DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority as a 371 of PCT/EP2018/074976 filed 9/14/2018 and further priority to UK Application GB1714917 filed 9/15/2017 is acknowledged.
Preliminary Amendment filed 3/13/2020 is acknowledged.
Claims 1-44 have been cancelled.
Claims 45-64 have been newly-added and remain pending.

Claim Objections
Claim 55 is objected to because of the following informalities:  
Abbreviation “LSTM” on line 2 of the claim should be spelled-out initially before using such abbreviation in the claims. Appropriate correction is required.

Claim Rejections - 35 USC § 102
2.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

3.	Claims 45, 62, and 63 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Tjew et al. (US20130111019A1), hereafter Tjew.


Regarding claim 45,
Tjew (Title; “User Behavior Analyzer”) discloses a computer implemented method (Fig. 4) for detecting an anomalous application message sequence in an application communication session between a user device (i.e. client device) and a network node (i.e. server), the application communication session associated with an application executing on the user device (Fig. 1; paragraphs 2, 9-10, 20-21, 29-31; detection of abnormal client behavior of various applications).
Tjew shows receiving an application message sent between the user device and the network node, wherein the received application message is associated with a received application message sequence comprising application messages that have been received so far (Fig. 4, step 402-410) and generating an estimate of the next application message to be received using traffic analysis based on techniques in the field of deep learning on the received application message sequence, wherein the estimated next application message forms part of a predicted application message sequence (Fig. 4, 410-414; paragraphs 29, 38-41; analyzer/learn unit forms an expected sequence of communications based on received/grouped messages).
Tjew further shows classifying the received application message sequence as normal or anomalous based the received application message sequence and a corresponding predicted application message sequence (Fig. 4, steps 418-424; paragraphs 38-45) and sending an indication of an anomalous received application message sequence in response to classifying the received application message sequence as anomalous (paragraph 45; forward abnormal behaviors and associated client information to analysis unit).
Regarding claim 62,
Tjew discloses the application messages received during the application communication session between the user device and the network node are application messages based on an application layer protocol, wherein the application layer protocol is based on at least one protocol from the group consisting of Hypertext Transfer Protocol; Simple Mail Transfer Protocol; File Transfer Protocol; Dormain Name System Protocol; any application-layer protocol and/or messaging structure that can be described by a domain specific language that convey application message semantics through a specific syntax; and any other suitable application level communication protocol used by the application and reciprocal application for communicating between user device and network node (paragraphs 10, 19-22, 36, ; messaging sequences of various applications/protocols).

Regarding claim 63,
Tjew (Title; “User Behavior Analyzer”) discloses an apparatus for detection of anomalous application message sequences associated with a user device communicating with a network node in an application communication session, the apparatus comprising a processor (Fig. 1, unit 18), a communication interface (Fig. 1, 129a-c), and a storage unit (Fig. 1, units 16-17), the processor coupled to the communication interface and the storage unit, wherein the communication interface is configured to receive an application message sent between the user device and the network node (Fig. 1; paragraphs 2, 9-10, 20-21, 29-31; detection of abnormal client behavior of various applications), wherein the received application message forms part of a received application message sequence comprising application messages that have been received so far (Fig. 4, step 402-410).
Tjew further shows the processor and storage unit are configured to: (a) generate an estimate of the next application message to be received using traffic analysis based on techniques in the field of deep learning on the received application message sequence, wherein the estimated next application message forms part of a predicted application message sequence (Fig. 4, 410-414; paragraphs 29, 38-41; analyzer/learn unit forms an expected sequence of communications based on received/grouped messages) and (b) classify the received application message sequence as normal or anomalous based the received application message sequence and corresponding application messages of the predicted application message sequence (Fig. 4, steps 418-424; paragraphs 38-45) and the communication interface is further configured to send an indication of an anomalous received application message sequence in response to classifying the received application message sequence as anomalous (paragraph 45; forward abnormal behaviors and associated client information to analysis unit).







Claim Rejections - 35 USC § 103
4.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

5.	Claims 46-48, 50, 53, 56-58, and 64 are rejected under 35 U.S.C. 103 as being unpatentable over Tjew in view of Lan et al. (USP 10546123B1), hereafter Lan.

Regarding claim 46,
Tjew does not expressly show generating the estimate of the next application message expected to be received further comprises converting the received application message to a received application message vector, wherein the received application message vector represents the information content of the received application message; and processing the received application message vector to estimate the next application message expected to be received during the application communication session using a neural network for estimating the next application message and trained on a set of application message sequences associated with normal operation of the application, wherein the estimated next application message expected to be received is represented as a prediction application message vector. 
Analogous art to Lan (Title; Systems and Methods for Identifying Malicious Computer Files) shows converting the received application message to a received application message vector (i.e. feature vector), wherein the received application message vector represents the information content of the received application message (Col. 7, lines 19-25); and processing the received application message vector to estimate the next application message expected to be received during the application communication session using a neural network for estimating the next application message and trained on a set of application message sequences associated with normal operation of the application, wherein the estimated next application message expected to be received is represented as a prediction application message vector (Col. 7, lines 29-35; feature vector derived from decision trees created using initial data to train the trees to accurately classify data, including training specifically to indicate malicious/anomalous content).
It would have been obvious to one of ordinary skill in the art before the time of effective filing to modify Tjew by converting the received application message to a received application message vector, wherein the received application message vector represents the information content of the received application message; and processing the received application message vector to estimate the next application message expected to be received during the application communication session using a neural network for estimating the next application message and trained on a set of application message sequences associated with normal operation of the application, wherein the estimated next application message expected to be received is represented as a prediction application message vector, as shown by Lan, thereby utilizing machine learning for more accurately predicting anomalous data sequences.


Regarding claim 47,
The combination of Tjew and Lan discloses the converting the received application message to a received application message vector further comprises generating the received application message vector as a lower dimensional representation or an informationally dense representation of the received application message (Tjew: Fig. 2; Lan: Fig. 5) based on using neural network techniques and a tree graph representation of the received application message (Lan: Fig. 5; Col. 7, lines 29-35; Col. 8, lines 1-36; use of decision trees to derive accurate pattern). See motivation above.


Regarding claim 48,
The combination of Tjew and Lan discloses each application message comprises a textual representation, encoding and compressing the textual representation into a plurality of symbols, and embedding the plurality of symbols of the application message as an application message vector in a vector space of real values (Lan: Fig. 4-6; Col. 7, lines 19-35; each file of a set of files produces a representative hash value, set of features/vectors that are extracted/provided to resultant decision trees for classifying the files as normal/abnormal).  See motivation above. 




Regarding claim 50,
           The combination of Tjew and Lan discloses generating an application message vector associated with the application message by passing symbol data representative of the encoded and compressed application message through a neural network for embedding an application message as a message vector, the neural network for embedding having been trained to embed a set of application messages into corresponding application message vectors, wherein the neural network outputs an application message vector representing the informational content of the received application message  (Lan: Fig. 4-6; Col. 7, lines 19-35; each file of a set of files produces a representative hash value, set of features/vectors that are extracted/provided to resultant decision trees for classifying the files as normal/abnormal; Col. 7, lines 29-35; feature vector derived from decision trees created using initial data to train the trees to accurately classify data, including training specifically to indicate malicious/anomalous content).  See motivation above. 








Regarding claim 53,
The combination of Tjew and Lan further shows converting the received application message to a received application message vector further comprises generating a tree graph associated with the application message and encoding and embedding the tree graph as a message vector associated with the application message by passing data representative of the tree graph through a neural network comprising an encoding and decoding neural network structure with corresponding weights trained to embed a set of application messages as application message vectors (Lan: Col. 7, lines 19-35; feature vector derived from decision trees created using initial data to train the trees to accurately classify data, including training specifically to indicate malicious/anomalous content), and wherein the encoding neural network structure processes the tree graph associated with the application message to output an application message vector representing the informational content of the received application message (Lan: Fig. 5; Col. 7, lines 29-35; Col. 8, lines 1-36; use of decision trees to derive accurate pattern).  See motivation above.







Regarding claim 56, 
The combination of Tjew and Lan discloses processing the received application message vector based on the neural network for estimating the next application message expected to be received further comprising inputting the received application message vector associated with the received application message to the recurrent neural network, wherein the application message vector represents an embedding of the received application message; and outputting from the recurrent neural network an estimate of the next application comprising a prediction vector representing an embedding of the estimated next application message expected to be received (Tjew: Fig. 4, 410-414; paragraphs 29, 38-41; analyzer/learn unit forms an expected sequence of communications based on received/grouped messages; Lan: Fig. 4-6; Col. 7, lines 19-35; each file of a set of files produces a representative hash value, set of features/vectors that are extracted/provided to resultant decision trees for classifying the files as normal/abnormal; Col. 7, lines 29-35; feature vector derived from decision trees created using initial data to train the trees to accurately classify data, including training specifically to indicate malicious/anomalous content).  See motivation above.






Regarding claims 57 and 58, 
The combination of Tjew and Lan discloses classifying the received application message sequence as normal or anomalous based on the received application message sequence and corresponding application messages of the predicted application message sequence further comprising calculating an error associated with the similarity between the received application message sequence and corresponding predicted application message sequence; and determining the error to be either normal or anomalous based on a classifier trained and adapted on a training set of error vectors for labelling an error as normal or abnormal, wherein, determining whether the received application message sequence is anomalous further comprising determining whether the error corresponding to the received application message sequence is within an error region, the error region having being defined based on a set of errors, the error region defines an error threshold surface associated with the error, the threshold surface for separating error determined to be normal error and error determined to be abnormal error (Tjew: paragraphs 39-45; difference (i.e. error) between historical, recorded sequence of defined types of messages and sequence constructed by the detect unit is normal if falling inside a preset window (i.e. threshold)).
Tjew does not expressly show this comparison in a vector space determined from training the neural network for estimating the next application message with a training set of application message sequences.
Analogous art to Lan (Title; Systems and Methods for Identifying Malicious Computer Files) shows processing in a vector space determined from training the neural network for estimating the next application message with a training set of application message sequences, including a first set of application message vector sequences that are labelled as normal and a second set of application message vector sequences that are labelled as anomalous, and the classifier is based on a two-class support vector machine that defines the error region to separate error vectors labelled as normal and error vectors labelled as anomalous (Col. 7, lines 29-35; feature vector derived from decision trees created using initial data to train the trees to accurately classify data, including training specifically to indicate malicious/anomalous content (i.e. two-class = normal/abnormal)).
It would have been obvious to one of ordinary skill in the art before the time of effective filing to modify Tjew by processing in a vector space determined from training the neural network for estimating the next application message with a training set of application message sequences including a first set of application message vector sequences that are labelled as normal and a second set of application message vector sequences that are labelled as anomalous, and the classifier is based on a two-class support vector machine that defines the error region to separate error vectors labelled as normal and error vectors labelled as anomalous, as shown by Lan, thereby utilizing machine learning for more accurately predicting anomalous data sequences.






Regarding claim 64,  
Tjew (Title; “User Behavior Analyzer”) discloses an apparatus for detection of anomalous application message sequences associated with a user device communicating with a network node in an application communication session, the apparatus comprising a processor (Fig. 1, unit 18), a communication interface (Fig. 1, 129a-c), and a storage unit (Fig. 1, units 16-17), the processor coupled to the communication interface and the storage unit, wherein the communication interface is configured to receive an application message sent from the user device during the application communication session (Fig. 1; paragraphs 2, 9-10, 20-21, 29-31; detection of abnormal client behavior of various applications), wherein the received application message is associated with a sequence of received application messages sent during the application communication session (Fig. 4, step 402-410).
Tjew further discloses the processor and storage unit are configured to predict the next application message expected to be received in the application message sequence (Fig. 4, 410-414; paragraphs 29, 38-41; analyzer/learn unit forms an expected sequence of communications based on received/grouped messages), and generate an error representing the similarity between a sequence of messages associated with the received application message sequence and a corresponding sequence of predictions and determine whether the received application message sequence is an anomalous application message sequence based on the error (Fig. 4, steps 418-424; paragraphs 38-45); and the communication interface further configured to send an indication of an anomalous received application message sequence in response to determining the received application message sequence is anomalous (paragraph 45; forward abnormal behaviors and associated client information to analysis unit).
Tjew does not expressly disclose to convert the received application message to a current message vector, wherein the current message vector represents the information content of the received application message, and to predict based on the current message vector and a neural network trained on a set of application message sequences associated with the application, wherein the predicted next application message expected to be received is represented as a prediction vector.
Analogous art to Lan (Title; Systems and Methods for Identifying Malicious Computer Files) shows to convert the received application message to a current message vector (i.e. feature vector), wherein the current message vector represents the information content of the received application message (Col. 7, lines 19-25), and to predict based on the current message vector and a neural network trained on a set of application message sequences associated with the application, wherein the predicted next application message expected to be received is represented as a prediction vector (Col. 7, lines 29-35; feature vector derived from decision trees created using initial data to train the trees to accurately classify data, including training specifically to indicate malicious/anomalous content).
It would have been obvious to one of ordinary skill in the art before the time of effective filing to modify Tjew by converting the received application message to a current message vector, wherein the current message vector represents the information content of the received application message, and predicting based on the current message vector and a neural network trained on a set of application message sequences associated with the application, wherein the predicted next application message expected to be received is represented as a prediction vector, as shown by Lan, thereby utilizing machine learning for more accurately predicting anomalous data sequences.
Allowable Subject Matter
6.	Claims 49, 51, 52, 54, 55, and 59-61 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
7.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREGORY B SEFCHECK whose telephone number is (571)272-3098. The examiner can normally be reached Monday-Friday 6AM-4PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ayaz Sheikh can be reached on 571-272-3795. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GREGORY B SEFCHECK/Primary Examiner, Art Unit 2477