Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 2021/0194931 (Parashar) in view of US 10,652,283 (Harvey).
With regard to claim 1, Parashar discloses a method for automatically classifying protected devices included in a protected network to a plurality of protection groups, each protection group providing customized protection, the method comprising: 
accessing network flow information, the network flow information including network statistics processed from observed data obtained by packet interception devices configured to intercept packets of network traffic (Parashar: Abstract.  Security groups can be recommended based on monitored flows, meaning the flow information is being accessed.);
classifying a protected device to at least one protection group of the plurality of protection groups, the protected device having an address that corresponds to a destination address associated information and as a function of the network statistics that correspond to the portion of the network flow information (Parashar: Abstract, paragraph [0050] and Figure 7C.  Security groups may be applied to the different flows based on information of the flows, including security information of the flows.  It is noted that the above two steps could be performed as a manual activity with considerations made by a human, while the details addressed below would utilize machine learning to automate this activity.).
Parashar fails to disclose:
accessing at least one model, wherein the at least one model was trained using machine learning and a training data set of the network flow information, the at least one model being trained to classify protected devices having addresses that correspond to destination addresses associated with the training data set to respective protection groups of the plurality of protection groups as a function of the network statistics that correspond to the training data set; and 
that the information used is the at least one model and machine learning.
However, Harvey teaches:
accessing at least one model (Harvey: Column 3, lines 53-67), wherein the at least one model was trained using machine learning and a training data set of the network flow information, the at least one model being trained to classify protected devices having addresses that correspond to destination addresses associated with the training data set to respective protection groups of the plurality of protection groups as a function of the network statistics that correspond to the training data set (Harvey: Column 10, lines 18 to 65 and Column 7, lines 3-15.  Source and destinations may be matched to rules to apply a security group to traffic, where such classifiers may be part of a machine learning system.  The classifiers can be trained using data for known tier types, where as the source and 
that the information used is the at least one model and machine learning (Harvey: Column 3, lines 53-67.  Machine learning can be applied to classify ).
Accordingly, it would have been obvious to one of ordinary skill in the art at the time of filing to utilize a model trained using machine learning and a training data set (known data) to the system of Parashar to improve the accuracy of the classifying of Parashar in an automatic fashion, thus ensuring that, over time, the system would be able to provide more optimal security group classifications.

With regard to claim 2, Parashar in view of Harvey teaches outputting results of the classification of the protected device to the at least one protection group together with identification and/or parameters of the at least one model used for the classification (Parashar: Figure 7C or Harvey: Column 7, lines 3-15.  Lacking detail of what constitutes “parameters of the at least one model used for the classification,” how such parameters are used, or any other detail, the results of the classifying and/or other information (e.g. other recommendations) of the devices would be within the scope of the classifying.  For clarity, Applicant should provide details of what constitutes parameters, remove the parameter language to require identification of the model, or provide details of how such parameters would be used.  Alternatively, Harvey can provide a confidence score as output with the match, which would be a parameter of the models used, as this would be part of the results.).

With regard to claim 3, Parashar in view of Harvey teaches wherein the protection group to which the protected device is classified includes several protection groups: determining a probability score for each protection group of the several protection groups, wherein the probability score is a function of at least one of a number of models of the least one model used for the classification, 

With regard to claim 4, Parashar in view of Harvey fails to teach expressly wherein the network flow information further includes test network flow information having corresponding destination addresses of protection devices that were previously classified to a protection group and one of the classifications was verified for each of the protection devices by assigning the protection group to the protection group, the method further comprising: testing the at least one model, including comparing the protection group to which the protected device was classified with the protection group to which the protected device was previously assigned; and associating a test score with the respective at least one model as a function of performance of the model as indicated by comparison, wherein the parameters of the at least one model include the test score associated with the respective models.
However, Official Notice (See MPEP 2144.03) is taken that it would have been well-known in the art at the time of filing to have the network flow information further includes test network flow information having corresponding destination addresses of protection devices that were previously classified to a protection group and one of the classifications was verified for each of the protection devices by assigning the protection group to the protection group, the method further comprising: testing the at least one model, including comparing the protection group to which the protected device was classified with the protection group to which the protected device was previously assigned; and associating a test score with the respective at least one model as a function of performance of the 
Accordingly, it would have been obvious to one of ordinary skill in the art at the time of filing to test the models using data that has known results, and to provide the results and test failure/success information to allow for the proper evaluation of the machine learning algorithms, thus enabling a human operator to know if the machine learning algorithms are performing their functions properly to enable corrections to be made.

With regard to claim 5, Parashar in view of Harvey fails to teach ignoring network flow information having corresponding destination addresses of protection devices that were previously classified to a protection group and the classifications were verified.
However, Official Notice is taken that it would have been well-known in the art at the time of filing to ignore network flow information having corresponding destination addresses of protection devices that were previously classified to a protection group and the classifications were verified (more specifically, when performing classification of ongoing information (e.g. flows), it would have been well-known in the art to not reclassify the ongoing information (e.g. flows) each time additional data is received, and to instead apply the classification to the new information.).


With regard to claim 6, Parashar in view of Harvey teaches intercepting packets of the network traffic, aggregating network flows from the intercepted packets, and forming network flow information from the aggregated network flow, wherein a network flow is a series of bounded communications between a source address and a destination address associated with one of the protected devices (Parashar: Paragraphs [0063] and Figure 8.  Engines at least between a source user and destination VM perform the classification, and thus would be considered to “intercept” such flows.  Further, the flows have a source address and destination address, and would include multiple (aggregated) packets.).

With regard to claim 7, Parashar in view of Harvey teaches training the at least one model using machine learning and the training data set, including training the at least one model to classify the protected devices having addresses that correspond to the destination addresses associated with the training data set to the respective protection groups of the plurality of protection groups as a function of the network statistics that correspond to the training data set (Harvey: Column 10, lines 18 to 65 and Column 7, lines 3-15.  Source and destinations may be matched to rules to apply a security group to traffic, where such classifiers may be part of a machine learning system.  The classifiers can be trained using data for known tier types, where as the source and destination addresses are used for matching, the tier types would apply this known data for training.).

With regard to claim 8, Parashar in view of Harvey fails to teach receiving user feedback regarding one of the at least one protection group to which one of the protected devices was classified; and assigning the protected device to the protection group based on the user feedback.
However, Official Notice is taken that it would have been well-known to one of ordinary skill in the art at the time of filing to receive user feedback regarding one of the at least one protection group to which one of the protected devices was classified; and assigning the protected device to the protection group based on the user feedback (more specifically, when using machine learning and other automatic functions, allowing a user to override results that were performed automatically was well-known in the art, where such user provided results would be user feedback (a correction), with the results being applied instead of the automatic results.).
Accordingly, it would have been obvious to one of ordinary skill in the art at the time of filing to allow a user to override the classification to ensure that the machine learning system would not be able to make irreparable mistakes in its function, thus ensuring that the network would be able to operate properly even when mistakes are made by the machine learning system.

With regard to claim 9, Parashar in view of Harvey fails to teach prompting a user for the user feedback.
However, Official Notice is taken that it would have been obvious to one of ordinary skill in the art at the time of filing to prompt a user for the user feedback (more specifically, prompting a user to verify automated actions was well-known in the art).
Accordingly, it would have been obvious to one of ordinary skill in the art at the time of filing to prompt a user for feedback to ensure that the user is aware of and approves of automatic decisions, thus ensuring that any mistakes made by the machine learning algorithm would be able to be corrected.

With regard to claims 11-19, the instant claims are similar to claims 1-9, and are rejected for similar reasons.

Claim Rejections - 35 USC § 103
Claims 10 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Parashar in view of Harvey, and further in view of US 9,386,033 (Rossman).
With regard to claim 10, Parashar in view of Harvey fails to teach determining augmented data for the protected device, the augmented data including at least one of a traceroute tree, hop numbers to the destination address, and ping latency, wherein the network flow information used for the classification of the protected device further includes the augmented data.
However, Rossman teaches determining augmented data for the protected device, the augmented data including at least one of a traceroute tree, hop numbers to the destination address, and ping latency, wherein the network flow information used for the classification of the protected device further includes the augmented data (Rossman: Column 4, lines 13-36.  Performance characterization data can be used to make security recommendations, where the data can include latency.  Official Notice is taken that the use of ping to measure latency was well-known in the art.).  Accordingly, it would have been obvious to one of ordinary skill in the art at the time of filing to at least utilize ping latency for the classifying to ensure that the performance of the network, such as latency, is taken into account for any security group classifications, thus preventing such classifications from causing issues in high latency situations (e.g. by adding additional latency to render the path unusable).

With regard to claim 20, the instant claim is similar to claim 10, and is rejected for similar reasons.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SCOTT B CHRISTENSEN whose telephone number is (571)270-1144. The examiner can normally be reached Monday through Friday, 6AM to 2PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John Follansbee can be reached on (571) 272-3964. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

SCOTT B. CHRISTENSEN
Examiner
Art Unit 2444



/SCOTT B CHRISTENSEN/Primary Examiner, Art Unit 2444