Detailed Action
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This is the initial office action issued in response to patent application 16/887,650, filed on 05/29/2020. Claims 1-19, as originally filed, are currently pending and have been considered below. Claims 1, 10 and 19 are independent claims.

Information Disclosure Statement
The information disclosure statements (IDSs) submitted on 05/29/2020 and 04/30/2021 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Drawings
The drawings filed on 05/29/2020 are accepted by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

The claimed invention is not directed to patent eligible subject matter. Based upon consideration of all of the relevant factors with respect to the claims as a whole, claims 10-19 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
Claim 10 recites “a network apparatus” and claim 19 recites “a network system”. The claims recite an apparatus/system without positively reciting any hardware. Under the broadest reasonable interpretation, the Examiner assumes that “the apparatus/system” is no more than software. Computer programs per se do not fit within the recognized categories of statutory subject matter. Claims 10/19 recite “a/an apparatus/system” without reciting any component or structure. The preamble recites “an apparatus or a system”, but the apparatus or system cannot be implemented in software or a tangible component. If the device/apparatus/system is considered a machine, then the machine needs to consist of some concrete part or structure, which is absent from the claim. See MPEP § 2106.
A claim that covers both statutory and non-statutory embodiments (under the broadest reasonable interpretation of the claim when read in light of the specification and in view of one skilled in the art) embraces subject matter that is not eligible for patent protection and therefore is directed to non-statutory subject matter.
Claims 11-18 are dependent claims that depend from claim 10; they inherit the deficiencies of their parent claim and do not resolve them. Therefore, they are rejected on the same rationale as applied to parent claim 10 above.
Invitation to Participate in DSMER Pilot Program

The present application satisfies the criteria for participation set forth in the Federal Register Notice entitled “Deferred Subject Matter Eligibility Response (DSMER) Pilot Program.” Therefore, the examiner invites applicant to participate in the DSMER pilot program. 

An applicant who accepts the invitation to participate in this pilot program must still file a reply to every Office action mailed in this application, but may defer presenting arguments or amendments in response to subject matter eligibility (SME) rejection(s) until the earlier of final disposition of the application, or the withdrawal or obviation of all other outstanding non-SME rejections. A final disposition for purposes of this pilot program occurs upon the earliest of: mailing of a notice of allowance; mailing of a final Office action; filing of a notice of appeal; filing of a request for continued examination; or abandonment of the application. Other than applicant’s ability to defer responding to SME rejections, participation in the DSMER pilot program does not alter the normal examination process (e.g., as outlined in MPEP 700), and applicant must still respond to all non-SME rejections when replying to Office actions. 

Further information about the pilot program, including an explanation of the criteria for receiving an invitation, and the conditions of participation, is provided in the Federal Register Notice announcing the program, which is available on the pilot program website https://www.uspto.gov/patents/initiatives/patent-application-initiatives/deferred-subject-matter-eligibility-response.
Applicant has two choices with respect to this invitation:
(1) Applicant may elect to participate in the DSMER pilot program. To effect this choice, applicant MUST accept this invitation by filing a completed request form PTO/SB/456 with a timely response to this Office action. The DSMER Pilot request form must be signed in accordance with 37 CFR § 1.33(b) by a person having authority to prosecute the application, and must be submitted via the USPTO’s patent electronic filing systems (EFS-Web or Patent Center). The form is available on the pilot program website https://www.uspto.gov/patents/initiatives/patent-application-initiatives/deferred-subject-matter-eligibility-response. If the form is properly completed and timely received, the application will be entered into the pilot program.

(2) Applicant may decline to participate in the pilot program. No action is required from applicant to effect this choice, because if applicant does not timely file a properly completed form PTO/SB/456, the application will not be entered into the pilot program.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b): 
(b) CONCLUSION. - The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention. 

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 10 and 19 recite “obtaining, ….., network traffic between the web application and a server outside the network”. It is not clear what is outside the network: it could be the web application or it could be the server. Thus, the claims are vague and indefinite.
Claims 2-9 and 11-18 are dependent claims that depend from claims 1 and 10 respectively; they inherit the deficiencies of their parent claim and do not resolve them. Therefore, they are rejected on the same rationale as applied to the parent claims above.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in 

Claims 1-19 are rejected under 35 U.S.C. 103 as being unpatentable over Ranjan (US Patent No 8,682,812 B1) in view of Karin (US Patent Application Publication No 2018/0063188 A1).

Regarding Claim 1, Ranjan discloses a method for detecting Command and Control (C&C) toward a web application in a network (Ranjan, Fig-1), comprising:
obtaining, using a Web Application Firewall (WAF) of the network, network traffic between the web application and a server (Ranjan, col 1, line 45-55, the botnet’s originator can control the bots remotely from a command and control (C&C) server. Detecting the C&C channel is difficult because the HTTP protocol bypasses the firewall. Col 4, line 40-50, a data unit may be dynamically labeled as malicious (associated with a botnet as a bot or C&C server) or legitimate/non-malicious as it is observed for the first time in real-time network traffic. Web traffic data collected is analyzed);
transmitting the network traffic from the WAF to a machine learning model (Ranjan, Fig-1, element 125, col 4, line 55-65, given the nature of botnets, embodiments of the invention re-learn new machine learning models over time, utilizing continually updated lists of known bots for training. Col 8, line 45-55, the machine learning based model generator is configured to analyze, using a machine learning algorithm, the historical network data and the ground truth data set to generate a classification model);
determining, using the machine learning model, whether the network traffic comprises a command signature (Ranjan, col 14, line 15-20, the BotWatch system includes a list of IP addresses of known bots and C&C servers in the external IP blacklists. Col 18, line 5-15, based on the machine learning algorithm, the function F(X) is adjusted such that the predicted label Y matches, within a statistical range, the known label “malicious” for all data units of the historical network data that are also found in the external IP blacklist);
in response to determining that the network traffic comprises a command signature, generating a notification (Ranjan, col 6, line 5-15, an alert identifying detected malicious node names or an instruction to block malicious traffic may be provided); and 
Ranjan does not explicitly teach the following limitation that Karin teaches:
a server outside the network (Karin, Fig-1, ¶[0015], the command and control may identify a target entity to attack. The C&C may direct the botnet to perform a distributed denial of service attack on the target entity. ¶[0054]- ¶[0055], similar entities in a cluster are all under the same command and control. If there are T1 hits on several machines in a given cluster, embodiments can alert the rest of the machines in the cluster of the same threat);
Ranjan and Karin are analogous art because they are from the “same field of endeavor” and the same “problem solving area”. Namely, they pertain to the field of “malicious network activity in a network system”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Ranjan in view of Karin to include the idea of using machine learning to train a classifier for identifying or classifying entities, to increase confidence with respect to an entity being part of a distributed denial of service attack.

Regarding Claim 2, Ranjan in view of Karin discloses the method according to claim 1, 
wherein the machine learning model comprises a Random Forest (RF) classifier, and wherein the RF classifier comprises a plurality of decision trees (Ranjan, col 12, line 25-35, the machine learning algorithm may include an alternating decision tree. Karin, ¶[0044], each classifier selects a top number of features, which may be done by random forest feature importance ranking and training a random forest on a labeled dataset).

Regarding Claim 3, Ranjan in view of Karin discloses the method according to claim 2, further comprising: 
obtaining, using the WAF, an original dataset that comprises a plurality of network traffic samples (Ranjan, col 19, line 45-55, the machine learning algorithm uses a decision tree, which is a collection of classifiers. During the training process a decision tree is built whose internal nodes correspond to different attributes of the data samples. Karin, ¶[0051], Fig-2, an optimal number of clusters is found by the intersection of the two lines that best fit the graph of merge distance vs number of clusters); and
generating, from the original dataset, a plurality of bootstrapped datasets, wherein each of the plurality of decision trees corresponds to one of the plurality of bootstrapped datasets (Ranjan, col 19, line 45-55, the machine learning algorithm uses a decision tree, which is a collection of classifiers. During the training process a decision tree is built whose internal nodes correspond to different attributes of the data samples. Karin, ¶[0051], Fig-2, an optimal number of clusters is found by the intersection of the two lines that best fit the graph of merge distance vs number of clusters), and

 
Regarding Claim 4, Ranjan in view of Karin discloses the method according to claim 3, wherein the plurality of network traffic samples comprises a normal network traffic sample that does not have any command signature (Ranjan, col 4, line 40-50, a data unit may be dynamically labeled as malicious (associated with a botnet as a bot or C&C server) or legitimate/non-malicious as it is observed for the first time in real-time network traffic. Web traffic data collected is analyzed. Karin, ¶[0048], embodiments may be able to identify a cluster of entities that are all under the same command and control). 

Regarding Claim 5, Ranjan in view of Karin discloses the method according to claim 3, wherein whether the network traffic comprises a command signature is determined based on the votes of the plurality of decision trees (Ranjan, col 19, line 45-55, the machine learning algorithm uses a decision tree, which is a collection of classifiers. During the training process a decision tree is built whose internal nodes correspond to different attributes of the data samples).

Regarding Claim 6, Ranjan in view of Karin discloses the method according to claim 1, further comprising: in response to determining that the network traffic comprises a command signature, assigning an identifier to the network traffic (Ranjan, col 4, line 40-50, a data unit may be dynamically labeled as malicious (associated with a botnet as a bot or C&C server) or legitimate/non-malicious as it is observed for the first time in real-time network traffic. Web traffic data collected is analyzed. Karin, ¶[0048], embodiments may be able to identify a cluster of entities that are all under the same command and control). 

Regarding Claim 7, Ranjan in view of Karin discloses the method according to claim 6, wherein the notification comprises the identifier (Ranjan, col 6, line 5-20, an alert identifying detected malicious node names or an instruction to block malicious traffic may be provided. The identified malicious node name may be used to facilitate the identification of a source node. Karin, ¶[0048], embodiments may be able to identify a cluster of entities where all of the entities in the cluster are part of a particular botnet). 

Regarding Claim 8, Ranjan in view of Karin discloses the method according to claim 1, further comprising: 
decrypting and reformatting the network traffic by the WAF before transmitting the network traffic to the machine learning model (Ranjan, col 1, line 45-55, both programs usually communicate with each other over a network using a unique encryption scheme for stealth and protection against detection or intrusion into the botnet network).

Regarding Claim 9, Ranjan in view of Karin discloses the method according to claim 1, wherein the network is a local area network (Ranjan, col 5, line 5-15, the computer network may include local area networks).
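The method claims mapped above (claims 1-9, mirrored in apparatus claims 10-18) describe one pipeline: a WAF collects and reformats traffic, a random forest trained on bootstrapped copies of an original dataset votes on whether the traffic carries a command signature, and a positive result gets an identifier and a notification. The following is an added illustration of that pipeline written for this page; it is not code from the application, from Ranjan or from Karin. The feature names, the constructed training samples and the tiny forest are assumptions made for the example.

```python
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical per-flow features a WAF could hand to the model after decrypting
# and reformatting the traffic (assumed names; not from the application).
FEATURES = ["beacon_regularity", "requests_per_min", "browser_user_agent", "payload_entropy"]

Row = Tuple[List[float], int]  # (feature vector, label: 1 = command signature, 0 = normal)


def build_dataset(seed: int = 7) -> List[Row]:
    """Constructed 'original dataset': 10 normal flows and 10 C&C-like flows."""
    rng = random.Random(seed)
    rows: List[Row] = []
    for _ in range(10):
        # normal: irregular timing, modest rate, browser UA, text-like payloads
        rows.append(([rng.uniform(0.0, 0.4), rng.uniform(1, 20), 1.0, rng.uniform(3.0, 4.5)], 0))
        # C&C-like: periodic beaconing, bursts, scripted UA, high-entropy payloads
        rows.append(([rng.uniform(0.7, 1.0), rng.uniform(30, 60), 0.0, rng.uniform(5.5, 7.5)], 1))
    return rows


def gini(rows: List[Row]) -> float:
    if not rows:
        return 0.0
    p = sum(label for _, label in rows) / len(rows)
    return 1.0 - p * p - (1.0 - p) ** 2


def best_split(rows: List[Row]):
    """Return (impurity, feature index, threshold) of the best Gini split, or None."""
    best = None
    for f in range(len(FEATURES)):
        values = sorted({x[f] for x, _ in rows})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            left = [r for r in rows if r[0][f] <= thr]
            right = [r for r in rows if r[0][f] > thr]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if best is None or score < best[0]:
                best = (score, f, thr)
    return best


def build_tree(rows: List[Row], depth: int = 0, max_depth: int = 3):
    """Grow one decision tree; each internal node tests one attribute, leaves hold the majority label."""
    positives = sum(label for _, label in rows)
    majority = 1 if 2 * positives > len(rows) else 0
    if positives in (0, len(rows)) or depth == max_depth:
        return ("leaf", majority)
    split = best_split(rows)
    if split is None:  # all samples identical on every feature
        return ("leaf", majority)
    _, f, thr = split
    left = [r for r in rows if r[0][f] <= thr]
    right = [r for r in rows if r[0][f] > thr]
    return ("node", f, thr, build_tree(left, depth + 1, max_depth), build_tree(right, depth + 1, max_depth))


def predict_tree(tree, x: List[float]) -> int:
    while tree[0] == "node":
        _, f, thr, left, right = tree
        tree = left if x[f] <= thr else right
    return tree[1]


def train_forest(rows: List[Row], n_trees: int = 7, seed: int = 1):
    """One bootstrapped dataset (sampling with replacement) per tree."""
    rng = random.Random(seed)
    forest = []
    for _ in range(n_trees):
        bootstrapped = [rng.choice(rows) for _ in rows]
        forest.append(build_tree(bootstrapped))
    return forest


def classify(forest, x: List[float]) -> Tuple[bool, int]:
    """Majority vote of the trees; returns (has command signature, votes for it)."""
    votes = sum(predict_tree(t, x) for t in forest)
    return 2 * votes > len(forest), votes


@dataclass
class Notification:
    traffic_id: str
    client: str
    votes_for_command: int
    total_trees: int


def inspect_traffic(forest, features: List[float], client: str, seq: int) -> Optional[Notification]:
    """Model side of the WAF hand-off: on a positive vote, assign an identifier
    to the traffic and generate a notification that carries it."""
    is_command, votes = classify(forest, features)
    if not is_command:
        return None
    return Notification(f"cc-{seq:04d}", client, votes, len(forest))


if __name__ == "__main__":
    forest = train_forest(build_dataset())
    print(inspect_traffic(forest, [0.95, 45.0, 0.0, 6.8], "10.0.0.12", 1))  # constructed beaconing flow
    print(inspect_traffic(forest, [0.10, 5.0, 1.0, 3.8], "10.0.0.7", 2))    # constructed normal flow
```

The identifier assigned on a positive vote is the element that lets the notification, and any downstream block rule, be tied back to the specific flow the WAF forwarded; the vote count is kept in the notification so an analyst can see how unanimous the forest was before acting on it.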
 
Regarding Claim 10, Ranjan discloses a network apparatus for detecting Command and Control (C&C) toward a web application in a network, comprising: 
a Web Application Firewall (WAF) that obtains network traffic between the web application and a server (Ranjan, col 1, line 45-55, the botnet’s originator can control the bots remotely from a command and control (C&C) server. Detecting the C&C channel is difficult because the HTTP protocol bypasses the firewall. Col 4, line 40-50, a data unit may be dynamically labeled as malicious (associated with a botnet as a bot or C&C server) or legitimate/non-malicious as it is observed for the first time in real-time network traffic. Web traffic data collected is analyzed), and
a machine learning model that receives the network traffic from the WAF and determines whether the network traffic comprises a command signature (Ranjan, Fig-1, element 125, col 4, line 55-65, given the nature of botnets, embodiments of the invention re-learn new machine learning models over time, utilizing continually updated lists of known bots for training. Col 8, line 45-55, the machine learning based model generator is configured to analyze, using a machine learning algorithm, the historical network data and the ground truth data set to generate a classification model),
wherein, in response to determining that the network traffic comprises a command signature, the machine learning model generates a notification (Ranjan, col 6, line 5-15, an alert identifying detected malicious node names or an instruction to block malicious traffic may be provided). 
Ranjan does not explicitly teach the following limitation that Karin teaches:
a server outside the network (Karin, Fig-1, ¶[0015], the command and control may identify a target entity to attack. The C&C may direct the botnet to perform a distributed denial of service attack on the target entity. ¶[0054]- ¶[0055], similar entities in a cluster are all under the same command and control. If there are T1 hits on several machines in a given cluster, embodiments can alert the rest of the machines in the cluster of the same threat).
Ranjan and Karin are analogous art because they are from the “same field of endeavor” and the same “problem solving area”. Namely, they pertain to the field of “malicious network activity in a network system”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Ranjan in view of Karin to include the idea of using machine learning to train a classifier for identifying or classifying entities, to increase confidence with respect to an entity being part of a distributed denial of service attack.

Regarding Claim 11, Ranjan in view of Karin discloses the network apparatus according to claim 10, 
wherein the machine learning model comprises a Random Forest (RF) classifier, and wherein the RF classifier comprises a plurality of decision trees (Ranjan, col 12, line 25-35, the machine learning algorithm may include, alternating decision tree. Karin, ¶[0044], each classifier selects a top number of features that may be done by random forest feature importance ranking and training a random forest on a labeled dataset).

Regarding Claim 12, Ranjan in view of Karin discloses the network apparatus according to claim 11, 
wherein the WAF obtains an original dataset that comprises a plurality of network traffic samples (Ranjan, col 19, line 45-55, the machine learning algorithm uses a decision tree, which is a collection of classifiers. During the training process a decision tree is built whose internal nodes correspond to different attributes of the data samples. Karin, ¶[0051], Fig-2, an optimal number of clusters is found by the intersection of the two lines that best fit the graph of merge distance vs number of clusters),
wherein the machine learning model generates, from the original dataset, a plurality of bootstrapped datasets (Ranjan, col 19, line 45-55, the machine learning algorithm uses a decision tree, which is a collection of classifiers. During the training process a decision tree is built whose internal nodes correspond to different attributes of the data samples. Karin, ¶[0051], Fig-2, an optimal number of clusters is found by the intersection of the two lines that best fit the graph of merge distance vs number of clusters),
wherein each of the plurality of decision trees corresponds to one of the plurality of bootstrapped datasets (Ranjan, col 19, line 45-55, the machine learning algorithm uses a decision tree, which is a collection of classifiers. During the training process a decision tree is built whose internal nodes correspond to different attributes of the data samples. Karin, ¶[0051], Fig-2, an optimal number of clusters is found by the intersection of the two lines that best fit the graph of merge distance vs number of clusters), and
wherein each of the plurality of decision trees outputs a vote based on the network traffic (Ranjan, col 19, line 45-55, the machine learning algorithm uses a decision tree, which is a collection of classifiers. During the training process a decision tree is built whose internal nodes correspond to different attributes of the data samples. Karin, ¶[0051], Fig-2, an optimal number of clusters is found by the intersection of the two lines that best fit the graph of merge distance vs number of clusters).

Regarding Claim 13, Ranjan in view of Karin discloses the network apparatus according to claim 12, wherein the plurality of network traffic samples comprises a normal network traffic sample that does not have any command signature (Ranjan, col 4, line 40-50, a data unit may be dynamically labeled as malicious (associated with a botnet as a bot or C&C server) or legitimate/non-malicious as it is observed for the first time in real-time network traffic. Web traffic data collected is analyzed. Karin, ¶[0048], embodiments may be able to identify a cluster of entities that are all under the same command and control). 

Regarding Claim 14, Ranjan in view of Karin discloses the network apparatus according to claim 12, wherein whether the network traffic comprises a command signature is determined based on the votes of the plurality of decision trees (Ranjan, col 19, line 45-55, the machine learning algorithm uses a decision tree, which is a collection of classifiers. During the training process a decision tree is built whose internal nodes correspond to different attributes of the data samples).

Regarding Claim 15, Ranjan in view of Karin discloses the network apparatus according to claim 10, 
wherein, in response to determining that the network traffic comprises a command signature, the machine learning model assigns an identifier to the network traffic (Ranjan, col 4, line 40-50, a data unit may be dynamically labeled as malicious (associated with a botnet as a bot or C&C server) or legitimate/non-malicious as it is observed for the first time in real-time network traffic. Web traffic data collected is analyzed. Karin, ¶[0048], embodiments may be able to identify a cluster of entities that are all under the same command and control).

Regarding Claim 16, Ranjan in view of Karin discloses the network apparatus according to claim 15, wherein the notification comprises the identifier (Ranjan, col 6, line 5-20, an alert identifying detected malicious node names or an instruction to block malicious traffic may be provided. The identified malicious node name may be used to facilitate the identification of a source node. Karin, ¶[0048], embodiments may be able to identify a cluster of entities where all of the entities in the cluster are part of a particular botnet).

Regarding Claim 17, Ranjan in view of Karin discloses the network apparatus according to claim 10, wherein the WAF decrypts and reformats the network traffic before transmitting the network traffic to the machine learning model (Ranjan, col 1, line 45-55, both programs usually communicate with each other over a network using a unique encryption scheme for stealth and protection against detection or intrusion into the botnet network).

Regarding Claim 18, Ranjan in view of Karin discloses the network apparatus according to claim 10, wherein the network is a local area network (Ranjan, col 5, line 5-15, the computer network may include local area networks). 

Regarding Claim 19, Ranjan discloses a network system that operates in a network, comprising: 
a web application, a Web Application Firewall (WAF) (Ranjan, col 1, line 45-55, the botnet’s originator can control the bots remotely from a command and control (C&C) server. Detecting the C&C channel is difficult because the HTTP protocol bypasses the firewall. Col 4, line 40-50, a data unit may be dynamically labeled as malicious (associated with a botnet as a bot or C&C server) or legitimate/non-malicious as it is observed for the first time in real-time network traffic. Web traffic data collected is analyzed), and
a machine learning model,
wherein the WAF obtains network traffic between the web application and a server (Ranjan, col 1, line 45-55, the botnet’s originator can control the bots remotely from a command and control (C&C) server. Detecting the C&C channel is difficult because the HTTP protocol bypasses the firewall. Col 4, line 40-50, a data unit may be dynamically labeled as malicious (associated with a botnet as a bot or C&C server) or legitimate/non-malicious as it is observed for the first time in real-time network traffic. Web traffic data collected is analyzed),
wherein the machine learning model receives the network traffic from the WAF (Ranjan, Fig-1, element 125, col 4, line 55-65, given the nature of botnets, embodiments of the invention re-learn new machine learning models over time, utilizing continually updated lists of known bots for training. Col 8, line 45-55, the machine learning based model generator is configured to analyze, using a machine learning algorithm, the historical network data and the ground truth data set to generate a classification model),
wherein the machine learning model determines whether the network traffic comprises a command signature (Ranjan, col 14, line 15-20, the BotWatch system includes a list of IP addresses of known bots and C&C servers in the external IP blacklists. Col 18, line 5-15, based on the machine learning algorithm, the function F(X) is adjusted such that the predicted label Y matches, within a statistical range, the known label “malicious” for all data units of the historical network data that are also found in the external IP blacklist), and
wherein, in response to determining that the network traffic comprises a command signature, the machine learning model generates a notification (Ranjan, col 6, line 5-15, an alert identifying detected malicious node names or an instruction to block malicious traffic may be provided).
Ranjan does not explicitly teach the following limitation that Karin teaches:
a server outside the network (Karin, Fig-1, ¶[0015], the command and control may identify a target entity to attack. The C&C may direct the botnet to perform a distributed denial of service attack on the target entity. ¶[0054]- ¶[0055], similar entities in a cluster are all under the same command and control. If there are T1 hits on several machines in a given cluster, embodiments can alert the rest of the machines in the cluster of the same threat).
Ranjan and Karin are analogous art because they are from the “same field of endeavor” and the same “problem solving area”. Namely, they pertain to the field of “malicious network activity in a network system”. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Ranjan in view of Karin to include the idea of using machine learning to train a classifier for identifying or classifying entities, to increase confidence with respect to an entity being part of a distributed denial of service attack.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-Form 892).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WASIKA NIPA whose telephone number is (571)272-8923.  The examiner can normally be reached on M-F, 8 am to 5 pm. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status 



/WASIKA NIPA/           Primary Examiner, Art Unit 2433