DETAILED ACTION
This office action is in response to the application filed on 6/30/2020.  Claim(s) 1-23 is/are pending and are examined.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
Information Disclosure Statement PTO-1449
The Information Disclosure Statement(s) submitted by applicant on 11/22/2021 has/have been considered. The submission is in compliance with the provisions of 37 CFR § 1.97. Form PTO-1449 signed and attached hereto. 

Examiner’s Note – Allowable Subject Matter
Claims 4-8, and 15-17 are objected to as being allowable over the prior art, yet remain dependent upon a rejected claim and would otherwise be allowable if incorporated into the independent claim along with any intervening claims. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-3, 9-14, and 18-23 is/are rejected under 35 U.S.C. 103 as being unpatentable over Raugas et al. (US 2015/0128263 A1) in view of Muddu et al. (US 2017/0063896 A1). 
Regarding claims 1, and 18, Raugas teaches:
“A method for training a machine learning model using information pertaining to characteristics of upload activity performed at one or more client devices (Raugas, ¶ 80-81 teaches a processor and memory to execute the method steps), the method comprising: 	generating training data to train the machine learning model (Raugas, ¶ 6, 28 and 74 teaches sampling network traffic which is used to train the machine learning model), wherein generating the training data comprises: 	generating first training input (Raugas, ¶ 28 teaches features 140), the first training input comprising (i) information identifying first amounts of data uploaded during a specified time interval for one or more of a plurality of application categories (Raugas, ¶ 54, particular destination ports with unique ip addresses for the port art counted to detect particular applications), and (ii) information identifying first locations to a client device to which the first amounts of data are uploaded (Raugas, ¶ 54, the destination ports for the TCP and UDP packets are captured), wherein each of the one or more application categories comprise one or more applications that are installed at the client device and that upload the first amounts of data (Raugas, ¶ 54, the particular applications that are attempting to use a given port art monitored); and 	generating a first target output for the first training input, wherein the first target output indicates whether the first amounts of data uploaded to the first locations correspond to malicious or non-malicious upload activity (Raugas, ¶ 67 teaches training where scoring network traffic is accomplished by analyzing the similarity of malicious activity); and 	providing the training data to train the machine learning model on (i) a set of training inputs comprising the first training input, and (ii) a set of target outputs comprising the first target output (Raugas, ¶ 69, machine learning model 125 accepts extracted features 120 for inputs and produces a score for the output)”.
Raugas does not, but in related art, Muddu teaches:
	“external locations (Muddu, ¶ 243, 273-274, 290, and 712 teach using the geo location associated with the ip address in a machine learning model to detect malicious behavior)”.  
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Raugas and Muddu, to modify the malicious upload detection system of Raugas to include the location based machine learning malicious behavior detection method as taught in Muddu.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results. 
 
Regarding claims 2 and 19, Raugas in view of Muddu teaches:
“The method of claim 1 (Raugas in view of Muddu teaches the limitations of the parent claims as discussed above), 	wherein the first training input further comprises (iii) information identifying data categories corresponding to the first amounts of data uploaded during the specified time interval for each of the one or more application categories (Raugas, ¶ 54, particular destination ports with unique ip addresses for the port art counted to detect particular applications); and 	wherein the first target output further indicates whether the data categories corresponding to the first amounts of data correspond to the malicious or non-malicious upload activity (Raugas, ¶ 67 teaches training where scoring network traffic is accomplished by analyzing the similarity of malicious activity)”.

Regarding claims 3 and 20, Raugas in view of Muddu teaches:
“The method of claim 2 (Raugas in view of Muddu teaches the limitations of the parent claims as discussed above), 	wherein the first training input further comprises (iv) information identifying a frequency of upload activity that corresponds to uploading the first amounts of data during the specified time interval for each of the one or more application categories (Raugas, ¶ 54, particular destination ports with unique ip addresses for the port art counted to detect particular applications); and 	wherein the first target output further indicates whether the frequency of upload activity that corresponds to uploading the first amounts of data correspond to malicious or non-malicious upload activity (Raugas, ¶ 67 teaches training where scoring network traffic is accomplished by analyzing the similarity of malicious activity)”.

Regarding claim 9, Raugas in view of Muddu teaches:
“The method of claim 1 (Raugas in view of Muddu teaches the limitations of the parent claims as discussed above), wherein each training input of the set of training inputs is mapped to the first target output in the set of target outputs (Raugas, Fig. 2, ¶ 71, features 210 are mapped through scoring system, fuser and final score)”.

Regarding claims 10 and 21, Rougas teaches:
“A method for using a trained machine learning model with respect to information pertaining to characteristics of upload activity performed at a client device (Raugas, ¶ 80-81 teaches a processor and memory to execute the method steps), the method comprising: 	providing to the trained machine learning model first input (Raugas, ¶ 69 machine learning module 125 receives the extracted features 120 as inputs) comprising (i) information identifying first amounts of data uploaded during a specified time interval (Raugas, ¶ 6 network traffic is sampled for a adjustable window of time) for one or more of a plurality of application categories (Raugas, ¶ 54, particular destination ports with unique ip addresses for the port art counted to detect particular applications.  The traffic includes TCP and UDP signaling types), and (ii) information identifying first locations to the client device to which the first amounts of data are uploaded (Raugas, ¶ 54, the destination ports for the TCP and UDP packets are captured), wherein each of the plurality of application categories comprise one or more applications that are installed at the client device and that upload the first amounts of data (Raugas, ¶ 54, the particular applications that are attempting to use a given port art monitored); and 	obtaining, from the trained machine learning model, one or more outputs identifying (i) an indication of the first amounts of data uploaded to the first locations for each of the one or more application categories, and (ii) for each of the one or more application categories, a level of confidence that the first amounts of data uploaded to the first locations correspond to a malicious upload activity (Raugas, ¶ 67 training includes scoring network traffic based on the similarity to malicious behavior of software executing on a networked client)”.
Raugas does not, but in related art, Muddu teaches:
	“external locations (Muddu, ¶ 243, 273-274, 290, and 712 teach using the geo location associated with the ip address in a machine learning model to detect malicious behavior)”.  
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Raugas and Muddu, to modify the malicious upload detection system of Raugas to include the location based machine learning malicious behavior detection method as taught in Muddu.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results. 

Regarding claim 11, Raugas in view of Muddu teaches:
“The method of claim 10 (Raugas in view of Muddu teaches the limitations of the parent claims as discussed above), wherein the first input further comprising (iii) information identifying data categories corresponding to the first amounts of data uploaded during the specified time interval for each of the one or more application categories (Raugas, ¶ 54, particular destination ports with unique ip addresses for the port art counted to detect particular applications)”.

Regarding claims 12 and 22, Raugas in view of Muddu teaches:
“The method of claim 11 (Raugas in view of Muddu teaches the limitations of the parent claims as discussed above), wherein the first input further comprising (iv) information identifying a frequency of upload activity that corresponds to uploading the first amounts of data during the specified time interval for each of the one or more application categories (Raugas, ¶ 67 training includes scoring network traffic based on the similarity to malicious behavior of software executing on a networked client)”.

Regarding claims 13 and 23, Raugas in view of Muddu teaches:
“The method of claim 10 (Raugas in view of Muddu teaches the limitations of the parent claims as discussed above), further comprising: 	determining, for any of the one or more application categories, whether the level of confidence satisfies a threshold level of confidence (Raugas, ¶ 67 training includes scoring network traffic based on the similarity to malicious behavior of software executing on a networked client); and 	responsive to determining that the level of confidence for a particular application category satisfies the threshold level of confidence, performing a first remedial action with respect to the malicious upload activity associated with the particular application category (Raugas, ¶ 23 teaches creating an alert when a malicious activity is detected)”.

Regarding claim 14, Raugas in view of Muddu teaches:
“The method of claim 13 (Raugas in view of Muddu teaches the limitations of the parent claims as discussed above), wherein performing the first remedial action with respect to the malicious upload activity comprises one or more of: 	providing a user notification identifying the malicious upload activity (Raugas, ¶ 23 teaches creating an alert when a malicious activity is detected)”.

Conclusion
	In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.
	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure: See PTO-892.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEPHEN GUNDRY whose telephone number is (571)270-0507 and can normally be reached on Monday - Friday 8:30 AM - 5PM EST.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/STEPHEN T GUNDRY/Examiner, Art Unit 2435