DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


The following is a final office action in response to communications received 06/07/2018. Claims 1, 10, 19 have been amended. Claims 2, 11 have been cancelled. Therefore, claims 1, 3-10, 12-20 are pending and addressed below.


Response to Arguments
Applicant’s arguments filed 05/09/22 have been fully considered but they are not persuasive. Applicant argues that Frayman does not disclose (1) analyzing the trained machine learning model to identify features not used in the trained machine learning model, or (2) removing the features not used in the trained machine learning model and information overhead in the machine learning model.

In response to argument (1), Examiner respectfully disagrees. Frayman discloses the behavior analysis engine receives known-benign training data…the known benign training data may be received from the network traffic hub or from a third party entity…to generate the known benign training data, the behavior analysis engine may establish secure connections with the known non-malicious sites and use data from the communication that establish the encrypted connections to train the threat detection model, see par. 53…the threat detection model generates a confidence score for whether malicious behavior is present in encryption metadata…if the confidence score for a particular handshake is less than some threshold, the classifier may send the encryption metadata for analysis by a human operator…and can be further trained based on the classification of the human operator, see par. 68. Frayman also discloses that, where the threat detection model is generated into a decision tree, the network traffic hub can extract all of the feature values and use the values to traverse the decision tree…if a feature X is extracted, one of the nodes in the tree may include a threshold for feature X and direct the network traffic hub one way if feature X exceeds the threshold and the other way if feature X does not…see par. 71. Therefore Examiner maintains that Frayman does disclose this limitation.

In response to argument (2), Examiner respectfully disagrees. Frayman discloses extracting features from the known benign training data…see par. 53. Therefore Examiner maintains that Frayman does disclose this limitation.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 3-10, 12-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 1, 10, 19 recite “…removing the feature not used in the trained machine learning model and information overhead in the machine learning model…”.  There is insufficient antecedent basis for this limitation in the claim.

Claim 20 recites “…metadata that is extra overhead in the trained machine learning model, information used to train the machine learning model…”. There is insufficient antecedent basis for this limitation in the claim.



Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 3-10, 12-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Frayman et al (Pub. No. US 2018/0124085).


As per claims 1, 10, 19, Frayman discloses a non-transitory computer-readable storage medium having computer-readable code stored thereon for programming one or more processors to perform steps of: training a machine learning model with data for identifying features in monitored traffic in a network (…the network traffic hub to monitor traffic that travels through the local network…generating a threat detection model…a behavior analysis engine receives known-malicious training data…see par. 24, 51); analyzing the trained machine learning model to identify features not used in the trained machine learning model and information overhead therein, wherein the information overhead is utilized in part for the training (…see par. 53, 68, 71); removing the features not used in the trained machine learning model and information overhead in the machine learning model; and providing the machine learning model for runtime use for identifying the features in the monitored traffic, with the removed information overhead from the machine learning model (…the behavior analysis engine extracts features from the known-malicious training data…from the extracted features from the training data, the behavior analysis engine generates the threat detection model…see par. 53-66).


As per claims 2, 11, Frayman discloses wherein the steps further include identifying features that are not used in the trained machine learning model; and removing the identified features prior to the providing (see par. 66-67).


As per claims 3, 12, Frayman discloses wherein the steps further include determining thresholds for the identifying features in the trained machine learning model; and normalizing the thresholds to a scoring system (see par. 68).


As per claims 4, 13, Frayman discloses wherein the information overhead includes hyperparameters (see par. 48-49).


As per claims 5, 14, Frayman discloses wherein the information overhead includes metadata that is extra overhead in the trained machine learning model (see par. 48).


As per claims 6, 15, Frayman discloses wherein the information overhead includes information from the training that is not useful at runtime in the trained machine learning model (see par. 70-71).


As per claims 7, 16, Frayman discloses wherein the information overhead includes parameters that are used to understand the training (see par. 70-71).


As per claims 8, 17, Frayman discloses wherein the machine learning model includes a gradient boosting framework that uses tree-based learning algorithms (see par. 71).


As per claims 9, 18, Frayman discloses wherein the providing is to a cloud-based system that utilizes the machine learning model for inline monitoring of the monitored traffic (see par. 27).


As per claim 20, Frayman discloses wherein the information overhead includes any of metadata that is extra overhead in the trained machine learning model, information used to train the machine learning model and that is not useful at runtime in the trained machine learning model, and parameters that are used to understand how the machine learning model was trained (see par. 48, 70-71).





Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-form 892).
The following Patents and Papers are cited to further show the state of the art at the time of Applicant’s invention with respect to prudent ensemble models in machine learning with high precision for use in network security.

Zhang (Pub. No. US 2014/0237597); “Automatic Signature Generation for Malicious PDF Files”;

-Teaches signature generator to generate one or more signatures using information supplied from script scan engine…signature matcher is configured to match stored signature…see par. 35-36.



Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to GHAZAL B SHEHNI whose telephone number is (571)270-7479. The examiner can normally be reached Mon-Fri 9am-5pm PCT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached on 5712723951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GHAZAL B SHEHNI/Primary Examiner, Art Unit 2499