DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is issued in response to application filed 8/25/2020 claims foreign priority of JP2018-03388 filed 2/27/2018.
Claims 1-7 were canceled. Claims 8-27 were added in preliminary amendment filed 8/25/2020.
Claims 8-27 are pending/rejected.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in claims 15-27 recited directly or indirectly the word “when executed” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 8-27 directly and/or indirectly are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, because the specification, while being enabling for recited limitations, does not reasonably provide enablement for the recited “predetermined distinct feature types” which was not defined in the specification in any way. The specification does not enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to the invention commensurate in scope with these claims. Clarification is required.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 8-10, 12-17, 19-24, 26-27 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Data Mining Applied to Darknet traffic analysis (Data mining applied to Darkent hereinafter) Journal of the National Institute of Information and Communications technology Vol. 63 No 2(2016).

Regarding Claims 8, 15, and 22, Data mining applied to Darknet disclose a computer-implemented method for determining aspects of data, the method comprising: 
receiving a plurality of data as input (Fig. 1, on page 5, wherein the “Capture Strat” corresponds to receiving data, Data mining applied to Darknet); 
extracting, based on a plurality of predetermined distinct feature types, one or more feature values for respective predetermined distinct feature types from the plurality of data (Fig. 1, wherein the “Extracting packet in t seconds” corresponds to extracting, based on a plurality of predetermined distinct feature types, since the specification of the instant application proved no specific definition of the predetermined distinct feature type, the term was considered under BRI as extracting a data packet, Data mining applied to Darknet); 
generating, based on the extracted one or more feature values using a predetermined unit, a plurality of classes of data, wherein each class includes one or more of the plurality of data (Page 4, section 4.1 last 5 lines wherein the transforming the data packet into feature vector corresponds to generating based on extracted feature, as further described in Fig. 1, “Feature Vector”, Data mining applied to Darknet); and generating, based on the generated plurality of classes of data, one or more scores representing a number of appearances of a pattern of data where a combination of the one or more of the plurality of data among the plurality of classes is identical (Page 5, second paragraph on the left, wherein the generated feature vectors sends at least 20 packet during a 30-second corresponds to generating, based on the generated classes of data, and Table 5, which corresponds to score number of appearance and the DDoS event corresponds to identical as described at the end of page 4, right column and the first paragraph of page 5, on the left along with Table 4, Data mining applied to Darknet).
Also claims 15, and 22, recite;
A processor and a memory storing computer-executable instruction that when executed by the processor (introduction of Data mining applied to Darknet).
Regarding Claim 9, 16, and 23, Data mining applied to Darknet disclose a computer-implemented method of claim 8, the method further comprising: 
providing the pattern of data where the combination of the one or more of the plurality of data among the plurality of classes is identical (pages 3- 4, table 2, section 3.2, wherein the hosts belong to the same cluster corresponds combining data, and the DDoS corresponds to identical, Data mining applied to Darknet).
Regarding Claims 10, 17, and 24, Data mining applied to Darknet disclose a computer-implemented method of claim 8, the method further comprising: 
receiving a communication log as the plurality of data, wherein the communication log includes a plurality of traffic data (page 4, section 4.1 Fig. 1, wherein the “Labeling with expert’s knowledge” corresponds to log, Data mining applied to Darknet); and 
extracting one or more feature values for each of the plurality of predetermined distinct feature types (Fig. 1, “Extracting packets in t seconds” corresponds to extracting one or more features, Data mining applied to Darknet), wherein the plurality of predetermined distinct feature types relates to one or more of: ACTIVE. 124906705.013U.S. Patent Application Serial No. Filed herewithPreliminary Amendment dated August 25, 2020 a number of bytes of transmitted data in traffic data, a number of bytes of received data in the traffic data, a transmission flag of the traffic data, a reception flag of the traffic data, a port number of a destination of the traffic data, and a port number of a sender of the traffic data (Table 4, page 5, Data mining applied to Darknet).
Regarding Claims 12, 19, Data mining applied to Darknet disclose a computer-implemented method of claim 8, wherein the generating the one or more scores uses a process of a frequent pattern mining (page 7, section 5.1 and table 6, Data mining applied to Darknet).
Regarding Claims 13, 20, and 26, Data mining applied to Darknet disclose a computer-implemented method of claim 8, the method further comprising: 
generating a set of select data from the plurality of data, the select data satisfying one or more predetermined conditions (Page 7, last paragraph on the lift and paragraph on the right, wherein the selecting the rules that satisfy minimum threshold corresponds to data satisfying a predetermined conditions, Data mining applied to Darknet); and 
replacing the plurality of data with the set of select data for further processing of the plurality of data (Page. 7, left column #2) wherein the method of generating a new output corresponds to replacing the plurality of data.  
Regarding Claims 14, 21, and 27, Data mining applied to Darknet disclose a computer-implemented method of claim 8, wherein the plurality of classes of data relate to TCP flags and packet sizes for determining the one or more scores associated with data transmission to the darknet (page 3, section 2.3 second paragraph, Data mining applied to Darknet).  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 11, 18, and 25 is/are rejected under 35 U.S.C. 103 as being unpatentable over Data Mining Applied to Darknet traffic analysis (Data mining applied to Darkent hereinafter) Journal of the National Institute of Information and Communications technology Vol. 63 No 2(2016) in view of Large-Scale Monitoring for Cyber Attacks by using cluster information on Darknet Traffic Features (Large-Scale Monitoring hereinafter), Procedia Computer Science volume 53, 2015 pages 175-182.

Regarding claim 11, 18, and 25, Data mining applied to Darknet disclose a computer-implemented method of claim 8.  Data mining applied to Darknet disclose all the limitations as stated above. However, Data mining applied to Darknet doesn’t explicitly disclose wherein the generating the plurality of classes of data uses a process of an unsupervised machine learning on the other hand, Large-Scale Monitoring disclose the wherein the generating the plurality of classes of data uses a process of an unsupervised machine learning as shown in Page 176, 2 “Related Work” wherein the method of performing unsupervised machine learning techniques on the extracted traffic corresponds to generating the plurality of classes of data as further described in Fig. 1, page 177.
The claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify the teachings of Data mining applied to Darknet, with the teachings of Large-Scale Monitoring, to extract traffic activities by similar types of hosts which grouped based on statistical behavioral analytics. Modification would have been obvious to one of ordinary skill in the art because in the event monitoring the behavior of long term cyber-attacks by mining the darknet traffic data collected by the nicter project as shown in Page 176, section 2, Large-Scale Monitoring.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Multidimensional investigation of source port 0 probing.
Unsupervised Machine Learning for Networking: Techniques, Applications and
Research Challenges.
Chandramouli et al. 20120254333 related to automated detection of decepition in short and multilingual electronic messages.


Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANA A AL- HASHEMI whose telephone number is (571)272-4013. The examiner can normally be reached 8:00 am-4:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Pierre Vital can be reached on 571-272-4215. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SANA A AL- HASHEMI/Primary Examiner, Art Unit 2162                                                                                                                                                                                                        May 20, 2022