Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 04-06-2022 was in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Amendments Under 37 CFR 1.312
The proposed amendment filed on 04/04/2022 under 37 CFR 1.312 has NOT been entered. The amendments change the scope, form and content of the claims. Only the previously allowed set of amended claims is allowed, NOT this 312 amendment.

Response to Amendments
The amended claims 1, 3 – 11 and 13 – 22 have been fully considered under 35 USC 112, 101 and 103 for patentability over the closest and analogous prior art, Cohen et al (US 20210349979), hereafter Cohen; Misu et al (US 20200364579), hereafter Misu; Chan et al (US 20200387818), hereafter Chan; Dong et al (US 20200210808), hereafter Dong; and Zhang et al (US 20180165554), and are persuasive. Claims 2 and 12 are cancelled.

Allowable Subject Matter
1.	Amended claims 1, 3 – 11 and 13 – 22 are allowed in light of applicant’s arguments, approved examiner’s proposed amendments and in light of prior art(s) made of record. 

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee. Authorization for this examiner’s amendment was given in an interview with Wesley Austin (attorney) for filed amended claims on 03-15-2021:
1.	(Currently amended) A system for detecting potential malicious network activities in data traffic, the system comprising:
at least one memory;
a data pre-processing module, implemented on the at least one memory, configured to:
extract time-series features from a set of traffic data;
tokenize categorical features from the extracted time-series features and embed the tokenized features into corresponding dimensional embedding vectors;
an alert module, implemented on the at least one memory, communicatively connected to an output of the data pre-processing module, the alert module comprising a trained auto-encoder having a trained encoder with an output coupled to a trained classifier neural network, the alert module being configured to:
detect and classify 
whereby the trained encoder comprises locked-in encodings associated with the trained auto-encoder, and whereby the auto-encoder is trained, using a bootstrapping method, based on time-series features that were extracted and processed from an entire training set of data traffic, whereby the processed time-series features comprise numerical features and dimensional embedding vectors generated from tokenized categorical features using the data pre-processing module, and
whereby the classifier neural network is initialized using time-series labelled data provided as input to the trained data pre-processing module, wherein the initialized classifier neural network is subsequently trained using static labels for labelled data and dynamically generated labels for unlabelled data, wherein the bootstrapping method comprises the steps of:
for each iteration in the training of the auto-encoder, 
reducing a L2 reconstruction loss between an output of the auto-encoder and a fixed copy of input time-series comprising numerical features and learnable embeddings of categorical features.
2.	(Cancelled)
3.	(Original) The system according to claim 1 wherein the auto-encoder comprises Multi-Layered Perceptrons (MLP), Convolutional Neural Networks (CNN), Recurrent Neural Networks (RNN) or any combination thereof.
4.	(Original) The system according to claim 1 wherein the locked-in encodings associated with the trained encoder comprise fixed encodings generated as a result of the auto-encoder being trained.
5.	(Original) The system according to claim 1 wherein the tokenizing of the categorical features from the extracted time-series features comprises the data pre-processing module being configured to assign unique integer values to each unique categorical feature in the entire set of extracted time-series.
6.	(Original) The system according to claim 1 wherein the tokenizing of the categorical features from the extracted time-series features comprises the data pre-processing module being configured to assign unique integer values to each occurrence of the categorical feature in each extracted time-series.
7.	(Original) The system according to claim 1 wherein the conversion of tokens to dimensional embeddings comprises the data pre-processing module being configured to assign dimensional embeddings for each unique token in the time series.
8.	(Original) The system according to claim 1 wherein the initialization of the classifier neural network comprises the alert module being configured to use a supervised learning technique to train the classifier neural network, based on the labelled time-series data provided to the input of the trained data pre-processing module.
9.	(Original) The system according to claim 1 wherein the training of the initialized classifier neural network using static labels for labelled data and dynamically generated labels for unlabelled data comprises the alert module being configured to:
compute confidence scores for each threat type in the labelled data;
generate a threshold value for each threat type based on the computed confidence scores for each threat in the labelled data; 
dynamically label the unlabelled data using the generated threshold values for each of the threat types; and
train the initialized classifier neural network using the labelled and dynamically labelled data.
10.	(Original) The system according to claim 1 wherein the alert module is configured to be updated in an online manner using new network traffic data and associated alerts from other existing models.
11.	(Currently amended) A method for detecting potential malicious network activities in data traffic using a system comprising a data pre-processing module and an alert module communicatively connected to an output of the data pre-processing module, whereby the alert module comprises a trained auto-encoder having a trained encoder with an output coupled to a trained classifier neural network, the method comprising:
extracting, using the data pre-processing module, time-series features from a set of traffic data;
tokenizing, using the data pre-processing module, categorical features from the extracted time-series features and embedding the tokenized features into corresponding dimensional embedding vectors;
detecting and classifying, using the alert module, 
whereby the trained encoder comprises locked-in encodings associated with the trained auto-encoder, and whereby the auto-encoder is trained, using a bootstrapping method, based on time-series features that were extracted and processed from an entire training set of data traffic, whereby the processed time-series features comprise numerical features and dimensional embedding vectors generated from tokenized categorical features using the data pre-processing module, and
whereby the classifier neural network is initialized using time-series labelled data provided as input to the trained data pre-processing module, wherein the initialized classifier neural network is subsequently trained using static labels for labelled data and dynamically generated labels for unlabelled data,
wherein the bootstrapping method comprises the steps of:
for each iteration in the training of the auto-encoder, 
reducing a L2 reconstruction loss between an output of the auto-encoder and a fixed copy of input time-series comprising numerical features and learnable embeddings of categorical features.
12.	(Cancelled) 
13.	(Original) The method according to claim 11 wherein the auto-encoder comprises Multi-Layered Perceptrons (MLP), Convolutional Neural Networks (CNN), Recurrent Neural Networks (RNN) or any combination thereof.
14.	(Original) The method according to claim 11 wherein the locked-in encodings associated with the trained encoder comprise fixed encodings generated as a result of the auto-encoder being trained.
15.	(Original) The method according to claim 11 wherein the tokenizing of the categorical features from the extracted time-series features comprises:
assigning, using the data pre-processing module, unique integer values to each unique categorical feature in the entire set of extracted time-series.
16.	(Original) The method according to claim 11 wherein the tokenizing of the categorical features from the extracted time-series features comprises:
assigning, using the data pre-processing module, unique integer values to each occurrence of the categorical feature in each extracted time-series.
17.	(Original) The method according to claim 11 wherein the conversion of tokens to dimensional embeddings comprises: 
assigning, using the data pre-processing module, dimensional embeddings for each unique token in the time series.
18.	(Original) The method according to claim 11 wherein the initialization of the classifier neural network comprises:
training, using the alert module, the classifier neural network using a supervised learning technique, the training being based on the labelled time-series data provided to the input of the trained data pre-processing module.
19.	(Original) The method according to claim 11 wherein the training of the initialized classifier neural network using static labels for labelled data and dynamically generated labels for unlabelled data comprises: 
computing, using the alert module, confidence scores for each threat type in the labelled data;
generating, using the alert module, a threshold value for each threat type based on the computed confidence scores for each threat in the labelled data; 
dynamically labelling, using the alert module, the unlabelled data using the generated threshold values for each of the threat types; and
training, using the alert module, the initialized classifier neural network using the labelled and dynamically labelled data.
20.	(Original) The method according to claim 11 further comprising the step of:
detecting, using the alert module, potential malicious network activities in data traffic by using a static or a dynamically computed threshold that is based on recent network traffic data and alerts.
21.	(New) A system for detecting potential malicious network activities in data traffic, the system comprising:
at least one memory;
a data pre-processing module, implemented on the at least one memory, configured to:
extract time-series features from a set of traffic data;
tokenize categorical features from the extracted time-series features and embed the tokenized features into corresponding dimensional embedding vectors;
an alert module, implemented on the at least one memory, communicatively connected to an output of the data pre-processing module, the alert module comprising a trained auto-encoder having a trained encoder with an output coupled to a trained classifier neural network, the alert module being configured to:
detect and classify 
whereby the trained encoder comprises locked-in encodings associated with the trained auto-encoder, and whereby the auto-encoder is trained, using a bootstrapping method, based on time-series features that were extracted and processed from an entire training set of data traffic, whereby the processed time-series features comprise numerical features and dimensional embedding vectors generated from tokenized categorical features using the data pre-processing module, and
whereby the classifier neural network is initialized using time-series labelled data provided as input to the trained data pre-processing module, wherein the initialized classifier neural network is subsequently trained using static labels for labelled data and dynamically generated labels for unlabelled data,
wherein the training of the initialized classifier neural network using static labels for labelled data and dynamically generated labels for unlabelled data comprises the alert module being configured to:
compute confidence scores for each threat type in the labelled data;
generate a threshold value for each threat type based on the computed confidence scores for each threat in the labelled data; 
dynamically label the unlabelled data using the generated threshold values for each of the threat types; and
train the initialized classifier neural network using the labelled and dynamically labelled data.
22.	(New) A method for detecting potential malicious network activities in data traffic using a system comprising a data pre-processing module and an alert module communicatively connected to an output of the data pre-processing module, whereby the alert module comprises a trained auto-encoder having a trained encoder with an output coupled to a trained classifier neural network, the method comprising:
extracting, using the data pre-processing module, time-series features from a set of traffic data;
tokenizing, using the data pre-processing module, categorical features from the extracted time-series features and embedding the tokenized features into corresponding dimensional embedding vectors;
detecting and classifying, using the alert module, 
whereby the trained encoder comprises locked-in encodings associated with the trained auto-encoder, and whereby the auto-encoder is trained, using a bootstrapping method, based on time-series features that were extracted and processed from an entire training set of data traffic, whereby the processed time-series features comprise numerical features and dimensional embedding vectors generated from tokenized categorical features using the data pre-processing module, and
whereby the classifier neural network is initialized using time-series labelled data provided as input to the trained data pre-processing module, wherein the initialized classifier neural network is subsequently trained using static labels for labelled data and dynamically generated labels for unlabelled data, 
wherein the training of the initialized classifier neural network using static labels for labelled data and dynamically generated labels for unlabelled data comprises: 
computing, using the alert module, confidence scores for each threat type in the labelled data;
generating, using the alert module, a threshold value for each threat type based on the computed confidence scores for each threat in the labelled data; 
dynamically labelling, using the alert module, the unlabelled data using the generated threshold values for each of the threat types; and
training, using the alert module, the initialized classifier neural network using the labelled and dynamically labelled data.
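
The four dynamic-labelling steps recited in claims 9, 19, 21 and 22 can be traced in the following added example, which is not part of the application or the office action. It makes three assumptions: a nearest-centroid softmax scorer stands in for the classifier neural network, the threshold for a threat type is the lowest confidence given to a labelled sample of that type (the claims do not say how thresholds are derived), and all feature values are constructed.

```python
import math
from collections import defaultdict

TEMPERATURE = 0.1  # assumption: sharpness of the stand-in classifier's softmax

def fit_centroids(samples):
    """Stand-in for classifier training: one mean feature vector per threat type."""
    grouped = defaultdict(list)
    for features, label in samples:
        grouped[label].append(features)
    return {label: tuple(sum(col) / len(rows) for col in zip(*rows))
            for label, rows in grouped.items()}

def confidence_scores(centroids, features):
    """Softmax over negative squared distance: one confidence per threat type."""
    logits = {label: -sum((a - b) ** 2 for a, b in zip(features, c)) / TEMPERATURE
              for label, c in centroids.items()}
    top = max(logits.values())
    exps = {label: math.exp(v - top) for label, v in logits.items()}
    total = sum(exps.values())
    return {label: v / total for label, v in exps.items()}

def per_type_thresholds(centroids, labelled):
    """Steps 1-2: score labelled data, then derive one threshold per threat type
    (assumed rule: lowest confidence seen for a true sample of that type)."""
    thresholds = {}
    for features, label in labelled:
        conf = confidence_scores(centroids, features)[label]
        thresholds[label] = min(thresholds.get(label, 1.0), conf)
    return thresholds

def dynamic_labels(centroids, thresholds, unlabelled):
    """Step 3: accept the top-scoring type only if it clears that type's threshold."""
    accepted, rejected = [], []
    for features in unlabelled:
        scores = confidence_scores(centroids, features)
        label = max(scores, key=scores.get)
        if scores[label] >= thresholds[label]:
            accepted.append((features, label))
        else:
            rejected.append(features)
    return accepted, rejected

# Constructed two-feature samples (not real traffic); labels are static.
LABELLED = [
    ((0.1, 0.1), "benign"), ((0.2, 0.1), "benign"),
    ((0.1, 0.3), "benign"), ((0.3, 0.2), "benign"),
    ((0.9, 0.8), "port_scan"), ((0.8, 0.9), "port_scan"),
    ((0.7, 0.7), "port_scan"), ((0.9, 0.9), "port_scan"),
]
UNLABELLED = [
    (0.15, 0.2),   # clearly benign
    (0.85, 0.85),  # clearly port_scan
    (0.5, 0.55),   # ambiguous: low confidence for either type
    (0.25, 0.3),   # fairly confident benign, but below the benign threshold
]

def run_round(labelled, unlabelled):
    """One pass over all four steps; step 4 retrains on static + dynamic labels."""
    centroids = fit_centroids(labelled)
    thresholds = per_type_thresholds(centroids, labelled)
    accepted, rejected = dynamic_labels(centroids, thresholds, unlabelled)
    retrained = fit_centroids(labelled + accepted)
    return thresholds, accepted, rejected, retrained

if __name__ == "__main__":
    thresholds, accepted, rejected, _ = run_round(LABELLED, UNLABELLED)
    print(thresholds, accepted, rejected, sep="\n")
```

The fourth unlabelled sample scores above the port_scan threshold value yet is rejected, because the comparison uses the threshold of the type it was predicted as.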

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
As to the independent claim 1, the prior art of reference Cohen teaches Abstract: detection of slow brute force attacks based on user-level time series analysis. A slow brute force attack may be detected based on one or more anomalous failed login events associated with a user, alone or in combination with one or more post-login anomalous activities associated with the user, security alerts associated with the user, investigation priority determined for the user and/or successful logon events associated with the user. An alert may indicate a user is the target of a successful or unsuccessful slow brute force attack. Time-series data is analyzed on a user-by-user basis to identify localized anomalies and global anomalies, which may be scored and evaluated to determine an investigation priority and whether and what alert to issue for a user.

Further, a second prior art of record Misu teaches Abstract: anomalous event detection based on deep learning may include a system for anomalous event detection for a device. The system includes a computing device having a processor, an encoding module, and a decoding module. The processor is configured to receive sensor data. The encoding module generates reconstruction data based on the sensor data, identifies at least one reconstruction error in the reconstruction data, and determines an anomaly score based on the at least one reconstruction error. The decoding module generates an action prediction based on the sensor data and determines a likelihood value based on the action prediction. The processor can then calculate a scaled anomaly score based on the anomaly score and the likelihood value and causes the processor to execute an action based on the scaled anomaly score.

Further, a third prior art of record Chan teaches Abstract: The systems generate a dataset of recorded measurements for variables of the process, and reduce the dataset by cleansing bad quality data segments and measurements for uninformative process variables from the dataset. The dataset is then enriched by, for example, applying nonlinear transforms, engineering calculations, and statistical measurements. The systems and methods use for example, a simplified first principles model (FPM), AI/ML model, or both in a hybrid model format to build a model and solution, which is deployed online to perform asset optimization tasks in real-time plant operations.

Further, a fourth prior art of record Dong teaches [0025] The method (fig. 3) proceeds to block 304, where for each batch of the training dataset, jointly train the neural network models (e.g., the autoencoder 218, classifier 208, prior distribution GAN 214, and fraud transaction GAN 216) of the neural network system 200. As shown in FIG. 3, the training performed using each batch of the training dataset includes a reconstruction phase 306, a regularization phase 308, and a semi-supervised classification phase 310. At block 306, in a reconstruction phase, the autoencoder 218 is trained using unlabeled data in the batch with a reconstruction loss function. At block 308, in a regularization phase, the prior distribution GAN 214, and fraud transaction GAN 216 are trained based on the predetermined prior distribution. At block 310, in a semi-supervised classification phase, the classifier 208 is trained using labeled data in the batch using a cross-entropy loss function.

Further, a fifth prior art of record Zhang teaches [0053] The autoencoder may comprise a neural network, wherein said training comprises training the neural network. The autoencoder may be a denoising autoencoder. The denoising autoencoder may be denoised stochastically. The denoising autoencoder may comprise a neural network trained according to stochastic gradient descent training using randomly selected data samples, wherein a gradient is calculated using back propagation of errors. The training may comprise training the objective function of the linear classifier with a bag of words, wherein the linear classifier comprises a support vector machine classifier with squared hinge loss and l2 regularization. The training may comprise training the objective function of the linear classifier with a bag of words, wherein the linear classifier comprises a Logistic Regression classifier. [0102] As the training of the autoencoder part of SBDAE does not require the availability of labels, incorporating unlabeled data after learning the linear classifier in SBDAE was assessed. As shown in Table 2, doing so further improves the performance over using labeled data only. This justifies that it is possible to bootstrap from a relatively small amount of labeled data and learn better representations with more unlabeled data with SBDAE.

None of the other prior arts of record, by themselves or in any combination, would have anticipated or rendered obvious the claimed invention of the present application at or before the time it was filed. The prior arts of record fail to teach: preprocessing the received network traffic by tokenizing the time-series data and embedding the tokens into different channel vectors. Further, an auto-encoder trained using a bootstrapping method comprises locked-in encodings, and its output is fed into the classifier neural network, trained using labelled data, to detect malicious network behavior in unlabeled data; where the bootstrapping method comprises the steps of: for each iteration in the training of the auto-encoder, reducing a L2 reconstruction loss between an output of the auto-encoder and a fixed copy of input time-series comprising numerical features and learnable embeddings of categorical features.

Therefore, independent claim 1 and its corresponding dependent claims are allowed in light of applicant’s arguments, approved examiner’s amendments and prior arts of record. The same amendments and reasoning are applicable to independent claim(s) 10 and 16 mutatis mutandis. Claims 2 and 12 are cancelled.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 8:30am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on 5712727624.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/BADRINARAYANAN /Examiner, Art Unit 2496.