DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
Claims 1-20 are pending in this Office Action.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 01/18/2019 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Drawings
The formal drawings received on 01/18/2019 have been entered.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a)  IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same,  and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly 

Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement.  The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for pre-AIA the inventor(s), at the time the application was filed, had possession of the claimed invention. MPEP 2161.01(I) and 2163.05(I)(3)(ii) give guidance. Generic claim language in the original disclosure does not satisfy the written description requirement if it fails to support the scope of the genus claimed. Ariad Pharms, Inc. v. Eli Lilly & Co., 598 F.3d 1336, 1350 (Fed. Cir. 2010)(en banc); Enzo Biochem, Inc. v. Gen-Probe, Inc., 323 F.3d 956, 968, 63 USPQ2d 1609, ___ (Fed. Cir. 2002) (holding that generic claim language appearing in ipsis verbis in the original specification did not satisfy the written description requirement because it failed to support the scope of the genus claimed); Fiers v. Revel, 984 F.2d 1164, 1170, 25 USPQ2d 1601, ___ (Fed. Cir. 1993) (rejecting the argument that “only similar language in the specification or original claims is necessary to satisfy the written description requirement”).
Even original claims may fail to satisfy the written description requirement when the invention is claimed and described in functional language but the specification does not sufficiently identify how the invention achieves the claimed function. Ariad, 598 F.3d at 1349 (“[A]n adequate written description of a claimed genus requires more than a generic statement of an invention’s boundaries.”) (citing Regents of the University of California v. Eli Lilly, 119 F.3d 1559, 1568). In Ariad, the court recognized the problem of 
“The problem is especially acute with genus claims that use functional language to define the boundaries of a claimed genus. In such a case, the functional claim may simply claim a desired result, and may do so without describing species that achieve that result. But the specification must demonstrate that the applicant has made a generic invention that achieves the claimed result and do so by showing that the applicant has invented species sufficient to support a claim to the functionally-defined genus.” Ariad, 598 F.3d at 1349.
The standard for description of computer-implemented functions is a description within the specification itself of the algorithm steps that are necessary to perform the claimed function. In re Hayes Microcomputer Prods., Inc. Patent Litigation, 982 F.2d 1527, 1533-34, 25 USPQ2d 1241, ___ (Fed. Cir. 1992). See also Aristocrat Technologies v. IGT, 521 F.3d 1328 (Fed. Cir. 2008). Specifically, if one skilled in the art would know how to program the disclosed computer to perform the necessary steps described in the specification to achieve the claimed function and the inventor was in possession of that knowledge, the written description requirement would be satisfied. Hayes, 982 F.2d at 1534.
Further, when a specification provides a single means of performing a function it does not entitle the inventor to all means of achieving the function. Lizardtech Inc. v. Earth Res. Mapping Inc., 424 F.3d 1336, 1346 (Fed. Cir. 2005). The written description requirement for a claimed genus may be satisfied through sufficient description of a representative number of species by actual reduction to practice (see MPEP Eli Lilly, 119 F.3d at 1568.
Thus it is clear what is required of computer-implemented functional claims: As Ariad stated, mere claim to the functionality, without more, is insufficient to meet the written description requirement. Hayes and Aristocrat teach that the applicant must provide at least a single means of achieving the function within the specification itself. That means the algorithm steps which achieve the function must be described in sufficient detail that one of ordinary skill in the art would reasonably conclude that the applicant had possession of the claimed subject matter. The applicant must provide at least a single set of algorithm steps which perform the function, but even then that only entitles the applicant to claim those steps, as a claim to the broader function without proof of the enlarged scope is insufficient under Lizardtech. Therefore, a claim to the functional result must include at least a single means, and then other means or some expanding principle sufficient to prove possession of the full scope.
In the instant case:
Examiner contends that Applicant does not even disclose a representative number of species (i.e., algorithms or steps/procedures) in the specification for the claimed genus for achieving the functionality “capture telemetry data regarding encrypted network traffic associated with a first endpoint device in a network; receive, from the first endpoint device, an indication that a security agent executed on the first endpoint device has detected st rejection is proper.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Anderson et al. (Pub. No.: US 2017/0201810, hereinafter, “Anderson”) in view of Nellen, John (Pub. No.: US 2019/0141015, hereinafter, “Nellen”).
Claims 8, 1, 15. Anderson teaches:
An apparatus, comprising: a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed configured to: – in paragraph [0075] (The computing device 700 includes one or more processing units (CPU's) 702 (e.g., processors), one or more output interfaces 703 (e.g., a network interface), a memory 706, a programming interface 708, and one or more communication buses 704 for interconnecting these and various other components.)
capture telemetry data regarding encrypted network traffic associated with a first endpoint device in a network; – in paragraphs [0031], [0032], [0043] (Packets in the flow are encrypted. The telemetry backend system 120 can be configured to receive telemetry data regarding a flow, the telemetry data including a byte value distribution metric, and to classify the flow based (at least in part) on the byte value distribution metric. FIG. 2 shows a data exchange between a client 201 and a server 202 (e.g., two devices 101a-101e) including a handshake procedure 210-240 to establish an encrypted connection using a cryptographic protocol and exchange of application data 250 encrypted according to the cryptographic protocol.)
construct one or more patterns of encrypted traffic using the captured telemetry data from a time period associated with the received indication; and – in paragraphs [0031], [0032], [0043], [0060] (Packets in the flow are encrypted. The telemetry backend system 120 can be configured to receive telemetry data regarding a flow, the telemetry data including a byte value distribution metric, and to classify the flow based (at least in part) on the byte value distribution metric. FIG. 2 shows a data exchange between a client 201 and a server 202 (e.g., two devices 101a-101e) including a handshake procedure 210-240 to establish an encrypted connection using a cryptographic protocol and exchange of application data 250 encrypted according to the cryptographic protocol. The telemetry backend system classifies the flow as a benign flow or a malicious flow.)
use the one or more patterns of encrypted traffic to detect malware on a second endpoint device by comparing the one or more patterns of encrypted traffic to telemetry data regarding encrypted network traffic associated with the second endpoint device. – in paragraphs [0028], [0032], [0062] (Packets in the flow are encrypted. The method 400 can further include actions taken in response to and/or based on the classification. In some implementations, the telemetry backend system generates an alert based on the classification or kills the flow based on the classification. For example, the telemetry backend system can kill the flow based on a classification of the flow as a malicious flow. As another example, the telemetry backend system can quarantine a device in response to one or more flows classified as malicious coming from that device. Give insight into specific aspects of encrypted traffic, such as cryptographic protocol identification, data exfiltration identification, and malware identification.)

	Anderson does not explicitly teach:
one or more network interfaces to communicate with a zero trust network; receive, from the first endpoint device, an indication that a security agent executed on the first endpoint device has detected malware on the first endpoint device.
However, Nellen teaches:
one or more network interfaces to communicate with a zero trust network; – in paragraph [0060] (A Zero Trust environment can be implemented within the internal network such that any network requests generated by a first device—including an internal network request directed to a second device on the same internal network as the first device—may be first routed to and analyzed by the cloud-based multi-function firewall system.) 
receive, from the first endpoint device, an indication that a security agent executed on the first endpoint device has detected malware on the first endpoint device; – in paragraph [0011] (By doing so, the cloud-based multi-function firewall system can analyze and block certain network communications (e.g., network traffic detected as being potential or actual malicious threats, banned network traffic indicated malware on the internal network.) 
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Anderson with Nellen to include one or more network interfaces to communicate with a zero trust network; receive, from the first endpoint device, an indication that a security agent executed on the first endpoint device has detected malware on the first endpoint device, as taught by Nellen, in paragraph [0003], to monitor and block incoming and outgoing network traffic between an internal network and an untrusted outside network, e.g., the Internet, to limit access, inspect traffic, and prevent user devices connected to the internal network from certain threats including malware.

Claims 9, 2, 16. Combination of Anderson and Nellen teaches The apparatus as in claim 8 – refer to the indicated claim for reference(s).
Anderson teaches:
wherein the process when executed is further configured to: initiate a mitigation action after detecting malware on the second endpoint device, wherein the mitigation action comprises sending a malware detection alert to a user interface or blocking network traffic associated with the second endpoint device. – in paragraph [0062] (The method 400 can further include actions taken in response to and/or based on the classification. In some implementations, the telemetry backend system generates an alert based on the classification or kills the flow based on the classification. For example, the telemetry backend system can kill the flow based on a telemetry backend system can quarantine a device in response to one or more flows classified as malicious coming from that device.)

Claims 10, 3, 17. Combination of Anderson and Nellen teaches The apparatus as in claim 8 – refer to the indicated claim for reference(s).
Anderson teaches:
wherein the second endpoint device does not execute a security agent configured to detect malware. – in paragraph [0062] (The method 400 can further include actions taken in response to and/or based on the classification. In some implementations, the telemetry backend system generates an alert based on the classification or kills the flow based on the classification. For example, the telemetry backend system can kill the flow based on a classification of the flow as a malicious flow. As another example, the telemetry backend system can quarantine a device in response to one or more flows classified as malicious coming from that device.)

Claims 11, 4, 18. Combination of Anderson and Nellen teaches The apparatus as in claim 8 – refer to the indicated claim for reference(s).
Anderson teaches:
wherein the telemetry data comprises one or more of: a Transport Layer Security (TLS) extension, a cipher suite, a TLS version, or sequence of packet lengths and time (SPLT) information for the encrypted network traffic. – in paragraphs [0031], [0032], [0043] (Packets in the flow are encrypted. The telemetry backend system 120 can be configured to receive telemetry data regarding a flow, the telemetry data including a byte value distribution metric, and to classify the flow based (at least in part) on the byte value distribution metric. FIG. 2 shows a data exchange between a client 201 and a server 202 (e.g., two devices 101a-101e) including a handshake procedure 210-240 to establish an encrypted connection using a cryptographic protocol and exchange of application data 250 encrypted according to the cryptographic protocol. One method of encryption is TLS (Transport Layer Security).)

Claims 12, 5, 19. Combination of Anderson and Nellen teaches The apparatus as in claim 8 – refer to the indicated claim for reference(s).

Nellen further teaches:
wherein the telemetry data regarding the encrypted network traffic associated with the second endpoint device comprises one or more flow-based traffic features, and wherein the apparatus uses the one or more patterns of encrypted traffic to detect malware by: forming bags of traffic flows of the encrypted network traffic associated with the second endpoint device; constructing flow-based feature vectors from the flow-based traffic features associated with the bags of traffic flows; and using the flow-based feature vectors as input to a recurrent neural network (RNN) trained to detect malware-generated encrypted network traffic. – in paragraphs [0189], [0206] (To perform threat detection using an anomaly-based technique, the IPS can be configured classify the network traffic as including a potential threat based on heuristics or rules. In some 
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Anderson with Nellen to include wherein the telemetry data regarding the encrypted network traffic associated with the second endpoint device comprises one or more flow-based traffic features, and wherein the apparatus uses the one or more patterns of encrypted traffic to detect malware by: forming bags of traffic flows of the encrypted network traffic associated with the second endpoint device; constructing flow-based feature vectors from the flow-based traffic features associated with the bags of traffic flows; and using the flow-based feature vectors as input to a recurrent neural network (RNN) trained to detect malware-generated encrypted network traffic, as taught by Nellen, in paragraph [0003], to monitor and block incoming and outgoing network traffic between an internal network and an untrusted outside network, e.g., the Internet, to limit access, inspect traffic, and prevent user devices connected to the internal network from certain threats including malware.
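The telemetry recited in claims 11 and 12 (TLS version, cipher suite and extensions; sequence-of-packet-lengths-and-times; flow-based feature vectors grouped into bags of differing size) can be made concrete without decrypting anything, since all of it is visible in the handshake and in packet metadata. The following is an added example written for this page; it is not code from the applicant, from Anderson, or from Nellen. It builds a constructed TLS ClientHello, parses back the version, cipher suites and extension types with bounds checks so a truncated record raises rather than misparses, derives an SPLT vector (here: the first five packets as signed length and inter-arrival pairs, zero-padded, which is this example's own encoding), and bags per-flow feature vectors by destination domain. The popularity list, the flow records and every function name are constructed for the example; the RNN of claim 12 is not included, the bags are simply the ordered sequences such a model would consume.

```python
"""Illustrative encrypted-traffic telemetry extraction (added example, not the
applicant's, Anderson's or Nellen's code).  All inputs are constructed here."""
import struct

TLS_HANDSHAKE, CLIENT_HELLO = 0x16, 0x01


def _need(buf, pos, n):
    """Bounds check: a truncated or malformed record raises instead of misparsing."""
    if pos + n > len(buf):
        raise ValueError("record truncated at offset %d" % pos)
    return buf[pos:pos + n]


def _u16(buf, pos):
    return struct.unpack(">H", _need(buf, pos, 2))[0]


def build_client_hello(version, cipher_suites, extensions):
    """Constructed sample input: a minimal TLS ClientHello record (empty session id)."""
    body = struct.pack(">H", version) + b"\x00" * 32 + b"\x00"
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites + b"\x01\x00"  # null compression only
    exts = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Handshake metadata visible without decryption: version, cipher suites, extension types."""
    if _need(record, 0, 1)[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs = _need(record, 5, _u16(record, 3))
    if _need(hs, 0, 4)[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = _need(hs, 4, int.from_bytes(hs[1:4], "big"))
    version = _u16(body, 0)
    pos = 2 + 32                                  # skip client random
    pos += 1 + _need(body, pos, 1)[0]             # skip session id
    cs_len = _u16(body, pos)
    pos += 2
    suites = [_u16(body, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + _need(body, pos, 1)[0]             # skip compression methods
    ext_types = []
    if pos < len(body):
        end = pos + 2 + _u16(body, pos)
        pos += 2
        while pos + 4 <= end:
            etype, elen = _u16(body, pos), _u16(body, pos + 2)
            pos += 4
            _need(body, pos, elen)                # extension body must fit in the record
            pos += elen
            ext_types.append(etype)
    return {"version": version, "cipher_suites": suites, "extensions": ext_types}


def splt(packets, n=5):
    """First n (signed length, inter-arrival ms) pairs; negative = server-to-client; zero-padded."""
    seq, prev = [], packets[0][0] if packets else 0
    for t, direction, length in packets[:n]:
        seq.append((direction * length, t - prev))
        prev = t
    return seq + [(0, 0)] * (n - len(seq))


# Constructed stand-in for a domain-popularity ranking; unknown domains score 0.
POPULAR_DOMAINS = ["example.com", "example.net", "example.org"]


def flow_features(flow, n=5):
    """Per-flow vector: total bytes, mean packet size, domain popularity, then SPLT pairs."""
    sizes = [length for _, _, length in flow["packets"]]
    total = sum(sizes)
    dom = flow["dst_domain"]
    popularity = 1.0 / (POPULAR_DOMAINS.index(dom) + 1) if dom in POPULAR_DOMAINS else 0.0
    vec = [float(total), total / len(sizes) if sizes else 0.0, popularity]
    for length, delta in splt(flow["packets"], n):
        vec += [float(length), float(delta)]
    return vec


def bag_flows(flows):
    """Bag one endpoint's flows by destination: bags differ in size, each is an ordered
    list of feature vectors (the sequence a sequence model would consume)."""
    bags = {}
    for flow in flows:
        bags.setdefault(flow["dst_domain"], []).append(flow_features(flow))
    return bags


# Constructed sample inputs (not captured traffic).
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x1301, 0xC02F, 0xC030],                      # TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES-GCM x2
    [(0x0000, b"\x00\x0e\x00\x00\x0bexample.com"),  # server_name
     (0x000B, b"\x01\x00"),                          # ec_point_formats
     (0x002B, b"\x02\x03\x04")])                     # supported_versions: TLS 1.3
# packets: (timestamp ms, direction +1 client->server / -1 server->client, length)
SAMPLE_FLOWS = [
    {"dst_domain": "example.com", "packets": [(0, 1, 517), (12, -1, 1400), (13, -1, 1400),
                                              (15, 1, 93), (40, 1, 310), (60, -1, 2200)]},
    {"dst_domain": "example.com", "packets": [(100, 1, 517), (110, -1, 1400), (112, 1, 93), (130, 1, 280)]},
    {"dst_domain": "example.com", "packets": [(300, 1, 517), (311, -1, 1400), (312, 1, 93)]},
    # periodic same-sized exchanges with an unknown host: the shape a beacon leaves
    {"dst_domain": "cdn-update.invalid", "packets": [(500, 1, 220), (505, -1, 180), (1505, 1, 220),
                                                     (1510, -1, 180), (2505, 1, 220), (2510, -1, 180)]},
]

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE_HELLO))
    for domain, bag in bag_flows(SAMPLE_FLOWS).items():
        print(domain, len(bag), "flow(s); first vector:", bag[0])
```

Running the block prints the parsed handshake fields and two bags of unequal size (three flows to example.com, one to the unknown host), each a list of 13-value vectors. The bounds checks matter in practice: a collector that ingests attacker-controlled handshakes must treat every length field as untrusted, which is why every read goes through a checked slice.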

Claims 13, 6. Combination of Anderson and Nellen teaches The apparatus as in claim 12 – refer to the indicated claim for reference(s).
Anderson teaches:
wherein the bags of traffic flows comprise different numbers of traffic flows. – in paragraph [0056] (The method 400 includes receiving telemetry data regarding a flow including a byte value distribution metric and classifying the flow based on the byte value distribution metric. The method 400 can be performed for a number of flows based on telemetry data received from a number of different switches, endpoints, or other devices.)

Claims 14, 7. Combination of Anderson and Nellen teaches The apparatus as in claim 12 – refer to the indicated claim for reference(s).
Anderson teaches:
wherein the flow-based traffic features comprise at least one of: a number of traffic bytes, an average packet size, or a measure of popularity of a domain with which the second endpoint device communicated. – in paragraph [0057] (The telemetry data can further include at least one of source IP address of the flow, a destination IP address of the flow, a start time of the flow, a stop time of the flow, a protocol associated with the flow, a number of bytes in the flow, or a number of packets of the flow.)

Claim 20. Combination of Anderson and Nellen teaches The computer-readable medium as in claim 19 – refer to the indicated claim for reference(s).
Anderson teaches:
wherein the encrypted network traffic associated with the second endpoint device is not decrypted by the encrypted traffic analytics service. – in paragraphs [0028], [0032], [0062] (Packets in the flow are encrypted. The method 400 can further include actions taken in response to and/or based on the classification. In some implementations, the telemetry backend system generates an alert based on the classification or kills the flow based on the classification. For example, the telemetry backend system can kill the flow based on a classification of the flow as a malicious flow. As another example, the telemetry backend system can quarantine a device in response to one or more flows classified as malicious coming from that device. Give insight into specific aspects of encrypted traffic, such as cryptographic protocol identification, data exfiltration identification, and malware identification.)

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUHAMMAD RAZA whose telephone number is (571)272-7734. The examiner can normally be reached Monday-Friday, 7:00 A.M.-5:00 P.M.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on (571)272-7304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MUHAMMAD RAZA/Primary Examiner, Art Unit 2449