DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Status of Claims
2. 	Claims 1-20 are pending wherein claims 1, 8, 15 are in independent form. 
Response to Arguments
3.	Applicant’s arguments, see appeal brief, filed on 04/08/2022, with respect to the rejection(s) of claim(s) 1-4, 7-11, 14-18 under 35 U.S.C. 103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Cardente et al (US 9621431 B1).
Claim Objections
4.	“a network conversation” in line 2 of claim 2 should read “the network conversation”. Otherwise, “the characteristics” in line 1 of claim 2 lacks its antecedent basis and “the network conversation” in lines 2-3 of claim 2 has multiple antecedent bases.
5.	“a network conversation” in line 2 of claim 9 should read “the network conversation”. Otherwise, “the characteristics” in line 1 of claim 9 lacks its antecedent basis and “the network conversation” in lines 2-3 of claim 9 has multiple antecedent bases.
6.	“a network conversation” in line 2 of claim 16 should read “the network conversation”. Otherwise, “the characteristics” in line 2 of claim 16 lacks its antecedent basis and “the network conversation” in line 3 of claim 16 has multiple antecedent bases.

Claim Rejections - 35 USC § 102
7.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


8.	Claims 1-5, 7-12, 14-19 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Cardente et al (US 9621431 B1, hereinafter referred to as Cardente).
		Re claim 1, Cardente teaches a method (Abstract) comprising:
	(i) receiving captured packet traffic (collecting network activity data by the network activity and communications monitoring system), the captured packet traffic including a plurality of packets transmitted over a network (network activity data collected from packets/frames communicated over the network 10) (Fig. 1-3, Col 4, Line 61-67, Col 5, 1-16, Col 7, Line 1-4, Col 9, Line 27-60, Col 12, Line 45-53);
	(ii) detecting, using metadata of the captured packet traffic (packet contents (table 1) such as MAC address, IP address, TCP/UDP ports), one or more communication patterns within each of one or more levels in a network stack (behavioral characteristics of network entities such as TCP connection direction, bandwidth profile, Fan in/Fan out, DNS resolutions as disclosed in Table 1, Col 11, Line 40-67; detection of transmission direction/connection based on source and destination MAC address, IP address, TCP/UDP port number as disclosed in Col 9, Line 29-67, Col 10, Line 1-31; DNS resolutions associating multiple IP addresses to a name to distribute network services for load balancing as disclosed in Col 10, Line 42-65; TCP/UDP port in each packet indicates the transport protocol; communication patterns data of different endpoints of known types (Fig. 4, step 406) including the identified endpoint type), each communication pattern defined by characteristics of a network conversation (behavioral characteristics of network entities such as TCP connection direction, bandwidth profile, Fan in/Fan out, DNS resolutions as disclosed in Table 1, Col 11, Line 40-67; detection of transmission direction/connection based on source and destination MAC address, IP address, TCP/UDP port number as disclosed in Col 9, Line 29-67, Col 10, Line 1-31, DNS resolutions associating multiple IP addresses to a name to distribute network services for load balancing as disclosed in Col 10, Line 42-65; TCP/UDP port in each packet indicates the transport protocol) between two components in the network (network entities such as endpoints, intermediate points, client server), wherein the metadata of the captured packet traffic includes a source address (source MAC address, source IP address), a destination address (destination MAC address, destination IP address), and a protocol name for each packet of the captured packet traffic (Ether type field indicating the protocol, Col 9, Line 47-67, Col 10, Line 1-31, Col 11, Line 20-45) (Fig. 1-4, Col 4, Line 47-67, Col 5, Line 1-15, Col 9, Line 29-67, Col 10, Line 1-67, Col 11, Line 1-6, Col 11, Line 11-61, Col 12, Line 1-35, Col 12, Line 45-67, Col 13, Line 1-11, Claim 1); and
	(iii) generating, by a processing device, a topology of the network (determining network topology based on different endpoints of known type including the identified endpoint type) in view of the one or more communication patterns (behavioral characteristics of network entities such as TCP connection direction, bandwidth profile, Fan in/Fan out, DNS resolutions as disclosed in Table 1, Col 11, Line 40-67; detection of transmission direction/connection based on source and destination MAC address, IP address, TCP/UDP port number as disclosed in Col 9, Line 29-67, Col 10, Line 1-31, DNS resolutions associating multiple IP addresses to a name to distribute network services for load balancing as disclosed in Col 10, Line 42-65) detected within each of the one or more levels in the network stack (layers of the OSI protocol stack) (Fig. 1-4, Col 4, Line 47-67, Col 5, Line 1-15, Col 7, Line 1-67, Col 9, Line 29-43, Col 10, Line 66-67, Col 11, Line 1-6, Col 11, Line 37-61, Col 12, Line 45-67, Col 13, Line 1-12, Claim 1---- unknown endpoint types are identified using behavioral characteristics of network entities (claimed communication patterns) and the identified endpoint types are used to determine network topology).
		Claim 8 recites a system performing the steps recited in claim 1 and thereby, is rejected for the reasons discussed above with respect to claim 1. Claim 8 further recites that the system comprises a memory to store metadata and a processing device. Cardente teaches that the system comprises a memory to store metadata (system memory 185, Fig. 1) and a processing device (Processing unit 180, Fig. 1) (Fig. 1, Col 5, Line 36-67).
		Claim 15 recites a non-transitory computer-readable storage medium including instructions to be executed by a processing device to perform the steps recited in claim 1 and thereby, is rejected for the reasons discussed above with respect to claim 1.
		Re claims 2, 9, 16, Cardente teaches that the characteristics of a network conversation include a set of packets involved in the network conversation (network activity data collected from packets/frames communicated over the network 10), a protocol of the packets in the set of packets involved in the network conversation (Ether type field indicating the protocol, TCP/UDP port in each packet indicates transport protocol), a payload of the packets in the set of packets involved in the network conversation (each packet includes a payload), and a relationship among packets in the set of packets involved in the network conversation (network activity data collected from packets/frames communicated between different endpoints/source and destination endpoints; contents of the packet fields provide identifiable characteristics of network entities) (Fig. 1-4, Col 4, Line 47-67, Col 5, Line 1-15, Col 9, Line 29-67, Col 10, Line 1-67, Col 11, Line 1-6, Col 11, Line 11-61, Col 12, Line 1-35, Col 12, Line 45-67, Col 13, Line 1-11).
		Re claims 3, 10, 17, Cardente teaches that the topology of the network indicates for each component in the network: a type of the component (type of endpoints) and a connection between the component (topology represents connection between network entities) and one or more other components in the network (network topology includes different network entities, topology represents connection between network entities) (Fig. 1-4, Col 4, Line 47-67, Col 5, Line 1-15, Col 7, Line 1-55, Col 10, Line 66-67, Col 11, Line 1-6, Col 11, Line 37-61, Col 12, Line 45-67, Col 13, Line 1-12).
		Re claims 4, 11, 18, Cardente teaches that generating the topology of the network comprises: determining a type of each component in the network (identifying endpoint type) and a connection between each component and one or more other components in the network (topology represents connection between network entities) in view of the one or more communication patterns behavioral characteristics of network entities such as TCP connection direction, bandwidth profile, Fan in/Fan out, DNS resolutions as disclosed in Table 1, Col 11, Line 40-67; detection of transmission direction/connection based on source and destination MAC address, IP address, TCP/UDP port number as disclosed in Col 9, Line 29-67, Col 10, Line 1-31, DNS resolutions associating multiple IP addresses to a name to distribute network services for load balancing as disclosed in Col 10, Line 42-65) detected within each of the one or more levels in the network stack (layers of the OSI protocol stack) (Fig. 1-4, Col 4, Line 47-67, Col 5, Line 1-15, Col 7, Line 1-67, Col 9, Line 29-43, Col 10, Line 66-67, Col 11, Line 1-6, Col 11, Line 37-61, Col 12, Line 45-67, Col 13, Line 1-12, Claim 1---- unknown endpoint types are identified using behavioral characteristics of network entities (claimed communication patterns) and the identified endpoint types are used to determine network topology).
		Re claims 5, 12, 19, Cardente teaches to map the detected one or more communication patterns (communication patterns of different endpoints of known types) within each of the one or more levels in the network stack((layers of the OSI protocol stack) to a network topology from a data set of known network topologies (trained network topology classification models) using a neural network (machine learning classification), the neural network being trained on the data set of known network topologies (machine learning classification is trained using communication patterns data of different endpoints of known types) (Fig. 1-4, Table 1, Col 2, Line 1-12, Col 4, Line 47-67, Col 5, Line 1-15, Col 6, Line 56-67, Col 7, Line 1-67, Col 8, Line 26-57, Col 9, Line 29-43, Col 10, Line 66-67, Col 11, Line 1-6, Col 11, Line 37-61, Col 12, Line 1-6, Col 12, Line 45-67, Col 13, Line 1-12, Claim 1).
		Re claims 7, 14, Cardente teaches that detecting a communication pattern within a level in the network stack comprises: identifying one or more packets from the captured packet traffic forming a conversation between two components in the network (identifying packet contents class of attributes from different packets communicated between different endpoints), each of the one or more packets having a protocol corresponding to the level in the network stack (Ether type field indicating the protocol, TCP/UDP port in each packet indicates transport protocol); and determining a relationship among the identified one or more packets involved in the communication (packet contents class of attributes provide unique identifiable characteristics of network entities) (Fig. 1-4, Table 1, Col 4, Line 47-67, Col 5, Line 1-15, Col 7, Line 1-55, Col 9, Line 29-43, Col 10, Line 1-31, Col 10, Line 66-67, Col 11, Line 1-6, Col 11, Line 37-61, Col 12, Line 1-35, Col 12, Line 45-67, Col 13, Line 1-12, Claim 1).

Allowable Subject Matter
		Claims 6, 13, 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
















Conclusion

		Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARUN UR R CHOWDHURY whose telephone number is (571)270-3895. The examiner can normally be reached Monday-Friday 9AM-5PM.
		Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
		If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kwang B Yao can be reached on 5712723182. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
		Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





	/HARUN CHOWDHURY/Examiner, Art Unit 2473