Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


DETAILED ACTION



Abstract Objection

Applicant is reminded of the proper language and format for an abstract of the disclosure.
The abstract should be in narrative form and generally limited to a single paragraph on a separate sheet within the range of 50 to 150 words in length. The abstract should describe the disclosure sufficiently to assist readers in deciding whether there is a need for consulting the full patent text for details.
The language should be clear and concise and should not repeat information given in the title. It should avoid using phrases which can be implied, such as, “The disclosure concerns,” “The disclosure defined by this invention,” “The disclosure describes,” etc.  In addition, the form and legal phraseology often used in patent claims, such as “means” and “said,” should be avoided. See MPEP § 608.01(b) for guidelines for the preparation of patent abstracts.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  



Claims 1 – 21 are rejected under 35 U.S.C. 103 as being unpatentable over Nandha Premnath (US Pub. No. 2018/0205749 A1) in view of AAPA (Applicant Admitted Prior Art as disclosed in the as-filed disclosure).

Per claim 1, Nandha Premnath suggests a method for HTTP-based Access Point fingerprint and classification using machine learning, the method comprising:  training an Access Point HTTP-based machine-learning model (reads on the machine-learning model trained on a vast number of samples of access point behavior to determine the observations that indicate a benign or rogue access point, see Nandha Premnath para 0021), using machine-learning training techniques  (reads on the machine-learning model trained on a vast number of samples of access point behavior to determine the observations that indicate a benign or rogue access point, see Nandha Premnath para 0021) and a historical dataset of labelled Access Point HTTP response features collected by a feature extractor module  (reads on the machine-learning model trained on a vast number of samples of access point behavior to determine the observations that indicate a benign or rogue access point, see Nandha Premnath para 0021); generating the Access Point HTTP-based machine-learning model to perform HTTP-based classification of Access Points  (reads on the machine-learning model trained to indicate a benign or rogue access point based on a received beacon frame, see Nandha Premnath para 0021 and 0032); collecting, by a collector module, Access Point HTTP response packets from multiple Access Points having known classification labels (The Examiner construes this to be an obvious limitation of the prior art’s disclosure of training the machine-learning model on a vast number of samples of access point beacon frames, see Nandha Premnath para 0021 and 0032. The Examiner asserts it would have been obvious to one of ordinary skill in the art to collect those vast number of rogue/benign access point beacon frames from some sort of collector module in order for them to be used by the machine-learning module in order to meet the needs of the algorithm); extracting, by the feature extraction module, features from the collected Access Point HTTP response packets (The Examiner construes this to be an obvious limitation of the prior art’s disclosure of determining one or more feature vectors from the vast number of samples of access point beacon frames, see Nandha Premnath para 0023, 0032 and 0039. The Examiner asserts it would have been obvious to one of ordinary skill in the art to collect those vast number of rogue/benign access point beacon frames from some sort of collector module in order for them to be used by the machine-learning module in order to meet the needs of the algorithm); labelling the extracted Access Point HTTP response packet features, using labels from a set of classes defined according to a classification objective of the Access Point HTTP-based machine-learning model (The Examiner construes this to be an obvious limitation of the prior art’s disclosure of identifying the features from a vast number of samples of access point beacon frames as those associated with benign/rogue access points, see Nandha Premnath para 0021, 0023, 0032 and 0039. The Examiner asserts it would have been obvious to one of ordinary skill in the art to collect and label those vast number of rogue/benign access point beacon frame features from some sort of collector module and with the use of some sort of labeler in order for them to be used by the machine-learning module in order to meet the needs of the algorithm); selecting a set of features from the labelled Access Point HTTP response packet features, using feature selection techniques, that are the best suitable features to be used in the Access Point HTTP-based machine-learning model (The Examiner construes this to be an obvious limitation of the prior art’s disclosure of using the variety of expected features/characteristics of an access point in the machine-learning model based on a vast number of samples of access point beacon frames, see Nandha Premnath para 0021, 0032 and 0039. The Examiner asserts it would have been obvious to one of ordinary skill in the art to select the set of benign/rogue features using some sort of technique in order for the features/characteristics to be used by the machine-learning module in order to meet the needs of the algorithm); and classifying, using the Access Point HTTP-based machine- learning model, the selected set of features from the labelled Access Point HTTP response packet features to perform HTTP-based classification of Access Points (The Examiner construes this to be an obvious limitation of the prior art’s disclosure of identifying the features from a vast number of samples of access point beacon frames as those associated with benign/rogue access points, see Nandha Premnath para 0021, 0023, 0032 and 0039. The Examiner asserts it would have been obvious to one of ordinary skill in the art to collect, label and classify those vast number of rogue/benign access point beacon frame features in order for them to be used by the machine-learning module in order to meet the needs of the algorithm). The prior art of record is silent on explicitly stating Http-based access point.


[0021] In various embodiments, the network-independent machine-learning model may be trained on a vast number of samples of access point behavior to determine the observations that indicate a benign observation (for example, that may be consistent with a legitimate access point) and the observations that indicate a malicious observation (i.e., consistent with a rogue access point). A computing device may be configured with the network-independent machine-learning model (e.g., by download or installation).

[0022] In various embodiments, before the computing device establishes a communication link with the purported access point (e.g., by associating with the access point), the computing device may determine one or more parameters of the purported access point. The parameters of the purported access point may include one or more characteristics and/or one or more behaviors of the type of the purported access point.
[0029] In various embodiments, the access point 104 may be a purported access point detected by the mobile communication device 102. For example, the mobile communication device 102 may detect a signal transmitted by the access point 104, and the mobile communication device 102 may determine whether the access point 104 is a benign access point or a rogue access point.

[0030] FIG. 2 illustrates example logical components and information flows in an access point characterization system 200 according to various embodiments. With reference to FIGS. 1-2, the access point characterization system 200 may be implemented in one or more processors of a computing device, such as the mobile communication device 102 (e.g., a “processor” or “device processor”). The access point characterization system 200 may include an observer module 202, a behavior extractor module 204, an analyzer module 206, and a table manager 212 executing in the one or more processors of the computing device (e.g., 102).

[0031] The behavior observer module 202 may determine parameters of a purported access point (e.g., 104) based on a variety of information 220 from the purported access point. In some embodiments, the information 220 may include a signal frequency, SSID, BSID, a round-trip time, local clock, remote clock, sequence number of frames, association status, beacon interval, signal strength, information elements (IEs), and/or other information. In some embodiments, the information 220 may include information about the communication network to which the purported access point connects. For example, the information about the communication network may include a current network load, network configuration information, whether the network is secure or open, additional network vendor-specific parameters, and/or other information.

[0032] In some embodiments, the observer module 202 may receive the information 220 passively, for example, by receiving information transmitted by the purported access point, such as beacon frames. In some embodiments, the computing device may actively send a query to the purported access point. Such a query may be initiated by the observer module 202, or another module within the one or more processors of the computing device. The observer module 202 may then receive a response to the query from which the information 220 about the purported access point may be obtained. For example, the observer module 202 may determine a round-trip time (RTT) of the query to and corresponding response from the purported access point.

[0033] In some embodiments, the observer module 202 may determine one or more parameters of the purported access point based on the information 220. The observer module 200 may pass the determined parameters to the behavior extractor module 204. The observer module 202 may also store the determined parameters in a transient table 208 or pass the determined parameters in the table manager 212, which may store the parameters of the purported access point in the persistent profile table 210. In some embodiments, the table manager 212 or the transient table 208 may perform one or more operations on the parameters of the purported access point to further refine the information. Such operations may include, for example, averaging, bit masking, verifying set membership operations, determining a Hamming distance, and/or other operations. In some embodiments, the transient table 208 may provide the determined parameters and/or the refined parameters to the table manager 212.

[0034] The behavior extractor module 204 may use the determined parameters to determine one or more features 222 of the purported access point. In some embodiments, the determined features 222 may include one or more feature vectors that describe the observed characteristics of the purported access point.

[0035] In some embodiments, the behavior extractor module 204 may also receive information from the transient table 208. For example, the behavior extractor module 204 may receive information from the transient table 208 about the type of the purported access point, a communication network of the purported access point, a manufacturer of the purported access point, or other similar information.

[0036] A feature vector may be a data structure or an information structure that includes or encapsulates one or more observed characteristics and/or behaviors of a purported access point. In some embodiments, a feature vector may include an abstract number or symbol that represents all or a portion of an observed access point behavior or characteristic (i.e., a feature). In some embodiments, each feature may be associated with a data type that identifies a range of possible values, operations that may be performed on those values, the meanings of the values, and/or other similar information. In some embodiments, the data type may be used by the access point characterization system 200 to determine how the corresponding feature (or feature value) should be measured, analyzed, weighted, or used. In some embodiments, the behavior extractor module 204 may be configured to generate a feature vector of size “n” that maps the observed information of the purported access point into an n-dimensional space or vector. Each number or symbol in the feature vector (i.e., each of the “n” values stored by the vector) may represent the value of a feature.

[0037] The behavior extractor module 204 may receive information from the persistent profile table 210. In some embodiments, the persistent profile table 210 may be populated with expected characteristics of a network and/or access points. In some embodiments, the processor of the computing device may populate the persistent profile table 210 with information based on observations of one or more legitimate access points. In some embodiments, the processor of the computing device may populate the persistent profile table 210 with information that is downloaded from, or provided by, the network element of the communication system, such as a server or another similar device.

[0038] Using the determined features 222, the information from the transient table 208, and/or the information from the persistent profile table 210, the behavior extractor module 204 may determine or calculate one or more delta features 224. Again, the calculated delta features 224 may represent differences between the determined features 222 of the purported access point and expected access point/network characteristics obtained from the persistent profile table 210. The behavior extractor module 204 may provide the calculated delta features 224 to the analyzer module 206. In some embodiments, the number of the determined features 222 in the vector of features (n) and the number of delta features 224 in the vector of delta features (m) may be different.
[0039] FIG. 3 illustrates an example persistent profile table 300 according to various embodiments. With reference to FIGS. 1-3, the persistent profile table 300 (which may correspond to the persistent profile table 210) may include a variety of expected characteristics of a network and/or access point. For example, the persistent profile table 300 may include an SSID 302, a Cluster ID 304, a round-trip time 306, clock skew 308, a variety of additional information 310, and a vendor specific information element (IE) size 312.

[0040] In some embodiments, the Cluster ID 304 may represent a specific observed deployment of an access point associated with a particular communication network. For example, the persistent profile table 300 includes multiple entries for specific deployments 320 and 322 (which may include variations in specific hardware and/or software used in the deployed access point) associated with a communication network associated with an office network, and which have been assigned the Cluster ID “0” and “1,” respectively. As another example, the persistent profile table 300 includes three entries 326, 328, and 330, for three observed deployment of a communication network associated with a coffee shop chain, which have been assigned the Cluster ID “0,” “1,” and “2,” respectively. The persistent profile table 300 may also include other entries 324 for other network and/or Cluster IDs, without limitation. Each of the characteristics 302-312 may represent expected characteristics of a network and/or access point.

[0041] The analyzer module 206 may use a machine-learning model to analyze the calculated delta features 224. In some embodiments, the analyzer module 206 may rapidly analyze the calculated delta features 224 to determine whether the purported access point is a legitimate access point or a rogue access point. Based on the analysis of the calculated delta features 224, the analyzer module 206 may output an access point classification 230. In some embodiments, the analysis performed by the analyzer module 206 may include applying the calculated delta features 224 to a machine-learning model. In such embodiments, based on the analysis of the calculated delta features 224 using the machine-learning model, the analyzer module 206 may output the access point classification 230. In various embodiments, the access point classification 230 may include a determination of whether the purported access point is a rogue access point or a legitimate access point.

[0042] The analyzer module 206 may also provide the access point classification 230 and the determined features 222 to the table manager 212. The table manager 212 may update the persistent profile table 210 using the determined parameters and/or the refined parameters from the transient table 208, the determined features 222, and the calculated delta features 224. In some embodiments, the table manager 212 may update the persistent profile table 210 in response to a message 226, such as a message that may be sent by the processor of the computing device in response to receiving at the processor a command to associate the computing device with the purported access point.

[0043] The analyzer module 206 may analyze the calculated delta features 224 by applying the calculated delta features 224 to a machine-learning model to evaluate the behavior of the access point. In some embodiments, the analyzer module 206 may also combine or aggregate the behavior scores of all observed behavior and/or characteristics of the purported access point, for example, into an average behavior score, a weighted average behavior score, or another aggregation. In some embodiments, the analyzer module 206 may select one or more weights based on a feature of observed behavior and/or characteristic.

[0044] In some embodiments, the machine-learning model may include information such as a weight of each input feature that the analyzer module 206 may use to evaluate a specific feature or aspect of the observed features of the purported access point. Each classifier model may also include decision criteria for monitoring a number of features of the purported access point.

[0045] In some embodiments, the characteristics of networks and/or access points stored in the persistent profile table 210 may include one or more values that represent characteristics and/or behaviors of a legitimate access point corresponding to a particular access point type and/or communication network type. In some embodiments, the processor of the computing device may update the characteristics of networks and/or access points stored in the persistent profile table 210. Such updates may converge the one or more values of each characteristic based on the observed characteristics and/or behaviors of the purported access point. Thus, the processor may change the values stored in the persistent profile table 210 based on actual observations of access points by the computing device. The values stored in the persistent profile table 210 are used by the behavior extractor module 204 to calculate a set of behaviors (e.g., the delta features 224) of a purported access point. Thus, by updating the values stored in the persistent profile table 210 based on on-device observations, the device processor may dynamically extend the coverage of the machine-learning model without changing the machine-learning model itself, and without retraining the machine-learning model. The access point characterization system 200 is therefore scalable and network-independent, and may be used to analyze the behavior of any purported access point. Thus, the access point characterization system 200 may be used to determine whether any purported access point is a legitimate or rogue access point.

[0046] In various embodiments, by calculating the delta features 224, the access point characterization system 200 may modify the observed behaviors and/or characteristics of the purported access point (e.g., the determined features 222) to capture the differences between observed values and expectations for an identified type of communication network and/or access point.

[0047] For example, in operation, the computing device may observe a previously undetected purported access point. The computing device may receive a variety of information (e.g., the information 220) from the purported access point, such as a signal frequency, SSID, BSID, a round-trip time, local clock, remote clock, sequence number of frames, association status, beacon interval, signal strength, information elements (IEs), and/or other information. The information 220 may also include information about the communication network to which the purported access point connects. For example, the information about the communication network may include a current network load, network configuration information, whether the network is secure or open, additional network vendor-specific parameters, and/or other information. In some embodiments, based on the identified network of the purported access point (e.g., the SSID 302), the behavior extractor module 204 may identify expected characteristics of the purported access point. The expected characteristics of the purported access point may include a range of expected values, or an expected range of variation of the expected characteristics.

[0048] The behavior extractor module 204 may determine delta features (e.g., the delta features 224) that represent various differences between the observed information from the purported access point and the expected characteristics of the purported access point. In some embodiments, the behavior extractor module 204 may generate the delta vectors by performing operations such as one or more of subtraction of the observed characteristic or behavior from the expected characteristic or behavior, a bit mask operation, a verification of set membership operation, determination of a Hamming distance between the expected feature and the observed feature, or another operation. Thus, by calculating the delta features, the behavior extractor module 204 may remove or reduce variations in the observed characteristics and/or behavior of the purported access point from the expected characteristics and/or behaviors of the purported access point.

[0049] The behavior extractor module 204 may pass the delta features 224 to the analyzer module 206. The analyzer module 206 may apply the delta features 224 to the machine-learning model in order to determine whether the purported access point is a legitimate access point or a rogue access point. For example, deployment 320 in the office network may have an expected round-trip time of 16.0 μs. The observer module 202 may also receive a round-trip time from a newly-observed (purported) access point of 16.1 μs. As one example, the behavior extractor module 204 may subtract the expected round-trip time 16.0 μs from the observed round-trip time 16.1 μs to determine a delta feature of 0.1 μs. The analyzer module 206 may apply the delta features 0.1 μs to the machine-learning model, and may determine that the delta feature is sufficiently close to a previously observed value that the purported access point is a legitimate access point.

[0056] FIG. 4 illustrates a method 400 for detecting a rogue access point according to some embodiments. With reference to FIGS. 1-4, the method 400 may be implemented by one or more processors of a computing device (e.g., the mobile communication device 102).

[0057] In block 402, the processor may detect a purported access point. For example, the processor may detect that an access point advertisement message has been received by a radio frequency resource of the computing device.

[0058] In block 404, the processor may detect one or more parameters of the purported access point. The parameters of the purported access point may include one or more characteristics and/or one or more behaviors of the purported access point. For example, parameters of the purported access point may include a signal frequency, SSID, BSID, a round-trip time, local clock, remote clock, sequence number of frames, association status, beacon interval, signal strength, information elements (IEs), and/or other information. Parameters of the purported access point may include information about the communication network to which the purported access point connects. The information about the communication network may include, for example, a current network load, network configuration information, whether the network is secure or open, additional network vendor-specific parameters, and/or other information.

[0059] In block 406, the processor may store the one or more determined parameters in a transient table (e.g., the transient table 208) stored in memory of the computing device.

[0060] In block 408, the processor may determine features of the purported access point (e.g., the features 222).

[0061] In block 410, the processor may obtain an access point profile. In some embodiments, the processor may obtain the access point profile from the persistent profile table 210.

[0062] In block 412, the processor may calculate delta features (e.g., the delta features 224) based on the determined features of the purported access point and the access point profile. In some embodiments, the delta features may represent differences between the behaviors and/or characteristics of the determined features of the purported access point and behaviors and/or characteristics in the access point profile.

[0063] In block 414, the processor may apply the delta features to a machine-learning model. In some embodiments, the analyzer module 206 may apply the delta features to the machine-learning model.

[0064] In block 416, the processor may generate an access point classification of the purported access point based upon the output of the machine-learning model. For example, the analyzer module 206 may generate an access point classification 230.

[0065] In determination block 418, the processor may determine whether the purported access point is a legitimate access point or a rogue access point based upon the access point classification.

[0066] In response to determining that the purported access point is a rogue access point (i.e., determination block 418=“Rogue”), the processor may prevent the computing device from associating with the rogue access point in block 420.

[0067] In response to determining that the purported access point is a legitimate access point (i.e., determination block 418=“Legitimate”), the processor may permit the computing device to associate (e.g., connect) with the legitimate access point in block 422.

[0068] Following the operations of block 420 or block 422, the processor may update the profile table (e.g., the persistent profile table 210) in block 424.

[0069] Should the computing device detect another purported access point, the processor may repeat the operations of the method 400.


    PNG
    media_image1.png
    890
    954
    media_image1.png
    Greyscale



    PNG
    media_image2.png
    1239
    914
    media_image2.png
    Greyscale



AAPA suggests 
HTTP-based Access Point fingerprint (see AAPA para 0016 and 0025).



[00016] Currently, mostly of network communication performed by portable devices relies on the HTTP protocol. Therefore, one characteristic of most Access Points is the presence of an HTTP server. In a benign Access Point, an HTTP server are mainly used for providing a Web API that allows users to configure the AP or for delivering a captive portal webpage, which is displayed to the user in public Access Points before Internet access is granted. In a malicious Access Point, an HTTP server may perform any of the aforementioned application-layer attacks. Because stablishing a connection directly with an AP is not protected by any Intrusion Detection System or Firewall that may exists in the network, device users are unable to identify this type of attacks by default. Moreover, cloud-assisted solutions are not possible due to the lack of Internet connectivity when some of these attacks are executed. Consequently, attacks, such as credential stealing, have become a common practice nowadays.

[00025] "Wappalyzer", known solution for the technical problem envisaged by the present invention, performs HTTP server classification, employing various fingerprinting methods’ to identify web technologies. HTTP information gathering is similar to Tenable HMAP, but techniques employed, and objectives are different.



Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the access point classification teachings of the prior art of record by integrating the Http-based access point fingerprint teachings of AAPA to realize the instant limitation. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, since each individual element and its function are shown in the prior art, albeit shown in separate references, the difference between the claimed subject matter and the prior art rests not on any individual element or function but in the very combination itself- that is in the substitution of the Http-based Access Point fingerprint teachings of AAPA for the access point teachings of the primary reference. Thus, the simple substitution of one known element for another producing a predictable result renders the claim obvious. The motivation to combine the references applies to all claims under this heading.

Per claim 2, the prior art of record further suggests wherein the collecting the Access Point HTTP response packets comprises: passively sniffing a network to obtain the Access Point HTTP response packets (reads on before the computing device establishes a communication link with the purported access point the computing device may determine one or more parameters of the purported access point by receiving beacon frames from the purported access point, see Nandha Premnath para 0021 and 0029 – 0033); and sending the obtained Access Point HTTP response packets to the feature extractor module (reads on the behavior extractor module may use the determined parameters from the beacon frame to determine one or more features of the purported access point, see Nandha Premnath para 0029 – 0034).
Per claim 3, the prior art of record further suggests wherein the collecting the Access Point HTTP response packets comprises: actively sending an HTTP request to an Access Point (reads on the computing device may actively send a query to the purported access point, see Nandha Premnath para 0032); receiving the Access Point HTTP response packets from the Access Point (reads on receiving a response to the query from which the information about the purported access point may be obtained, see Nandha Premnath para 0032); and sending the received Access Point HTTP response packets to the feature extractor module (reads on the behavior extractor module may use the determined parameters from the beacon frame to determine one or more features of the purported access point, see Nandha Premnath para 0029 – 0034).
Per claim 4, the prior art of record further suggests wherein the collecting the Access Point HTTP response packets comprises: actively sending an HTTP request to an Access Point having a known HTTP response behavior (reads on the computing device may actively send a query to the purported access point, see Nandha Premnath para 0032); receiving the Access Point HTTP response packets from the Access Point (reads on receiving a response to the query from which the information about the purported access point may be obtained, see Nandha Premnath para 0032); comparing the known HTTP response behavior with the received Access Point HTTP response packets (reads on determining the differences between the determined features of the purported access point and expected access point characteristics, see Nandha Premnath para 0038 – 0039); and  based on the comparing, sending the received Access Point HTTP response packets that present different behavior from the known HTTP response behavior to the feature extractor module (reads on the behavior extractor module may use the determined parameters from the beacon frame to determine one or more features of the purported access point, see Nandha Premnath para 0029 – 0034). 
Per claim 5, the prior art of record further suggests wherein the extracting the features from the collected Access Point HTTP response packets comprises: extracting the features from a header of the Access Point HTTP response packets (reads on determining one or more characteristics from the beacon frame of the access point such as the exemplary BSID, information elements (IEs), and/or other information, see Nandha Premnath para 0022, 0029, 0031 and 0032); extracting the features from a body of the Access Point HTTP response packets (reads on determining one or more characteristics from the beacon frame of the access point such as the exemplary beacon interval, and/or other information, see Nandha Premnath para 0022, 0029, 0031 and 0032); and extracting the features from text data contained in a body of Access Point HTTP response packets (reads on determining one or more characteristics from the beacon frame of the access point such as the exemplary beacon interval, and/or other information, see Nandha Premnath para 0022, 0029, 0031 and 0032). 
Per claim 6, the prior art of record further suggests wherein the extracting the features from the collected Access Point HTTP responses further comprises: separating the extracted features into sets to be used in the Access Point HTTP-based machine-learning model to receive a specific set of features from the Access Point HTTP response packets (reads on determining one or more characteristics from the beacon frame of the access point such as the exemplary sets of signal frequency, SSID, BSID, a round-trip time, local clock, remote clock, sequence number of frames, association status, beacon interval, signal strength, information elements (IEs), a current network load, network configuration information, whether the network is secure or open, additional network vendor-specific parameters, and/or other information, see Nandha Premnath para 0022, 0029, 0031 and 0032).
Claim 7 is analyzed with respect to claim 1. The prior art of record further suggests classifying, using a plurality of machine-learning models (reads on performing HTTP server classification employing various fingerprinting methods, see AAPA para 00025); and combining results of the plurality of machine-learning models, using a model ensemble technique to obtain a final classification result to be used in external solutions  The Examiner construes this to be an obvious limitation of the prior art’s disclosure of employing various fingerprinting methods to perform HTTP server classification, see AAPA para 00025).
Per claim 8, the prior art of record further suggests wherein the model ensemble technique includes at least one of majority votes and a weight function (The Examiner construes this to be an obvious limitation of the prior art of record because Applicant’s disclosure does not explain what this entails. As a result, The Examiner asserts one of ordinary skill in the art would know how to implement this feature without any assistance from Applicant’s disclosure).
Per claim 9, the prior art of record further suggests wherein the classification is represented as a binary file, object file, parameter values in case of parametric models, weights, text description, or any type or combination of data files that entirely represent a machine-learning model (reads on the classification is rogue or benign, see Nandha Premnath para 0041). 
Per claim 10, the prior art of record further suggests further comprising recognizing an HTTP server type of the Access Point by applying one or multiple machine-learning models with recognition purposes (reads on recognizing the characteristics of the access point by applying more than one machine learning model based on recognizing exemplary features of signal frequency, SSID, BSID, a round-trip time, local clock, remote clock, sequence number of frames, association status, beacon interval, signal strength, information elements (IEs), a current network load, network configuration information, whether the network is secure or open, additional network vendor-specific parameters, and/or other information, see Nandha Premnath para 0020, 0022, 0029, 0031, 0032 and 0077).
Per claim 11, the prior art of record further suggests wherein the recognition purposes include at least one of: identifying whether the Access Point is a known HTTP server or service; identifying whether the Access Point belongs to a known class of HTTP server or services; identifying whether the Access Point is a known Access Points type; and  identifying whether the Access Point belongs to a class of known Access Points types (reads on determine if the purported access point is legitimate or rogue, see Nandha Premnath Figure 4 block 418).
Per claim 12, the prior art of record further suggests further comprising identifying characteristics of the Access Point by applying one or multiple machine-learning models with purposes to identify the characteristics based on the HTTP response packets (reads on applying one or more machine learning models in the detection of a rogue access point, see Nandha Premnath para 0020 and 0077).
Per claim 13, the prior art of record further suggests wherein the identifying the characteristics includes  identifying network properties of the Access Point(reads on recognizing the characteristics of the access point by applying more than one machine learning model based on recognizing exemplary features of signal frequency, SSID, BSID, a round-trip time, local clock, remote clock, sequence number of frames, association status, beacon interval, signal strength, information elements (IEs), a current network load, network configuration information, whether the network is secure or open, additional network vendor-specific parameters, and/or other information, see Nandha Premnath para 0020, 0022, 0029, 0031, 0032 and 0077). 
Per claim 14, the prior art of record further suggests wherein the Access Point is classified between malicious and benign classes, by applying one or multiple machine-learning models with purpose of detecting malicious Access Points (reads on applying one or more machine learning models in the detection of a rogue access point, see Nandha Premnath para 0020 and 0077). 
Per claim 15, the prior art of record further suggests wherein the Access Point is labelled as benign or malicious according to suspicious activities, including any type of bad behavior an Access Point may have that is considered for non-legitimate purposes (reads on one or more behaviors that indicate a malicious observation, see Nandha Premnath para 0020 – 0023).
Per claim 16, the prior art of record further suggests wherein the extracting the features includes using information from displayed text translated into a machine-learning model feature vector (The Examiner asserts the claim language does not specify where the text is displayed, as a result, The Examiner asserts the text could be displayed in any conventional manner as would be within the conventional skills of one of ordinary skill in the art when determining the text of the exemplary features of signal frequency, SSID, BSID, a round-trip time, local clock, remote clock, sequence number of frames, association status, beacon interval, signal strength, information elements (IEs), a current network load, network configuration information, whether the network is secure or open, additional network vendor-specific parameters, and/or other information in order to facilitate implementation of the technology, see Nandha Premnath para 0020, 0022, 0029, 0031, 0032 and 0077).
Per claim 17, the prior art of record further suggests wherein displayed based on HTTP content of a last HTTP response from the Access Point (reads on based on the beacon frame, see Nandha Premnath para 0021, 0023, 0032 and 0039).
Per claim 18, the prior art of record further suggests further comprising defining a word category as a label using a set of words that shares a meaning (reads on defining a category as benign/legitimate or rogue, see Nandha Premnath para 0016). 
Per claim 19, the prior art of record further suggests wherein the word category includes any combination of word, word category, or word groups (reads on defining a category as benign/legitimate or rogue, see Nandha Premnath para 0016). 
Per claim 20, the prior art of record further suggests wherein the features extracted from the collected Access Point HTTP response packets include at least one of: any other feature that represents a property, or part of, the HTTP content, in which the property can be translated into a numeric value (reads on any of the exemplary features of signal frequency, SSID, BSID, a round-trip time, local clock, remote clock, sequence number of frames, association status, beacon interval, signal strength, information elements (IEs), a current network load, network configuration information, whether the network is secure or open, additional network vendor-specific parameters, and/or other information, see Nandha Premnath para 0020, 0022, 0029, 0031, 0032 and 0077).
Per claim 21, the prior art of record further suggests wherein the features extracted from the collected Access Point HTTP response packets include at least one of:   a presence of specific strings in a header field value (reads on determining one or more characteristics from the beacon frame of the access point such as the exemplary BSID, information elements (IEs), and/or other information, see Nandha Premnath para 0022, 0029, 0031 and 0032. The Examiner construes a specific BSID to be a specific string).



Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Brian Shaw whose telephone number is ((571)270-5191.  The examiner can normally be reached on Mon-Thurs from 6:00 AM-3:30 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's Supervisor, Jorge Ortiz Criado can be reached on (571) 272-7624.  The fax phone number for the organization where this application or proceeding is assigned is 703-872-9306.  Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).


                                                                                                                                                                                            
/BRIAN F SHAW/Primary Examiner, Art Unit 2496