DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This communication is in response to the application filed on 06/23/2020. Claims 1-20 are currently pending.)
Suggestions on how to overcome any objection(s) and rejection(s) raised in this office action are found at the end of such sections.  
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 06/23/2020 and 01/18/2022 was filed before the mailing date of the office correspondence on 05/05/2022.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 19 and 20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  
The claim(s) do not fall within at least one of the four categories of patent eligible subject matter because claim 19 is directed towards a computer readable medium which is not one of the statutory categories and the specification does not explicitly cure this deficiency.
Claim 20 was also rejected by virtue of its dependency on claim 19.    
 Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 19 is rejected under 35 U.S.C. 102 (a)(1) as being anticipated by U.S. PGPub No. 20180343280 to McQueen et al. (hereinafter McQueen).
Regarding claim 19, McQueen discloses a computer-readable medium comprising instructions that are executable by one or more processors to cause a computing system to (¶0027): 
select a conditional independence relationship from a set of conditional independence relationships (DETERMINE TIME WINDOWS, 215, Fig. 2, ¶0024 wherein the time window which represents a predetermined time range over which the traffic data is received is determined/selected and is independent of other  network traffic features such as the browser, geographic information of the Internet Protocol (IP) address, browsing history, etc. listed in ¶0022 and is conditioned on the sub-time window which represents subset feature of time window);   
wherein the conditional independence relationship describes a set of features (¶0022 “The data received may comprise browsing and other website interaction data, and/or electronic messaging data. The basic data types received may be referred to as variables, such as sender and/or destination Internet Protocol (IP) addresses, dates associated with the traffic, usernames or other user identifiers, sender information and/or sender identifiers, read or ignored data, success/failure to authenticate information, dated/timestamped user-action/event pairs, whether electronic messages were read or ignored, geographic information of the Internet Protocol (IP) address or other identifiers, device information such as computer make, model, type, and/or specifications, user demographic information, browsing history, web cookie data, and browser or other device and/or software identifiers”, wherein all these traffic feature were received or happened within the predetermined time range. In other words, the time window describes these traffic features) that, conditioned on a subset feature (sub-time windows, ¶0024, wherein the time window is divided into sub-time window which is a sub-set feature of time range), are independent of a separate feature (¶0022, browser, geographic information of the Internet Protocol (IP) address, browsing history, etc. wherein each of these represents a separate feature of the traffic data). Here, the time window represents a conditional independence feature which is independent of separate network traffic features such as the browser, geographic information of the Internet Protocol (IP) address, browsing history, etc. and is conditioned on the sub-time window which represents subset feature of time window);  
select a value for the subset feature (¶0024 “Sub-time windows may comprise, for example, weeks or months”, wherein weeks or months represents a value of subset feature). Sub-time window is a subset feature of time window determined in step 215 of fig. 2. Subset feature may have one or more possible values in view of applicant’s disclosure in ¶0106; 
select a feature from the set of features (220, Fig. 2, ¶0038 “it may be determined how often each electronic message associated with a given variable was read in the past predetermined time window”). This is in connection with one of the network features “whether electronic messages were read or ignored” listed in ¶0022). Applicant does not limit the set of network traffic features and disclosed in ¶0066 that features may be added or removed based on verification results;
and - 49 -FILED ELECTRONICALLYDocket No. 408569-US-NP conditioned on the value for the subset feature (60 days, ¶0038, wherein time which is an independent feature of the conditional independence relationship is conditioned on 60 days which is a value for the subset feature),  
 identify buckets within the feature whose distributions have a similarity above a threshold (415, Fig. 4, ¶0057 “At step 415, qualifying pairs of the plurality of pairs may be determined, the qualifying pairs corresponding to a subset of the plurality of pairs that meet or exceed one or more predetermined event frequency thresholds”).  
 Wherein both Figs. 2 and 4 depict a flow diagram of exemplary methods for identifying human users on a network, according to an exemplary embodiment of the present disclosure.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-6, 11-14 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over NPL “Exploring a service-based normal behavior profiling system for botnet detection” to CHEN et al. (hereinafter CHEN) in view of U.S PGPub No.20180108015 to Rogas; Adam (hereinafter Rogas).
Regarding claim 1, CHEN discloses a method for detecting bot traffic, (detection of botnet traffic-abstract) the method comprising: accessing a set of relationships (Part IV, section D “The assumption of this work is that botnet (malicious) traffic flows vary from different normal traffic flows. Moreover, we assume that botnet flows are outliers compared to the normal traffic flows. The three unsupervised learning algorithms provided an outlier factor. Hence, we need to identify an outlier decision boundary, which can be selected based on the distribution of the normal traffic. In particular, the instances in the boundary are regarded as normal (in our prediction), otherwise as suspicious traffic, i.e. potential attacks to report to the system administrators. We use a naive decision boundary calculation based on outlier factors in normal training data”). 
identifying clean buckets (Part III, “only normal traffic flows”) within network traffic data using the set of conditional independence relationships wherein the network traffic data includes values (Part III, “the threshold of the distance from normal clustering/grouping in unsupervised learning algorithm”) for features of network traffic and the values for the features are categorized into buckets (Part III, “the boundaries (in the clustering/grouping of data);    
determining clean distributions using the clean buckets (Part III, “Boundaries are based on the distribution of normal traffic”, and Part IV, section D “outlier decision boundary, which can be selected based on the distribution of the normal traffic”);
and detecting the bot traffic based on the clean distributions (Part III, “we aim to explore how far we can push an unsupervised learning system towards botnet detection without using any attack traffic (clean distribution) during the training”, and (Part III, “if the new flow is within the boundary, it is classified as normal, otherwise as suspicious (attack”). 
However, CHEN does not explicitly disclose the following limitation taught by Rogas: set of conditional independence relationships, wherein a conditional independence relationship describes a set of features that are independent of a separate feature conditioned on a subset feature;
Rogas discloses a set of conditional independence relationships, wherein a conditional independence relationship describes a set of features that are independent of a separate feature conditioned on a subset feature (¶0082 “…Information may be obtained by a host of a website from the DOM of the browser accessing the website. This information may comprise the capabilities of the browser, including the browser type, version, operating system, sensors available, etc. As a result, the DOM provides information that can be used to learn information regarding the browser and system that is accessing a web page…”).In this instance, the browser represents a conditional independence relationship that describes separate features like browser type, browser version, browser capabilities, etc. conditioned on the browser version which represents a subset of the browser and the browser is independent of other features like country and cities shown in Fig. 3. from which the traffic originated or number of hubs in the network from the source to destination.  
See also the teaching of different locations like country, cities in ¶0051” In the Example in FIG. 3, communication 3Q was sent to resolver server 140A in New York rather than DNS resolver server 140B in Los Angeles based on anycast routing. In this manner, the DNS resolver server 140 may relate a client device 110 to upstream infrastructure, that is, the upstream DNS server 130. Accordingly, network map data is created based on requesting entities or devices” 
Applicant described in ¶0065 an example of conditional independence relationship as “a particular browser family, the browser version of the session is independent of the state, the country, the city, etc. from which the traffic originated.
Thus, one of ordinary skill in the art would have been motivated before the effective filing date of the claimed invention to modify the method of CHEN by incorporating the concept of set of conditional independence relationships as disclosed by Rogas and be motivated in doing so because it provides a utilization for evaluating trustworthiness of an online transaction-Rogas abstract.  

Regarding claim 2, CHEN discloses the method of claim 1, further comprising: obtaining the values for the features (Part IV, section B, “numerical distribution of features…..”) of the network traffic through device fingerprinting (Table II, duration, protocol, DPort etc.)

Regarding claim 3, CHEN discloses the method of claim 2, wherein the features of the network traffic include geo- location information (Table II, DPort), session information (Table II, Duration), and network information (Table II, protocol). 
However, CHEN does not explicitly disclose the following limitation taught by Rogas: browser information.
Rogas discloses browser information as one of the features of the network traffic in (¶0082, information regarding the browser)
Thus, one of ordinary skill in the art would have been motivated before the effective filing date of the claimed invention to modify the method of CHEN by incorporating the browser information as one of the features of the network traffic as disclosed by Rogas and be motivated in doing so because it provides a utilization to evaluate or detect possible fraud (¶0082).

Regarding claim 4, CHEN in view of Rogas discloses the method of claim 3. 
Rogas further discloses wherein the features of the network traffic include one or more of a browser version, a browser family, a country, a state, a city, an autonomous system number, a session start time, a number of network hops, or browser user agent languages (¶0051, Fig.3 wherein China is a country and New York is a city)
Thus, one of ordinary skill in the art would have been motivated before the effective filing date of the claimed invention to modify the method of CHEN by incorporating the features of the network traffic to include a country and a city as disclosed by Rogas and be motivated in doing so because it provides a utilization to create network map data (¶0051).
Regarding claim 5, CHEN in view of Rogas discloses the method of claim 1.
Rogas further discloses comprising: determining the set of conditional independence relationships (¶0051, and Fig. 3 wherein the IP address of the requesting client device, network location of the server, the city (New York), and the country (China) are the set of conditional independence relationships). Each is a separate feature of the network traffic and none depends on another.
Thus, one of ordinary skill in the art would have been motivated before the effective filing date of the claimed invention to modify the method of CHEN by incorporating the browser information as one of the features of the network traffic as disclosed by Rogas and be motivated in doing so because it provides a utilization to create network map data based on requesting entities or devices (¶0051). 


Regarding claim 6, CHEN discloses the method of claim 1, further comprising: quantizing the values for the features of the network traffic (Part IV, section B wherein the numerical distribution of features such as duration are being quantized into seconds, see also Table II)
Regarding claim 11, CHEN in view of Rogas discloses the method of claim 1. CHEN further discloses wherein detecting the bot traffic based on the clean distributions comprises: 
determining odds ratios based on the clean distributions and observed network traffic (Part IV, section B, TABLE II, source bytes Ratio per flow);
generate a rules table based on the odds ratios (Part IV, section B, TABLE II); 
identifying an entry in the rules table associated with a session, wherein the entry has an associated score (Duration1, Part IV, section B, TABLE II); 
and comparing the associated score to a threshold (Minimal value of Duration and threshold, Part IV, section B, TABLE II). 

 Regarding claim 12, CHEN discloses a method for detecting bot traffic, (detection of botnet traffic-abstract) the method comprising: accessing a set of relationships (Part IV, section D “The assumption of this work is that botnet (malicious) traffic flows vary from different normal traffic flows. Moreover, we assume that botnet flows are outliers compared to the normal traffic flows. The three unsupervised learning algorithms provided an outlier factor. Hence, we need to identify an outlier decision boundary, which can be selected based on the distribution of the normal traffic. In particular, the instances in the boundary are regarded as normal (in our prediction), otherwise as suspicious traffic, i.e. potential attacks to report to the system administrators. We use a naive decision boundary calculation based on outlier factors in normal training data”). 
identifying clean buckets (Part III, “only normal traffic flows”) within network traffic data using the set of conditional independence relationships wherein the network traffic data includes values (Part III, “the threshold of the distance from normal clustering/grouping in unsupervised learning algorithm”) for features of network traffic and the values for the features are categorized into buckets (Part III, “the boundaries (in the clustering/grouping of data);    
determining clean distributions using the clean buckets (Part III, “Boundaries are based on the distribution of normal traffic”, and Part IV section D “outlier decision boundary, which can be selected based on the distribution of the normal traffic”);
and detecting the bot traffic based on the clean distributions (Part III, “we aim to explore how far we can push an unsupervised learning system towards botnet detection without using any attack traffic (clean distribution) during the training”, and (Part III, “if the new flow is within the boundary, it is classified as normal, otherwise as suspicious (attack”). 
 However, CHEN does not explicitly disclose the following limitation taught by Rogas: one or more processors; memory in electronic communication with the one or more processors; data stored in the memory, the data including values for features of network traffic and the values for the features categorized into buckets; and instructions stored in the memory, the instructions being executable by the one or more processors;
set of conditional independence relationships, wherein a conditional independence relationship describes a set of features that are independent of a separate feature conditioned on a subset feature;
 Rogas discloses one or more processors; memory in electronic communication with the one or more processors; data stored in the memory, the data including values for features of network traffic and the values for the features categorized into buckets; and instructions stored in the memory, the instructions being executable by the one or more processors (¶0105); and
 a set of conditional independence relationships, wherein a conditional independence relationship describes a set of features that are independent of a separate feature conditioned on a subset feature (¶0082 “…This information may comprise the capabilities of the browser, including the browser type, version, operating system, sensors available, etc. As a result, the DOM provides information that can be used to learn information regarding the browser and system that is accessing a web page…”). In this instance, the browser represents a conditional independence relationship that describes separate features like browser type, browser version, browser capabilities, etc. conditioned on the browser version which represents a subset of the browser and the browser is independent of other features like country and cities shown in Fig. 3. from which the traffic originated or number of hubs in the network from the source to destination. 
See also the teaching of different locations like country and cities in ¶0051” In the Example in FIG. 3, communication 3Q was sent to resolver server 140A in New York rather than DNS resolver server 140B in Los Angeles based on anycast routing. In this manner, the DNS resolver server 140 may relate a client device 110 to upstream infrastructure, that is, the upstream DNS server 130. Accordingly, network map data is created based on requesting entities or devices” 
Applicant described in ¶0065 an example of conditional independence relationship as “a particular browser family, the browser version of the session is independent of the state, the country, the city, etc from which the traffic originated.
Thus, one of ordinary skill in the art would have been motivated before the effective filing date of the claimed invention to modify the method of CHEN by incorporating the concept of set of conditional independence relationships as disclosed by Rogas and be motivated in doing so because it provides a utilization for evaluating trustworthiness of an online transaction-Rogas abstract.  
Regarding claim 13, CHEN in view of Rogas discloses the system of claim 12. wherein the instructions stored in memory are executable by the one or more processors to: CHEN further discloses obtain the values for the features (Part IV, section B, Numerical distribution of features) of the network traffic through device fingerprinting (Part IV, section B, TABLE II, duration, protocol, DPort etc.).
Regarding claim 14, CHEN in view of Rogas discloses the system of claim 13. CHEN further discloses wherein the features of the network traffic include geo- location information (Table II, DPort), session information (Table II, Duration), and network information (Part IV, section B TABLE II, protocol).    
However, CHEN does not explicitly disclose the following limitation taught by Rogas: browser information.
Rogas discloses browser information as one of the features of the network traffic in (¶0082, “information regarding the browser”)
Thus, one of ordinary skill in the art would have been motivated before the effective filing date of the claimed invention to modify the method of CHEN by incorporating the browser information as one of the features of the network traffic as disclosed by Rogas and be motivated in doing so because it provides a utilization to evaluate or detect possible fraud (¶0082).
Regarding claim 18, CHEN in view of Rogas discloses the system of claim 12, wherein the instructions stored in memory that are executable by the one or more processors to detect the bot traffic based on the clean distributions are further executable by the one or more processors to:
CHEN further discloses determine odds ratios based on the clean distributions and observed network traffic (Part IV, section B, TABLE II, source bytes Ratio per flow); 
 generate a rules table based on the odds ratios (Part IV, section B, TABLE II);  
 identify an entry in the rules table associated with a session, wherein the entry has an associated score (Duration1, Part IV, section B, TABLE II); 
 and comparing the associated score to a threshold (Minimal value of Duration and threshold, Part IV, section B, TABLE II).   
Claims 20 is rejected under 35 U.S.C. 103 as being unpatentable over U.S. PGPub No. 20180343280 to McQueen et al. (hereinafter McQueen) in view of U.S. PGPub No. 20110208714 to Soukal et al. (hereinafter Soukal). 
Regarding claim 20, McQueen discloses the computer-readable medium of claim 19. However, McQueen does not explicitly disclose the following limitation taught by Soukal: wherein the similarity of two or more buckets within the feature is determined using a divergence measure.  
Soukal discloses wherein the similarity of two or more buckets within the feature is determined using a divergence measure (¶0024 “a smoothed Kullback-Leibler divergence may be used to compare the histogram of current query-click activities against historical values).   
Thus, one of ordinary skill in the art would have been motivated before the effective filing date of the claimed invention to modify the system of McQueen to include using divergence measure to determine the similarity between two or more buckets and be motivate in doing so because it provides a utilization that determines correlations between queries submitted by the network users-Soukal abstract. 
Claims 7, 10,15 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over NPL “Exploring a service-based normal behavior profiling system for botnet detection” to CHEN et al. (hereinafter CHEN) in view of U.S PGPub No.20180108015 to Rogas; Adam (hereinafter Rogas) and further in view of U.S. PGPub No. 20180343280 to McQueen et al. (hereinafter McQueen)
Regarding claim 7, CHEN in view of Rogas discloses the method of claim 1. 
However, it does not explicitly disclose the following limitation taught by McQueen: wherein identifying the clean buckets within the network traffic data using the set of conditional independence relationships comprises: 
selecting a first conditional independence relationship from the set of conditional independence relationships; 
selecting a value for a subset feature of the first conditional independence relationship; 
selecting a feature from the set of features; 
and conditioned on the value for the subset feature, 
identifying buckets within the feature whose distributions have a difference or divergence below a threshold. 
McQueen discloses selecting a first conditional independence relationship from the set of conditional independence relationships (DETERMINE TIME WINDOWS, 215, Fig. 2, ¶0024 wherein the time window which represents a predetermined time range over which the traffic data is received is determined/selected and is independent of other traffic features like geographic information of the Internet Protocol (IP) address or other identifiers, device information such as computer make, model, type, and/or specifications, user demographic information, browsing history, web cookie data, and browser  listed in ¶0022 and is conditioned on the sub-time window which represents subset feature of time window); 
selecting a value for a subset feature of the first conditional independence relationship (¶0024 “Sub-time windows may comprise, for example, weeks or months”, wherein weeks or months represents a value of subset feature). Sub-time window is a subset feature of time window determined in step 215 of fig. 2. Subset feature may have one or more possible values in view of applicant’s disclosure in ¶0106; 
selecting a feature from the set of features (220, Fig. 2, ¶0038 “it may be determined how often each electronic message associated with a given variable was read in the past predetermined time window”). This is in connection with one of the network features “whether electronic messages were read or ignored” listed in ¶0022). Applicant does not limit the set of network traffic features and disclosed in ¶0066 that features may be added or removed based on verification results; 
and conditioned on the value for the subset feature (60 days, ¶0038 wherein time which is an independent feature of the conditional independence relationship is conditioned on 60 days which is a value for the subset feature),  
identifying buckets within the feature whose distributions have a difference or divergence below a threshold (420, Fig. 4, ¶0057 “the non-qualifying pairs corresponding to the subset of the plurality of pairs that do not meet or exceed one or more predetermined event frequency thresholds”)..
Wherein both Figs. 2 and 4 depict a flow diagram of exemplary methods for identifying human users on a network, according to an exemplary embodiment of the present disclosure;
Thus, one of ordinary skill in the art would have been motivated before the effective filing date of the claimed invention to modify the method of CHEN and Rogas by incorporating selecting a first conditional independence relationship from the set of conditional independence relationships and a value for a subset feature to identify clean bucket as disclosed by McQueen
and be motivated in doing so because it provides a utilization to human and non-human users on a network-McQueen abstract.

Regarding claim 10, CHEN in view of Rogas discloses the method of claim 1. 
However, it does not explicitly disclose the following limitation taught by McQueen: wherein determining the clean distributions using the clean buckets comprises: 
selecting a conditional independence relationship from the set of conditional independence relationships;
selecting a value for a subset feature of the conditional independence relationship; 
determining, for each clean bucket of an independent feature of the conditional independent relationship, a distribution of the independent feature conditioned on the value for the subset feature;
 and determining a median of distributions determined for each clean bucket. 
McQueen discloses selecting a conditional independence relationship from the set of conditional independence relationships (DETERMINE TIME WINDOWS, 215, Fig. 2, ¶0024, wherein the time window which represents a predetermined time range over which the traffic data is received is determined/selected and is independent of other traffic features like geographic information of the Internet Protocol (IP) address or other identifiers, device information such as computer make, model, type, and/or specifications, user demographic information, browsing history, web cookie data, and browser listed in ¶0022 and is conditioned on the sub-time window which represents subset feature of time window);
 selecting a value for a subset feature of the conditional independence relationship (¶0024 “Sub-time windows may comprise, for example, weeks or months”, wherein weeks or months represents a value of subset feature). Sub-time window is a subset feature of time window determined in step 215 of fig. 2. Subset feature may have one or more possible values in view of applicant’s disclosure in ¶0106;
 determining, for each clean bucket of an independent feature of the conditional independent relationship, a distribution of the independent feature conditioned on the value for the subset feature (215-225, Fig. 2, ¶0027 wherein time which is an independent feature of the conditional independent is conditioned on 60 days which is a value for the subset feature);
and determining a median of distributions determined for each clean bucket (415, Fig.4, ¶0057 “At step 415, qualifying pairs of the plurality of pairs may be determined, the qualifying pairs corresponding to a subset of the plurality of pairs that meet or exceed one or more predetermined event frequency thresholds”) wherein meeting or exceeding one or more predetermined event frequency threshold is interpreted as the median of distribution ie the one with the highest frequency).  
Thus, one of ordinary skill in the art would have been motivated before the effective filing date of the claimed invention to modify the method of CHEN and Rogas by incorporating selecting a first conditional independence relationship from the set of conditional independence relationships and a value for a subset feature to identify clean bucket as disclosed by McQueen
and be motivated in doing so because it provides a utilization to human and non-human users on a network-McQueen abstract.
 
Regarding claim 15, CHEN in view of Rogas discloses the system of claim 12.
However, it does not disclose the following limitation taught by McQueen: wherein the instructions stored in memory that are executable by the one or more processors to identify the clean buckets within the network traffic data using the set of conditional independence relationships are further executable by the one or more processors to:
 select a conditional independence relationship from the set of conditional independence relationships;
 select a value for a subset feature of the conditional independence relationship; 
select a feature from the set of features; 
and conditioned on the value for the subset feature,
identify buckets within the feature whose distributions have a similarity above a threshold.
McQueen discloses wherein the instructions stored in memory that are executable by the one or more processors to identify the clean buckets within the network traffic data using the set of conditional independence relationships are further executable by the one or more processors to: (¶0059); 
select a conditional independence relationship from the set of conditional independence relationships (DETERMINE TIME WINDOWS, 215, Fig. 2, ¶0024 wherein the time window which represents a predetermined time range over which the traffic data is received is determined/selected and is independent of other traffic features like geographic information of the Internet Protocol (IP) address or other identifiers, device information such as computer make, model, type, and/or specifications, user demographic information, browsing history, web cookie data, and browser listed in ¶0022  and is conditioned on the sub-time window which represents subset feature of time window); 
select a value for a subset feature of the conditional independence relationship (¶0024 “Sub-time windows may comprise, for example, weeks or months”, wherein weeks or months represents a value of subset feature). Sub-time window is a subset feature of time window determined in step 215 of fig. 2. Subset feature may have one or more possible values in view of applicant’s disclosure in ¶0106; 
select a feature from the set of features (220, Fig. 2, ¶0038 “it may be determined how often each electronic message associated with a given variable was read in the past predetermined time window”). This is in connection with one of the network features “whether electronic messages were read or ignored” listed in ¶0022). Applicant does not limit the set of network traffic features and disclosed in ¶0066 that features may be added or removed based on verification results; 
and conditioned on the value for the subset feature (60 days, ¶0038 wherein time which is an independent feature of the conditional independence relationship is conditioned on 60 days which is a value for the subset feature),  
identify buckets within the feature whose distributions have a similarity above a threshold (415, Fig. 4, ¶0057 “At step 415, qualifying pairs of the plurality of pairs may be determined, the qualifying pairs corresponding to a subset of the plurality of pairs that meet or exceed one or more predetermined event frequency thresholds).  
 Wherein both Figs. 2 and 4 depict a flow diagram of exemplary methods for identifying human users on a network, according to an exemplary embodiment of the present disclosure.
Thus, one of ordinary skill in the art would have been motivated before the effective filing date of the claimed invention to modify the method of CHEN and Rogas by incorporating selection of a conditional independence relationship from the set of conditional independence relationships and a value for a subset feature to identify clean bucket as disclosed by McQueen
and be motivated in doing so because it provides a utilization to human and non-human users on a network-McQueen abstract. 
Regarding claim 17, CHEN in view of Rogas discloses the system of claim 12.
However, it does not explicitly disclose the following limitation taught by McQueen: wherein the instructions stored in memory that are executable by the one or more processors to determine the clean distributions using the clean buckets are further executable by the one or more processors to: 
select a conditional independence relationship from the set of conditional independence relationships; 
select a value for a subset feature of the conditional independence relationship; - 48 -FILED ELECTRONICALLYDocket No. 408569-US-NP 
determine, for each clean bucket of an independent feature of the conditional independent relationship, a distribution of the independent feature conditioned on the value for the subset feature; 
and determine a median of distributions determined for each clean bucket. 
 McQueen discloses: wherein the instructions stored in memory that are executable by the one or more processors to determine the clean distributions using the clean buckets are further executable by the one or more processors to (¶0059);   
select a conditional independence relationship from the set of conditional independence relationships (DETERMINE TIME WINDOWS, 215, Fig. 2, ¶0024 wherein the time window which represents a predetermined time range over which the traffic data is received is determined/selected and is independent of other traffic features like geographic information of the Internet Protocol (IP) address or other identifiers, device information such as computer make, model, type, and/or specifications, user demographic information, browsing history, web cookie data, and browser listed in ¶0022  and is conditioned on the sub-time window which represents subset feature of time window); 
 select a value for a subset feature of the conditional independence relationship (¶0024 “Sub-time windows may comprise, for example, weeks or months”, wherein weeks or months represents a value of subset feature). Sub-time window is a subset feature of time window determined in step 215 of fig. 2. Subset feature may have one or more possible values in view of applicant’s disclosure in ¶0106; 
determine, for each clean bucket of an independent feature of the conditional independent relationship, a distribution of the independent feature conditioned on the value for the subset feature (215-225, Fig. 2, ¶0027 wherein time which is an independent feature of the conditional independent is conditioned on 60 days which is a value for the subset feature); 
 and determine a median of distributions determined for each clean bucket (415, Fig.4, ¶0057 “At step 415, qualifying pairs of the plurality of pairs may be determined, the qualifying pairs corresponding to a subset of the plurality of pairs that meet or exceed one or more predetermined event frequency thresholds”) wherein meeting or exceeding one or more predetermined event frequency threshold is interpreted as the median of distribution ie the one with the highest frequency).  
Thus, one of ordinary skill in the art would have been motivated before the effective filing date of the claimed invention to modify the method of CHEN and Rogas by incorporating selection of a conditional independence relationship from the set of conditional independence relationships and a value for a subset feature to identify clean bucket as disclosed by McQueen
and be motivated in doing so because it provides a utilization to human and non-human users on a network-McQueen abstract.  
Claims 8-9, and 16, are rejected under 35 U.S.C. 103 as being unpatentable over NPL “Exploring a service-based normal behavior profiling system for botnet detection” to CHEN et al. (hereinafter CHEN) in view of U.S PGPub No.20180108015 to Rogas; Adam (hereinafter Rogas) and further in view of U.S. PGPub No. 20180343280 to McQueen et al. (hereinafter McQueen) and further in view of U.S PGPub No. 20110208714 to Soukal et al. (hereinafter Soukal).
Regarding claim 8, CHEN in view of Rogas and further in view of McQueen discloses the method of claim 7. However, they do not explicitly disclose the following limitation taught by Soukal: wherein identifying the clean buckets within the network traffic data using the set of conditional independence relationships further comprises: determining the similarity of two or more buckets within the feature using a divergence measure.  
Soukal discloses wherein identifying the clean buckets within the network traffic data using the set of conditional independence relationships further comprises: determining the similarity of two or more buckets within the feature using a divergence measure (¶0024 “a smoothed Kullback-Leibler divergence may be used to compare the histogram of current query-click activities against historical values”)   
Thus, one of ordinary skill in the art would have been motivated before the effective filing date of the claimed invention to modify the method of McQueen to include using divergence measure to determine the similarity between two or more buckets and be motivate in doing so because it provides a utilization that determines correlations between queries submitted by the network users-Soukal abstract.
Regarding claim 9, the combination of CHEN, Rogas, McQueen and Soukal discloses the method of claim 8. Soukal further discloses wherein the divergence measure is Kullback-Leibler divergence (¶0046).   
  	Thus, one of ordinary skill in the art would have been motivated before the effective filing date of the claimed invention to modify the method of McQueen to include using divergence measure to determine the similarity between two or more buckets and be motivate in doing so because it provides a utilization that determines correlations between queries submitted by the network users-Soukal abstract.

Regarding claim 16, CHEN in view of Rogas and further in view of McQueen discloses the system of claim 15. 
However, the combination of CHEN, Rogas and McQueen does not explicitly disclose the following limitation taught by Soukal: wherein the similarity of two or more buckets within the feature is determined using a divergence measure.  
Soukal discloses wherein the similarity of two or more buckets within the feature is determined using a divergence measure (¶0024 “a smoothed Kullback-Leibler divergence may be used to compare the histogram of current query-click activities against historical values”).   
Thus, one of ordinary skill in the art would have been motivated before the effective filing date of the claimed invention to modify the system of McQueen to include using divergence measure to determine the similarity between two or more buckets and be motivate in doing so because it provides a utilization that determines correlations between queries submitted by the network users-Soukal abstract.	

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure U.S. PGPub No. 20120071131, U.S. PGPub No. 20180077179, U.S. PAT No. 10594711, and U.S. PAT No. 10785318.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUDASIRU K OLAEGBE whose telephone number is (571)272-2082. The examiner can normally be reached MON-FRI. 7.30AM-5.30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 5712723739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MUDASIRU K OLAEGBE/Examiner, Art Unit 2495           

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495