DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
Claims 1-20 are pending in this Office Action.

Response to Arguments
Applicant’s arguments filed in the amendment filed 12/06/2021 have been fully considered but are moot in view of new grounds of rejection. The reasons are set forth below.

Drawings
The formal drawings received on 06/19/2020 have been entered.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly 

Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for pre-AIA the inventor(s), at the time the application was filed, had possession of the claimed invention. MPEP 2161.01(I) and 2163.05(I)(3)(ii) give guidance. Generic claim language in the original disclosure does not satisfy the written description requirement if it fails to support the scope of the genus claimed. Ariad Pharms, Inc. v. Eli Lilly & Co., 598 F.3d 1336, 1350 (Fed. Cir. 2010)(en banc); Enzo Biochem, Inc. v. Gen-Probe, Inc., 323 F.3d 956, 968, 63 USPQ2d 1609, ___ (Fed. Cir. 2002) (holding that generic claim language appearing in ipsis verbis in the original specification did not satisfy the written description requirement because it failed to support the scope of the genus claimed); Fiers v. Revel, 984 F.2d 1164, 1170, 25 USPQ2d 1601, ___ (Fed. Cir. 1993) (rejecting the argument that “only similar language in the specification or original claims is necessary to satisfy the written description requirement”).
Even original claims may fail to satisfy the written description requirement when the invention is claimed and described in functional language but the specification does not sufficiently identify how the invention achieves the claimed function. Ariad, 598 F.3d at 1349 (“[A]n adequate written description of a claimed genus requires more than a generic statement of an invention’s boundaries.”) (citing Regents of the University of California v. Eli Lilly, 119 F.3d 1559, 1568). In Ariad, the court recognized the problem of 
“The problem is especially acute with genus claims that use functional language to define the boundaries of a claimed genus. In such a case, the functional claim may simply claim a desired result, and may do so without describing species that achieve that result. But the specification must demonstrate that the applicant has made a generic invention that achieves the claimed result and do so by showing that the applicant has invented species sufficient to support a claim to the functionally-defined genus.” Ariad, 598 F.3d at 1349.
The standard for description of computer-implemented functions is a description within the specification itself of the algorithm steps that are necessary to perform the claimed function. In re Hayes Microcomputer Prods., Inc. Patent Litigation, 982 F.2d 1527, 1533-34, 25 USPQ2d 1241, ___ (Fed. Cir. 1992). See also Aristocrat Technologies v. IGT, 521 F.3d 1328 (Fed. Cir. 2008). Specifically, if one skilled in the art would know how to program the disclosed computer to perform the necessary steps described in the specification to achieve the claimed function and the inventor was in possession of that knowledge, the written description requirement would be satisfied. Hayes, 982 F.2d at 1534.
Further, when a specification provides a single means of performing a function it does not entitle the inventor to all means of achieving the function. Lizardtech Inc. v. Earth Res. Mapping Inc., 424 F.3d 1336, 1346 (Fed. Cir. 2005). The written description requirement for a claimed genus may be satisfied through sufficient description of a representative number of species by actual reduction to practice (see MPEP Eli Lilly, 119 F.3d at 1568.
Thus it is clear what is required of computer-implemented functional claims: As Ariad stated, mere claim to the functionality, without more, is insufficient to meet the written description requirement. Hayes and Aristocrat teach that the applicant must provide at least a single means of achieving the function within the specification itself. That means the algorithm steps which achieve the function must be described in sufficient detail that one of ordinary skill in the art would reasonably conclude that the applicant had possession of the claimed subject matter. The applicant must provide at least a single set of algorithm steps which perform the function, but even then that only entitles the applicant to claim those steps, as a claim to the broader function without proof of the enlarged scope is insufficient under Lizardtech. Therefore, a claim to the functional result must include at least a single means, and then other means or some expanding principle sufficient to prove possession of the full scope.
In the instant case:
Examiner contends that Applicant does not even disclose a representative number of species (i.e., algorithms or steps/procedures) in the specification for the claimed genus for achieving the functionality “(B) generating a network communication model based on the observed communications data including flow matches between applications and hosts, wherein the network communication model defines whether an application and st
Claims 1 and 11 recite “wherein the network communication model defines whether an application and host can communicate to other hosts on the network in a particular host segment of a plurality of hosts segments each including a plurality of hosts in the network,” which is not present in the applicant’s specification.
Claims 1 and 11 recite “updating the network communication model based on the accuracy and providing the network communication model to any of a plurality of hosts on the network for communication thereon,” which is not present in the applicant’s specification.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Independent Claim(s):
Step 1: Statutory Category. Claim(s) 1-20 is/are directed to statutory category of subject matter. The claim(s) does/do fall within at least one of the four categories of patent eligible subject matter because the claim(s) is/are directed to either a process, machine, manufacture, or composition of matter.
Step 2A: Prong One. Judicial Exception. Claim(s) 1-20 is/are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. The claim(s) are directed to abstract idea of collecting and storing observed communications data representing the plurality of observed 
The independent claim(s) recites, in part, (A) for each of a plurality of observed communications over a network between applications executing on a plurality of computer systems, collecting and storing observed communications data representing the plurality of observed communications; (B) generating a network communication model based on the observed communications data including flow matches between applications and hosts, wherein the network communication model defines whether an application and host can communicate to other hosts on the network in a particular host segment of a plurality of hosts segments each including a plurality of hosts in the network; (C) generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications; and (D) identifying allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model; (E) identifying positive data representing a plurality of network communications that should be allowed by the network communication model; (F) calculating an accuracy of the network communication model based on the allowed data and the positive data; and (G) updating the network communication model based on the accuracy and providing the network communication model to any of a plurality of hosts on the network for communication thereon. These steps describe the concept of collecting and storing observed communications data representing the plurality of observed 
Step 2A: Prong Two. Practical Application. Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea - see MPEP 2106.05(f). Adding insignificant extra-solution activity to the judicial exception - see MPEP 2106.05(g). Generally linking the use of the judicial exception to a particular technological environment or field of use – see MPEP 2106.05(h).
Step 2B: Additional Elements Significantly More Than the Judicial Exception. The independent claim(s) do/does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. The claim recites the additional limitations of a “non-transitory computer-readable medium” and a “computer processor” for collecting and storing observed communications data representing the plurality of observed communications; 

Dependent Claim(s):
Step 1: Statutory Category. Claim(s) 2-10 and 12-20 is/are directed to statutory category of subject matter. The claim(s) does/do fall within at least one 
Step 2A: Judicial Exception. Claim(s) 2-10 and 12-20 is/are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. The claim(s) are directed to abstract idea of collecting and storing observed communications data representing the plurality of observed communications; generating a network communication model based on the observed communications data; generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications; and identifying allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model; identifying positive data representing a plurality of network communications that should be allowed by the network communication model; and calculating an accuracy of the network communication model based on the allowed data and the positive data with insignificant extra-solution activities, as explained in detail below. The claim(s) do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional computer elements, which are recited at a high level of generality, provide 
The dependent claim(s) recites, in part, Claim 2 - wherein the plurality of observed communications does not include any of the plurality of hypothetical communications; Claim 3 - wherein collecting and storing the observed communications data comprises collecting and storing, for each of the plurality of observed communications: data representing a source application of the observed communication; data representing a destination application of the observed communication; data representing a local Internet Protocol (IP) address of the observed communication; and data representing a remote IP address of the observed communication; Claim 4 - wherein (F) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the positive data which are not allowed by the network communication model; Claim 5 - wherein (F) comprises: (F)(1) calculating a precision value P based on the allowed data and the positive data: (F)(2) calculating a recall value R based on the allowed data and the positive data; and (F)(3) calculating the accuracy F based on the precision value and the recall value; Claim 6 - wherein (F)(3) comprises calculating F as (2×P×R)/(P+R); Claim 7 - wherein (F)(1) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the hypothetical data which are allowed by the network communication model; Claim 8 - wherein (F)(2) comprises dividing: 
Step 2B: Additional Elements Significantly More Than the Judicial Exception. The dependent claim(s) do/does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. The claim recites the additional limitations of a “non-transitory computer-readable medium” and a “computer processor” for: Claim 2 - wherein the plurality of observed communications does not include any of the plurality of hypothetical communications; Claim 3 - wherein collecting and storing the observed communications data comprises collecting and storing, for each of the plurality of observed communications: data representing a source application of the observed communication; data representing a destination application of the observed communication; data representing a local Internet Protocol (IP) address of the observed communication; and data representing a remote IP address of the observed communication; Claim 4 - wherein (F) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 2, 4-12, and 14-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Gudov et al. (Patent No.: US 8,151,341, hereinafter, “Gudov”) in view of Inamdar et al. (Pub. No.: US 2020/0112487, hereinafter, “Inamdar”), and further in view of Kuperman et al. (Pub. No.: US 2017/0244737, hereinafter, “Kuperman”) and Rostami-Hesarsorkh et al. (Patent No.: US 2015/0101013, hereinafter, “Rostami-Hesarsorkh”).
Claims 1, 11. Gudov teaches:
A method performed by at least one computer processor executing computer program instructions stored in at least one non-transitory computer-readable medium, the method comprising: – on lines 60-62 in column 1 (Disclosed are systems, methods and computer program products for reduction of false positives during detection of network attacks on a protected computer.)
(A) for each of a plurality of observed communications over a network between applications executing on a plurality of computer systems, collecting and storing observed communications data representing the plurality of observed communications; – on lines 13-16 in column 6 (At step 510, in parallel with filtering, the system mirrors network traffic to traffic sensors 330 that gather statistical information and track network anomalies from the redirected traffic.)
(B) generating a network communication model based on the observed communications data; – on lines 16-19 in column 6 (At step 520, the collected statistical information is used to create/update one or more filtering rules (or profiles) used by the filtering centers 210.)

Gudov does not explicitly teach:
(C) generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications.
However, Inamdar teaches:
(C) generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications; – in paragraph [0108] (The traffic generator 612 can receive the model or models and the traffic distribution information to generate simulated traffic corresponding to actual network traffic captured by the traffic analysis engine 600.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov with Inamdar to include (C) generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications, as taught by Inamdar, in paragraph [0015], to determine one or more traffic patterns included in the network traffic.

Combination of Gudov and Inamdar does not explicitly teach:
(D) identifying allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model; (E) identifying positive data representing a plurality of network communications that should be allowed by the network communication model; (F) calculating an accuracy of the network communication model based on the allowed data and the positive data; and (G) updating the network communication model based on the accuracy and providing the network communication model to any of a plurality of hosts on the network for communication thereon.
However, Kuperman teaches:
(D) identifying allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model; – in paragraph [0079] (False Positive Rate as a percentage of total requests predicted as malicious but where the requests were labeled as known non-malicious.)
(E) identifying positive data representing a plurality of network communications that should be allowed by the network communication model; and – in paragraph [0079] (False Positive Rate as a percentage of total requests predicted as malicious but where the requests were labeled as known non-malicious.)
(F) calculating an accuracy of the network communication model based on the allowed data and the positive data; – in paragraph [0079] (The model generator 209 utilizes a set of requests reserved for cross validation to verify validity of the model, and inputs a set of requests in a test data set to compute overall accuracy. The model generator 209 utilizes the cross validation set to verify that an indicated increase in accuracy of the model fitted to the training data during training iterations also translates to an actual increase in accuracy over the requests in the cross validation set. If the accuracy over the training data set increase, but the accuracy over the cross validation set decreases, that is an indication that the model (e.g., the ANN) is being overfitted and 
(G) updating the network communication model based on the accuracy and providing the network communication model to any of a plurality of hosts on the network for communication thereon. – in paragraph [0090] (Turning back to FIG. 3, the model generator 309 incorporates the user classified requests in the attributes database 307 as new unprocessed known malicious/non-malicious request training data for updating a model in the model database 311. For example, once enough unprocessed requests are stored in the attributes database 307, the model generator 209 may update a model in the model database 311 according the various methods 
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov and Inamdar with Kuperman to include (D) identifying allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model; (E) identifying positive data representing a plurality of network communications that should be allowed by the network communication model; (F) calculating an accuracy of the network communication model based on the allowed data and the positive data; and (G) updating the network communication model based on the accuracy and providing the network communication model to any of a plurality of hosts on the network for communication thereon, as taught by Kuperman, in paragraph [0020], to protect web applications at a host by analyzing web application behavior to detect malicious client requests.

Combination of Gudov, Inamdar, and Kuperman does not explicitly teach:
the observed communications data including flow matches between applications and hosts, wherein the network communication model defines whether an application and host can communicate to other hosts on the network in a particular host segment of a plurality of hosts segments each including a plurality of hosts in the network.
However, Rostami-Hesarsorkh teaches:
the observed communications data including flow matches between applications and hosts, wherein the network communication model defines whether an application and host can communicate to other hosts on the network in a particular host segment of a plurality of hosts segments each including a plurality of hosts in the network; – in paragraph [0031] (Encrypted peer-to-peer detection includes monitoring network traffic from a client to determine that the client is sending a request for information for a peer-to-peer application executing on the client; and generating a network traffic response to the client that emulates peer-to-peer network traffic. In some embodiments, encrypted peer-to-peer detection further includes blocking the request sent from the client that is for the peer-to-peer application executing on the client. In some embodiments, the generated network traffic response is sent from a security appliance that includes a firewall function, and the client is located within a network perimeter protected by the security appliance. In some embodiments, the peer-to-peer application violates a firewall policy stored on the security appliance, and the generated network traffic is sent using an IP address associated with the security appliance and a port number selected by the security appliance for communicating with the client to poison traffic associated with the peer-to-peer application executing on the client.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov, Inamdar, and Kuperman with Rostami-Hesarsorkh to include the observed communications data including flow matches between applications and hosts, wherein the network communication model defines whether an application and host can communicate to other hosts on the network 

Claims 2, 12. Combination of Gudov, Kuperman, Inamdar, and Rostami-Hesarsorkh teaches The method of claim 1 – refer to the indicated claim for reference(s). 

Inamdar further teaches:
wherein the plurality of observed communications does not include any of the plurality of hypothetical communications. – in paragraph [0108] (The traffic generator 612 can receive the model or models and the traffic distribution information to generate simulated traffic corresponding to actual network traffic captured by the traffic analysis engine 600.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov, Kuperman, and Rostami-Hesarsorkh with Inamdar to include wherein the plurality of observed communications does not include any of the plurality of hypothetical communications, as taught by Inamdar, in paragraph [0015], to determine one or more traffic patterns included in the network traffic.

Claims 4, 14. Combination of Gudov, Kuperman, Inamdar, and Rostami-Hesarsorkh teaches The method of claim 1 – refer to the indicated claim for reference(s).

Kuperman further teaches:
wherein (F) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the positive data which are not allowed by the network communication model. – in paragraph [0079] (The model generator 209 utilizes a set of requests reserved for cross validation to verify validity of the model, and inputs a set of requests in a test data set to compute overall accuracy. The model generator 209 utilizes the cross validation set to verify that an indicated increase in accuracy of the model fitted to the training data during training iterations also translates to an actual increase in accuracy over the requests in the cross validation set. If the accuracy over the training data set increase, but the accuracy over the cross validation set decreases, that is an indication that the model (e.g., the ANN) is being overfitted and further training would decrease accuracy. The test set, in turn, by presenting requests not factored into the training is utilized by the model generator 209 to confirm the predictive accuracy of the model. The model generator 209 may compute one or more of the following metrics based on model output for requests in the test data set to represent model accuracy to the system administrator. Accuracy Rate as a percentage of total requests predicted correctly in the cross validation and test data sets. False Positive Rate as a percentage of total requests predicted as malicious but where the requests were labeled as known non-malicious. False Negative Rate as a percentage of total requests predicted as non-malicious but where the requests were labeled as known malicious. Precision (P) as a measure of True Positives/(True 
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov, Inamdar, and Rostami-Hesarsorkh with Kuperman to include wherein (F) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the positive data which are not allowed by the network communication model, as taught by Kuperman, in paragraph [0020], to protect web applications at a host by analyzing web application behavior to detect malicious client requests.

Claims 5, 15. Combination of Gudov, Kuperman, Inamdar, and Rostami-Hesarsorkh teaches The method of claim 1 – refer to the indicated claim for reference(s).

Kuperman further teaches:
wherein (F) comprises: (F)(1) calculating a precision value P based on the allowed data and the positive data; (F)(2) calculating a recall value R based on the allowed data and the positive data; and (F)(3) calculating the accuracy F based on the precision value and the recall value. – in paragraph [0079] (The model generator 209 utilizes a set of requests reserved for cross validation to verify validity of the model, 
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov, Inamdar, and Rostami-Hesarsorkh with Kuperman to include wherein (F) comprises: (F)(1) calculating a precision value P 

Claims 6, 16. Combination of Gudov, Kuperman, Inamdar, and Rostami-Hesarsorkh teaches The method of claim 5 – refer to the indicated claim for reference(s).

Kuperman further teaches:
wherein (F)(3) comprises calculating F as (2×P×R)/(P+R). – in paragraph [0079] (Precision (P) as a measure of True Positives/(True Positives+False Positives), Recall (R) as a measure of True Positives/(True Positives+False Negatives) and a Balanced F Score: 2*(P*R/(P+R)). The F Score may be monitored by the model generator 209 to optimize the model, by choosing a malicious prediction threshold that maximizes F as a tradeoff between the Precision (P) and Recall (R) metrics.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov, Inamdar, and Rostami-Hesarsorkh with Kuperman to include wherein (F)(3) comprises calculating F as (2×P×R)/(P+R), as taught by Kuperman, in paragraph [0020], to protect web applications at a host by analyzing web application behavior to detect malicious client requests.

Claims 7, 17. Combination of Gudov, Kuperman, Inamdar, and Rostami-Hesarsorkh teaches The method of claim 6 – refer to the indicated claim for reference(s).  

Kuperman further teaches:
wherein (F)(1) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the hypothetical data which are allowed by the network communication model. – in paragraph [0079] (The model generator 209 utilizes a set of requests reserved for cross validation to verify validity of the model, and inputs a set of requests in a test data set to compute overall accuracy. The model generator 209 utilizes the cross validation set to verify that an indicated increase in accuracy of the model fitted to the training data during training iterations also translates to an actual increase in accuracy over the requests in the cross validation set. If the accuracy over the training data set increase, but the accuracy over the cross validation set decreases, that is an indication that the model (e.g., the ANN) is being overfitted and further training would decrease accuracy. The test set, in turn, by presenting requests not factored into the training is utilized by the model generator 209 to confirm the predictive accuracy of the model. The model generator 209 may compute one or more of the following metrics based on model output for requests in the test data set to represent model accuracy to the system administrator. Accuracy Rate as a percentage of total requests predicted correctly in the cross validation and test data sets. False Positive Rate as a percentage of total requests predicted as malicious but where the requests were labeled as known non-malicious. False Negative 
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov, Inamdar, and Rostami-Hesarsorkh with Kuperman to include wherein (F)(1) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the hypothetical data which are allowed by the network communication model, as taught by Kuperman, in paragraph [0020], in order to protect web applications at a host by analyzing web application behavior to detect malicious client requests.

Claims 8, 18. Combination of Gudov, Kuperman, Inamdar, and Rostami-Hesarsorkh teaches the method of claim 7 – refer to the indicated claim for reference(s).

Kuperman further teaches:
wherein (F)(2) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the positive data which are not allowed by the network communication model. – in paragraph [0079] (The model generator 209 utilizes a set of requests reserved for cross validation to verify validity of the model, and inputs a set of requests in a test data set to compute overall accuracy. The model generator 209 utilizes the cross validation set to verify that an indicated increase in accuracy of the model fitted to the training data during training iterations also translates to an actual increase in accuracy over the requests in the cross validation set. If the accuracy over the training data set increase, but the accuracy over the cross validation set decreases, that is an indication that the model (e.g., the ANN) is being overfitted and further training would decrease accuracy. The test set, in turn, by presenting requests not factored into the training is utilized by the model generator 209 to confirm the predictive accuracy of the model. The model generator 209 may compute one or more of the following metrics based on model output for requests in the test data set to represent model accuracy to the system administrator. Accuracy Rate as a percentage of total requests predicted correctly in the cross validation and test data sets. False Positive Rate as a percentage of total requests predicted as malicious but where the requests were labeled as known non-malicious. False Negative Rate as a percentage of total requests predicted as non-malicious but where the requests were labeled as known malicious. Precision (P) as a measure of True Positives/(True Positives+False Positives), Recall (R) as a measure of True Positives/(True Positives+False Negatives) and a Balanced F Score: 2*(P*R/(P+R)). 
The F Score may be monitored by the model generator 209 to optimize the model, by choosing a malicious prediction threshold that maximizes F as a tradeoff between the Precision (P) and Recall (R) metrics.)
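The set-based precision (F)(1), recall (F)(2) and F score (F)(3) recited in claims 6-8, computed offline before any model is applied to traffic, are shown here as an added example that is not taken from the application or the cited references. The wildcard rule format, the sample flows, and the reading of "hypothetical data" as flows that should not be allowed are assumptions.

```python
from fnmatch import fnmatchcase
from typing import NamedTuple

class Flow(NamedTuple):
    # Fields follow the per-communication data listed in claims 3 and 13.
    src_app: str
    dst_app: str
    local_ip: str
    remote_ip: str

# Constructed sample data: flows that should be allowed (positive data) ...
POSITIVE = {
    Flow("web", "api", "10.0.1.10", "10.0.2.20"),
    Flow("web", "api", "10.0.1.11", "10.0.2.20"),
    Flow("api", "db", "10.0.2.20", "10.0.3.30"),
    Flow("api", "cache", "10.0.2.20", "10.0.3.40"),
}
# ... and flows assumed here to be ones that should not be allowed (hypothetical data).
HYPOTHETICAL = {
    Flow("web", "db", "10.0.1.10", "10.0.3.30"),
    Flow("batch", "db", "10.0.4.50", "10.0.3.30"),
    Flow("api", "db", "10.0.9.99", "10.0.3.30"),
    Flow("web", "cache", "10.0.1.11", "10.0.3.40"),
}

# Hypothetical candidate models: each is a list of allow rules with glob wildcards.
MODELS = {
    "broad": [("*", "*", "10.0.*", "10.0.*")],
    "tight": [("web", "api", "10.0.1.*", "10.0.2.20"),
              ("api", "db", "10.0.2.20", "10.0.3.30")],
}

def allows(model, flow):
    """True if any rule matches every field of the flow."""
    return any(all(fnmatchcase(v, p) for v, p in zip(flow, rule)) for rule in model)

def score(model, positive=POSITIVE, hypothetical=HYPOTHETICAL):
    """Return (P, R, F) using the set sizes named in the claims."""
    tp = sum(allows(model, f) for f in positive)      # |allowed ∩ positive|
    fp = sum(allows(model, f) for f in hypothetical)  # hypothetical flows allowed
    fn = len(positive) - tp                           # positive flows not allowed
    p = tp / (tp + fp) if tp + fp else 0.0
    r = tp / (tp + fn) if tp + fn else 0.0
    f = 2 * p * r / (p + r) if p + r else 0.0         # guard: model allows nothing
    return p, r, f

def best_model(models=MODELS):
    """Pick the candidate with the highest F score."""
    return max(models, key=lambda name: score(models[name])[2])

if __name__ == "__main__":
    for name, rules in MODELS.items():
        print(name, "P=%.3f R=%.3f F=%.3f" % score(rules))
    print("selected:", best_model())
```

The over-broad rule reaches full recall but admits every hypothetical flow, so its F score falls below that of the tighter model, which misses one legitimate flow.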


Claims 9, 19. Combination of Gudov, Kuperman, Inamdar, and Rostami-Hesarsorkh teaches the method of claim 1 – refer to the indicated claim for reference(s).

Kuperman further teaches:
wherein calculating the accuracy comprises calculating the accuracy before applying the network communication model to any communications on the network. – in paragraph [0079] (The model generator 209 utilizes a set of requests reserved for cross validation to verify validity of the model, and inputs a set of requests in a test data set to compute overall accuracy.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov, Inamdar, and Rostami-Hesarsorkh with Kuperman to include wherein calculating the accuracy comprises calculating the accuracy before applying the network communication model to any communications on the network, as taught by Kuperman, in paragraph [0020], to protecting web 

Claims 10, 20. Combination of Gudov, Kuperman, Inamdar, and Rostami-Hesarsorkh teaches the method of claim 1 – refer to the indicated claim for reference(s).

Kuperman further teaches:
wherein identifying the positive data comprises receiving input indicating that the plurality of network communications should be allowed by the network communication model and storing data representing the input indicating that the plurality of network communications should be allowed by the network communication model. – in paragraph [0054] (Profile/Anomaly detection WAFs differ from this approach in that they are unsupervised and the number of labeled positive examples is zero. Positive examples (e.g., malicious requests) may be utilized to verify a profile/anomaly detection WAF but are not considered in generating profiles themselves. In contrast, the model generator 209 ingests both positively labeled (e.g., known malicious requests) and negatively labeled (e.g., known non-malicious requests) training examples. In addition, the requests collected by the attribute collector 207 may be specific to the web application 120 to which the requests are directed. Hence, the model generator 209 may train a model 205 for any number of web applications.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov, Inamdar, and Rostami-Hesarsorkh with Kuperman to include wherein identifying the positive data comprises receiving input .

Claim(s) 3 and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Gudov et al. (Patent No.: US 8,151,341, hereinafter, “Gudov”) in view of Inamdar et al. (Pub. No.: US 2020/0112487, hereinafter, “Inamdar”), and further in view of Kuperman et al. (Pub. No.: US 2017/0244737, hereinafter, “Kuperman”), Rostami-Hesarsorkh et al. (Patent No.: US 8,892,665, hereinafter, “Rostami-Hesarsorkh”), and Bansal et al. (Pub. No.: US 2018/0176184, hereinafter, “Bansal”).
Claims 3, 13. Combination of Gudov, Kuperman, Inamdar, and Rostami-Hesarsorkh teaches the method of claim 1 – refer to the indicated claim for reference(s).

Combination of Gudov, Kuperman, Inamdar, and Rostami-Hesarsorkh does not explicitly teach:
wherein collecting and storing the observed communications data comprises collecting and storing, for each of the plurality of observed communications: data representing a source application of the observed communication; data representing a destination application of the observed communication; data representing a local Internet Protocol (IP) address of the observed communication; and data representing a remote IP address of the observed communication.
However, Bansal teaches:
wherein collecting and storing the observed communications data comprises collecting and storing, for each of the plurality of observed communications: data representing a source application of the observed communication; data representing a destination application of the observed communication; data representing a local Internet Protocol (IP) address of the observed communication; and data representing a remote IP address of the observed communication. – in paragraph [0042] (Firewall flow records include tuples for identifying the packet or packet(s) associated with the firewall flow record. In one embodiment, the firewall flow records include the following five data tuples: source IP address, destination IP address, source port, destination port, and the protocol used.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov, Kuperman, Inamdar, and Rostami-Hesarsorkh with Bansal to include wherein collecting and storing the observed communications data comprises collecting and storing, for each of the plurality of observed communications: data representing a source application of the observed communication; data representing a destination application of the observed communication; data representing a local Internet Protocol (IP) address of the observed communication; and data representing a remote IP address of the observed .

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUHAMMAD RAZA whose telephone number is (571)272-7734.  The examiner can normally be reached on Monday-Friday, 7:00 A.M.-5:00 P.M.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on (571)272-7304.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MUHAMMAD RAZA/Primary Examiner, Art Unit 2449