an ISP, in conjunction with operation 1216.” And Paragraph 0099 recites “In one example embodiment, the botnet detection device 2028 identifies the malicious network traffic by, for example, obtaining threat information from a third-party threat intelligence service 2024 where the threat information, such as address information, directly or indirectly identifies the destination IP addresses and domains of suspected or known botnets. The threat information is used to identify which customers are sending malicious network traffic and are potentially infected by a bot.”).
	It would have been obvious to a person of ordinary skill, at the earliest effective filing date to use Lotia’s botnet detection and mitigation with Jones’ anomalous network monitoring, user behavior detection and database system because the use of a bot detection is beneficial to protecting a network. 


	As per claim 3, Jones in combination with Lotia and Cella teaches the system of claim 1, Jones further teaches wherein the image is generated based at least on the requests by: generating a graph based at least on the requests; and generating the image based at least on the graph (Jones, Paragraph 0143 recites “To help the reviewing user visualize user chaining of the selected user account 1202, the system can generate a connected graph 1204 that illustrates the transitions between user accounts. For instance, the first row 1206 of the connected graph 1204 illustrates unique VPN connections (e.g., 5 VPN connections) that accessed the selected user account 1202. The second row 1208 illustrates user accounts that were transitioned to from the selected user account 1202. Similarly, the third row 1210 illustrates user accounts transitioned to from the second row 1208 of user accounts, and the fourth 1212 row illustrates user accounts transitioned to from the third row 1210.”).

	As per claim 4, Jones in combination with Lotia and Cella teaches the system of claim 3, Jones further teaches wherein: the graph comprises: a set of nodes representing the requests; and a set of edges between the set of nodes, the set of edges representing adjacent requests; the set of spots in the image represents the set of nodes in the graph; and the set of lines in the image connects the set of spots, the set of lines representing the set of edges in the graph (Jones, Paragraph 0143 recites “To help the reviewing user visualize user chaining of the selected user account 1202, the system can generate a connected graph 1204 that illustrates the transitions between user accounts. For instance, the first row 1206 of the connected graph 1204 illustrates unique VPN connections (e.g., 5 VPN connections) that accessed the selected user account 1202. The second row 1208 illustrates user accounts that were transitioned to from the selected user account 1202. Similarly, the third row 1210 illustrates user accounts transitioned to from the second row 1208 of user accounts, and the fourth 1212 row illustrates user accounts transitioned to from the third row 1210.”).

	As per claim 5, Jones in combination with Lotia and Cella teaches the system of claim 1, Lotia further teaches wherein the machine learning model is trained using a training set of images generated from a first training set of requests received by the web server from known bot clients and a second training set of requests received by the web server from known human clients (Lotia, Paragraph 0111 recites “In one example embodiment, a packet corresponding to a known or suspected malicious address is received by a deep packet inspection device 2040 residing, for example, in the ISP cloud (operation 1204). The packet is inspected to determine if it is or is not malicious (operation 1208). For example, as described above, indicators of compromise in the traffic may be searched for, such as a destination IP address, a source address, a source or destination port, a protocol, a type, size, or contents of the payload, identification of a pattern in the traffic, a match of the pattern with known threat signatures, and the like. If the packet is determined to be malicious (YES branch of decision block 1212), the deep packet inspection device 2040 blocks the packet (operation 1216) and the method 1200 proceeds with operation 1204; otherwise (NO branch of block 1212), the packet is rerouted, for example, to its original destination (operation 1220) and the method 1200 proceeds with operation 1204. In one example embodiment, the deep packet inspection device 2040 requests that the corresponding IP address be added to a blacklist, such as the blacklist maintained by an ISP, in conjunction with operation 1216.” And Paragraph 0099 recites “In one example embodiment, the botnet detection device 2028 identifies the malicious network traffic by, for example, obtaining threat information from a third-party threat intelligence service 2024 where the threat information, such as address information, directly or indirectly identifies the destination IP addresses and domains of suspected or known botnets. The threat information is used to identify which customers are sending malicious network traffic and are potentially infected by a bot.”).
	It would have been obvious to a person of ordinary skill, at the earliest effective filing date to use Lotia’s botnet detection and mitigation with Jones’ anomalous network monitoring, user behavior detection and database system because the use of a bot detection is beneficial to protecting a network. 

	As per claim 6, Jones in combination with Lotia and Cella teaches the system of claim 1, Cella further teaches wherein the machine learning model includes a convolutional neural network (Cella, Paragraph 0349 recites “The platform 100 may also implement pattern recognition processes with machine learning operations and may be used in applications such as computer vision, speech and text processing, radar processing, handwriting recognition, CAD systems, and the like. The platform 100 may employ supervised classification and unsupervised classification. The supervised learning classification algorithms may be based to create classifiers for image or pattern recognition, based on training data obtained from different object classes.”).
	It would have been obvious to a person of ordinary skill, at the earliest effective filing date to use Cella’s Methods and systems of diagnosing machine components using neural networks and having bandwidth allocation with Jones’ anomalous network monitoring, user behavior detection and database system because the use convolution network helps with the analysis of image data.

	Regarding claim 7, claim 7 is directed to a similar computer-readable storage medium associated with the system of claim 1 respectively. Claim 7 is similar in scope to claim 1, respectively, and are therefore rejected under similar rationale. 

	As per claim 8, Jones in combination with Lotia and Cella teaches the computer-readable storage medium of claim 7, Jones further teaches wherein the set of actions includes one or more browsing requests submitted by a browser of the entity to a website (Jones, Paragraph 0096 recites “the system obtains information describing network actions of the user account (e.g., as described above, the system can obtain logs and identify entries or events in the logs associated with network actions of the user account). The system orders each of the network actions according to a time associated with each network action (e.g., a time stamp included in a log).” Accessing a website would be considered an obvious network action for a user.)

	
		
	As per claim 9, Jones in combination with Lotia and Cella teaches  the computer-readable storage medium of claim 7, Cella further teaches wherein the machine learning model uses a convolutional neural network to classify an input image into one of a plurality of categories (Cella, Paragraph 0030 recites “A further embodiment of any of the foregoing embodiments of the present disclosure may include situations wherein the neural network includes a convolutional neural network that determines the occurrence of the anomalous condition based on pattern recognition in the streams of detection values which represent image data.”).
	
	As per claim 10, Jones in combination with Lotia and Cella teaches the computer-readable storage medium of claim 9, Cella further teaches wherein the instructions further cause the processor to: generate a training set of images based at least on a first set of actions performed by known bots and a second set of actions performed by known humans; and train the machine learning model, using the training set of images, to categorize an input image into a bot category or a human category (Cella, Paragraph 0349 recites “The supervised learning classification algorithms may be based to create classifiers for image or pattern recognition, based on training data obtained from different object classes.”).
	It would have been obvious to a person of ordinary skill, at the earliest effective filing date to use Cella’s Methods and systems of diagnosing machine components using neural networks and having bandwidth allocation with Jones’ anomalous network monitoring, user behavior detection and database system because the use convolution network helps with the analysis of image data.
	As per claim 11, Jones teaches a method, comprising: receiving behavior information associated with an entity (Jones, Paragraph 0090 recites “The system can obtain information describing user behavior after accessing (e.g., logging into) the user account from user access records (e.g., records identifying connections to network accessible systems), from VPN logs, and from system records (e.g., records identifying an IP address connection received by the system, a user account accessed, and a subsequent user account or network accessible system accessed; additionally the records can identify processes initiated by a user account, network requests or traffic to other network accessible systems initiated by a user account; and so on). Using the information described above, the system can determine user accounts switched to by the user account, and actions the user account took (e.g., initiating processes associated with executable code, or initiating scripts).”); 
	generating an image based at least on the behavior information (Jones, Paragraph 0143 recites “ To help the reviewing user visualize user chaining of the selected user account 1202, the system can generate a connected graph 1204 that illustrates the transitions between user accounts. For instance, the first row 1206 of the connected graph 1204 illustrates unique VPN connections (e.g., 5 VPN connections) that accessed the selected user account 1202. The second row 1208 illustrates user accounts that were transitioned to from the selected user account 1202. Similarly, the third row 1210 illustrates user accounts transitioned to from the second row 1208 of user accounts, and the fourth 1212 row illustrates user accounts transitioned to from the third row 1210.”).
	But fails to teach classifying the image into a category among a plurality of categories.
	However, in an analogous art Cella teaches classifying the image into a category among a plurality of categories (Cella, Paragraph 0030 recites “A further embodiment of any of the foregoing embodiments of the present disclosure may include situations wherein the neural network includes a convolutional neural network that determines the occurrence of the anomalous condition based on pattern recognition in the streams of detection values which represent image data.”).
	It would have been obvious to a person of ordinary skill, at the earliest effective filing date to use Cella’s Methods and systems of diagnosing machine components using neural networks and having bandwidth allocation with Jones’ anomalous network monitoring, user behavior detection and database system because the use convolution network helps with the analysis of image data.
	And fails to teach determining a group among a plurality of groups to which the entity belongs based at least on the category to which the image is classified.
	However, in an analogous art Lotia teaches determining a group among a plurality of groups to which the entity belongs based at least on the category to which the image is classified (Lotia, Paragraph 0111 recites “In one example embodiment, a packet corresponding to a known or suspected malicious address is received by a deep packet inspection device 2040 residing, for example, in the ISP cloud (operation 1204). The packet is inspected to determine if it is or is not malicious (operation 1208). For example, as described above, indicators of compromise in the traffic may be searched for, such as a destination IP address, a source address, a source or destination port, a protocol, a type, size, or contents of the payload, identification of a pattern in the traffic, a match of the pattern with known threat signatures, and the like. If the packet is determined to be malicious (YES branch of decision block 1212), the deep packet inspection device 2040 blocks the packet (operation 1216) and the method 1200 proceeds with operation 1204; otherwise (NO branch of block 1212), the packet is rerouted, for example, to its original destination (operation 1220) and the method 1200 proceeds with operation 1204. In one example embodiment, the deep packet inspection device 2040 requests that the corresponding IP address be added to a blacklist, such as the blacklist maintained by an ISP, in conjunction with operation 1216.” And Paragraph 0099 recites “In one example embodiment, the botnet detection device 2028 identifies the malicious network traffic by, for example, obtaining threat information from a third-party threat intelligence service 2024 where the threat information, such as address information, directly or indirectly identifies the destination IP addresses and domains of suspected or known botnets. The threat information is used to identify which customers are sending malicious network traffic and are potentially infected by a bot.” The claim recites “machine learning,” Lotia does not explicitly recite “machine learning,” however, the system of Lotia effectively performs the tasks of machine learning, by updating blacklists and whitelists which are not dependent on a human to add the addresses to their respective lists.).
	It would have been obvious to a person of ordinary skill, at the earliest effective filing date to use Lotia’s botnet detection and mitigation with Jones’ anomalous network monitoring, user behavior detection and database system because the use of a bot detection is beneficial to protecting a network. 
	As per claim 12, Jones in combination with Lotia and Cella teaches the method of claim 11, Jones further teaches wherein receiving the behavior information comprises: receiving one or more browsing requests submitted by the entity to a website (Jones, Paragraph 0096 recites “the system obtains information describing network actions of the user account (e.g., as described above, the system can obtain logs and identify entries or events in the logs associated with network actions of the user account). The system orders each of the network actions according to a time associated with each network action (e.g., a time stamp included in a log).” Accessing a website would be considered an obvious network action for a user.)

	As per claim 13, Jones in combination with Lotia and Cella teaches the method of claim 12, Jones further teaches wherein generating the image comprises: generating a graph based at least on the behavior information; and generating the image based at least on the graph (Jones, Paragraph 0143 recites “To help the reviewing user visualize user chaining of the selected user account 1202, the system can generate a connected graph 1204 that illustrates the transitions between user accounts. For instance, the first row 1206 of the connected graph 1204 illustrates unique VPN connections (e.g., 5 VPN connections) that accessed the selected user account 1202. The second row 1208 illustrates user accounts that were transitioned to from the selected user account 1202. Similarly, the third row 1210 illustrates user accounts transitioned to from the second row 1208 of user accounts, and the fourth 1212 row illustrates user accounts transitioned to from the third row 1210.”).


	As per claim 14, Jones in combination with Lotia and Cella teaches the method of claim 13, Jones further teaches wherein generating the graph comprises: generating one or more nodes that represent the one or more browsing requests; and generating one or more edges that connect the one or more nodes, the one or more edges representing adjacent browsing requests (Jones, Paragraph 0143 recites “To help the reviewing user visualize user chaining of the selected user account 1202, the system can generate a connected graph 1204 that illustrates the transitions between user accounts. For instance, the first row 1206 of the connected graph 1204 illustrates unique VPN connections (e.g., 5 VPN connections) that accessed the selected user account 1202. The second row 1208 illustrates user accounts that were transitioned to from the selected user account 1202. Similarly, the third row 1210 illustrates user accounts transitioned to from the second row 1208 of user accounts, and the fourth 1212 row illustrates user accounts transitioned to from the third row 1210.”).

	As per claim 15, Jones in combination with Lotia and Cella teaches the method of claim 14, Jones further teaches wherein generating the image comprises: generating one or more spots that represent the one or more nodes in the graph; and generating one or more lines that represent the one or more edges in the graph (Jones, Paragraph 0143 recites “To help the reviewing user visualize user chaining of the selected user account 1202, the system can generate a connected graph 1204 that illustrates the transitions between user accounts. For instance, the first row 1206 of the connected graph 1204 illustrates unique VPN connections (e.g., 5 VPN connections) that accessed the selected user account 1202. The second row 1208 illustrates user accounts that were transitioned to from the selected user account 1202. Similarly, the third row 1210 illustrates user accounts transitioned to from the second row 1208 of user accounts, and the fourth 1212 row illustrates user accounts transitioned to from the third row 1210.”).

	As per claim 16, Jones in combination with Lotia and Cella teaches the method of claim 15, Jones further teaches wherein generating the one or more spots comprises: determining sizes of the one or more spots based at least on access frequencies associated with corresponding one or more nodes in the graph (Jones, Paragraph 0038 recites “In some implementations, the map 16 can be a heat-map identifying a frequency of the access, and each country in the map 16 can be selectable by a user. Upon selection of a country, the user interface 10 can be updated to include user accounts that have been accessed from the selected country. In some implementations, the map 16 can be a map of a particular region (e.g., country, city, geographic area, and so on).”).

	As per claim 17, Jones in combination with Lotia and Cella teaches the method of claim 11, Cella further teaches wherein classifying the image comprises: using a machine learning model that is trained using a training set of images with known categories (Cella, Paragraph 0349 recites “The platform 100 may also implement pattern recognition processes with machine learning operations and may be used in applications such as computer vision, speech and text processing, radar processing, handwriting recognition, CAD systems, and the like. The platform 100 may employ supervised classification and unsupervised classification. The supervised learning classification algorithms may be based to create classifiers for image or pattern recognition, based on training data obtained from different object classes.”).
	It would have been obvious to a person of ordinary skill, at the earliest effective filing date to use Cella’s Methods and systems of diagnosing machine components using neural networks and having bandwidth allocation with Jones’ anomalous network monitoring, user behavior detection and database system because the use convolution network helps with the analysis of image data.

	As per claim 18, Jones in combination with Lotia and Cella teaches the method of claim 17, Cella further teaches wherein the machine learning model includes a convolutional neural network (Cella, Paragraph 0030 recites “A further embodiment of any of the foregoing embodiments of the present disclosure may include situations wherein the neural network includes a convolutional neural network that determines the occurrence of the anomalous condition based on pattern recognition in the streams of detection values which represent image data.”).
	It would have been obvious to a person of ordinary skill, at the earliest effective filing date to use Cella’s Methods and systems of diagnosing machine components using neural networks and having bandwidth allocation with Jones’ anomalous network monitoring, user behavior detection and database system because the use convolution network helps with the analysis of image data.


	As per claim 19, Jones in combination with Lotia and Cella teaches the method of claim 11, Lotia further teaches wherein the plurality of categories includes a bot category and a human category, and the plurality of groups includes a bot group and a human group (Lotia, Paragraph 0111 recites “In one example embodiment, a packet corresponding to a known or suspected malicious address is received by a deep packet inspection device 2040 residing, for example, in the ISP cloud (operation 1204). The packet is inspected to determine if it is or is not malicious (operation 1208). For example, as described above, indicators of compromise in the traffic may be searched for, such as a destination IP address, a source address, a source or destination port, a protocol, a type, size, or contents of the payload, identification of a pattern in the traffic, a match of the pattern with known threat signatures, and the like. If the packet is determined to be malicious (YES branch of decision block 1212), the deep packet inspection device 2040 blocks the packet (operation 1216) and the method 1200 proceeds with operation 1204; otherwise (NO branch of block 1212), the packet is rerouted, for example, to its original destination (operation 1220) and the method 1200 proceeds with operation 1204. In one example embodiment, the deep packet inspection device 2040 requests that the corresponding IP address be added to a blacklist, such as the blacklist maintained by an ISP, in conjunction with operation 1216.” And Paragraph 0099 recites “In one example embodiment, the botnet detection device 2028 identifies the malicious network traffic by, for example, obtaining threat information from a third-party threat intelligence service 2024 where the threat information, such as address information, directly or indirectly identifies the destination IP addresses and domains of suspected or known botnets. The threat information is used to identify which customers are sending malicious network traffic and are potentially infected by a bot.”.).
	It would have been obvious to a person of ordinary skill, at the earliest effective filing date to use Lotia’s botnet detection and mitigation with Jones’ anomalous network monitoring, user behavior detection and database system because the use of a bot detection is beneficial to protecting a network. 
	
	As per claim 20, Jones in combination with Lotia and Cella teaches the method of claim 11, Lotia further teaches generating an alert in response to determining that the entity belongs to the bot group (Lotia, Paragraph 0111 recites “In one example embodiment, a packet corresponding to a known or suspected malicious address is received by a deep packet inspection device 2040 residing, for example, in the ISP cloud (operation 1204). The packet is inspected to determine if it is or is not malicious (operation 1208). For example, as described above, indicators of compromise in the traffic may be searched for, such as a destination IP address, a source address, a source or destination port, a protocol, a type, size, or contents of the payload, identification of a pattern in the traffic, a match of the pattern with known threat signatures, and the like. If the packet is determined to be malicious (YES branch of decision block 1212), the deep packet inspection device 2040 blocks the packet (operation 1216) and the method 1200 proceeds with operation 1204; otherwise (NO branch of block 1212), the packet is rerouted, for example, to its original destination (operation 1220) and the method 1200 proceeds with operation 1204. In one example embodiment, the deep packet inspection device 2040 requests that the corresponding IP address be added to a blacklist, such as the blacklist maintained by an ISP, in conjunction with operation 1216.” And Paragraph 0099 recites “In one example embodiment, the botnet detection device 2028 identifies the malicious network traffic by, for example, obtaining threat information from a third-party threat intelligence service 2024 where the threat information, such as address information, directly or indirectly identifies the destination IP addresses and domains of suspected or known botnets. The threat information is used to identify which customers are sending malicious network traffic and are potentially infected by a bot.”.).
	It would have been obvious to a person of ordinary skill, at the earliest effective filing date to use Lotia’s botnet detection and mitigation with Jones’ anomalous network monitoring, user behavior detection and database system because the use of a bot detection is beneficial to protecting a network. 
	
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached Mon- Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

RODERICK . TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439