DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
Claims 1-20 are pending in this Office Action.

Response to Arguments
Applicant’s arguments filed in the amendment filed 05/02/2022 have been fully considered but are moot in view of new grounds of rejection. The reasons are set forth below.

Drawings
The formal drawings received on 06/19/2020 have been entered.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement.  The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for pre-AIA  the inventor(s), at the time the application was filed, had possession of the claimed invention. MPEP 2161.01(I) and 2163.05(I)(3)(ii) give guidance. Generic claim language in the original disclosure does not satisfy the written description requirement if it fails to support the scope of the genus claimed. Ariad Pharms, Inc. v. Eli Lilly & Co., 598 F.3d 1336, 1350 (Fed. Cir. 2010)(en banc); Enzo Biochem, Inc. v. Gen-Probe, Inc., 323 F.3d 956, 968, 63 USPQ2d 1609, ___ (Fed. Cir. 2002) (holding that generic claim language appearing in ipsis verbis in the original specification did not satisfy the written description requirement because it failed to support the scope of the genus claimed); Fiers v. Revel, 984 F.2d 1164, 1170, 25 USPQ2d 1601, ___ (Fed. Cir. 1993) (rejecting the argument that “only similar language in the specification or original claims is necessary to satisfy the written description requirement”).
Even original claims may fail to satisfy the written description requirement when the invention is claimed and described in functional language but the specification does not sufficiently identify how the invention achieves the claimed function. Ariad, 598 F.3d at 1349 (“[A]n adequate written description of a claimed genus requires more than a generic statement of an invention’s boundaries.”) (citing Regents of the University of California v. Eli Lilly, 119 F.3d 1559, 1568). In Ariad, the court recognized the problem of using functional claim language without providing in the specification examples of species that achieve the claimed function:
“The problem is especially acute with genus claims that use functional language to define the boundaries of a claimed genus. In such a case, the functional claim may simply claim a desired result, and may do so without describing species that achieve that result. But the specification must demonstrate that the applicant has made a generic invention that achieves the claimed result and do so by showing that the applicant has invented species sufficient to support a claim to the functionally-defined genus.” Ariad, 598 F.3d at 1349.
The standard for description of computer-implemented functions is a description within the specification itself of the algorithm steps that are necessary to perform the claimed function. In re Hayes Microcomputer Prods., Inc. Patent Litigation, 982 F.2d 1527, 1533-34, 25 USPQ2d 1241, ___ (Fed. Cir. 1992). See also Aristocrat Technologies v. IGT, 521 F.3d 1328 (Fed. Cir. 2008). Specifically, if one skilled in the art would know how to program the disclosed computer to perform the necessary steps described in the specification to achieve the claimed function and the inventor was in possession of that knowledge, the written description requirement would be satisfied. Hayes, 982 F.2d at 1534.
Further, when a specification provides a single means of performing a function it does not entitle the inventor to all means of achieving the function. Lizardtech Inc. v. Earth Res. Mapping Inc., 424 F.3d 1336, 1346 (Fed. Cir. 2005). The written description requirement for a claimed genus may be satisfied through sufficient description of a representative number of species by actual reduction to practice (see MPEP 2163.05(I)(3)(i)(A)), reduction to drawings ((i)(B)), or by disclosure of relevant, identifying characteristics, i.e., structure or other physical and/or chemical properties, by functional characteristics coupled with a known or disclosed correlation between function and structure, or by a combination of such identifying characteristics, sufficient to show the applicant was in possession of the claimed genus ((i)(C)). See Eli Lilly, 119 F.3d at 1568.
Thus it is clear what is required of computer-implemented functional claims: As Ariad stated, mere claim to the functionality, without more, is insufficient to meet the written description requirement. Hayes and Aristocrat teach that the applicant must provide at least a single means of achieving the function within the specification itself. That means the algorithm steps which achieve the function must be described in sufficient detail that one of ordinary skill in the art would reasonably conclude that the applicant had possession of the claimed subject matter. The applicant must provide at least a single set of algorithm steps which perform the function, but even then that only entitles the applicant to claim those steps, as a claim to the broader function without proof of the enlarged scope is insufficient under Lizardtech. Therefore, a claim to the functional result must include at least a single means, and then other means or some expanding principle sufficient to prove possession of the full scope.
In the instant case:
Examiner contends that Applicant does not even disclose a representative number of species (i.e., algorithms or steps/procedures) in the specification for the claimed genus for achieving the functionality “(B) generating a network communication model based on the observed communications data including flow matches between applications and hosts, wherein the network communication model defines whether an application and host can communicate to other hosts on the network in a particular host segment of a plurality of hosts segments each including a plurality of hosts in the network; (C) generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications, wherein the hypothetical communications include new flow matches which do not exist in the observed data in the network communication model; and (D) identifying allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model; (E) identifying positive data representing a plurality of network communications that should be allowed by the network communication model; (F) calculating an accuracy of the network communication model based on the allowed data and the positive data; and (G) updating the network communication model based on the accuracy and providing the network communication model to any of a plurality of hosts on the network for communication thereon” of claim(s) 1 and 11. The aforementioned limitations are merely examples and there may be additional limitations for which the Applicant does not even disclose a representative number of species in the specification for the claimed genus for achieving the additional functionalities. 
A claim to functionality must be supported by at least a single algorithm or step/procedure for achieving it, see Ariad and Hayes, above. Even if Applicant discloses an algorithm or step/procedure for achieving the functionality, a claim to functionality is overbroad of the disclosure of a single means of achieving it, as described by Lizardtech, Ariad and Eli Lilly above. Because applicant is seeking to claim more than he has invented, the full scope of his claim is not described and a 112, 1st rejection is proper.
The applicant, on page 9 of the remarks, states that various embodiments provide support for the representative number of species in the specification for the claimed genus for achieving the functionalities; however, that is not true. The applicant’s specification does not provide support for the representative number of species in the specification for the claimed genus for achieving the functionalities. Also, the applicant does not point to the sections of the specification where the support for the representative number of species in the specification for the claimed genus for achieving the functionalities is provided.
Furthermore, the applicant admits in paragraphs [0003] and [0004] of the specification, that the applicant provides a network policy generation procedure which goes beyond existing methods to provide further improvements to technology and technical processes especially concerning improving the generation and maintenance of network policies for security and more. This admission makes it even more important for the applicant to disclose support for the representative number of species in the specification for the claimed genus for achieving the functionalities. Moreover, compliance with § 112(a) for these types of claims is critical to ensure that inventors do not “attempt to preempt the future before it has arrived” by claiming pure functions without limit as to how they are accomplished (MPEP 2161.01). Whether one of ordinary skill in the art could devise a way to accomplish the function is not relevant to the issue of whether the inventor has shown possession of the claimed invention. The ability of one skilled in the art to make and use the claimed invention does not satisfy the written description requirement if details of how the function is to be performed are not disclosed (MPEP 2161.01(I)).
Claims 1 and 11 recite “wherein the network communication model defines whether an application and host can communicate to other hosts on the network in a particular host segment of a plurality of hosts segments each including a plurality of hosts in the network,” which is not present in the applicant’s specification.
Claims 1 and 11 recite “updating the network communication model based on the accuracy and providing the network communication model to any of a plurality of hosts on the network for communication thereon,” which is not present in the applicant’s specification.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Independent Claim(s):
Step 1: Statutory Category. Claim(s) 1-20 is/are directed to statutory category of subject matter. The claim(s) does/do fall within at least one of the four categories of patent eligible subject matter because the claim(s) is/are directed to either a process, machine, manufacture, or composition of matter.
Step 2A: Prong One. Judicial Exception. Claim(s) 1-20 is/are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. The claim(s) are directed to the abstract idea of collecting and storing observed communications data representing the plurality of observed communications; generating a network communication model based on the observed communications data including flow matches between applications and hosts, wherein the network communication model defines whether an application and host can communicate to other hosts on the network in a particular host segment of a plurality of hosts segments each including a plurality of hosts in the network; generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications, wherein the hypothetical communications include new flow matches which do not exist in the observed data in the network communication model; and identifying allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model; identifying positive data representing a plurality of network communications that should be allowed by the network communication model; calculating an accuracy of the network communication model based on the allowed data and the positive data; and updating the network communication model based on the accuracy and providing the network communication model to any of a plurality of hosts on the network for communication thereon, as explained in detail below.
The claim(s) do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional computer elements, which are recited at a high level of generality, provide conventional computer functions that do not add meaningful limits to practicing the abstract idea. 
The independent claim(s) recites, in part, (A) for each of a plurality of observed communications over a network between applications executing on a plurality of computer systems, collecting and storing observed communications data representing the plurality of observed communications; (B) generating a network communication model based on the observed communications data including flow matches between applications and hosts, wherein the network communication model defines whether an application and host can communicate to other hosts on the network in a particular host segment of a plurality of hosts segments each including a plurality of hosts in the network; (C) generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications, wherein the hypothetical communications include new flow matches which do not exist in the observed data in the network communication model; and (D) identifying allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model; (E) identifying positive data representing a plurality of network communications that should be allowed by the network communication model; (F) calculating an accuracy of the network communication model based on the allowed data and the positive data; and (G) updating the network communication model based on the accuracy and providing the network communication model to any of a plurality of hosts on the network for communication thereon. 
These steps describe the concept of collecting and storing observed communications data representing the plurality of observed communications; generating a network communication model based on the observed communications data including flow matches between applications and hosts, wherein the network communication model defines whether an application and host can communicate to other hosts on the network in a particular host segment of a plurality of hosts segments each including a plurality of hosts in the network; generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications, wherein the hypothetical communications include new flow matches which do not exist in the observed data in the network communication model; and identifying allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model; identifying positive data representing a plurality of network communications that should be allowed by the network communication model; calculating an accuracy of the network communication model based on the allowed data and the positive data; and updating the network communication model based on the accuracy and providing the network communication model to any of a plurality of hosts on the network for communication thereon, which corresponds to concepts identified as abstract ideas by the courts, such as Collecting information, analyzing it, and displaying certain results of the collection and analysis (Electric Power Group); Filtering content (BASCOM); Monitoring delivery of real-time information to users (Two-Way Media ‘622 patent); Organizing and manipulating information through mathematical correlations (Digitech); Collecting and analyzing information to detect misuse and notifying a user when misuse is detected (FairWarning); A formula for computing an alarm limit (Flook); An algorithm for calculating parameters indicating an abnormal condition (Grams). All of these concepts relate to “An Idea ‘Of Itself’” in which “An idea standing alone such as an uninstantiated concept, plan or scheme, as well as a mental process (thinking) that ‘can be performed in the human mind, or by a human using a pen and paper;’” “Certain Methods of Organizing Human Activity” in which “Concepts relating to interpersonal and intrapersonal activities, such as managing relationships or transactions between people, social activities, and human behavior; satisfying or avoiding a legal obligation; advertising, marketing, and sales activities or behaviors; and managing human mental activity;” and/or “Mathematical Relationships/Formulas” in which “Mathematical concepts such as mathematical algorithms, mathematical relationships, mathematical formulas, and calculations.” The concept described in the claim(s) is/are not meaningfully different than “An Idea ‘Of Itself’”, “Certain Methods of Organizing Human Activity”, and/or “Mathematical Relationships/Formulas” found by the courts to be abstract ideas.
As such, the description in the claim(s) of collecting and storing observed communications data representing the plurality of observed communications; generating a network communication model based on the observed communications data including flow matches between applications and hosts, wherein the network communication model defines whether an application and host can communicate to other hosts on the network in a particular host segment of a plurality of hosts segments each including a plurality of hosts in the network; generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications, wherein the hypothetical communications include new flow matches which do not exist in the observed data in the network communication model; and identifying allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model; identifying positive data representing a plurality of network communications that should be allowed by the network communication model; calculating an accuracy of the network communication model based on the allowed data and the positive data; and updating the network communication model based on the accuracy and providing the network communication model to any of a plurality of hosts on the network for communication thereon is an abstract idea. Enfish, LLC v. Microsoft Corp. 822 F.3d 1327, 1335-36 (Fed. Cir. 2016) (“[T]he first step in the Alice inquiry in this case asks whether the focus of the claims [was] on the specific asserted improvement in computer capabilities … or, instead, on a process that qualifies as an ‘abstract idea’ for which computers are invoked merely as a tool.”) No such evidence exists on this record. 
Unlike Enfish, where the claims were focused on a specific improvement in how the computer functioned, the claim here merely uses the computer as a tool to perform the abstract concepts, and the claims are not rooted in technology and simply employ conventional techniques used by humans for estimation of security policy risk. The claim here is not similar to the claimed patent’s innovative logical model for a computer database (p. 2-3), nor does the claim here have a similar specific asserted improvement in computer capabilities (p. 7) as in the Enfish patent. Rather, the claim here is directed to something such as automating the human behavior or task. (See Enfish Memo and Enfish v. Microsoft, May 2016). In addition, simply limiting the invention to a technological environment does “not make an abstract concept any less abstract under step one.” Intellectual Ventures I, 850 F.3d at 1340. Therefore, based on the similarity of the concept described in this claim to abstract ideas identified by the courts, the claim is directed to an abstract idea. For these reasons, the claims are ineligible.
Step 2A: Prong Two. Practical Application. Adding the words “apply it” (or an equivalent) with the judicial exception, or mere instructions to implement an abstract idea on a computer, or merely uses a computer as a tool to perform an abstract idea - see MPEP 2106.05(f). Adding insignificant extra-solution activity to the judicial exception - see MPEP 2106.05(g). Generally linking the use of the judicial exception to a particular technological environment or field of use – see MPEP 2106.05(h).
Step 2B: Additional Elements Significantly More Than the Judicial Exception. The independent claim(s) do/does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. The claim recites the additional limitations of a “non-transitory computer-readable medium” and a “computer processor” for collecting and storing observed communications data representing the plurality of observed communications; generating a network communication model based on the observed communications data including flow matches between applications and hosts, wherein the network communication model defines whether an application and host can communicate to other hosts on the network in a particular host segment of a plurality of hosts segments each including a plurality of hosts in the network; generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications, wherein the hypothetical communications include new flow matches which do not exist in the observed data in the network communication model; and identifying allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model; identifying positive data representing a plurality of network communications that should be allowed by the network communication model; calculating an accuracy of the network communication model based on the allowed data and the positive data; and updating the network communication model based on the accuracy and providing the network communication model to any of a plurality of hosts on the network for communication thereon. The “non-transitory computer-readable medium” and “computer processor” are recited at a high level of generality and are recited as performing generic computer functions routinely used in computer applications. Generic computer components recited as performing generic computer functions that are well-understood, routine and conventional activities amount to no more than implementing the abstract idea with a computerized system. Next, “collecting and storing observed communications data representing the plurality of observed communications; generating a network communication model based on the observed communications data including flow matches between applications and hosts, wherein the network communication model defines whether an application and host can communicate to other hosts on the network in a particular host segment of a plurality of hosts segments each including a plurality of hosts in the network; generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications, wherein the hypothetical communications include new flow matches which do not exist in the observed data in the network communication model; and identifying allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model; identifying positive data representing a plurality of network communications that should be allowed by the network communication model; calculating an accuracy of the network communication model based on the allowed data and the positive data; and updating the network communication model based on the accuracy and providing the network communication model to any of a plurality of hosts on the network for communication thereon” is stated at a high level of generality without tying it to an algorithm that would improve the functionality of the technology and its broadest reasonable interpretation comprises only automated estimation of security policy risk through the use of some unspecified generic computers. The use of generic computer components for collecting and storing observed communications data representing the plurality of observed communications; generating a network communication model based on the observed communications data including flow matches between applications and hosts, wherein the network communication model defines whether an application and host can communicate to other hosts on the network in a particular host segment of a plurality of hosts segments each including a plurality of hosts in the network; generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications, wherein the hypothetical communications include new flow matches which do not exist in the observed data in the network communication model; and identifying allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model; identifying positive data representing a plurality of network communications that should be allowed by the network communication model; calculating an accuracy of the network communication model based on the allowed data and the positive data; and updating the network communication model based on the accuracy and providing the network communication model to any of a plurality of hosts on the network for communication thereon does not impose any meaningful limit on the computer implementation of the abstract idea.
These independent claims include insignificant pre-solution and/or post-solution limitation(s) [for each of a plurality of observed communications over a network between applications executing on a plurality of computer systems, collecting and storing observed communications data representing the plurality of observed communications; updating the network communication model based on the accuracy and providing the network communication model to any of a plurality of hosts on the network for communication thereon] that do not transform the patent-ineligible concept of an abstract idea to a patent-eligible concept even if they are performed using a general purpose computer, as these pre-solution limitation(s) and post-solution limitation(s) add insignificant extrasolution activity to the judicial exception. Thus, taken alone, the additional elements do not amount to significantly more than the above-identified judicial exception (the abstract idea). Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves any other technology. Their collective functions merely provide conventional computer implementation. Additionally, adding the words “apply it” (or an equivalent) with the judicial exception (i.e., applying the judicial exception to the network security), or mere instructions to implement an abstract idea on a computer or generally linking the use of the judicial exception to a particular technological environment or field of use (i.e., the network security) is also found to not be enough to qualify as significantly more.
The Office has not oversimplified the claims in finding the claims to be directed to an abstract idea and does not ignore any feature that goes beyond an alleged abstract idea. The pending claims do not require specific features that could not possibly be performed by a human relying solely on his or her mental processes, pen, and paper.
The claims do not go beyond collecting information, analyzing it, and displaying certain results of the collection and analysis, filtering content, monitoring delivery of real-time information to users, organizing and manipulating information through mathematical correlations, collecting and analyzing information to detect misuse and notifying a user when misuse is detected, a formula for computing an alarm limit, or an algorithm for calculating parameters indicating an abnormal condition. The present claims describe the generation of a network model based on observed data, which does not go beyond collecting and manipulating information through mathematical correlations and the simple delivery of information. Furthermore, the applicant does not explain how the claims go beyond collecting and manipulating information through mathematical correlations and the simple delivery of information.
The pending claims as a whole do not integrate the purported abstract idea into a practical application of the purported abstract idea; instead, the purported abstract idea is generally applied to a particular technological environment or field of use (i.e., the network security), which was found to not be enough to qualify as significantly more.
The applicant states that the applicant has determined how to generate and maintain a network security policy as an ongoing process which allows the accuracy of the model to be estimated without first waiting to apply the model to an actual network, thereby reducing the risk associated with applying the model before its accuracy is known. The applicant further claims that the Applicant therefore provides a network policy generation procedure which goes beyond existing methods to provide further improvements to technology and technical processes especially concerning improving the generation and maintenance of network policies for security and more. However, this is merely improving a statistical model and applying it to the field of network security and thus does not improve the technology and technical process.



Dependent Claim(s):
Step 1: Statutory Category. Claim(s) 2-10 and 12-20 is/are directed to statutory category of subject matter. The claim(s) does/do fall within at least one of the four categories of patent eligible subject matter because the claim(s) is/are directed to either a process, machine, manufacture, or composition of matter.
Step 2A: Judicial Exception. Claim(s) 2-10 and 12-20 is/are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more. The claim(s) are directed to abstract idea of collecting and storing observed communications data representing the plurality of observed communications; generating a network communication model based on the observed communications data; generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications, wherein the hypothetical communications include new flow matches which do not exist in the observed data in the network communication model; and identifying allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model; identifying positive data representing a plurality of network communications that should be allowed by the network communication model; and calculating an accuracy of the network communication model based on the allowed data and the positive data with insignificant extrasolution activities, as explained in detail below. The claim(s) do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional computer elements, which are recited at a high level of generality, provide conventional computer functions that do not add meaningful limits to practicing the abstract idea.
The dependent claim(s) recites, in part, Claim 2 - wherein the plurality of observed communications does not include any of the plurality of hypothetical communications; Claim 3 - wherein collecting and storing the observed communications data comprises collecting and storing, for each of the plurality of observed communications: data representing a source application of the observed communication; data representing a destination application of the observed communication; data representing a local Internet Protocol (IP) address of the observed communication; and data representing a remote IP address of the observed communication; Claim 4 - wherein (F) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the positive data which are not allowed by the network communication model; Claim 5 - wherein (F) comprises: (F)(1) calculating a precision value P based on the allowed data and the positive data: (F)(2) calculating a recall value R based on the allowed data and the positive data; and (F)(3) calculating the accuracy F based on the precision value and the recall value; Claim 6 - wherein (F) (3) comprises calculating F as (2×P×R)/(P+R); Claim 7 - wherein (F) (1) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the hypothetical data which are allowed by the network communication model; Claim 8 - wherein (F) (2) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the positive data which are not allowed by the network communication model; Claim 9 - wherein calculating the accuracy comprises calculating the accuracy before applying the network communication model to any communications on the network; Claim 10 - wherein identifying the positive data comprises receiving input indicating that the plurality of network communications should be allowed by the network communication model and storing data representing the input indicating that the plurality of network communications should be allowed by the network communication model. These steps describe the concept of collecting and storing observed communications data representing the plurality of observed communications; generating a network communication model based on the observed communications data; generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications, wherein the hypothetical communications include new flow matches which do not exist in the observed data in the network communication model; and identifying allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model; identifying positive data representing a plurality of network communications that should be allowed by the network communication model; and calculating an accuracy of the network communication model based on the allowed data and the positive data, which corresponds to concepts identified as abstract ideas by the courts, such as Collecting information, analyzing it, and displaying certain results of the collection and analysis (Electric Power Group); Filtering content (BASCOM); Monitoring delivery of real-time information to users (Two-Way Media ‘622 patent); Organizing and manipulating information through mathematical correlations (Digitech); Collecting and analyzing information to detect misuse and notifying a user when misuse is detected (FairWarning); A formula for computing an alarm limit (Flook); An algorithm for calculating parameters indicating an abnormal condition (Grams). All of these concepts relate to “An Idea ‘Of Itself’” in which “An idea standing alone such as an uninstantiated concept, plan or scheme, as well as a mental process (thinking) that “can be performed in the human mind, or by a human using a pen and paper;” “Certain Methods of Organizing Human Activity” in which “Concepts relating to interpersonal and intrapersonal activities, such as managing relationships or transactions between people, social activities, and human behavior; satisfying or avoiding a legal obligation; advertising, marketing, and sales activities or behaviors; and managing human mental activity;” and/or “Mathematical Relationships/Formulas” in which “Mathematical concepts such as mathematical algorithms, mathematical relationships, mathematical formulas, and calculations.” The concept described in the claim(s) is/are not meaningfully different than “An Idea ‘Of Itself’”, “Certain Methods of Organizing Human Activity”, and/or “Mathematical Relationships/Formulas” found by the courts to be abstract ideas.
As such, the description in the claim(s) of collecting and storing observed communications data representing the plurality of observed communications; generating a network communication model based on the observed communications data; generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications, wherein the hypothetical communications include new flow matches which do not exist in the observed data in the network communication model; and identifying allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model; identifying positive data representing a plurality of network communications that should be allowed by the network communication model; and calculating an accuracy of the network communication model based on the allowed data and the positive data is an abstract idea. Enfish, LLC v. Microsoft Corp. 822 F.3d 1327, 1335-36 (Fed. Cir. 2016) (“[T]he first step in the Alice inquiry in this case asks whether the focus of the claims [was] on the specific asserted improvement in computer capabilities … or, instead, on a process that qualifies as an ‘abstract idea’ for which computers are invoked merely as a tool.”) No such evidence exists on this record. Unlike Enfish, where the claims were focused on a specific improvement in how the computer functioned, the claim here merely uses the computer as a tool to perform the abstract concepts, and the claims are not rooted in technology and simply employ conventional techniques used by humans for estimation of security policy risk. The claim here is not similar to the claimed patent’s innovative logical model for a computer database (p. 2-3), nor does the claim here have a similar specific asserted improvement in computer capabilities (p. 7) as in the Enfish patent. Rather, here the claim is directed to automating a human behavior or task. (See Enfish Memo and Enfish v. Microsoft, May 2016). In addition, simply limiting the invention to a technological environment does “not make an abstract concept any less abstract under step one.” Intellectual Ventures I, 850 F.3d at 1340. Therefore, based on the similarity of the concept described in this claim to abstract ideas identified by the courts, the claim is directed to an abstract idea. For these reasons, the claims are ineligible.
Step 2B: Additional Elements Significantly More Than the Judicial Exception. The dependent claim(s) do/does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. The claim recites the additional limitations of a “non-transitory computer-readable medium” and a “computer processor” for: Claim 2 - wherein the plurality of observed communications does not include any of the plurality of hypothetical communications; Claim 3 - wherein collecting and storing the observed communications data comprises collecting and storing, for each of the plurality of observed communications: data representing a source application of the observed communication; data representing a destination application of the observed communication; data representing a local Internet Protocol (IP) address of the observed communication; and data representing a remote IP address of the observed communication; Claim 4 - wherein (F) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the positive data which are not allowed by the network communication model; Claim 5 - wherein (F) comprises: (F)(1) calculating a precision value P based on the allowed data and the positive data: (F)(2) calculating a recall value R based on the allowed data and the positive data; and (F)(3) calculating the accuracy F based on the precision value and the recall value; Claim 6 - wherein (F) (3) comprises calculating F as (2×P×R)/(P+R); Claim 7 - wherein (F) (1) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the hypothetical data which are allowed by the network communication model; Claim 8 - wherein (F) (2) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the positive data which are not allowed by the network communication model; Claim 9 - wherein calculating the accuracy comprises calculating the accuracy before applying the network communication model to any communications on the network; Claim 10 - wherein identifying the positive data comprises receiving input indicating that the plurality of network communications should be allowed by the network communication model and storing data representing the input indicating that the plurality of network communications should be allowed by the network communication model. The “non-transitory computer-readable medium” and “computer processor” are recited at a high level of generality and are recited as performing generic computer functions routinely used in computer applications. Generic computer components recited as performing generic computer functions that are well-understood, routine and conventional activities amount to no more than implementing the abstract idea with a computerized system.
Next, collecting and storing observed communications data representing the plurality of observed communications; generating a network communication model based on the observed communications data; generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications, wherein the hypothetical communications include new flow matches which do not exist in the observed data in the network communication model; and identifying allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model; identifying positive data representing a plurality of network communications that should be allowed by the network communication model; and calculating an accuracy of the network communication model based on the allowed data and the positive data is stated at a high level of generality without tying it to an algorithm that would improve the functionality of the technology and its broadest reasonable interpretation comprises only automated estimation of security policy risk through the use of some unspecified generic computers. 
The use of generic computer components for collecting and storing observed communications data representing the plurality of observed communications; generating a network communication model based on the observed communications data; generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications, wherein the hypothetical communications include new flow matches which do not exist in the observed data in the network communication model; and identifying allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model; identifying positive data representing a plurality of network communications that should be allowed by the network communication model; and calculating an accuracy of the network communication model based on the allowed data and the positive data does not impose any meaningful limit on the computer implementation of the abstract idea. These dependent claims include insignificant pre-solution limitation(s) and post-solution limitation(s) that do not transform the patent-ineligible concept of an abstract idea to a patent-eligible concept even if they are performed using a general purpose computer, as these pre-solution limitation(s) and post-solution limitation(s) add insignificant extrasolution activity to the judicial exception. Thus, taken alone, the additional elements do not amount to significantly more than the above-identified judicial exception (the abstract idea). Looking at the limitations as an ordered combination adds nothing that is not already present when looking at the elements taken individually. There is no indication that the combination of elements improves the functioning of a computer or improves any other technology. Their collective functions merely provide conventional computer implementation. Additionally, adding the words ‘‘apply it’’ (or an equivalent) with the judicial exception (i.e., applying the judicial exception to the network security), or mere instructions to implement an abstract idea on a computer or generally linking the use of the judicial exception to a particular technological environment or field of use (i.e., the network security) is also found to not be enough to qualify as significantly more.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 2, 4-12, and 14-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Gudov et al. (Patent No.: US 8,151,341, hereinafter, “Gudov”) in view of Inamdar et al. (Pub. No.: US 2020/0112487, hereinafter, “Inamdar”), and further in view of Chalvadi et al. (Pub. No.: US 2017/0317976, hereinafter, “Chalvadi”), Kuperman et al. (Pub. No.: US 2017/0244737, hereinafter, “Kuperman”), and Rostami-Hesarsorkh et al. (Patent No.: US 2015/0101013, hereinafter, “Rostami-Hesarsorkh”).
Claims 1, 11. Gudov teaches:
A method performed by at least one computer processor executing computer program instructions stored in at least one non-transitory computer-readable medium, the method comprising: – on lines 60-62 in column 1 (Disclosed are systems, methods and computer program products for reduction of false positives during detection of network attacks on a protected computer.)
(A) for each of a plurality of observed communications over a network between applications executing on a plurality of computer systems, collecting and storing observed communications data representing the plurality of observed communications; – on lines 13-16 in column 6 (At step 510, in parallel with filtering, the system mirrors network traffic to traffic sensors 330 that gather statistical information and track network anomalies from the redirected traffic.)
(B) generating a network communication model based on the observed communications data; – on lines 16-19 in column 6 (At step 520, the collected statistical information is used to create/update one or more filtering rules (or profiles) used by the filtering centers 210.)

Gudov does not explicitly teach:
(C) generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications.
However, Inamdar teaches:
(C) generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications; – in paragraph [0108] (The traffic generator 612 can receive the model or models and the traffic distribution information to generate simulated traffic corresponding to actual network traffic captured by the traffic analysis engine 600.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov with Inamdar to include (C) generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications, as taught by Inamdar, in paragraph [0015], to determine one or more traffic patterns included in the network traffic.

Combination of Gudov and Inamdar does not explicitly teach:
wherein the hypothetical communications include new flow matches which do not exist in the observed data in the network communication model.
However, Chalvadi teaches:
wherein the hypothetical communications include new flow matches which do not exist in the observed data in the network communication model – in paragraph [0080] (The modification to a rule might also (or alternatively) change the action to perform for packets that match the parameters specified by the rule. For instance, a firewall rule might change from dropping packets matching certain characteristics to allowing those packets.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov and Inamdar with Chalvadi to include wherein the hypothetical communications include new flow matches which do not exist in the observed data in the network communication model, as taught by Chalvadi, in paragraphs [0001] and [0002], to provide a network security system that implements rules in an efficient manner to monitor and control incoming and outgoing network traffic based on security rules.

Combination of Gudov, Inamdar, and Chalvadi does not explicitly teach:
(D) identifying allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model; (E) identifying positive data representing a plurality of network communications that should be allowed by the network communication model; (F) calculating an accuracy of the network communication model based on the allowed data and the positive data; and (G) updating the network communication model based on the accuracy and providing the network communication model to any of a plurality of hosts on the network for communication thereon.
However, Kuperman teaches:
(D) identifying allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model; – in paragraph [0079] (False Positive Rate as a percentage of total requests predicted as malicious but where the requests were labeled as known non-malicious.)
(E) identifying positive data representing a plurality of network communications that should be allowed by the network communication model; and – in paragraph [0079] (False Positive Rate as a percentage of total requests predicted as malicious but where the requests were labeled as known non-malicious.)
(F) calculating an accuracy of the network communication model based on the allowed data and the positive data; – in paragraph [0079] (The model generator 209 utilizes a set of requests reserved for cross validation to verify validity of the model, and inputs a set of requests in a test data set to compute overall accuracy. The model generator 209 utilizes the cross validation set to verify that an indicated increase in accuracy of the model fitted to the training data during training iterations also translates to an actual increase in accuracy over the requests in the cross validation set. If the accuracy over the training data set increase, but the accuracy over the cross validation set decreases, that is an indication that the model (e.g., the ANN) is being overfitted and further training would decrease accuracy. The test set, in turn, by presenting requests not factored into the training is utilized by the model generator 209 to confirm the predictive accuracy of the model. The model generator 209 may compute one or more of the following metrics based on model output for requests in the test data set to represent model accuracy to the system administrator. Accuracy Rate as a percentage of total requests predicted correctly in the cross validation and test data sets. False Positive Rate as a percentage of total requests predicted as malicious but where the requests were labeled as known non-malicious. False Negative Rate as a percentage of total requests predicted as non-malicious but where the requests were labeled as known malicious. Precision (P) as a measure of True Positives/(True Positives+False Positives), Recall (R) as a measure of True Positives/(True Positives+False Negatives) and a Balanced F Score: 2*(P*R/(P+R)). The F Score may be monitored by the model generator 209 to optimize the model, by choosing a malicious prediction threshold that maximizes F as a tradeoff between the Precision (P) and Recall (R) metrics.)
(G) updating the network communication model based on the accuracy and providing the network communication model to any of a plurality of hosts on the network for communication thereon. – in paragraph [0090] (Turning back to FIG. 3, the model generator 309 incorporates the user classified requests in the attributes database 307 as new unprocessed known malicious/non-malicious request training data for updating a model in the model database 311. For example, once enough unprocessed requests are stored in the attributes database 307, the model generator 209 may update a model in the model database 311 according the various methods describes herein. In turn, the updated model that takes into account these additional classifications may be utilized by the prediction services 327 for classifying requests.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov, Inamdar, and Chalvadi with Kuperman to include (D) identifying allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model; (E) identifying positive data representing a plurality of network communications that should be allowed by the network communication model; (F) calculating an accuracy of the network communication model based on the allowed data and the positive data; and (G) updating the network communication model based on the accuracy and providing the network communication model to any of a plurality of hosts on the network for communication thereon, as taught by Kuperman, in paragraph [0020], to protect web applications at a host by analyzing web application behavior to detect malicious client requests.

Combination of Gudov, Inamdar, Chalvadi, and Kuperman does not explicitly teach:
the observed communications data including flow matches between applications and hosts, wherein the network communication model defines whether an application and host can communicate to other hosts on the network in a particular host segment of a plurality of hosts segments each including a plurality of hosts in the network.
However, Rostami-Hesarsorkh teaches:
the observed communications data including flow matches between applications and hosts, wherein the network communication model defines whether an application and host can communicate to other hosts on the network in a particular host segment of a plurality of hosts segments each including a plurality of hosts in the network; – in paragraph [0031] (Encrypted peer-to-peer detection includes monitoring network traffic from a client to determine that the client is sending a request for information for a peer-to-peer application executing on the client; and generating a network traffic response to the client that emulates peer-to-peer network traffic. In some embodiments, encrypted peer-to-peer detection further includes blocking the request sent from the client that is for the peer-to-peer application executing on the client. In some embodiments, the generated network traffic response is sent from a security appliance that includes a firewall function, and the client is located within a network perimeter protected by the security appliance. In some embodiments, the peer-to-peer application violates a firewall policy stored on the security appliance, and the generated network traffic is sent using an IP address associated with the security appliance and a port number selected by the security appliance for communicating with the client to poison traffic associated with the peer-to-peer application executing on the client.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov, Inamdar, Chalvadi, and Kuperman with Rostami-Hesarsorkh to include the observed communications data including flow matches between applications and hosts, wherein the network communication model defines whether an application and host can communicate to other hosts on the network in a particular host segment of a plurality of hosts segments each including a plurality of hosts in the network, as taught by Rostami-Hesarsorkh, in paragraph [0002], to protect networks from unauthorized access while permitting authorized communications to pass.

Claims 2, 12. Combination of Gudov, Chalvadi, Kuperman, Inamdar, and Rostami-Hesarsorkh teaches The method of claim 1 – refer to the indicated claim for reference(s). 

Inamdar further teaches:
wherein the plurality of observed communications does not include any of the plurality of hypothetical communications. – in paragraph [0108] (The traffic generator 612 can receive the model or models and the traffic distribution information to generate simulated traffic corresponding to actual network traffic captured by the traffic analysis engine 600.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov, Chalvadi, Kuperman, and Rostami-Hesarsorkh with Inamdar to include wherein the plurality of observed communications does not include any of the plurality of hypothetical communications, as taught by Inamdar, in paragraph [0015], to determine one or more traffic patterns included in the network traffic.

Claims 4, 14. Combination of Gudov, Chalvadi, Kuperman, Inamdar, and Rostami-Hesarsorkh teaches The method of claim 1 – refer to the indicated claim for reference(s).

Kuperman further teaches:
wherein (F) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the positive data which are not allowed by the network communication model. – in paragraph [0079] (The model generator 209 utilizes a set of requests reserved for cross validation to verify validity of the model, and inputs a set of requests in a test data set to compute overall accuracy. The model generator 209 utilizes the cross validation set to verify that an indicated increase in accuracy of the model fitted to the training data during training iterations also translates to an actual increase in accuracy over the requests in the cross validation set. If the accuracy over the training data set increase, but the accuracy over the cross validation set decreases, that is an indication that the model (e.g., the ANN) is being overfitted and further training would decrease accuracy. The test set, in turn, by presenting requests not factored into the training is utilized by the model generator 209 to confirm the predictive accuracy of the model. The model generator 209 may compute one or more of the following metrics based on model output for requests in the test data set to represent model accuracy to the system administrator. Accuracy Rate as a percentage of total requests predicted correctly in the cross validation and test data sets. False Positive Rate as a percentage of total requests predicted as malicious but where the requests were labeled as known non-malicious. False Negative Rate as a percentage of total requests predicted as non-malicious but where the requests were labeled as known malicious. Precision (P) as a measure of True Positives/(True Positives+False Positives), Recall (R) as a measure of True Positives/(True Positives+False Negatives) and a Balanced F Score: 2*(P*R/(P+R)). 
The F Score may be monitored by the model generator 209 to optimize the model, by choosing a malicious prediction threshold that maximizes F as a tradeoff between the Precision (P) and Recall (R) metrics.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov, Chalvadi, Inamdar, and Rostami-Hesarsorkh with Kuperman to include wherein (F) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the positive data which are not allowed by the network communication model, as taught by Kuperman, in paragraph [0020], to protect web applications at a host by analyzing web application behavior to detect malicious client requests.

Claims 5, 15. Combination of Gudov, Chalvadi, Kuperman, Inamdar, and Rostami-Hesarsorkh teaches The method of claim 1 – refer to the indicated claim for reference(s).

Kuperman further teaches:
wherein (F) comprises: (F)(1) calculating a precision value P based on the allowed data and the positive data; (F)(2) calculating a recall value R based on the allowed data and the positive data; and (F)(3) calculating the accuracy F based on the precision value and the recall value. – in paragraph [0079] (The model generator 209 utilizes a set of requests reserved for cross validation to verify validity of the model, and inputs a set of requests in a test data set to compute overall accuracy. The model generator 209 utilizes the cross validation set to verify that an indicated increase in accuracy of the model fitted to the training data during training iterations also translates to an actual increase in accuracy over the requests in the cross validation set. If the accuracy over the training data set increase, but the accuracy over the cross validation set decreases, that is an indication that the model (e.g., the ANN) is being overfitted and further training would decrease accuracy. The test set, in turn, by presenting requests not factored into the training is utilized by the model generator 209 to confirm the predictive accuracy of the model. The model generator 209 may compute one or more of the following metrics based on model output for requests in the test data set to represent model accuracy to the system administrator. Accuracy Rate as a percentage of total requests predicted correctly in the cross validation and test data sets. False Positive Rate as a percentage of total requests predicted as malicious but where the requests were labeled as known non-malicious. False Negative Rate as a percentage of total requests predicted as non-malicious but where the requests were labeled as known malicious. Precision (P) as a measure of True Positives/(True Positives+False Positives), Recall (R) as a measure of True Positives/(True Positives+False Negatives) and a Balanced F Score: 2*(P*R/(P+R)). 
The F Score may be monitored by the model generator 209 to optimize the model, by choosing a malicious prediction threshold that maximizes F as a tradeoff between the Precision (P) and Recall (R) metrics.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov, Chalvadi, Inamdar, and Rostami-Hesarsorkh with Kuperman to include wherein (F) comprises: (F)(1) calculating a precision value P based on the allowed data and the positive data; (F)(2) calculating a recall value R based on the allowed data and the positive data; and (F)(3) calculating the accuracy F based on the precision value and the recall value, as taught by Kuperman, in paragraph [0020], to protect web applications at a host by analyzing web application behavior to detect malicious client requests.

Claims 6, 16. Combination of Gudov, Chalvadi, Kuperman, Inamdar, and Rostami-Hesarsorkh teaches The method of claim 5 – refer to the indicated claim for reference(s).

Kuperman further teaches:
wherein (F)(3) comprises calculating F as (2×P×R)/(P+R). – in paragraph [0079] (Precision (P) as a measure of True Positives/(True Positives+False Positives), Recall (R) as a measure of True Positives/(True Positives+False Negatives) and a Balanced F Score: 2*(P*R/(P+R)). The F Score may be monitored by the model generator 209 to optimize the model, by choosing a malicious prediction threshold that maximizes F as a tradeoff between the Precision (P) and Recall (R) metrics.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov, Chalvadi, Inamdar, and Rostami-Hesarsorkh with Kuperman to include wherein (F)(3) comprises calculating F as (2×P×R)/(P+R), as taught by Kuperman, in paragraph [0020], to protect web applications at a host by analyzing web application behavior to detect malicious client requests.

Claims 7, 17. Combination of Gudov, Chalvadi, Kuperman, Inamdar, and Rostami-Hesarsorkh teaches The method of claim 6 – refer to the indicated claim for reference(s).  

Kuperman further teaches:
wherein (F)(1) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the hypothetical data which are allowed by the network communication model. – in paragraph [0079] (The model generator 209 utilizes a set of requests reserved for cross validation to verify validity of the model, and inputs a set of requests in a test data set to compute overall accuracy. The model generator 209 utilizes the cross validation set to verify that an indicated increase in accuracy of the model fitted to the training data during training iterations also translates to an actual increase in accuracy over the requests in the cross validation set. If the accuracy over the training data set increase, but the accuracy over the cross validation set decreases, that is an indication that the model (e.g., the ANN) is being overfitted and further training would decrease accuracy. The test set, in turn, by presenting requests not factored into the training is utilized by the model generator 209 to confirm the predictive accuracy of the model. The model generator 209 may compute one or more of the following metrics based on model output for requests in the test data set to represent model accuracy to the system administrator. Accuracy Rate as a percentage of total requests predicted correctly in the cross validation and test data sets. False Positive Rate as a percentage of total requests predicted as malicious but where the requests were labeled as known non-malicious. False Negative Rate as a percentage of total requests predicted as non-malicious but where the requests were labeled as known malicious. Precision (P) as a measure of True Positives/(True Positives+False Positives), Recall (R) as a measure of True Positives/(True Positives+False Negatives) and a Balanced F Score: 2*(P*R/(P+R)). 
The F Score may be monitored by the model generator 209 to optimize the model, by choosing a malicious prediction threshold that maximizes F as a tradeoff between the Precision (P) and Recall (R) metrics.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov, Chalvadi, Inamdar, and Rostami-Hesarsorkh with Kuperman to include wherein (F)(1) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the hypothetical data which are allowed by the network communication model, as taught by Kuperman, in paragraph [0020], to protect web applications at a host by analyzing web application behavior to detect malicious client requests.

Claims 8, 18. Combination of Gudov, Chalvadi, Kuperman, Inamdar, and Rostami-Hesarsorkh teaches The method of claim 7 – refer to the indicated claim for reference(s).

Kuperman further teaches:
wherein (F)(2) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the positive data which are not allowed by the network communication model. – in paragraph [0079] (The model generator 209 utilizes a set of requests reserved for cross validation to verify validity of the model, and inputs a set of requests in a test data set to compute overall accuracy. The model generator 209 utilizes the cross validation set to verify that an indicated increase in accuracy of the model fitted to the training data during training iterations also translates to an actual increase in accuracy over the requests in the cross validation set. If the accuracy over the training data set increase, but the accuracy over the cross validation set decreases, that is an indication that the model (e.g., the ANN) is being overfitted and further training would decrease accuracy. The test set, in turn, by presenting requests not factored into the training is utilized by the model generator 209 to confirm the predictive accuracy of the model. The model generator 209 may compute one or more of the following metrics based on model output for requests in the test data set to represent model accuracy to the system administrator. Accuracy Rate as a percentage of total requests predicted correctly in the cross validation and test data sets. False Positive Rate as a percentage of total requests predicted as malicious but where the requests were labeled as known non-malicious. False Negative Rate as a percentage of total requests predicted as non-malicious but where the requests were labeled as known malicious. Precision (P) as a measure of True Positives/(True Positives+False Positives), Recall (R) as a measure of True Positives/(True Positives+False Negatives) and a Balanced F Score: 2*(P*R/(P+R)). 
The F Score may be monitored by the model generator 209 to optimize the model, by choosing a malicious prediction threshold that maximizes F as a tradeoff between the Precision (P) and Recall (R) metrics.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov, Chalvadi, Inamdar, and Rostami-Hesarsorkh with Kuperman to include wherein (F)(2) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the positive data which are not allowed by the network communication model, as taught by Kuperman, in paragraph [0020], to protect web applications at a host by analyzing web application behavior to detect malicious client requests.
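The precision, recall and F calculation recited for claims 5-8 and 15-18, carried through on a small flow set. This is an added example and is not part of the Office Action, the application, or any cited reference. The segment names, the rule tuple layout and every flow below are constructed assumptions.

```python
from fractions import Fraction
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Flow(NamedTuple):
    # Fields follow the per-communication record recited for claims 3 and 13.
    src_app: str
    dst_app: str
    local_ip: str
    remote_ip: str


# Constructed host segments and rules; this representation is an assumption.
SEGMENTS = {"web": ip_network("10.0.1.0/24"),
            "db": ip_network("10.0.2.0/24"),
            "mgmt": ip_network("10.0.9.0/24")}
# (source app, local segment, destination app, remote segment) that may talk.
RULES = {("nginx", "web", "postgres", "db"),
         ("backup", "mgmt", "postgres", "db"),
         ("backup", "mgmt", "nginx", "web")}


def segment_of(ip):
    """Name of the host segment containing ip, or None if it is in none."""
    addr = ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), None)


def allows(flow):
    """True if the model permits this flow between its two segments."""
    key = (flow.src_app, segment_of(flow.local_ip),
           flow.dst_app, segment_of(flow.remote_ip))
    return key in RULES


def score(positive, hypothetical):
    """Return (P, R, F), computed offline before the model is enforced."""
    positive, hypothetical = set(positive), set(hypothetical)
    if positive & hypothetical:  # claims 2 and 12: the sets are disjoint
        raise ValueError("hypothetical flows must not include observed flows")
    allowed = {f for f in positive | hypothetical if allows(f)}
    tp = len(allowed & positive)      # intersection of allowed and positive
    fp = len(allowed & hypothetical)  # hypothetical data that are allowed
    fn = len(positive - allowed)      # positive data that are not allowed
    p = Fraction(tp, tp + fp) if tp + fp else Fraction(0)
    r = Fraction(tp, tp + fn) if tp + fn else Fraction(0)
    f = 2 * p * r / (p + r) if p + r else Fraction(0)
    return p, r, f


# Constructed observed flows, treated here as the positive data.
OBSERVED = [Flow("nginx", "postgres", "10.0.1.10", "10.0.2.5"),
            Flow("nginx", "postgres", "10.0.1.11", "10.0.2.5"),
            Flow("backup", "postgres", "10.0.9.2", "10.0.2.5"),
            Flow("metrics", "nginx", "10.0.9.3", "10.0.1.10")]
# Constructed hypothetical flows that were never observed.
HYPOTHETICAL = [Flow("nginx", "sshd", "10.0.1.10", "10.0.9.2"),
                Flow("backup", "nginx", "10.0.9.2", "10.0.1.11"),
                Flow("curl", "nginx", "10.0.2.5", "10.0.1.10"),
                Flow("backup", "postgres", "10.0.9.2", "10.0.2.77")]

if __name__ == "__main__":
    p, r, f = score(OBSERVED, HYPOTHETICAL)
    print(f"P={float(p):.3f} R={float(r):.3f} F={float(f):.3f}")
```

In the claim language "positive" means a communication that should be allowed, whereas in the quoted Kuperman paragraph a positive example is a malicious request; the code follows the claim language.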

Claims 9, 19. Combination of Gudov, Chalvadi, Kuperman, Inamdar, and Rostami-Hesarsorkh teaches The method of claim 1 – refer to the indicated claim for reference(s).

Kuperman further teaches:
wherein calculating the accuracy comprises calculating the accuracy before applying the network communication model to any communications on the network. – in paragraph [0079] (The model generator 209 utilizes a set of requests reserved for cross validation to verify validity of the model, and inputs a set of requests in a test data set to compute overall accuracy.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov, Chalvadi, Inamdar, and Rostami-Hesarsorkh with Kuperman to include wherein calculating the accuracy comprises calculating the accuracy before applying the network communication model to any communications on the network, as taught by Kuperman, in paragraph [0020], to protect web applications at a host by analyzing web application behavior to detect malicious client requests.

Claims 10, 20. Combination of Gudov, Chalvadi, Kuperman, Inamdar, and Rostami-Hesarsorkh teaches The method of claim 1 – refer to the indicated claim for reference(s).  

Kuperman further teaches:
wherein identifying the positive data comprises receiving input indicating that the plurality of network communications should be allowed by the network communication model and storing data representing the input indicating that the plurality of network communications should be allowed by the network communication model. – in paragraph [0054] (Profile/Anomaly detection WAFs differ from this approach in that they are unsupervised and the number of labeled positive examples is zero. Positive examples (e.g., malicious requests) may be utilized to verify a profile/anomaly detection WAF but are not considered in generating profiles themselves. In contrast, the model generator 209 ingests both positively labeled (e.g., known malicious requests) and negatively labeled (e.g., known non-malicious requests) training examples. In addition, the requests collected by the attribute collector 207 may be specific to the web application 120 to which the requests are directed. Hence, the model generator 209 may train a model 205 for any number of web applications.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov, Chalvadi, Inamdar, and Rostami-Hesarsorkh with Kuperman to include wherein identifying the positive data comprises receiving input indicating that the plurality of network communications should be allowed by the network communication model and storing data representing the input indicating that the plurality of network communications should be allowed by the network communication model, as taught by Kuperman, in paragraph [0020], to protect web applications at a host by analyzing web application behavior to detect malicious client requests.

Claim(s) 3 and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Gudov et al. (Patent No.: US 8,151,341, hereinafter, “Gudov”) in view of Inamdar et al. (Pub. No.: US 2020/0112487, hereinafter, “Inamdar”), and further in view of Chalvadi et al. (Pub. No.: US 2017/0317976, hereinafter, “Chalvadi”), Kuperman et al. (Pub. No.: US 2017/0244737, hereinafter, “Kuperman”), Rostami-Hesarsorkh et al. (Patent No.: US 8,892,665, hereinafter, “Rostami-Hesarsorkh”), and Bansal et al. (Pub. No.: US 2018/0176184, hereinafter, “Bansal”).
Claims 3, 13. Combination of Gudov, Inamdar, Chalvadi, Kuperman, and Rostami-Hesarsorkh teaches The method of claim 1 – refer to the indicated claim for reference(s).

Combination of Gudov, Inamdar, Chalvadi, Kuperman, and Rostami-Hesarsorkh does not explicitly teach:
wherein collecting and storing the observed communications data comprises collecting and storing, for each of the plurality of observed communications: data representing a source application of the observed communication; data representing a destination application of the observed communication; data representing a local Internet Protocol (IP) address of the observed communication; and data representing a remote IP address of the observed communication.
However, Bansal teaches:
wherein collecting and storing the observed communications data comprises collecting and storing, for each of the plurality of observed communications: data representing a source application of the observed communication; data representing a destination application of the observed communication; data representing a local Internet Protocol (IP) address of the observed communication; and data representing a remote IP address of the observed communication. – in paragraph [0042] (Firewall flow records include tuples for identifying the packet or packet(s) associated with the firewall flow record. In one embodiment, the firewall flow records include the following five data tuples: source IP address, destination IP address, source port, destination port, and the protocol used.)
It would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gudov, Inamdar, Chalvadi, Kuperman, and Rostami-Hesarsorkh with Bansal to include wherein collecting and storing the observed communications data comprises collecting and storing, for each of the plurality of observed communications: data representing a source application of the observed communication; data representing a destination application of the observed communication; data representing a local Internet Protocol (IP) address of the observed communication; and data representing a remote IP address of the observed communication, as taught by Bansal, in paragraph [0001], to allow for increased granularity of firewall control.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUHAMMAD RAZA whose telephone number is (571)272-7734.  The examiner can normally be reached on Monday-Friday, 7:00 A.M.-5:00 P.M.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on (571)272-7304.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MUHAMMAD RAZA/Primary Examiner, Art Unit 2449