DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Allowable Subject Matter
Claims 7-9 and 16-18 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 4, 6, 10, 13 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Luo et al. (CN 108234430 A – English Translation) in view of Chhabra et al. (WO 2017019103 A).

Claim 1. Luo et al. disclose a method of protecting a computer network against unauthorized intrusion (read as A malicious web crawler detection method based on hidden Markov model (page 1)), comprising the steps of: 
receiving network packet data at a processor of a computer-implemented network traffic monitor module (read as observed in HTTP request of resource type is the observation, the observation sequence of HTTP traffic is expressed (page 2)); 
generating at said processor meaningful Hidden Markov Model ("HMM") observations formatted as data input for one or more first HMMs (read as HTTP flow behaviour model parameter estimation task is by sequence estimation out of the collected observation value corresponding to a hidden Markov model parameters (page 2)), said one or more first HMMs forming a first processing layer of HMMs; 
generating from said first processing layer of HMMs a first probable sequence of network traffic states (read as HTTP flow behavior model parameter estimation task is by sequence estimation out of the collected observation value corresponding to a hidden Markov model parameters (page 2)); 
processing at said processor said first probable sequence of network traffic states to form a feature vector (read as observed in HTTP request of resource type is the observation, the observation sequence of HTTP traffic is expressed (page 2)); 
processing at said processor said feature vector to generate meaningful HMM observations formatted as data input for a second HMM, said second HMM forming a second processing layer; 
generating from said second processing layer a second probable sequence of network traffic states; and 
upon determining that said second probable sequence of network traffic states exhibits a designated probability of a non-normal data traffic state, generating an alert of a likely non-normal data traffic state and transmitting said alert to an administrator (read as A malicious web crawler detection method based on hidden Markov model (page 1). Alerting an administrator of the malicious intrusion is a very well-known feature and can easily be added).
Luo et al. do not explicitly disclose first and second Hidden Markov Models. However, in the related field of endeavor Chhabra et al. disclose: An example of a Markov model includes a Markov chain. Other examples of a Markov model include a hidden Markov model (HMM), a hierarchical hidden Markov model (HHMM), and a layered hidden Markov model (LHMM). HMMs may be used independently or jointly in either a HHMM or a LHMM… identify malicious activity, log information about the malicious activity, attempt to block/stop the malicious activity, and report the malicious activity [0021, 0047]. The idea, of using layered Hidden Markov Model to detect unauthorized network traffic, is clearly disclosed by Chhabra et al.
Therefore, it would have been obvious to a person of ordinary skill in the art, at the time the invention was filed, to modify the teaching of Luo et al. with the teaching of Chhabra et al. in order to identify malicious activity, log information about the malicious activity, attempt to block/stop the malicious activity, and report the malicious activity. Further, the corrective measure implementation module 122 may quarantine the source/destination of the malicious activity (Chhabra et al. [0047]).

Claim 4. The method of claim 1, the combination of Luo et al. and Chhabra et al. teaches,
wherein said maximum likelihood estimates of HMM model parameters for said second HMM are not recognizable in said first probable sequence of network traffic states (Chhabra et al.: read as An example of a Markov model includes a Markov chain. Other examples of a Markov model include a hidden Markov model (HMM), a hierarchical hidden Markov model (HHMM), and a layered hidden Markov model (LHMM). HMMs may be used independently or jointly in either a HHMM or a LHMM [0021]).

Claim 6. The method of claim 1, the combination of Luo et al. and Chhabra et al. teaches,
further comprising the step of: 
prior to said step of generating meaningful HMM observations formatted as data input for said one or more first HMMs, applying at said processor data normalization to said network packet data (Luo et al.: read as observed in HTTP request of resource type is the observation, the observation sequence of HTTP traffic is expressed as Wherein…c joint at the t moment request of the resource type. the observation space is: V = (1, 2, ..., N). state value is time t the joint c request page, indicated as y = y1, y2, ..., yT state value space is S = (1, 2, ..., M) (Page 2)).

Claim 10. Luo et al. disclose a system for protecting a computer network against unauthorized intrusion (read as A malicious web crawler detection method based on hidden Markov model (page 1)), comprising: 
one or more processors (computer (page 1)); and 
one or more memories coupled to said one or more processors, wherein the one or more memories are configured to provide the one or more processors with instructions which when executed cause the one or more processors (read as A malicious web crawler detection method based on hidden Markov model (page 1). The method being described must be implemented using instructions executed by a processor.) to: 
receive network packet data (read as observed in HTTP request of resource type is the observation, the observation sequence of HTTP traffic is expressed (page 2)); 
generate meaningful Hidden Markov Model ("HMM") observations formatted as data input for one or more first HMMs, said one or more first HMMs forming a first processing layer of HMMs (read as HTTP flow behavior model parameter estimation task is by sequence estimation out of the collected observation value corresponding to a hidden Markov model parameters (page 2)); 
generate from said first processing layer of HMMs a first probable sequence of network traffic states (read as HTTP flow behavior model parameter estimation task is by sequence estimation out of the collected observation value corresponding to a hidden Markov model parameters (page 2)); 
Luo et al. do not explicitly disclose 
process said first probable sequence of network traffic states to form a feature vector; process said feature vector to generate meaningful HMM observations formatted as data input for a second HMM, said second HMM forming a second processing layer; 
generate from said second processing layer a second probable sequence of network traffic states; and 
upon determining that said second probable sequence of network traffic states exhibits a designated probability of a non-normal data traffic state, generate an alert of a likely non-normal data traffic state and transmit said alert to an administrator.
However, in the related field of endeavor Chhabra et al. disclose: An example of a Markov model includes a Markov chain. Other examples of a Markov model include a hidden Markov model (HMM), a hierarchical hidden Markov model (HHMM), and a layered hidden Markov model (LHMM). HMMs may be used independently or jointly in either a HHMM or a LHMM… identify malicious activity, log information about the malicious activity, attempt to block/stop the malicious activity, and report the malicious activity [0021, 0047]. The idea, of using layered Hidden Markov Model to detect unauthorized network traffic, is clearly disclosed by Chhabra et al.
Therefore, it would have been obvious to a person of ordinary skill in the art, at the time the invention was filed, to modify the teaching of Luo et al. with the teaching of Chhabra et al. in order to identify malicious activity, log information about the malicious activity, attempt to block/stop the malicious activity, and report the malicious activity. Further, the corrective measure implementation module 122 may quarantine the source/destination of the malicious activity (Chhabra et al. [0047]).

Claim 13. The system of claim 10, the combination of Luo et al. and Chhabra et al. teaches,
wherein said maximum likelihood estimates of HMM model parameters for said second HMM are not recognizable in said first probable sequence of network traffic states (Chhabra et al.: read as An example of a Markov model includes a Markov chain. Other examples of a Markov model include a hidden Markov model (HMM), a hierarchical hidden Markov model (HHMM), and a layered hidden Markov model (LHMM). HMMs may be used independently or jointly in either a HHMM or a LHMM [0021]).

Claim 15. The system of claim 10, the combination of Luo et al. and Chhabra et al. teaches,
wherein said instructions are further configured to cause the one or more processors to: 
prior to generating meaningful HMM observations formatted as data input for said one or more first HMMs, apply data normalization to said network packet data (Luo et al.: read as observed in HTTP request of resource type is the observation, the observation sequence of HTTP traffic is expressed as Wherein…c joint at the t moment request of the resource type. the observation space is: V = (1, 2, ..., N). state value is time t the joint c request page, indicated as y = y1, y2, ..., yT state value space is S = (1, 2, ..., M) (Page 2)).


Claims 2-3, 5, 11-12 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over the combination of Luo et al. (CN 108234430 A – English Translation) and Chhabra et al. (WO 2017019103 A) in view of Larue et al. (Modified k-means clustering method of HMM states for initialization of Baum-Welch training algorithm).

Claim 2. The method of claim 1, the combination of Luo et al. and Chhabra et al. does not explicitly disclose,
said step of generating from said first processing layer of HMMs a first probable sequence of network traffic states to form a feature vector further comprising: 
processing at said processor said observations formatted as data input for said one or more first HMMs as HMM training data using a vector quantization algorithm; 
applying at said processor a Baum-Welch algorithm to compute maximum-likelihood estimates of HMM model parameters for each of said one or more first HMMs; and 
forming said feature vector as a data matrix comprising said maximum-likelihood estimates of HMM model parameters.
However, in the related field of endeavor Larue et al. disclose
said step of generating from said first processing layer of HMMs a first probable sequence of network traffic states to form a feature vector further comprising: 
processing at said processor said observations formatted as data input for said one or more first HMMs as HMM training data using a vector quantization algorithm (read as The initial set of N centers depend on the type of HMM…N consecutive sets and center is estimated for each set according to the k-means algorithm (Section 2)); 
applying at said processor a Baum-Welch algorithm to compute maximum-likelihood estimates of HMM model parameters for each of said one or more first HMMs (read as …the model parameters are generally estimated with training sequences and Baum-Welch algorithm, i.e. an expectation maximization algorithm … (Abstract). Also Section 3 and more detailed description of initialization of HMM using k-means and Baum-Welch algorithms.); and 
forming said feature vector as a data matrix comprising said maximum-likelihood estimates of HMM model parameters (read as The initial set of N centers depend on the type of HMM…N consecutive sets and center is estimated for each set according to the k-means algorithm (Section 2)).
Therefore, it would have been obvious to a person of ordinary skill in the art, at the time the invention was filed, to modify the teaching of the combination of Luo et al. and Chhabra et al. with the teaching of Larue et al. in order to reduce the training sequences using k-means (Larue et al.: Abstract).

Claim 3. The method of claim 2, the combination of Luo et al., Chhabra et al. and Larue et al. teaches,
said step of generating from said second processing layer a second probable sequence of network traffic states further comprising: 
processing at said processor said feature vector using a vector quantization algorithm (Larue et al.: read as The initial set of N centers depend on the type of HMM…N consecutive sets and center is estimated for each set according to the k-means algorithm (Section 2)); and 
applying at said processor a Baum-Welch algorithm to compute maximum likelihood estimates of HMM model parameters for said second HMM (Larue et al.: read as …the model parameters are generally estimated with training sequences and Baum-Welch algorithm, i.e. an expectation maximization algorithm … (Abstract). Also Section 3 and more detailed description of initialization of HMM using k-means and Baum-Welch algorithms.).

Claim 5. The method of claim 1, the combination of Luo et al. and Chhabra et al. does not explicitly disclose,
wherein said first probable sequence of network traffic states is defined by:
Q1T = {q11, q12, … , q1T}, {q21, q22, … , q2T}, … , {qp1, qp2, … , qpT}; and
wherein said feature vector is constructed as:

[Equation image not reproduced: media_image1.png]

Larue et al. disclose similar data for initiating HMM in the introduction section.
Therefore, it would have been obvious to a person of ordinary skill in the art, at the time the invention was filed, to modify the teaching of the combination of Luo et al. and Chhabra et al. with the teaching of Larue et al. in order to reduce the training sequences using k-means (Larue et al.: Abstract).

Claim 11. The system of claim 10, the combination of Luo et al. and Chhabra et al. does not explicitly disclose,
wherein said instructions that generate from said first processing layer of HMMs a first probable sequence of network traffic states to form a feature vector are further configured to: 
process said observations formatted as data input for said one or more first HMMs as HMM training data using a vector quantization algorithm; 
apply a Baum-Welch algorithm to compute maximum-likelihood estimates of HMM model parameters for each of said one or more first HMMs; and 
form said feature vector as a data matrix comprising said maximum-likelihood estimates of HMM model parameters.
However, in the related field of endeavor Larue et al. disclose
wherein said instructions that generate from said first processing layer of HMMs a first probable sequence of network traffic states to form a feature vector are further configured to: 
process said observations formatted as data input for said one or more first HMMs as HMM training data using a vector quantization algorithm (read as The initial set of N centers depend on the type of HMM…N consecutive sets and center is estimated for each set according to the k-means algorithm (Section 2)); 
apply a Baum-Welch algorithm to compute maximum-likelihood estimates of HMM model parameters for each of said one or more first HMMs (read as …the model parameters are generally estimated with training sequences and Baum-Welch algorithm, i.e. an expectation maximization algorithm … (Abstract). Also Section 3 and more detailed description of initialization of HMM using k-means and Baum-Welch algorithms.); and 
form said feature vector as a data matrix comprising said maximum-likelihood estimates of HMM model parameters (read as The initial set of N centers depend on the type of HMM…N consecutive sets and center is estimated for each set according to the k-means algorithm (Section 2)).
Therefore, it would have been obvious to a person of ordinary skill in the art, at the time the invention was filed, to modify the teaching of the combination of Luo et al. and Chhabra et al. with the teaching of Larue et al. in order to reduce the training sequences using k-means (Larue et al.: Abstract).

Claim 12. The system of claim 11, the combination of Luo et al., Chhabra et al. and Larue et al. teaches,
wherein said instructions that generate from said second processing layer a second probable sequence of network traffic states are further configured to: 
process said feature vector using a vector quantization algorithm (Larue et al.: read as The initial set of N centers depend on the type of HMM…N consecutive sets and center is estimated for each set according to the k-means algorithm (Section 2)); and 
apply a Baum-Welch algorithm to compute maximum likelihood estimates of HMM model parameters for said second HMM (Larue et al.: read as …the model parameters are generally estimated with training sequences and Baum-Welch algorithm, i.e. an expectation maximization algorithm … (Abstract). Also Section 3 and more detailed description of initialization of HMM using k-means and Baum-Welch algorithms.).

Claim 14. The system of claim 10, the combination of Luo et al. and Chhabra et al. does not explicitly disclose,
wherein said first probable sequence of network traffic states is defined by:
Q1T = {q11, q12, … , q1T}, {q21, q22, … , q2T}, … , {qp1, qp2, … , qpT}; and
wherein said feature vector is constructed as:

[Equation image not reproduced: media_image1.png]

Larue et al. disclose similar data for initiating HMM in the introduction section.
Therefore, it would have been obvious to a person of ordinary skill in the art, at the time the invention was filed, to modify the teaching of the combination of Luo et al. and Chhabra et al. with the teaching of Larue et al. in order to reduce the training sequences using k-means (Larue et al.: Abstract).


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Refer to PTO-892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED RACHEDINE whose telephone number is (571)272-9249. The examiner can normally be reached Mon-Fri 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lester Kincaid can be reached on (571)272-7922. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MOHAMMED RACHEDINE
Examiner
Art Unit 2649



/MOHAMMED RACHEDINE/Primary Examiner, Art Unit 2646