EXAMINER'S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given in an interview with Judy Naamat on 5/8/2022.

The application has been amended as follows: 

1.	(Currently Amended)  A method for automatically classifying protected devices included in a protected network to a plurality of protection groups, each protection group providing customized protection, the method comprising:
accessing network flow information, the network flow information including network statistics processed from observed data obtained by packet interception devices configured to intercept packets of network traffic;
accessing at least one model, wherein each model of the at least one model is a machine learning (ML) model,
wherein the at least one model was trained using machine learning and a training data set of the network flow information, the at least one model being trained to classify protected devices having addresses that correspond to destination addresses associated with the training data set to respective protection groups of the plurality of protection groups as a function of the network statistics that correspond to the training data set, [[;]]
wherein the training data set of the network flow information is determined from the intercepted packets of network traffic determined to be associated with one or more devices previously assigned to the plurality of protection groups, and
		wherein a test score is assigned to each of the at least one models representing the ML model’s performance in making accurate classifications of previously classified devices;
responsive to each of the ML models of the at least one model being assigned a test score meeting a threshold, classifying a protected device to at least one protection group of the plurality of protection groups, the protected device having an address that corresponds to a destination address associated with a portion of the network flow information, 
wherein the protected device is classified to the at least one protection group using the at least one model and machine learning and as a function of the network statistics that correspond to the portion of the network flow information[[;]], and
		wherein the portion of the network flow information is associated with devices that were not previously assigned to the plurality of protection groups; and
outputting results of the classification of the protected device to the at least one protection group together with identification and/or parameters of the at least one model used for the classification, 
		wherein the parameters of the respective at least one model include [[a]] the test score assigned to the corresponding ML model.

2.	(Currently Amended)  The method of claim 1, wherein the parameters of the respective at least one model further include a description of the type of model used for the corresponding ML model and/or settings that were used for performing the classification.

3.	(Previously Presented)  The method of claim 1, further comprising, wherein the protection group to which the protected device is classified includes several protection groups: 
determining a probability score for each protection group of the several protection groups, wherein the probability score is a function of at least one of a number of models of the least one model used for the classification, the parameters of the at least one model used for the classification, and a number of times the protected device was classified or assigned to the protection group; and
outputting results of the classification of the protected device to each of the several protection groups together with the probability score determined for each protection group of the several protection groups.

4.	(Currently Amended)  The method of claim 3, wherein the network flow information further includes test network flow information having corresponding destination addresses of protection devices that were previously classified to a protection group and one of the classifications was verified for each of the protection devices by assigning the protection group to the protection group, the method further comprising: 
testing the at least one model, including comparing the protection group to which the protected device was classified with the protection group to which the protected device was previously assigned; and
associating the test score with the respective at least one model as a function of performance of the model as indicated by comparison.

5.	(Previously Presented)  The method of claim 1, further comprising ignoring network flow information having corresponding destination addresses of protection devices that were previously classified to a protection group and the classifications were verified.

6.	(Currently Amended)  The method of claim 1, further comprising intercepting packets of the network traffic, aggregating network flows from the intercepted packets, and forming the network flow information from the aggregated network flow, wherein a network flow is a series of bounded communications between a source address and a destination address associated with one of the protected devices.

7.	(Previously Presented)  The method of claim 1, further comprising training the at least one model using machine learning and the training data set, including training the at least one model to classify the protected devices having addresses that correspond to the destination addresses associated with the training data set to the respective protection groups of the plurality of protection groups as a function of the network statistics that correspond to the training data set.

8.	(Previously Presented)  The method of claim 1, further comprising: 
receiving user feedback regarding one of the at least one protection group to which one of the protected devices was classified; and
assigning the protected device to the protection group based on the user feedback.

9.	(Previously Presented)  The method of claim 8, further comprising prompting a user for the user feedback.

10.	(Previously Presented)  The method of claim 1, further comprising determining augmented data for the protected device, the augmented data including at least one of a traceroute tree, hop numbers to the destination address, and ping latency, wherein the network flow information used for the classification of the protected device further includes the augmented data.

11.	(Currently Amended)  A system of automatically classifying protected devices included in a protected network to a plurality of protection groups, each protection group providing customized protection, the system comprising:
a memory configured to store a plurality of programmable instructions; and
at least one processing device in communication with the memory, wherein the at least one processing device, upon execution of the plurality of programmable instructions is configured to:
access network flow information, the network flow information including network statistics processed from observed data obtained by packet interception devices configured to intercept packets of network traffic;
access at least one model, wherein each model of the at least one model is a machine learning (ML) model and the at least one model was trained using machine learning and a training data set of the network flow information, the at least one model being trained to classify protected devices having addresses that correspond to destination addresses associated with the training data set to respective protection groups of the plurality of protection groups as a function of the network statistics that correspond to the training data set, [[;]]
wherein the training data set of the network flow information is determined from the intercepted packets of network traffic determined to be associated with one or more devices previously assigned to the plurality of protection groups, and
wherein a test score is assigned to each of the at least one models representing the ML model’s performance in making accurate classifications of previously classified devices;
responsive to each of the ML models of the at least one model being assigned a test score meeting a threshold, classify a protected device to at least one protection group of the plurality of protection groups, the protected device having an address that corresponds to a destination address associated with a portion of the network flow information, 
	wherein the protected device is classified to the at least one protection group using the at least one model and machine learning and as a function of the network statistics that correspond to the portion of the network flow information[[;]], and
	wherein the portion of the network flow information is associated with devices that were not previously assigned to the plurality of protection groups; and
output results of the classification of the protected device to the at least one protection group together with identification and/or parameters of the at least one model used for the classification,
	wherein the parameters of the respective at least one model include [[a]] the test score assigned to the corresponding ML model.

12.	(Currently Amended)  The system of claim 11, wherein the parameters of the respective at least one model further include a description of the type of model used for the corresponding ML model and/or settings that were used for performing the classification.

13.	(Previously Presented)  The system of claim 11, wherein the protection group to which the protected device is classified includes several protection groups and wherein the at least one processing device, upon execution of the plurality of programmable instructions is further configured to:
determine a probability score for each protection group of the several protection groups, wherein the probability score is a function of at least one of a number of models of the least one model used for the classification, the parameters of the at least one model used for the classification, and a number of times the protected device was classified or assigned to the protection group; and
output results of the classification of the protected device to each of the several protection groups together with the probability score determined for each protection group of the several protection groups.

14.	(Currently Amended)  The system of claim 13, wherein the network flow information further includes test network flow information having corresponding destination addresses of protection devices that were previously classified to a protection group and one of the classifications was verified for each of the protection devices by assigning the protection group to the protection group, wherein the at least one processing device, upon execution of the plurality of programmable instructions is further configured to:
test the at least one model, including compare the protection group to which the protected device was classified with the protection group to which the protected device was previously assigned; and
associate the test score with the respective at least one model as a function of performance of the model as indicated by comparison.

15.	(Previously Presented)  The system of claim 11, wherein the at least one processing device, upon execution of the plurality of programmable instructions is further configured to ignore network flow information having corresponding destination addresses of protection devices that were previously classified to a protection group and the classifications were verified.

16.	(Previously Presented)  The system of claim 11, wherein the at least one processing device, upon execution of the plurality of programmable instructions is further configured to access the intercepted packets or aggregated network flows that were aggregated from the intercepted packets, and form network flow information from the aggregated network flow, wherein a network flow is a series of bounded communications between a source address and a destination address associated with one of the protected devices.

17.	(Previously Presented)  The system of claim 11, wherein the at least one processing device, upon execution of the plurality of programmable instructions is further configured to train the at least one model using machine learning and the training data set, including training the at least one model to classify the protected devices having addresses that correspond to the destination addresses associated with the training data set to the respective protection groups of the plurality of protection groups as a function of the network statistics that correspond to the training data set.

18.	(Previously Presented)  The system of claim 11, wherein the at least one processing device, upon execution of the plurality of programmable instructions is further configured to:
receive user feedback regarding one of the at least one protection group to which one of the protected devices was classified; and
assign the protected device to the protection group based on the user feedback.

19.	(Previously Presented)  The system of claim 18, wherein the at least one processing device, upon execution of the plurality of programmable instructions is further configured to prompt a user for the user feedback.

20.	(Previously Presented)  The system of claim 11, wherein the at least one processing device, upon execution of the plurality of programmable instructions is further configured to determine augmented data for the protected device, the augmented data including at least one of a traceroute tree, hop numbers to the destination address, and ping latency, wherein the network flow information used for the classification of the protected device further includes the augmented data.


Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:
With regard to claims 1 and 11, the prior art of record, as applied in the Office Action mailed 2/1/2022 (Parashar in view of Harvey) fails to fairly teach or suggest the claims as amended herein, as a whole.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SCOTT B CHRISTENSEN whose telephone number is (571)270-1144. The examiner can normally be reached Monday through Friday, 6AM to 2PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John Follansbee can be reached on (571) 272-3964. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

SCOTT B. CHRISTENSEN
Examiner
Art Unit 2444



/SCOTT B CHRISTENSEN/Primary Examiner, Art Unit 2444