DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
No information disclosure statement(s) (IDS) was filed before the mailing date of this office action.  Accordingly, no information disclosure statement is being considered by the examiner. 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 8, 12-13, 20 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB No. 20200382537 A1 to Compton, and further in view of USPAT No. 11,310,205 B2 to Kleopa et al. (hereinafter “Kleopa”).
Regarding claim 1:
Compton discloses:
A computer-implemented method (¶120: “… method for detecting and mitigating malicious network traffic …”) when executed by data processing hardware (¶130: “… Processor 720 …”, see also FIG. 7) causes the data processing hardware to perform operations comprising: 
obtaining a first set of network traffic messages representative of network traffic currently received by a network service (¶120: “… obtaining information regarding network traffic flows …”); 
determining, via a first model, whether network abuse is occurring based on the first set of network traffic messages (¶120: “… generating a classification model (rules engine 1028) based on the obtained information, the classification model comprising one or more classification rules for classifying network traffic as normal or anomalous”); 
generating, via a third model, at least one network traffic rule (¶96: “… mitigation rules are also developed.”, ¶120: “… initiating at least one mitigation action … (operation 1140).”), each network traffic rule configured to be implemented by a firewall and, when implemented, reduce an effect of the abusing network traffic messages (¶89: “… a mitigation action(s) is performed if the network traffic is suspected of being anomalous, if network traffic is confirmed to be anomalous … the network traffic can be blocked, rate limited, and the like; a notification regarding the anomalous network traffic can be issued …”).
However, Compton did not explicitly disclose the following limitations taught by Kleopa:
when the network abuse is occurring (Kleopa, col 11, lines 41-43: “… the traffic analysis service identifies a client in a network having an associated traffic flow that was blocked by a firewall.”):
obtaining a second set of network traffic messages representative of network traffic currently received by the network service (Kleopa col 11, lines 48-51: “… the traffic analysis service may obtain traffic telemetry data regarding one or more subsequent traffic flows associated with the identified client that are subsequent to the blocked flow.”); 
for each network traffic message in the second set of network traffic messages, labeling, via a second model, the network traffic message as an abusing network traffic message participating in the network abuse or a non-abusing network traffic message not participating in the network abuse (Kleopa col 11-12, lines 66-4: “… the classifier may determine whether the source application on the client is changing its behavior in such a way as to avoid further traffic blocking by the firewall. For example, the classifier can be trained using traffic samples from known malware, to label the subsequent flow(s) of the client, accordingly.”);  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Compton to incorporate the functionality of the classifier of the traffic analysis service to identify and label subsequent traffic samples, as disclosed by Kleopa. Kleopa col 1-2, lines 66-8, teaches: “The traffic analysis service obtains traffic telemetry data regarding one or more subsequent traffic flows associated with the identified client that are subsequent to the blocked flow. The traffic analysis service uses a machine learning-based classifier to determine that the identified client is exhibiting evasive network behavior, based on the obtained traffic telemetry data. The traffic analysis service initiates a mitigation action in the network, based on the determination that the identified client is exhibiting evasive network behavior.” 
Regarding claim 8:
The combination of Compton and Kleopa discloses:
The method of claim 1, wherein the operations further comprise: 
obtaining a set of historical network traffic messages representative of network traffic previously received by the network service (Compton, ¶117: “… training data, including information regarding historical classifications of network traffic and the corresponding network traffic information (such as netflows, DNS flows, and the like) is submitted to the rules engine 1028 for training (operation 1204).”), wherein the set of historical network traffic messages is representative of network traffic previously received by the network service prior to the network abuse (Compton, ¶117: “Classification rules are formulated based on the ingested information using, for example, supervised training (operation 1208).”), and wherein labeling the network traffic message as an abusing network traffic message participating in the network abuse or a non-abusing network traffic message not participating in the network abuse is based on the set of historical network traffic messages (Compton, ¶117: “One or more mitigation rules that describe how anomalous network traffic is to be handled are defined (operation 1212). … the mitigation rules may be forwarded to a network router to configure the network router to route normal traffic to its original destination, to reroute anomalous traffic to, for example, a deep packet inspection device, and the like.”).
Regarding claim 12:
The combination of Compton and Kleopa discloses:
The method of claim 1, wherein the network abuse comprises a denial-of-service attack (Kleopa col 5, lines 38-48: “… traffic analysis process 248 may assess captured telemetry data regarding one or more traffic flows, to determine whether a given traffic flow or set of flows are caused by malware in the network, such as a particular family of malware applications. Example forms of traffic that can be caused by malware may include … denial of service (DoS) attack …”). 
The same motivation used to combine Compton with Kleopa in claim 1 is applied to claim 12.
Regarding claim 13:
Compton discloses:
A system (¶130: “… system 700 …”) comprising: 
data processing hardware (¶130: “… processor 720 …”); and 
memory hardware (¶130: “… memory 730 …”) in communication with the data processing hardware, the memory hardware storing instructions that when executed on the data processing hardware cause the data processing hardware to perform operations (¶130: “… memory 730 configures the processor 720 to implement one or more methods, steps, and functions …”) comprising:
In addition to the above limitations, claim 13 substantially recites the same limitations as claim 1 in the form of a system implementing the corresponding method, therefore it is rejected by the same rationale.
Regarding claims 20 and 24:
Claims 20 and 24 substantially recite the same limitations as claims 8 and 12, respectively, in the form of a system implementing the corresponding method; therefore they are rejected by the same rationale.
Claims 2-7, 9-11, 14-19 and 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Compton, Kleopa and further in view of US-PGPUB No. 20160352765 A1 to Mermoud et al. (hereinafter “Mermoud”).
Regarding claim 2:
The combination of Compton and Kleopa discloses the method of claim 1, but fails to explicitly disclose the following limitation taught by Mermoud:
wherein the first set of network traffic messages comprises a plurality of network traffic windows, each of the plurality of network traffic windows comprising a subset of network traffic messages of the first set of network traffic messages associated with a different discrete portion of time (Mermoud, ¶77: “… risk computation module 418 may cluster anomalies over a time range that may span several weeks or even months.”, ¶80: “Timing Information—In some cases, message 502 may include a timestamp indicative of when the anomaly occurred or was first detected, a duration indicative of the anomaly, or any other timing information regarding the anomaly.”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Compton and Kleopa to incorporate the functionality of the risk computation module to detect patterns in the list of anomalies that might reveal advanced persistent threats, and cluster anomalies over a time range, as disclosed by Mermoud. Mermoud in ¶77 teaches “… anomalies might be clustered based on their associated context and the underlying topology (e.g., using techniques that support clustering based on a distance function, such as DBSCAN, k-medoids, k-modes). The clusters generated by this step can be considered as meta-anomalies in their own right, and, from that respect, can be analyzed using an outlier detection technique (e.g., using local outlier factor analysis or k-nearest neighbors), to identify such meta-anomalies that stand out and might be the result of APTs present in the network”  
Regarding claim 3:
The combination of Compton, Kleopa and Mermoud discloses: 
The method of claim 2, wherein the operations further comprise, for each of the plurality of network traffic windows, sampling a set of sampled network traffic messages from the subset of network traffic messages, the set of sampled network traffic messages representative of the entirety of the subset of network traffic messages (Mermoud, ¶73: “… anomaly fingerprint process 410 may analyze anomaly detection results from anomaly detectors 408 and/or a local database 412 of network records. Network records in local database 412 may be records obtained from any number of network monitoring mechanisms available within the network …”).  
The same motivation used to combine Compton and Kleopa with Mermoud in claim 2 is applied to claim 3.
Regarding claim 4:
The combination of Compton, Kleopa and Mermoud discloses:
The method of claim 3, wherein the operations further comprise storing, in a data structure, characteristics of the set of sampled network traffic messages for each of the plurality of network traffic windows (Mermoud, ¶73: “Network records in local database 412 may be records obtained from any number of network monitoring mechanisms available within the network (e.g., Netflow records, etc.). … DLA 402 may store network records obtained during a certain timeframe in which an anomaly was detected.”).  
The same motivation used to combine Compton and Kleopa with Mermoud in claim 2 is applied to claim 4.
Regarding claim 5:
The combination of Compton and Kleopa discloses the method of claim 1, but fails to explicitly disclose the following limitation taught by Mermoud:
wherein determining whether the network abuse is occurring comprises: 
generating, by the first model, an abuse probability score (Mermoud, ¶44: “… a given model (e.g., a supervised, un-supervised, or semi-supervised model) may be used to generate and report anomaly scores to another device. …”); and 
determining that the abuse probability score satisfies an abuse probability threshold (Mermoud, ¶89: “… a policy engine or network administrator may create a mitigation rule on the fly for all devices whose risk level has exceeded a specific threshold resulting in recoloring the traffic, shaping or even redetecting the traffic for quarantining.”).  
The same motivation used to combine Compton and Kleopa with Mermoud in claim 2 is applied to claim 5.
Regarding claim 6:
The combination of Compton and Kleopa discloses the method of claim 1, but fails to explicitly disclose the following limitation taught by Mermoud:
wherein the first model comprises a neural network trained on sets of labeled network traffic messages (Mermoud, ¶44: “… a learning machine may construct a model of normal network behavior, to detect data points that deviate from this model. … techniques that may be used to construct and analyze such a model may include … neural networks (e.g., reservoir networks, artificial neural networks, etc”).   
The same motivation used to combine Compton and Kleopa with Mermoud in claim 2 is applied to claim 6.
Regarding claim 7:
The combination of Compton, Kleopa and Mermoud discloses:
The method of claim 4, wherein the operations further comprise, after determining that network abuse is occurring: 
receiving feedback indicating that the occurring network abuse was either a false positive or actual network abuse (Compton, ¶95: “Once the system starts analyzing operational traffic (after training), the model is revised with, for example, traffic analyzed by a DPI device that labels the traffic as false positive or true positive malicious.”); and 
updating the first model based on the feedback (Compton, ¶95: “The results (malicious or non-malicious) are submitted to the model and the model is revised according to the reports thereby training the model to detect malicious traffic.”).   
Regarding claim 9:
The combination of Compton and Kleopa discloses the method of claim 1, but fails to explicitly disclose the following limitation taught by Mermoud:
wherein the operations further comprise: 
providing the generated at least one network traffic rule to a user associated with the network service (Mermoud, ¶70: “… UI process 420 may communicate with SCA 404 to provide the user of client device 406 with information regarding the anomaly detecting SLN deployed in the network (e.g., via a display, etc.).”); 
receiving an indication from the user accepting one of the generated at least one network traffic rule (Mermoud, ¶70: “… the user of client device 406 may request additional information from the SLN regarding a particular portion of the network, traffic flow …”); and 
implementing the accepted network traffic rule indicated by the user (Mermoud, ¶70: “… SCA 404 may execute UI process 420, allowing the user to interface with SCA 404 directly.”).  
The same motivation used to combine Compton and Kleopa with Mermoud in claim 2 is applied to claim 9.
Regarding claim 10:
The combination of Compton and Kleopa discloses the method of claim 1, but fails to explicitly disclose the following limitation taught by Mermoud:
wherein the operations further comprise: 
receiving user preferences associated with desired network traffic rules (Mermoud, ¶70: “… UI process 420 may communicate with SCA 404 to provide the user of client device 406 with information regarding the anomaly detecting SLN deployed in the network (e.g., via a display, etc.).”); 
selecting one of the generated at least one network traffic rule based on the user preferences (Mermoud, ¶70: “… UI process 420 may be configured to allow the user to provide supervisory control over the SLN by sending control parameters and/or instructions from client device 406 to SCA 404.”); and 
implementing the selected network traffic rule (Mermoud, ¶89: “…  in response to receiving RISK_NOTIF message 504, one or more parameter adjustments for the SLN may be determined by the administrator operating client device 406 …  In response to learning that a device or traffic type is at high risk, the administrator … may initiate adaptive mitigation.”).  
The same motivation used to combine Compton and Kleopa with Mermoud in claim 2 is applied to claim 10.
Regarding claim 11:
The combination of Compton, Kleopa and Mermoud discloses:
The method of claim 10, wherein the user preferences comprise an amount of non-abusing network traffic messages that may be affected by the selected network traffic rule (Compton, ¶126: “… the one or more rules are based on normal behavior of a given network traffic flow (operations 1204-1208).”).   
Regarding claims 14-19 and 21-23:
Claims 14-19 and 21-23 substantially recite the same limitations as claims 2-7 and 9-11, respectively, in the form of a system implementing the corresponding method; therefore they are rejected by the same rationale.
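As an added illustration (not code from the application, the examiner, or any cited reference), the following Python sketches the claimed pipeline of claims 1, 2, 5, 8, 10 and 11 end to end: windowing the first set of messages, an abuse probability score tested against a threshold, per-message labeling against historical traffic, candidate firewall rules with their collateral on non-abusing messages, and rule selection under a user preference. Simple counting heuristics stand in for the first, second and third models; the message fields, thresholds and sample traffic are all assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Msg:
    ts: float   # arrival time in seconds
    src: str    # source address
    path: str   # requested resource

def windows(msgs, width):
    """Claim 2: split a message set into discrete time windows of `width` seconds."""
    buckets = defaultdict(list)
    for m in msgs:
        buckets[int(m.ts // width)].append(m)
    return [buckets[k] for k in sorted(buckets)]

def abuse_score(window, baseline):
    """Claim 5, first-model stand-in: score in [0, 1] rising with how far the window's
    message count exceeds the historical per-window baseline (a trained classifier, claim 6, would replace it)."""
    excess = len(window) - baseline
    return 0.0 if excess <= 0 else min(1.0, excess / (3 * baseline))

def label_messages(msgs, hist_per_src, factor=5):
    """Claim 8, second-model stand-in: a source sending more than `factor` times its
    historical count is labelled abusing (True); everything else non-abusing (False)."""
    counts = Counter(m.src for m in msgs)
    return [(m, counts[m.src] > factor * max(hist_per_src.get(m.src, 0), 1)) for m in msgs]

def generate_rules(labelled):
    """Claim 1, third-model stand-in: candidate firewall rules (block a source or a path),
    each with the abusing messages it stops and the non-abusing ones it would hit (claim 11)."""
    rules = []
    for field in ("src", "path"):
        for value in sorted({getattr(m, field) for m, abusing in labelled if abusing}):
            hit = [abusing for m, abusing in labelled if getattr(m, field) == value]
            rules.append({"match": field, "value": value,
                          "stopped": sum(hit), "collateral": len(hit) - sum(hit)})
    return rules

def select_rule(rules, max_collateral):
    """Claim 10: within the user's collateral tolerance, pick the rule stopping the most abuse."""
    ok = [r for r in rules if r["collateral"] <= max_collateral]
    return max(ok, key=lambda r: (r["stopped"], -r["collateral"])) if ok else None

# Constructed sample traffic (hypothetical, not from the application): three regular
# sources at one message per 10 s window, then 10.0.0.9 flooding /login from t=50 s.
REGULAR = ("10.0.0.1", "10.0.0.2", "10.0.0.3")
HISTORY = [Msg(float(t), s, "/home") for s in REGULAR for t in range(0, 40, 10)]
CURRENT = ([Msg(t + 0.5, s, "/home") for s in REGULAR for t in range(40, 60, 10)]
           + [Msg(50 + i * 0.2, "10.0.0.9", "/login") for i in range(40)]
           + [Msg(52.0, "10.0.0.2", "/login")])

def run(width=10.0, threshold=0.5, max_collateral=1):
    baseline = len(HISTORY) / len(windows(HISTORY, width))   # historical messages per window
    hist_per_src = Counter(m.src for m in HISTORY)
    for w in windows(CURRENT, width):
        if abuse_score(w, baseline) >= threshold:             # claim 5 threshold test
            return select_rule(generate_rules(label_messages(w, hist_per_src)), max_collateral)
    return None
```

With the sample traffic, `run()` selects the source-block rule for 10.0.0.9 (40 abusing messages stopped, no collateral) over the path-block rule, which would also affect one legitimate /login message.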
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
Chen (US-PGPUB No. 20160196430 A1) discloses a protection method to be utilized for a user equipment against an attack of a malware. The protection method comprises obtaining an observed information comprising at least one of a sampled information and a labeled information.
Sorge et al. (US-PGPUB No. 20110239295 A1) discloses a method for supporting attack detection in a distributed system, wherein a message being sent within said distributed system from a source entity to one or more target entities is transmitted via one or more intermediate entities.
Ackerman et al. (US-PGPUB No. 20170310703 A1) discloses a method that may include monitoring outbound traffic from an endpoint in an enterprise network and detecting a potential trigger event for a distributed denial of service attack.
 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/M.H./Examiner, Art Unit 2491

/LINGLAN EDWARDS/Primary Examiner, Art Unit 2491