DETAILED ACTION
This communication responsive to the Application No. 16/428,422 filed on May 31,
2019. Claims 1-20 are pending and are directed towards method, program product and system for MACHINE LEARNING-BASED NETWORK DEVICE PROFILING.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 05/31/2019 was Acknowledge. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Specification
The disclosure is objected to because of the following informalities: 
In the specification para [0039] “the active machine learning engine 122” should be “the active machine learning engine 124”
The use of the term “ORACLE” and “MICROSOFT”, which is a trade name or a mark used in commerce, has been noted in this application (para [0027]). The term should be accompanied by the generic terminology; furthermore the term should be capitalized wherever it SM , or ® following the term.
Although the use of trade names and marks used in commerce (i.e., trademarks, service marks, certification marks, and collective marks) are permissible in patent applications, the proprietary nature of the marks should be respected and every effort made to prevent their use in any manner which might adversely affect their validity as commercial marks.
 Appropriate correction is required.

Claim Objections
Claims 1, 7-8, 12, 14, 17 and 20 objected to because of the following informalities:  
Claim 1 recites “wherein said security event or alert is associated with” should rather recites “wherein said security event or security alert is associated with”.  
Claim 1 recites “the first profile is associated with a confidence; and in response to the confidence being below a threshold:” should rather recites “the first profile is associated with a confidence value; and in response to the confidence value being below a threshold:” consistent with the specification and independent claim 12.
Claims 7, 12 and 20 recite “graphical user interface (GUI)” should rather recites “Graphical User Interface (GUI)” to capitalize the first letter of each word defining the acronym GUI.
Claim 8, recites “…associated with confidences less than the threshold” should rather recites “associated with confidences values less than the threshold”
Claim 14 recites “The storage medium of claim 11” should rather be “The storage medium of claim 12”
Claim 17 recites “query a configuration and management database (CMDB) to determine to determine a label for a network device of the network devices” should capitalize the first letter of the words defining the acronym (CMDB), and remove the repeated “to determine”.
Claims 2-11 and 13-14 inherit the deficiencies noted in claims 1 and 12. Appropriate correction is required. 
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.



Claims 4-5, 9-10 and 15-20 rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.

Claims 4 and 5 recites the limitation "determining the classification associated with the confidence…"  There is insufficient antecedent basis for this limitation in the claim. For examination purposes, the examiner interpreted “the classification” in claim 4 to be “determining a classification”
Claim 9 recites the limitation "using the classification learned by the active machine learning classifier to adapt the supervised machine learning classifier" There is insufficient antecedent basis for this limitation in the claim.
Claim 10 recites the limitation "using the classification learned by the active machine learning classifier to adapt the supervised machine learning to recognize the classification" 
Claim 15 recites the limitation "apply active machine learning to filter the classifications of the subset to identify a subset of the set of classifications" There is insufficient antecedent basis for this limitation in the claim. For examination purposes, the examiner interpreted the limitation to recite “apply active machine learning to filter the classifications  to identify a subset of the set of classifications”.
Claim 16 recites the limitation " determine a class for the given network device…" There is insufficient antecedent basis for this limitation in the claim.
Claims 17-20 are rejected by dependency on claim 15. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-2, 7-8, 10-13, 15, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Stokes et al. U.S. Patent Pub. No. 2009/0099988 A1 (hereinafter “Stokes”) in view of Kunnumma et al. U.S. Patent Pub. No. 2020/0320430 A1 (hereinafter “Kunnumma”).

As per claim 1, Stokes teaches a method comprising: 
applying, by a computer, supervised machine learning to provide a first profile for a network device associated with at least one of a security event or a security alert occurring in a computer system based on data representing features associated with the network device (uses the multi-class classifier 306 to predict the labels for the unlabeled items [features (entry) associated with a network device] by automatically classifying them. Stokes, para [0041]) (The multi-class classifier can be any one of a number of discriminative classifiers including logistic regression or a support vector machine (SVM) [supervised machine learning]. Stokes, para [0041]) (an entry, for example, can correspond to a network computer accessing the network (e.g., corporate network, Internet) or accessing one or more internal servers. Stokes, para [0003]), wherein said security event or alert is associated with a potential security threat to the computer system (a malicious behavior detection/prevention system is provided that uses active learning to classify entries into multiple classes. A single entry can correspond to either the occurrence of one or more events and/or the non-occurrence of one or more events. Stokes, para [0008]) (single user interface is presented for labeling both potential anomalies and ambiguous entries [potential security threat]. Stokes, para [0054]), and the first profile is associated with a confidence (calculating an uncertainty score [confidence value] that measures how certain the automatic classifier is in the predicted classification. Stokes, para [0046]); and 
applying active machine learning to the data to learn a second profile for the network device based on the data (The items then can be ranked (366) according to the log likelihood score and/or the uncertainty score. Based on the rank, items are selected to be presented to the security analyst. Selected items 368 are presented to a security analyst for labeling [,where the active machine learning corresponds to the learning performed by the security analyst/expert, consistent with (applicant’s disclosure, para [0039]) “for purposes of determining the labels, the active machine learning engine 124 queries informational data sources, such as experts (the security analysts 117, for example)”]. Stokes, para [0047]); and 
adapting the supervised machine learning to recognize the second profile (Manually labeled items from the human analyst are then used to train the classifiers 306 and the models 308. The classifier can also be trained based on the predicted labels. Stokes, para [0043]).
Stokes applies active machine learning when uncertainty score is high (low confidence) (an entry is ambiguously classified if an uncertainty score indicates a high level of uncertainty [low confidence] in the classification. Stokes, claim 3), but does not explicitly teach in response to the confidence being below a threshold. 
(The evaluation of the confidence of the system in identifying an unlabeled clause is performed, characterized by the determination of certainty score. An expert user [active learning] may label only the dataset where the certainty score drops below a predefined certainty threshold. Kunnumma, para [0052]). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Stokes to apply the active machine learning in response to the confidence being below a threshold. One would be motivated to do so, to apply active learning when confidence score reaches a predetermined threshold. (Kunnumma, para [0052]).
 
As per claim 2, Stokes and Kunnumma teach the method of claim 1, further comprising. Stoke does not explicitly teach determining the threshold based on a performance of the supervised machine learning in determining classifications for labeled data. 
However, Kunnumma teaches determining the threshold based on a performance of the supervised machine learning in determining classifications for labeled data (determining an accuracy value of the data classifier to achieve a predefined model accuracy threshold. Kunnumma, para [0009])(certainty threshold is dynamically adjusted to optimize machine learning and user metrics. Kunnumma, para [0063]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Stokes to determining the threshold based on a performance of the supervised machine learning in determining  (Kunnumma, para [0063]).

As per claim 7, Stokes and Kunnumma teach the method of claim 1, wherein: applying the active machine learning comprises generating a query to a graphical user interface (GUI) to request a label for the network device (single user interface is presented for labeling both potential anomalies and ambiguous entries. For example, a user interface can comprise a grid control with at least entries selected for labeling. A human analyst can enter the class directly into the grid control. Stokes, para [0054] and Fig. 5A-5C).

As per claim 8, Stokes and Kunnumma teach the method of claim 1, wherein applying the active machine learning comprises: 
selecting the data from a larger set of data associated with classifications by the supervised machine being associated with confidences less (the entries [larger set of data] are automatically classified into one of multiple categories using a multi-class classifier. At 915, entries are collected that are ambiguously classified. At 920, entries are collected that do not fit a model of the automatically classified category of the entry. At 925, the collected entries are ranked according to at least one of an anomaly score or an uncertainty score (confidences value). At 930, at least some of the collected entries are selected based on the ranking. Stokes, para [0079]); and 
generating a query to determine a label in response to the selection of the data (the selected entries are presented to a human analyst [generating a query. See Fig. 5A-5C] and an indication of the category for each of at least some of the presented entries is received. Stokes, para [0079]).
Stokes select data associated with uncertainty (low confidences) to apply active machine learning (an entry is ambiguously classified if an uncertainty score indicates a high level of uncertainty [low confidence] in the classification. Stokes, claim 3), but does not explicitly teach select data associated with confidences less than a threshold. 
However, Kunnumma teaches select data associated with confidences less than a threshold (The evaluation of the confidence of the system in identifying an unlabeled clause is performed, characterized by the determination of certainty score. An expert user [active learning] may label only the dataset [selected the data from a larger set] where the certainty score drops below a predefined certainty threshold. Kunnumma, para [0052]). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Stokes to select data associated with confidences less than a threshold. One would be motivated to do so, to apply active learning only for the selected data with confidences less than a predetermined threshold. (Kunnumma, para [0052]).

As per claim 10, Stokes and Kunnumma teach the method of claim 1, wherein using the classification learned by the active machine learning classifier to adapt the supervised machine learning to recognize the classification comprises adding a class to a plurality of classes associated with the supervised machine learning (In addition to classifying an entry into one of the existing categories, the human analyst can also create a new category of entries. Once an entry is manually classified, the classifiers can be trained for better classification of entries in the future. Stokes, para [0027]) (If one or more of the items belong to a new class, the human analyst can create a new class for the item when labeling the item. After the analyst labels one or more items, the technique trains a multi-class classifier 306 using the labeled items. Stokes, para [0041]).

As per claim 11, Stokes and Kunnumma teach the method of claim 1, wherein the data comprises network data, end point data, application data or database data associated with the network device (entries can be received from file-based logs, databases, or supplied via an application programming interface with external systems or calculated from values retrieved from those data sources. Stokes, para [0026])( Remote resources 112 can include routers 118, remote servers 116, or firewalls 114. In this scenario, each access to, from, or via the remote resources is logged into logs 120 or alternatively indicated to the network intrusion system in real-time. The logs can be database-based or file-based. Stokes, para [0034]).

As per claim 12, Stokes teaches a non-transitory machine readable storage medium that stores instructions that, when executed by a machine (machine-readable storage medium, wherein, when the program code is loaded into and executed by a machine. Stoke, para [0096]), cause the machine to: 
apply machine learning to features associated with a network device of a computer network to classify the network device as belonging to a first profile (uses the multi-class classifier 306 to predict the labels for the unlabeled items [features (entry) associated with a network device] by automatically classifying them. Stokes, para [0041]) (The multi-class classifier can be any one of a number of discriminative classifiers including logistic regression or a support vector machine (SVM) [supervised machine learning]. Stokes, para [0041]) (an entry, for example, can correspond to a network computer accessing the network (e.g., corporate network, Internet) or accessing one or more internal servers. Stokes, para [0003]), wherein the network device is associated with at least one of a security event or a security alert displayed in an investigation graphical user interface (GUI) (single user interface is presented for labeling both potential anomalies and ambiguous entries. For example, a user interface can comprise a grid control with at least entries selected for labeling. A human analyst can enter the class directly into the grid control. Stokes, para [0054] and Fig. 5A-5C), and the security event or security alert is associated with a potential security threat to the computer network (a malicious behavior detection/prevention system is provided that uses active learning to classify entries into multiple classes. A single entry can correspond to either the occurrence of one or more events and/or the non-occurrence of one or more events. Stokes, para [0008]) (single user interface is presented for labeling both potential anomalies and ambiguous entries [potential security threat]. Stokes, para [0054]); 
determine a confidence value associated with the first profile (calculating an uncertainty score [confidence value] that measures how certain the automatic classifier is in the predicted classification. Stokes, para [0046]); 
in response to a comparison of the confidence value (an entry is ambiguously classified if an uncertainty score indicates a high level of uncertainty in the classification. Stokes, claim 3): 
use active machine learning to determine a second profile for the network device (The items then can be ranked (366) according to the log likelihood score and/or the uncertainty score. Based on the rank, items are selected to be presented to the security analyst. Selected items 368 are presented to a security analyst for labeling [,where the active machine learning corresponds to the learning performed by the security analyst/expert, consistent with (applicant’s disclosure, para [0039]) “for purposes of determining the labels, the active machine learning engine 124 queries informational data sources, such as experts (the security analysts 117, for example)”]. Stokes, para [0047]); 
adapt the machine learning to recognize the second profile (Manually labeled items from the human analyst are then used to train the classifiers 306 and the models 308. The classifier can also be trained based on the predicted labels. Stokes, para [0043]); and 
display information to supplement the security event displayed in the GUI based on the second profile (FIG. 5C illustrates an email with an anomaly report. Various anomalies are listed to a security analyst [1023-1025 are security event displayed in the GUI] the instructions (you can send labels in for these anomalies […] the label assign to the entry) [represents the supplemental information based on the second profile]). Stokes, para [0054] & Fig. 5C) [instant application broadly recited the supplemental information only in para [0056] without specifying the displayed supplemental information].
Stokes applies active machine learning when uncertainty score is high (low confidence) (an entry is ambiguously classified if an uncertainty score indicates a high level of uncertainty [low confidence] in the classification. Stokes, claim 3), but does not explicitly teach in response to a comparison of the confidence value to a threshold. 
However, Kunnumma teaches in response to a comparison of the confidence value to a threshold applying an active machine learning (The evaluation of the confidence of the system in identifying an unlabeled clause is performed, characterized by the determination of certainty score. An expert user [active learning] may label only the dataset where the certainty score drops below a predefined certainty threshold. Kunnumma, para [0052]). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Stokes to apply the active machine learning in response to a comparison of the confidence value to a threshold. One would be motivated to do so, to apply active learning when confidence score reaches a predetermined threshold to label the data that did not fit the initial machine classifier. (Kunnumma, para [0052]).

As per claim 13, Stokes and Kunnumma teach the storage medium of claim 12, wherein the instructions, when executed by the machine, further cause the machine to classify the network device as being associated with at least one of an operating system, a client, a server, an email software, or a database software (an entry, for example, can correspond to a network computer accessing the network (e.g., corporate network, Internet) or accessing one or more internal servers. Malicious behavior on the network can include malware or the introduction of unauthorized computers on the network. If an anomaly corresponds with misuse or fraud, corrective action can be taken manually by the analyst or other personnel. Such corrective action can include temporarily disabling the computer. Stokes, para [0003]).

As per claim 15, Stokes teaches a system comprising: 
at least one processor (a processor, Stokes, para [0096]); and 
(machine-readable storage medium, wherein, when the program code is loaded into and executed by a machine. Stoke, para [0096]), cause the at least one processor to: 
in response to at least one of security events or security alerts being associated with network devices, apply supervised machine learning to classify the network devices according to a plurality of classes based on features associated with the network devices represented by data (uses the multi-class classifier 306 to predict the labels for the unlabeled items [features (entry) associated with a network device] by automatically classifying them. Stokes, para [0041]) (The multi-class classifier can be any one of a number of discriminative classifiers including logistic regression or a support vector machine (SVM) [supervised machine learning]. Stokes, para [0041]) (an entry, for example, can correspond to a network computer accessing the network (e.g., corporate network, Internet) or accessing one or more internal servers. Stokes, para [0003]), wherein said at least one of security events or security alerts are associated with potential security threats to a computer system containing the network devices (a malicious behavior detection/prevention system is provided that uses active learning to classify entries into multiple classes. A single entry can correspond to either the occurrence of one or more events and/or the non-occurrence of one or more events. Stokes, para [0008]) (single user interface is presented for labeling both potential anomalies and ambiguous entries [potential security threat]. Stokes, para [0054]); 
identify a set of the classifications based on confidences associated with the classifications (The items then can be ranked (366) according to the log likelihood score and/or the uncertainty score [confidences associated with the classification]. Based on the rank, items are selected. Stokes, para [0047]) 
(The items then can be ranked (366) according to the log likelihood score and/or the uncertainty score. Based on the rank, items are selected to be presented to the security analyst. Selected items 368 are presented to a security analyst for labeling [,where the active machine learning corresponds to the learning performed by the security analyst/expert, consistent with (applicant’s disclosure, para [0039]) “for purposes of determining the labels, the active machine learning engine 124 queries informational data sources, such as experts (the security analysts 117, for example)”]. Stokes, para [0047]); and 
adapt the supervised machine learning based on the determined labels for the security events and the associated features (Manually labeled items from the human analyst are then used to train the classifiers 306 and the models 308. The classifier can also be trained based on the predicted labels. Stokes, para [0043])
Stokes does not explicitly teach apply active machine learning to filter the classifications of the subset to identify a subset of the set of classifications; 
However, Kunnumma teaches apply active machine learning to filter the classifications of the subset to identify a subset of the set of classifications (the compute stage (304) comprises filtering (306) the candidates based on the certainty threshold value. All the candidates that have a certainty score below the certainty threshold [subset] may be passed to the next stage. Number of active candidates presented is directly proportional to the certainty threshold value. As the certainty threshold value increases, the number of active candidates that are selected for filtering also increases. Kunnumma, para [0064]). 
 (Kunnumma, para [0064]).

As per claim 18, Stokes and Kunnumma teach the system of claim 15, wherein the classifications comprise classifications associated with an operating system, a client, a server, email software, or database software (an entry, for example, can correspond to a network computer accessing the network (e.g., corporate network, Internet) or accessing one or more internal servers. Malicious behavior on the network can include malware or the introduction of unauthorized computers on the network. If an anomaly corresponds with misuse or fraud, corrective action can be taken manually by the analyst or other personnel. Such corrective action can include temporarily disabling the computer. Stokes, para [0003]).

As per claim 20, Stokes and Kunnumma teach the system of claim 15, wherein the instructions, when executed by the at least one processor, further cause the at least one processor to display information about the network devices in a graphical user interface (GUI) based on the supervised machine learning (single user interface is presented for labeling both potential anomalies and ambiguous entries. For example, a user interface can comprise a grid control with at least entries selected for labeling. A human analyst can enter the class directly into the grid control. Stokes, para [0054] and Fig. 5A-5C) (FIG. 5C illustrates an email with an anomaly report. Various anomalies are listed to a security analyst [1023-1025 are security event associated with network devices] the instructions (you can send labels in for these anomalies […] the label assign to the entry) [represents the supplemental information based on the second profile]). Stokes, para [0054] & Fig. 5C)

Claims 3-5, 9, 14, 16 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Stokes et al. U.S. Patent Pub. No. 2009/0099988 A1 (hereinafter “Stokes”) in view of Kunnumma et al. U.S. Patent Pub. No. 2020/0320430 A1 (hereinafter “Kunnumma”) and further in view of Filliben et al. U.S. Patent Pub. No. 2019/0377819 A1 (hereinafter “Filliben”)

As per claim 3, Stokes and Kunnumma teach the method of claim 1. Stokes does not explicitly teach wherein applying the supervised machine learning comprises applying ensemble machine learning using a plurality of supervised machine learning classifiers.
However, Filliben teaches wherein applying the supervised machine learning comprises applying ensemble machine learning using a plurality of supervised machine learning classifiers (the system may use a machine learning ensemble to determine an output based on inputs. Filliben, para [0072]) (the ensemble may use parallel ensemble techniques. The ensemble may use bootstrap aggregating (sometimes referred to as bagging) to determine an output. With bootstrap aggregating, the ensemble may contain a number of machine learning models where each model may vote with equal weight on the output (e.g., when the output is a classification). Filliben, para [0074]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Stokes so that applying  (Filliben, para [0009]).

As per claim 4, Filliben in view of Stokes and Kunnumma teaches the method of claim 3. Stoke does not explicitly teach wherein applying ensemble machine learning comprises: using the plurality of supervised machine learning classifiers to determine respective classifications for the network device based on the data; and determining the classification associated with the confidence based on the determined respective classifications.
However, Filliben teaches wherein applying ensemble machine learning comprises: using the plurality of supervised machine learning classifiers to determine respective classifications for the network device based on the data (The ensemble may determine an output using one or more machine learning models—e.g., decision trees, support vector machines, neural network, Boltzmann machine, restricted Boltzmann machine, autoencoder, clustering algorithms (knn, shared nearest neighbors, DBSCAN, K means, and others). Filliben, para [0072]); and 
determining the classification associated with the confidence based on the determined respective classifications (the system may use a machine learning ensemble to determine an output based on inputs. In one example, the output may include anomaly scores, heat scores, and classification output […] the system may use the machine learning ensemble to produce output comprising a fraud risk score. Filliben, para [0072] & Fig. 6 element 604).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Stokes so that applying  (Filliben, para [0009]).

As per claim 5, Filliben in view of Stokes and Kunnumma teaches the method of claim 4. Stokes does not explicitly teach wherein determining the classification associated with the confidence comprises selecting the most common classification among the respective classifications. 
However, Filliben teaches wherein determining the classification associated with the confidence comprises selecting the most common classification among the respective classifications (The ensemble may use bootstrap aggregating (sometimes referred to as bagging) to determine an output. With bootstrap aggregating, the ensemble may contain a number of machine learning models where each model may vote with equal weight on the output (e.g., when the output is a classification). The output of each model in the ensemble may be averaged together (e.g., when the output is a continuous variable). In other examples, an ensemble may incorporate Bayesian model combinations. In yet other examples, an ensemble may include a bucket of machine learning models and use a model selection algorithm to select the best model for a particular entity type. Filliben, para [0074]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Stokes so that determining the classification associated with the confidence comprises selecting the most 

As per claim 9, Stokes and Kunnumma teach the method of claim 1. Stoke does not explicitly teach wherein: applying the supervised machine learning model comprises applying a neural network classifier; and using the classification learned by the active machine learning classifier to adapt the supervised machine learning classifier comprises at least one of adding a neuron to the neural network classifier, adjusting a neuron weight of the neural network classifier or adding a neuron connection to the neural network classifier.
However, Filliben teaches applying the supervised machine learning model comprises applying a neural network classifier (The artificial neural network 100 may be configured to effectuate decision-making. Filliben, para [0063]); and 
using the classification learned by the active machine learning classifier to adapt the supervised machine learning classifier comprises at least one of adding a neuron to the neural network classifier, adjusting a neuron weight of the neural network classifier or adding a neuron connection to the neural network classifier (The artificial neural network 100 may be dynamically modified to learn and provide better input. Based on, for example, previous input and output and feedback from the feedback system 150, the artificial neural network 100 may modify itself. For example, processing in nodes may change and/or connections may be weighted differently. Filliben, para [0065]) (Feedback may be provided in a variety of ways, including via active learning, […] In active learning, a machine learning algorithm is allowed to query answers from an administrator. Filliben, para [0051]).
at least one of adding a neuron to the neural network classifier, adjusting a neuron weight of the neural network classifier or adding a neuron connection to the neural network classifier. One would be motivated to do so, to enhance the system by applying a machine learning algorithm that can dynamically improve the classification process and the decision making. (Filliben, para [0049]).

As per claim 14, Stokes and Kunnumma teach the storage medium of claim [[11]]12. Stokes does not explicitly teach wherein the instructions, when executed by the machine, further cause the machine to: apply a plurality of machine learning models to the determine a plurality of classifications for the network device based on data associated with the network device; and merge the plurality of classifications to determine the first profile.
However, Filliben teaches apply a plurality of machine learning models to the determine a plurality of classifications for the network device based on data associated with the network device (The ensemble may determine an output using one or more machine learning models—e.g., decision trees, support vector machines, neural network, Boltzmann machine, restricted Boltzmann machine, autoencoder, clustering algorithms (knn, shared nearest neighbors, DBSCAN, K means, and others). Filliben, para [0072]); and 
merge the plurality of classifications to determine the first profile (the ensemble may use parallel ensemble techniques. The ensemble may use bootstrap aggregating (sometimes referred to as bagging) to determine an output. With bootstrap aggregating, the ensemble may contain a number of machine learning models where each model may vote with equal weight on the output (e.g., when the output is a classification). The output of each model in the ensemble may be averaged together (e.g., when the output is a continuous variable). Filliben, para [0072] & Fig. 6 element 604).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Stokes to apply a plurality of machine learning models to the determine a plurality of classifications for the network device based on data associated with the network device; merge the plurality of classifications to determine the first profile. One would be motivated to do so, to enhance the classification accuracy of the system using multiple machine learning classifiers. (Filliben, para [0009]).

As per claim 16, Stokes and Kunnumma teach the system of claim 15. Stokes does not explicitly teach wherein the supervised machine learning is associated with a plurality of models and the instructions, when executed by the at least one processor, further cause the at least one processor to: for each model of the plurality of models, determine a class for the given network device and determine a vote corresponding to the determined class; and classify the given network device based on the determined classes and the corresponding votes.
However, Filliben teaches wherein the supervised machine learning is associated with a plurality of models (The ensemble may determine an output using one or more machine learning models—e.g., decision trees, support vector machines, neural network, Boltzmann machine, restricted Boltzmann machine, autoencoder, clustering algorithms (knn, shared nearest neighbors, DBSCAN, K means, and others). Filliben, para [0072]), and for each model of the plurality of models, determine a class for the given network device and determine a vote corresponding to the determined class (the ensemble may use parallel ensemble techniques. The ensemble may use bootstrap aggregating (sometimes referred to as bagging) to determine an output. With bootstrap aggregating, the ensemble may contain a number of machine learning models where each model may vote with equal weight on the output (e.g., when the output is a classification). Filliben, para [0072] & Fig. 6 element 604); and 
classify the given network device based on the determined classes and the corresponding votes (With bootstrap aggregating, the ensemble may contain a number of machine learning models where each model may vote with equal weight on the output (e.g., when the output is a classification). Filliben, para [0072] & Fig. 6 element 604).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Stokes so that the supervised machine learning is associated with a plurality of models and for each model of the plurality of models, determine a class for the given network device and determine a vote corresponding to the determined class; and classify the given network device based on the determined classes and the corresponding votes. One would be motivated to do so, to enhance the classification accuracy of the system using multiple machine learning classifiers by choosing the most voted class. 

As per claim 19, Stokes and Kunnumma teach the system of claim 15. Stokes does not explicitly teach wherein the supervised machine learning comprises ensemble machine learning.
 (the system may use a machine learning ensemble to determine an output based on inputs. Filliben, para [0072]) (the ensemble may use parallel ensemble techniques. The ensemble may use bootstrap aggregating (sometimes referred to as bagging) to determine an output. With bootstrap aggregating, the ensemble may contain a number of machine learning models where each model may vote with equal weight on the output (e.g., when the output is a classification). Filliben, para [0074]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Stokes so that the supervised machine learning comprises ensemble machine learning. One would be motivated to do so, to enhance the classification accuracy of the system using multiple machine learning classifiers. (Filliben, para [0009]).

Claims 6 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Stokes et al. U.S. Patent Pub. No. 2009/0099988 A1 (hereinafter “Stokes”) in view of Kunnumma et al. U.S. Patent Pub. No. 2020/0320430 A1 (hereinafter “Kunnumma”) and further in view of Stenneth U.S. Patent Pub. No. 2018/0150764 A1.

As per claim 6, Stokes and Kunnumma teach the method of claim 1, wherein:
the network device is associated with an Internet Protocol (IP) address (Remote computers associated with IP addresses (192.168.1.124 & 192.168.1.133). Stokes, Figs 5A & 5B); 

However, Stenneth teaches applying the active machine learning comprises querying a database for a label associated with the network device (to initiate labeling of road links, the mapping platform 107 determines the plurality of classification features for the unlabeled road link. For example, the plurality of classification features are the same features used to train the machine learning model as described with respect to step 401. Then, the mapping platform 107 can use processes such as those described below with respect to FIG. 5 to determine these classification features for each unlabeled road link. In many cases, how the values of the classification features are obtained (e.g., by querying a database). Stenneth, para [0092]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Stokes applying the active machine learning comprises querying a database for a label associated with the network device. One would be motivated to do so, to enhance the classification accuracy of the system by providing correct labels from a database for the unclassified data.

As per claim 17, Stokes and Kunnumma teach the system of claim 15. Stokes does not explicitly teach wherein the instructions, when executed by the at least one processor, further cause the at least one processor to: query a configuration and management database (CMDB) to determine to determine a label for a network device of the network devices. 
However, Stenneth teaches query a configuration and management database (CMDB) to determine to determine a label for a network device of the network devices (to initiate labeling of road links, the mapping platform 107 determines the plurality of classification features for the unlabeled road link. For example, the plurality of classification features are the same features used to train the machine learning model as described with respect to step 401. Then, the mapping platform 107 can use processes such as those described below with respect to FIG. 5 to determine these classification features for each unlabeled road link. In many cases, how the values of the classification features are obtained (e.g., by querying a database [which could be any type of database such as CMDB]). Stenneth, para [0092]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to modify the teaching of Stokes to query a configuration and management database (CMDB) to determine to determine a label for a network device of the network devices. One would be motivated to do so, to enhance the classification accuracy of the system by providing correct labels from a database for the unclassified data.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
A. Zhao et al. US 2020/0250527 A1 directed to systems and methods for active learning to provide labels for unlabeled data points.
B. Zhang et. al. CN 106790256 A published on 05/31/2017 directed to an active machine learning system using a plurality of machine learning algorithms.
C. Chidlovskii US 7,756,800 B2 directed for classifying data items such as a document based in part on input from a human annotator/expert. 

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SALEH NAJJAR can be reached on (571)272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



Respectfully Submitted

/KHALID M ALMAGHAYREH/Examiner, Art Unit 2492