DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed in the Pre-Appeal Brief on 10/27/21 have been fully considered; however, they are moot in view of the new grounds of rejection. Please see the office action below for details.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7, 9-11, 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Srinivas et al. (US 20150113132) and in further view of Lefebvre et al. (US 20150341379).
(Currently Amended) Regarding claim 1, Srinivas teaches a method, comprising: automatically discovering, by a packet broker in a visibility network, an entity in a core network (for the packet broker see Fig. 1 and paragraph [0055], “In one embodiment, the present system and method intelligently and dynamically programs a network packet broker 126 to gain access to the traffic it needs”; where the packet broker is part of a collector per paragraph [0078]; and the collector automatically discovers network elements in an enterprise network from the raw data, see Fig. 2A-2B for enterprise network and see paragraph [0075], “The raw data includes data that can be collected or crawled by a collector or a manager... The raw data can further include statistical, topological and configuration data--received either from network elements directly, or via an intervening controller or a manager... Similarly, topology information can be gleaned from a SDN controller if available” and see paragraph [0183], “While an explicit machine-to-machine programmability (e.g., SDN controller) may not be required in some embodiments, it may be required for the present system to discover the configuration state and capabilities of the various network elements in other embodiments”); setting up, by the packet broker in the visibility network, a filter associated with the discovered entity of the core network (collector can access network traffic of the wireless controller or network element including access point per paragraph [0065]; and for filters specifically see paragraph [0077], “Crawling herein refers to an act of dynamically selecting a different set of raw data for the collectors to examine at any given time. For example, crawling includes observing different physical or virtual links, and applying different filters to the raw data”); selecting, by the packet broker in the visibility network (see Fig. 1 and paragraph [0055], “In one embodiment, the present system and method intelligently and dynamically programs a network packet broker 126 to gain access to the traffic it needs”; and for selecting see citation below), based on a pattern of network traffic of the core network and from a plurality of machine learning models associated with a parameter of the core network (see trends/patterns in paragraphs [0067]-[0068], “For example at a particular time interval, a user/device may have poor page load times, high transmission control protocol (TCP) retransmits, low signal-to-noise ratio (SNR), high AP channel utilization. The present system and method collects and stores this time series data, and analyzes the time series data for trends/patterns over time and other dimensions”), a machine learning model (selects to use machine learning for higher layer information in paragraph [0055], “A portion of the present system and method performs as a network security and performance tool…The present system and method also summarizes and indexes higher layer information about users, applications, devices, behaviors, and the like (e.g., via machine learning), and enables the higher layer information to be queried using a natural language processing technique”) to be trained (see training/re-training in paragraph [0140], “The second process is a global process that runs periodically to update a learning model (e.g., re-training the classification algorithm), as well as re-summarize past data”; also see training in paragraphs [0071, 0155, 0159]); training, by the packet broker in the visibility network, the machine learning model (see training/re-training in paragraph [0140], “The second process is a global process that runs periodically to update a learning model (e.g., re-training the classification algorithm), as well as re-summarize past data”; also see training in paragraphs [0071, 0155, 0159]); applying, by the packet broker in the visibility network (a “collector” includes a “network packet broker equivalent (NPBE) functionality”, where the collector additionally can perform all the functionality of a “manager”; for collector including NPBE functionality see paragraph [0078], “The present system and method dynamically programs one or more NPBE devices with filtering and steering rules to get selected access to the data… In one embodiment, the NPBE is one or more software elements, for example, running as part of the collector”; and for collector including manager functionality see paragraph [0137], “Summarization and indexing functionalities are implemented in a manager although it is possible to embed some or all of this functionality in a collector as well”), the trained machine learning model to the network traffic that is replicated from the core network (for applying the machine learning model, summarization and indexing functionalities can be embedded in the collector; see paragraph [0054], “The network packet broker 126 (or a matrix switch) gathers, aggregates and filters network traffic from port mirrors, network TAPs, and probes”; and paragraph [0055], “In one embodiment, the present system and method intelligently and dynamically programs a network packet broker 126 to gain access to the traffic it needs. The present system and method also summarizes and indexes higher layer information about users, applications, devices, behaviors, and the like (e.g., via machine learning), and enables the higher layer information to be queried using a natural language processing technique”); detecting, by the packet broker based on the applying of the trained machine learning model, that a network traffic anomaly has occurred or is occurring in the core network (see paragraph [0154], “Another example concerns detecting application behaviors. For example, the machine learning at the manager can identify that the presence of certain packets (e.g., HTTP error packets) indicate certain types of errors”; and paragraph [0178], “According to some embodiments, the present system and method involves using the visibility of the network and controlling the network. An example of controlling the network is enforcing a higher-layer policy throughout the network. Another example is automatic problem and security/anomaly/performance remediation where applicable”). Although Srinivas teaches the limitations above, Srinivas fails to explicitly teach applying a filter as further recited in the claim. Conversely, Lefebvre et al. teaches such limitations: and in response to the detecting, applying, by the packet broker, the filter associated with the discovered entity of the core network to steer the network traffic from the core network related to the network traffic anomaly to one or more analytic tools (see paragraph [0071], “In response, the user interface 300 may present the menu of actions to allow a user to redirect some of the communications from the particular device to another device, black-hole, e.g., silently discard or redirect, traffic to or from the particular device, quarantine or disable the particular device, block traffic to and/or from the particular device, disconnect the particular device from the network, create a computer-implemented network rule for communications with the particular device, transition an application executing on the particular device to another device, or adjust network mapping tables, to name a few examples”). Therefore it would have been obvious to a person of ordinary skill in the art prior to the effective filing date of the invention to have combined the teachings of Srinivas with the applying of a filter to steer traffic as taught by Lefebvre et al. The motivation for this would have been to optimize and prevent malicious activity on a network (see paragraph [0001]).
Regarding claim 2, Srinivas further teaches the method of claim 1, wherein the plurality of machine learning models comprise a plurality of time-series models configured to model changes in value of the parameter of the core network over time (see paragraph [0067], “The present system and method collects and stores this time series data, and analyzes the time series data for trends/patterns over time and other dimensions (e.g., device type, location)”).

Regarding claim 3, the modified Srinivas further teaches the method of claim 1, wherein the plurality of machine learning models comprise a plurality of protocol language models configured to model valid message exchanges with respect to a particular network protocol in the core network (see paragraph [0068], “According to some embodiments, the present system and method analyzes for trends/patterns is across networks. For example, the present system and method identifies the specific network/protocol/wireless metrics to determine the application performance”; and see paragraphs [0140-0151], “From the set of input features and relevant input data, the present system and method uses two background processes to summarize (i.e., extract higher-layer information) and index the summarized data… The second process is a global process that runs periodically to update a learning model (e.g., re-training the classification algorithm), as well as re-summarize past data. Examples of the higher layer information include, but are not limited to: [0141] Users; [0142] Applications; [0143] Protocols; [0144] Device; [0145] Content; [0146] Network and Physical Location (Telemetry); and [0147] Derived metadata, including: [0148] Learned relationships between the above (e.g., User X tend to access applications of type Y, tend to generate Z amount of traffic), [0149] Learned attributes of the above (e.g., rate of change vs. "stickiness" of the relationships), [0150] Learned behaviors about the above (e.g., this application appears to be having TCP issues, this user appears to be doing something malicious), and [0151] Learned changes in behavior of the above (e.g., this application has had an abnormally high set of errors, this application is using abnormally high bandwidth)”).
Regarding claim 4, Srinivas further teaches the method of claim 1, wherein the training comprises: training, by the packet broker, the machine learning model (see claim 1 citations for training the machine learning model) using historical traffic data collected from the core network (see paragraph [0067], “The present system and method collects and stores this time series data, and analyzes the time series data for trends/patterns over time and other dimensions (e.g., device type, location)”).
Regarding claim 5, Srinivas further teaches the method of claim 1, wherein the training comprises: training, by the packet broker, the machine learning model (see claim 1 citations for training the machine learning model) using live traffic data replicated from the core network (see paragraph [0140], “From the set of input features and relevant input data, the present system and method uses two background processes to summarize (i.e., extract higher-layer information) and index the summarized data. The incremental process acts upon the reception of any new raw (i.e., un-summarized) feature data or any data update that causes previously indexed information to be immediately erroneous (e.g., a user changed IP address). This process runs a heuristic classification algorithm to summarize the raw features”; and paragraph [0156], “According to another embodiment, the present system and method performs, in real time, a segment-by-segment analysis of a particular user/application/device's traffic”).
Regarding claim 6, Srinivas further teaches the method of claim 1, wherein the applying the trained machine learning model comprises: determining, from the network traffic replicated from the core network, an actual value of the parameter of the core network modeled by the trained machine learning model (see paragraph [0140], “From the set of input features and relevant input data, the present system and method uses two background processes to summarize (i.e., extract higher-layer information) and index the summarized data. The incremental process acts upon the reception of any new raw (i.e., un-summarized) feature data or any data update that causes previously indexed information to be immediately erroneous (e.g., a user changed IP address). This process runs a heuristic classification algorithm to summarize the raw features”); and determining, using the trained machine learning model, an expected value of the parameter of the core network (see paragraphs [0140-0151], “The second process is a global process that runs periodically to update a learning model (e.g., re-training the classification algorithm), as well as re-summarize past data. Examples of the higher layer information include, but are not limited to: [0141] Users; [0142] Applications; [0143] Protocols; [0144] Device; [0145] Content; [0146] Network and Physical Location (Telemetry); and [0147] Derived metadata, including: [0148] Learned relationships between the above (e.g., User X tend to access applications of type Y, tend to generate Z amount of traffic), [0149] Learned attributes of the above (e.g., rate of change vs. "stickiness" of the relationships), [0150] Learned behaviors about the above (e.g., this application appears to be having TCP issues, this user appears to be doing something malicious), and [0151] Learned changes in behavior of the above (e.g., this application has had an abnormally high set of errors, this application is using abnormally high bandwidth)”).
Regarding claim 7, Srinivas further teaches wherein the detecting comprises: determining that a discrepancy between the actual value and the expected value exceeds a predefined threshold (see paragraphs [0151] and [0192], “Learned changes in behavior of the above (e.g., this application has had an abnormally high set of errors, this application is using abnormally high bandwidth)”).
Regarding claim 9, Srinivas further teaches wherein the parameter of the core network comprises at least one of a subscriber attach rate, a paging rate, a data throughput, or packets per second and the second parameter comprises a day of a week (see paragraph [0063]).
Regarding claim 10, Srinivas further teaches the method of claim 1, wherein the applying the filter further comprises generating and sending metadata information associated with the steered the network traffic to the one or more analytic tools (see claim 1 for packet broker/collector steering data to analytic tools including a network manager; and see paragraph [0060], “The collector 202 captures all of these data, extracts key metadata or features, and compresses and sends the key metadata or features to the manager 201 that is located in a public cloud 220”), and the method further comprising:
in response to the detecting, metering the network traffic from the core network related to the network traffic anomaly (see claim 1 and paragraphs [0178-0182], “Another example is automatic problem and security/anomaly/performance remediation where applicable. The present system and method may implement a network control in (a) a manual, or prescribed control, and (b) an automatic closed loop control... Examples of the high-level control objectives include, but are not limited to: [0179] Block user X from accessing the network, [0180] Maintain high performance for Application Y, [0181] Detect and mitigate denial of service (DOS) attacks, and [0182] Prioritize user class Z traffic”; and also see rate-limits in paragraph [0190], “Another use case of an automatic closed loop control is where the control objective is to maintain high performance for application X. In this case, the present system and method simply programs rules that place all traffic corresponding to that application into the highest performing queue. If improved application X performance is not observer, the present system and method attempts to program rules that re-routes or rate-limits traffic from applications that share common network links with application X. If improvements are observed, the present system and method restores the performance of other applications”).
Regarding claim 11, Srinivas further teaches the method of claim 1, further comprising:
predicting, by the packet broker and based on the applying of the trained machine learning model, another network traffic anomaly will occur in the core network at a future point in time (see predicts in paragraph [0068], “According to some embodiments, the present system and method analyzes for trends/patterns is across networks. For example, the present system and method identifies the specific network/protocol/wireless metrics to determine the application performance. As an example, the present system and method analyzes a bad Microsoft Lync.RTM. voice application performance (e.g., mean opinion score (MOS)) across many customer networks. The present system and method learns that the most important indicator is high levels of layer 2 packet retransmissions. Based on this assessment, the present system and method predicts, for a new customer network that has high levels of layer 2 packet retransmissions, that Microsoft Lync.RTM. performance would be poor unless the packet retransmissions problem is rectified”); and in response to the predicting, performing, by the packet broker, one or more predefined actions (paragraph [0183], “The present system computes how the control is to be achieved in a distributed manner. The control instruction sets may be probabilistically ranked in the order of predicted effectiveness”).
(Currently Amended) Regarding claim 15, Srinivas teaches a non-transitory computer readable storage medium having stored thereon program code executable by a packet broker in a visibility network (see Fig. 1 and paragraph [0055], “In one embodiment, the present system and method intelligently and dynamically programs a network packet broker 126 to gain access to the traffic it needs”), the program code causing the packet broker to: automatically discover an entity in a core network (the packet broker is part of a collector per paragraph [0078]; and the collector automatically discovers network elements in an enterprise network from the raw data, see Fig. 2A-2B for enterprise network and see paragraph [0075], “The raw data includes data that can be collected or crawled by a collector or a manager... The raw data can further include statistical, topological and configuration data--received either from network elements directly, or via an intervening controller or a manager... Similarly, topology information can be gleaned from a SDN controller if available” and see paragraph [0183], “While an explicit machine-to-machine programmability (e.g., SDN controller) may not be required in some embodiments, it may be required for the present system to discover the configuration state and capabilities of the various network elements in other embodiments”), wherein the core network comprises a mobile network (see Fig. 2B where enterprise network comprises access points and mobile devices per paragraph [0062], “FIG. 2B illustrates system architecture of an exemplary system deployed in an enterprise network… The wireless controller 265 controls and/or configures the access points 256 and terminates data plane traffic coming from mobile devices that are wirelessly connected to the access points 256”); set up a filter associated with the discovered entity of the core network (collector can access network traffic of the wireless controller or network element including access point per paragraph [0065]; and for filters specifically see paragraph [0077], “Crawling herein refers to an act of dynamically selecting a different set of raw data for the collectors to examine at any given time. For example, crawling includes observing different physical or virtual links, and applying different filters to the raw data”); determine select, based on a pattern of network traffic of the core network (see trends/patterns in paragraph [0067], “For example at a particular time interval, a user/device may have poor page load times, high transmission control protocol (TCP) retransmits, low signal-to-noise ratio (SNR), high AP channel utilization. The present system and method collects and stores this time series data, and analyzes the time series data for trends/patterns over time and other dimensions”; and for selecting see citation below) and from a plurality of machine learning models associated with a first parameter of the core network (selects to use machine learning for higher layer information in paragraph [0055], “A portion of the present system and method performs as a network security and performance tool…The present system and method also summarizes and indexes higher layer information about users, applications, devices, behaviors, and the like (e.g., via machine learning), and enables the higher layer information to be queried using a natural language processing technique”), a machine learning model to be trained (see training/re-training in paragraph [0140], “The second process is a global process that runs periodically to update a learning model (e.g., re-training the classification algorithm), as well as re-summarize past data”; also see training in paragraphs [0071, 0155, 0159]); train a plurality of variations of the machine learning model associated with the first parameter of the core network (see training/re-training in paragraph [0140], “The second process is a global process that runs periodically to update a learning model (e.g., re-training the classification algorithm), as well as re-summarize past data”; also see training in paragraphs [0071, 0155, 0159]); apply, based on a second parameter, one of the plurality of trained variations of the machine learning model to the network traffic that is replicated from the core network (a “collector” includes a “network packet broker equivalent (NPBE) functionality”, where the collector additionally can perform all the functionality of a “manager”; for collector including NPBE functionality see paragraph [0078] and for collector including manager functionality see paragraph [0137]; and for applying the machine learning model, summarization and indexing functionalities can be embedded in the collector; see paragraph [0054], “The network packet broker 126 (or a matrix switch) gathers, aggregates and filters network traffic from port mirrors, network TAPs, and probes”; and paragraph [0055], “In one embodiment, the present system and method intelligently and dynamically programs a network packet broker 126 to gain access to the traffic it needs. The present system and method also summarizes and indexes higher layer information about users, applications, devices, behaviors, and the like (e.g., via machine learning), and enables the higher layer information to be queried using a natural language processing technique”); detect, based on the applying of the one of the plurality of trained variations of machine learning model, that a network traffic anomaly has occurred or is occurring in the core network (see paragraph [0154], “Another example concerns detecting application behaviors. For example, the machine learning at the manager can identify that the presence of certain packets (e.g., HTTP error packets) indicate certain types of errors”; and paragraph [0178], “According to some embodiments, the present system and method involves using the visibility of the network and controlling the network. An example of controlling the network is enforcing a higher-layer policy throughout the network. Another example is automatic problem and security/anomaly/performance remediation where applicable”). Although Srinivas teaches the limitations above, Srinivas fails to explicitly teach applying a filter as further recited in the claim. Conversely, Lefebvre et al. teaches such limitations: and in response to the detecting, take one or more predefined actions that comprise applying apply the filter associated with the discovered entity of the core network to steer the network traffic from the core network related to the network traffic anomaly to one or more analytic tools (see paragraph [0071], “In response, the user interface 300 may present the menu of actions to allow a user to redirect some of the communications from the particular device to another device, black-hole, e.g., silently discard or redirect, traffic to or from the particular device, quarantine or disable the particular device, block traffic to and/or from the particular device, disconnect the particular device from the network, create a computer-implemented network rule for communications with the particular device, transition an application executing on the particular device to another device, or adjust network mapping tables, to name a few examples”). Therefore it would have been obvious to a person of ordinary skill in the art prior to the effective filing date of the invention to have combined the teachings of Srinivas with the applying of a filter to steer traffic as taught by Lefebvre et al. The motivation for this would have been to optimize and prevent malicious activity on a network (see paragraph [0001]).
Regarding claim 16, Srinivas further teaches the non-transitory computer readable storage medium of claim 15, wherein to apply the one of the plurality of trained variations of the machine learning model, the program code causes the packet broker to: determine, from the network traffic replicated from the core network, an actual value of the first parameter of the core network modeled by the one of the plurality of trained variations of the machine learning model (paragraph [0140], “From the set of input features and relevant input data, the present system and method uses two background processes to summarize (i.e., extract higher-layer information) and index the summarized data. The incremental process acts upon the reception of any new raw (i.e., un-summarized) feature data or any data update that causes previously indexed information to be immediately erroneous (e.g., a user changed IP address). This process runs a heuristic classification algorithm to summarize the raw features”); and determine, using the one of the plurality of trained variations of the machine learning model, an expected value of the first parameter of the core network (see paragraphs [0140-0151], “The second process is a global process that runs periodically to update a learning model (e.g., re-training the classification algorithm), as well as re-summarize past data. Examples of the higher layer information include, but are not limited to: [0141] Users; [0142] Applications; [0143] Protocols; [0144] Device; [0145] Content; [0146] Network and Physical Location (Telemetry); and [0147] Derived metadata, including: [0148] Learned relationships between the above (e.g., User X tend to access applications of type Y, tend to generate Z amount of traffic), [0149] Learned attributes of the above (e.g., rate of change vs. "stickiness" of the relationships), [0150] Learned behaviors about the above (e.g., this application appears to be having TCP issues, this user appears to be doing something malicious), and [0151] Learned changes in behavior of the above (e.g., this application has had an abnormally high set of errors, this application is using abnormally high bandwidth)”), wherein to detect that the network traffic anomaly has occurred or is occurring in the core network, the program code causes the packet broker to determine that a discrepancy between the actual value and the expected value exceeds a predefined threshold (paragraphs [0151] and [0192], “Learned changes in behavior of the above (e.g., this application has had an abnormally high set of errors, this application is using abnormally high bandwidth)”).
Regarding claim 17,  Srinivas further teaches the non-transitory computer readable storage medium of claim 15, wherein the program code further causes the packet broker to: predict, based on the applying of the one of the plurality of trained variations of the machine learning model, another network traffic anomaly will occur in the core network at a future point in time (paragraph [0068], “According to some embodiments, the present system and method analyzes for trends/patterns is across networks. For example, the present system and method identifies the specific network/protocol/wireless metrics to determine the application performance. As an example, the present system and method analyzes a bad Microsoft Lync.RTM. voice application performance (e.g., mean opinion score (MOS)) across many customer networks. The present system and method learns that the most important indicator is high levels of layer 2 packet retransmissions. Based on this assessment, the present system and method predicts, for a new customer network that has high levels of layer 2 packet retransmissions, that Microsoft Lync.RTM. performance would be poor unless the packet retransmissions problem is rectified”); and in response to the predicting, perform one or more predefined actions (paragraph [0183], “The present system computes how the control is to be achieved in a distributed manner. The control instruction sets may be probabilistically ranked in the order of predicted effectiveness”).
(Currently Amended) Regarding claim 18, Srinivas teaches a packet broker, comprising: a processor; and a non-transitory computer readable medium having stored thereon program code that, when executed by the processor (See Fig. 1 and paragraph [0055], “In one embodiment, the present system and method intelligently and dynamically programs a network packet broker 126 to gain access to the traffic it needs”), causes the processor to: automatically discover an entity in a core network and one or more properties associated with the entity (the packet broker is part of a collector per paragraph [0078]; and the collector automatically discovers network elements in an enterprise network from the raw data, see Fig. 2A-2B for enterprise network and see paragraph [0075], “The raw data includes data that can be collected or crawled by a collector or a manager... The raw data can further include statistical, topological and configuration data--received either from network elements directly, or via an intervening controller or a manager... Similarly, topology information can be gleaned from a SDN controller if available” and see paragraph [0183], “While an explicit machine-to-machine programmability (e.g., SDN controller) may not be required in some embodiments, it may be required for the present system to discover the configuration state and capabilities of the various network elements in other embodiments”); set up a filter associated with the discovered entity of the core network (collector can access network traffic of the wireless controller or network element including access point per paragraph [0065]; and for filters specifically see paragraph [0077], “Crawling herein refers to an act of dynamically selecting a different set of raw data for the collectors to examine at any given time. For example, crawling includes observing different physical or virtual links, and applying different filters to the raw data”), wherein the core network comprises a mobile third generation (3G) network or a mobile Long Term Evolution (LTE) network (see paragraph [0069], a WAN can be used); select, based on a pattern of network traffic of the core network (see trends/patterns in paragraph [0067], “For example at a particular time interval, a user/device may have poor page load times, high transmission control protocol (TCP) retransmits, low signal-to-noise ratio (SNR), high AP channel utilization. The present system and method collects and stores this time series data, and analyzes the time series data for trends/patterns over time and other dimensions”; and for selecting see citation below) and from a plurality of machine learning models associated with a first parameter of the core network (selects to use machine learning for higher layer information in paragraph [0055], “A portion of the present system and method performs as a network security and performance tool…The present system and method also summarizes and indexes higher layer information about users, applications, devices, behaviors, and the like (e.g., via machine learning), and enables the higher layer information to be queried using a natural language processing technique”), a machine learning model to be trained; train a plurality of variations of the machine learning model associated with the first parameter of the core network (see training/re-training in paragraph [0140], “The second process is a global process that runs periodically to update a learning model (e.g., re-training the classification algorithm), as well as re-summarize past data”; also see training in paragraphs [0071, 0155, 0159]); apply, based on a second parameter, one of the plurality of trained variations of the machine learning model to the network traffic that is replicated from the core network (a “collector” includes a “network packet broker equivalent (NPBE) functionality”, where the collector additionally can perform all the functionality of a “manager”; for collector including NPBE functionality see paragraph [0078] and for collector including manager functionality see paragraph [0137]; and for applying the machine learning model, summarization and indexing functionalities can be embedded in collector, see paragraph [0054], “The network packet broker 126 (or a matrix switch) gathers, aggregates and filters network traffic from port mirrors, network TAPs, and probes”; and paragraph [0055], “In one embodiment, the present system and method intelligently and dynamically programs a network packet broker 126 to gain access to the traffic it needs. The present system and method also summarizes and indexes higher layer information about users, applications, devices, behaviors, and the like (e.g., via machine learning), and enables the higher layer information to be queried using a natural language processing technique”); detect, based on the applying of the one of the plurality of trained variations of the machine learning model, that a network traffic anomaly has occurred or is occurring in the core network (see paragraph [0154], “Another example concerns detecting application behaviors. For example, the machine learning at the manager can identify that the presence of certain packets (e.g., HTTP error packets) indicate certain types of errors”; and paragraph [0178], “According to some embodiments, the present system and method involves using the visibility of the network and controlling the network. An example of controlling the network is enforcing a higher-layer policy throughout the network. Another example is automatic problem and security/anomaly/performance remediation where applicable”). Although Srinivas teaches the limitations above, it fails to explicitly teach applying a filter as further recited in the claim.
Conversely Lefebvre et al teaches such limitations; and in response to the detecting, apply the filter associated with the discovered entity of the core network to steer the network traffic from the core network related to the network traffic anomaly to one or more analytic tools (see paragraph [0071], In response, the user interface 300 may present the menu of actions to allow a user to redirect some of the communications from the particular device to another device, black-hole, e.g., silently discard or redirect, traffic to or from the particular device, quarantine or disable the particular device, block traffic to and/or from the particular device, disconnect the particular device from the network, create a computer-implemented network rule for communications with the particular device, transition an application executing on the particular device to another device, or adjust network mapping tables, to name a few examples). Therefore it would have been obvious to a person of ordinary skill in the art prior to the effective filing date of the invention to have combined the teachings of Srinivas with the applying of a filter to steer traffic as taught by Lefebvre et al. The motivation for this would have been to optimize and prevent malicious activity on a network (see paragraph [0001]).
In regards to claims 19-20, they are rejected for the same reasoning as claims 16-17 respectively as they are analogous in scope. 

 
Claims 12-13, 21 are rejected under 35 U.S.C. 103 as being unpatentable over Srinivas et al. in view of Lefebvre et al US (20150341379), and further in view of Rosensweig et al. (US 2014/0351414 A1).

In regards to claim 12, the modified Srinivas teaches the method of claim 11, wherein the predicting comprises: 
retrieving a plurality of historical values of the parameter of the core network that is modeled by the trained machine learning model (see claims 1 and 11 for machine learning model and paragraph [0068] for predicting, and see paragraph [0067], “The present system and method collects and stores this time series data, and analyzes the time series data for trends/patterns over time and other dimensions (e.g., device type, location)”).
Srinivas does not disclose fitting the plurality of historical values to a linear regression model; and extrapolating a value of the parameter of the core network at the future point in time.
Rosensweig teaches fitting a plurality of historical values to a linear regression model (see [Rosensweig] paragraph [0007], “Yet further, a method may additionally comprise generating, by the controller, the predictive indication by: (i) applying a multi-dimensional, regression analysis process to the collected state information (e.g., linear regression process), or (ii) applying a Bayesian analysis process to the collected state information, to name two examples of processes that may be applied to the collected state information”; and paragraph [0008], “The collected state information may comprise recent and past information concerning the operation of each element in the network, or information from outside of the network, for example, and may be selected from among the group consisting of at least load-based information, error-based information and power-based information, for example”); and 
extrapolating a value of the parameter of the core network at the future point in time (determine predictive threshold crossing of the parameter, see [Rosensweig] paragraph [0009], “In one exemplary system, a controller may be operable to: collect state information associated with an element in a network; determine a time that a resource threshold crossing occurs for the element based on a predictive indication associated with the resource threshold crossing; compare the determined time to a reference time period for the element; and set a monitoring rate of the element based on the comparison. The controller may be further operable to generate the predictive indication based on the collected state information for the element, and to set the monitoring rate for the reference time period”).
It would have been obvious to one of ordinary skill in the art before the effective filing date to create the invention of the modified Srinivas which teaches retrieving a plurality of historical values of the first parameter of the core network that is modeled by the one of the plurality of variations of the machine learning model to further include fitting a plurality of historical values to a linear regression model and extrapolating a value of the parameter of the core network at the future point in time such as taught by Rosensweig in order that “Advantageously, by providing prediction-based dynamic monitoring, the amount of overhead required to monitor elements of a network may be reduced without compromising the quality of the monitoring services provided. Moreover, the manner in which elements of a cloud-based network are monitored may be improved without exceeding overhead capabilities” (see paragraph [0025]).

In regards to claim 13, the modified Srinivas teaches the method of claim 12, wherein the predicting further comprises:
comparing the extrapolated value of the parameter of the core network at the future point in time with a predefined threshold (see claim 12 and determine predictive threshold crossing of the parameter, see [Rosensweig] paragraph [0009], “In addition to the exemplary methods described above, the present invention is also directed at a system or systems for setting a monitoring rate of an element of a network. In one exemplary system, a controller may be operable to: collect state information associated with an element in a network; determine a time that a resource threshold crossing occurs for the element based on a predictive indication associated with the resource threshold crossing; compare the determined time to a reference time period for the element; and set a monitoring rate of the element based on the comparison. The controller may be further operable to generate the predictive indication based on the collected state information for the element, and to set the monitoring rate for the reference time period”).

In regards to claim 21, the modified Srinivas teaches the packet broker of claim 20, wherein to predict that another network traffic anomaly will occur the program code further causes the processor to:
retrieve a plurality of historical values of the first parameter of the core network that is modeled by the one of the plurality of trained variations of the machine learning model (see claims 18 and 20 for machine learning model and paragraph [0068] for predicting, and see paragraph [0067], “The present system and method collects and stores this time series data, and analyzes the time series data for trends/patterns over time and other dimensions (e.g., device type, location)”).
Srinivas does not disclose fit the plurality of historical values to a linear regression model; extrapolate a value of the first parameter of the core network at the future point in time; and compare the extrapolated value of the first parameter of the core network at the future point in time with a predefined threshold.
Rosensweig teaches fit the plurality of historical values to a linear regression model (see [Rosensweig] paragraph [0007], “Yet further, a method may additionally comprise generating, by the controller, the predictive indication by: (i) applying a multi-dimensional, regression analysis process to the collected state information (e.g., linear regression process), or (ii) applying a Bayesian analysis process to the collected state information, to name two examples of processes that may be applied to the collected state information”; and paragraph [0008], “The collected state information may comprise recent and past information concerning the operation of each element in the network, or information from outside of the network, for example, and may be selected from among the group consisting of at least load-based information, error-based information and power-based information, for example”); and 
extrapolate a value of the first parameter of the core network at the future point in time (determine predictive threshold crossing of the parameter, see [Rosensweig] paragraph [0009], “In one exemplary system, a controller may be operable to: collect state information associated with an element in a network; determine a time that a resource threshold crossing occurs for the element based on a predictive indication associated with the resource threshold crossing; compare the determined time to a reference time period for the element; and set a monitoring rate of the element based on the comparison. The controller may be further operable to generate the predictive indication based on the collected state information for the element, and to set the monitoring rate for the reference time period”); and 
compare the extrapolated value of the first parameter of the core network at the future point in time with a predefined threshold (determine predictive threshold crossing of the parameter, see [Rosensweig] paragraph [0009], “In addition to the exemplary methods described above, the present invention is also directed at a system or systems for setting a monitoring rate of an element of a network. In one exemplary system, a controller may be operable to: collect state information associated with an element in a network; determine a time that a resource threshold crossing occurs for the element based on a predictive indication associated with the resource threshold crossing; compare the determined time to a reference time period for the element; and set a monitoring rate of the element based on the comparison. The controller may be further operable to generate the predictive indication based on the collected state information for the element, and to set the monitoring rate for the reference time period”).
It would have been obvious to one of ordinary skill in the art before the effective filing date to create the invention of the modified Srinivas which teaches retrieving a plurality of historical values of the first parameter of the core network that is modeled by the one of the plurality of variations of the machine learning model to further include fitting a plurality of historical values to a linear regression model and extrapolating a value of the first parameter of the core network at the future point in time as well as comparing the extrapolated parameter with a predefined threshold such as taught by Rosensweig in order that “Advantageously, by providing prediction-based dynamic monitoring, the amount of overhead required to monitor elements of a network may be reduced without compromising the quality of the monitoring services provided. Moreover, the manner in which elements of a cloud-based network are monitored may be improved without exceeding overhead capabilities” (see paragraph [0025]).

Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Srinivas et al. in view of Lefebvre et al US (20150341379), and further in view of Francisco et al. (US 2016/0248655 A1).
In regards to claim 22, the modified Srinivas teaches the method of claim 1, wherein:
the core network comprises a mobile network (See Fig. 2B where enterprise network comprises access points and mobile devices per paragraph [0062], “FIG. 2B illustrates system architecture of an exemplary system deployed in an enterprise network… The wireless controller 265 controls and/or configures the access points 256 and terminates data plane traffic coming from mobile devices that are wirelessly connected to the access points 256”),
the training comprises training, by the packet broker, the machine learning model (see claim 1 citations for training the machine learning model) using historical traffic data collected from the core network (see paragraph [0067], “The present system and method collects and stores this time series data, and analyzes the time series data for trends/patterns over time and other dimensions (e.g., device type, location)”; and paragraph [0140], “The second process is a global process that runs periodically to update a learning model (e.g., re-training the classification algorithm), as well as re-summarize past data”; and see [Bhagavatula] paragraph [0023], “In one embodiment, active probing is initiated when there is a need to update the performance estimation algorithm. Thereafter, the performance estimation algorithm is trained via passive operational probing data”; where passive data is collected operational data per [Bhagavatula] paragraph [0013]) and using live traffic data replicated from the core network (see paragraph [0140], “From the set of input features and relevant input data, the present system and method uses two background processes to summarize (i.e., extract higher-layer information) and index the summarized data. The incremental process acts upon the reception of any new raw (i.e., un-summarized) feature data or any data update that causes previously indexed information to be immediately erroneous (e.g., a user changed IP address). This process runs a heuristic classification algorithm to summarize the raw features”; and paragraph [0156], “According to another embodiment, the present system and method performs, in real time, a segment-by-segment analysis of a particular user/application/device's traffic”),
the applying comprises: determining, from the network traffic replicated from the core network, an actual value of the parameter of the core network modeled by the trained machine learning model (see paragraph [0140], “From the set of input features and relevant input data, the present system and method uses two background processes to summarize (i.e., extract higher-layer information) and index the summarized data. The incremental process acts upon the reception of any new raw (i.e., un-summarized) feature data or any data update that causes previously indexed information to be immediately erroneous (e.g., a user changed IP address). This process runs a heuristic classification algorithm to summarize the raw features”); and 
determining, using the trained machine learning model, an expected value of the parameter of the core network (see paragraphs [0140-0151], “The second process is a global process that runs periodically to update a learning model (e.g., re-training the classification algorithm), as well as re-summarize past data. Examples of the higher layer information include, but are not limited to: [0141] Users; [0142] Applications; [0143] Protocols; [0144] Device; [0145] Content; [0146] Network and Physical Location (Telemetry); and [0147] Derived metadata, including: [0148] Learned relationships between the above (e.g., User X tend to access applications of type Y, tend to generate Z amount of traffic), [0149] Learned attributes of the above (e.g., rate of change vs. "stickiness" of the relationships), [0150] Learned behaviors about the above (e.g., this application appears to be having TCP issues, this user appears to be doing something malicious), and [0151] Learned changes in behavior of the above (e.g., this application has had an abnormally high set of errors, this application is using abnormally high bandwidth)”), and
the detecting comprises determining that a discrepancy between the actual value and the expected value exceeds a predefined threshold (see paragraph [0151] and [0192], “Learned changes in behavior of the above (e.g., this application has had an abnormally high set of errors, this application is using abnormally high bandwidth)”).
Although Srinivas discloses a mobile network as shown above, Srinivas does not disclose wherein the core network comprises a mobile third generation (3G) network or a mobile Long Term Evolution (LTE) network, and the network traffic comprises general packet radio service (GPRS) tunneling protocol (GTP) traffic.
Francisco teaches a similar system of filtering network traffic (see paragraph [0053], “The network filters 306 are modules for receiving and processing particular types of the network traffic 108”) wherein the core network comprises a mobile third generation (3G) network or a mobile Long Term Evolution (LTE) network (filters relate to 3G and LTE data networks per paragraphs [0059-0060], “A filter-3 318 can be configured to process GPRS Tunneling Protocol-Control Plane (GTP-C) data... The General Packet Radio Service (GPRS) is a packet orientated mobile data service of 2G (2nd generation) and 3G (3rd generation) cellular communication systems… The GPRS tunneling protocol is a group of IP-based communications protocols used to carry GPRS (General Packet Radio Service) data with GSM (Global System for Mobile communications), UMTS (Universal Mobile Telecommunication Service), and LTE (Long Term Evolution) networks”), and 
the network traffic comprises general packet radio service (GPRS) tunneling protocol (GTP) traffic (See GTP-C cited in paragraph [0059] above; and also see paragraph [0060], “GTP is the main protocol used by the GPRS core network to allow 2G, 3G, and WCDMA mobile networks to transmit IP packets to external networks” and also see paragraph [0061], “A filter-4 320 can be configured to process GPRS Tunneling Protocol-User plane (GTP-U) data… The GTP-U data can be used for the transfer of user data in separated tunnels for each Packet Data Protocol (PDP) context”).
It would have been obvious to one of ordinary skill in the art before the effective filing date to create the invention of the modified Srinivas which teaches filtering network traffic with relation to an enterprise network to further include filtering network traffic with relation to a 3G or LTE network as well as the network traffic comprising GTP traffic such as taught by Francisco in order that “GTP is the main protocol used by the GPRS core network to allow 2G, 3G, and WCDMA mobile networks to transmit IP packets to external networks” (see paragraph [0060]) and “Thus, it has been discovered that the network traffic system of the present invention furnishes important and heretofore unknown and unavailable solutions, capabilities, and functional aspects for a network traffic system” (see paragraph [0221]).

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHRIPAL K KHAJURIA whose telephone number is (571)270-5662. The examiner can normally be reached Monday - Friday 9:30AM - 6:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Avellino can be reached on (571)272-3905. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SHRIPAL K KHAJURIA/Primary Examiner, Art Unit 2478