Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the reply filed by Applicant on 7/7/2022. Claims 1-20 are pending. This Office Action is Final.

Response to Arguments
	A) Applicant’s arguments with respect to claims 1, 14, 16 and 19 have been considered but are moot because the new ground of rejection does not rely on the exact combination of references applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: “module” in claims 14, 16 and 19.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-4, 8 and 14-20 are rejected under 35 U.S.C. 103 as being unpatentable over Abdel-Aziz et al. (US 2009/0044276) in view of Kozlov et al. (US 2009/0037363) and Segev et al. (US 10,148,680).

	As per claim 1, Abdel-Aziz teaches a method of recognizing deviations in communication behavior of a network, the method comprising: collecting communication metadata in a switch of the network, wherein the communication metadata comprises data about characteristics of each communication over the switch (Abdel-Aziz, Paragraph 0089 recites “With reference to FIGS. 3 and 5, an exemplary embodiment of a method of monitoring the traffic in the fast datapath using an MD system 301 begins at 530 where the limits are established in limits table 321. Next, the counters 315 and buckets 319 (e.g., array) are initialized (531). It is noted that all counters 315 may be initialized at regular intervals of time, or may be initialized at the end of the respective time window. As well, the AIC unit 324 may interpret the counts at regular intervals of time, after a certain number of time windows elapsed, etc; these are design implementations that can be executed in different ways, as is well known.”);
	checking, for each communication over the switch, whether the respective at most three security values meet respective predetermined threshold values, the checking comprising checking, for each communication over the switch, whether the security point, which is defined by the derived two or three security values, lies within or on the envelope (Abdel-Aziz, Paragraph 0036 recites “The malware detection logic 20 establishes and maintains a set of counters 25 and corresponding thresholds in the limits table 41 for each client device 30 associated with the access switch 14. In operation, the counters 25 are reset periodically, with the thresholds being set so as to discern suspected malware activity, and the reset period and thresholds may be user adjustable for tailoring by network operators. If any threshold is exceeded, the corresponding client device 30 may be advantageously isolated for further analysis or other remedial action via the attack containment logic 46.”);
	and generating a security warning in case at least one of the security points of the communication lies outside the envelope (Abdel-Aziz, Paragraph 0058 recites “In this way, the NE 310 gets an early alert of a possible attack being under way, without overly annoying the user(s). When specific counters 315 trigger alerts, the response could be to automatically loosen the limits. This type of response is useful during initial setup to adaptively set limits for servers, etc.”).
	Abdel-Aziz fails to teach deriving for each communication over the switch two or three security values from the communication metadata of the respective communication and threshold values derived during the generation of a model of the communication behavior derived from training communication metadata of the network, wherein the model selects values from the communication metadata that contribute to evaluation of the security of the network.
	However, in an analogous art Kozlov teaches deriving for each communication over the switch two or three security values from the communication metadata of the respective communication and threshold values derived during the generation of a model of the communication behavior derived from training communication metadata of the network, wherein the model selects values from the communication metadata that contribute to evaluation of the security of the network (Kozlov, Paragraph 0080 recites “The model evaluation system 112 retrieves selected model specific metadata from the model metadata repository 108 including the model performance based triggers. Each performance based event trigger includes a threshold value. The model evaluation system 112 compares each of the performance results against the defined threshold values. If any of the conditions defined by the threshold values in the model performance based triggers are found to be TRUE, the first data mining model is designated as a deteriorated model. If the conditions defined by the threshold values of the model performance based triggers are all found to be FALSE, the performance status of the first data mining model remains designated as an operational model.” Kozlov is effectively teaching a model which is made from selected metadata, similar to the recited claim language. Further these selected metadata will have threshold values used for evaluation.).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Kozlov’s Methods And Systems For Managing A Data Mining Model with Abdel-Aziz’s method and apparatus for detecting malware because selecting metadata from other metadata gives an entity the flexibility to choose criteria based on what it wishes to evaluate.
	Abdel-Aziz in view of Kozlov fails to teach spanning a 2D envelope in a 2D domain or a 3D envelope in the 3D domain based on threshold values, the envelope defining an area in the 2D domain or a space in the 3D domain where all the respective threshold values are met by the respective security points.
	However, in an analogous art Segev teaches spanning a 2D envelope in a 2D domain or a 3D envelope in the 3D domain based on threshold values, the envelope defining an area in the 2D domain or a space in the 3D domain where all the respective threshold values are met by the respective security points (Segev, Col. 8 Lines 50-62 recites “In an embodiment there is provided a detection system for performing anomaly detection, a detected anomaly being indicative of an undesirable event, the system comprising: a computer and an anomaly detection engine executable by the computer, the anomaly detection engine configured to perform a method comprising receiving data comprising a plurality m of multidimensional datapoints (MDDPs), each data point having n features constructing a dictionary D based on the received data, embedding D into a lower dimensional space and then classifying a NAMDDP as an anomaly or as normal based on either a threshold determined in the embedded space or by the geometry of the embedded space.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Segev’s System And Method For Anomaly Detection In Dynamically Evolving Data Using Hybrid Decomposition with Abdel-Aziz’s method and apparatus for detecting malware because the use of a multidimensional analysis would be a more accurate way to determine anomalies.

	As per claim 2, Abdel-Aziz in view of Kozlov and Segev teaches the method of claim 1, and Abdel-Aziz further teaches displaying, by a display, the security points and the envelope (Abdel-Aziz, Paragraph 0163 recites “This data may be likewise stored in an electronic memory, at least for a time, wherein the packets and data described herein may be of any suitable form including without limitation optical, electrical, or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated, and wherein these may be referred to in various terms such as bits, values, elements, symbols, characters, terms, numbers, etc. In this regard, unless specifically stated otherwise, or as is apparent from the discussion, terms such as "processing" or "computing" or "calculating" or "determining" or "displaying" or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical, electronic quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage, transmission or display devices.”).

	As per claim 3, Abdel-Aziz in view of Kozlov and Segev teaches the method of claim 1, and Abdel-Aziz further teaches wherein generating the security warning comprises generating the security warning in case one or more security values of the two or three security values does not suffice with respect to the respective predetermined threshold value for a predefined number of communications, for a predefined duration, or for the predefined number of communications and for the predefined duration (Abdel-Aziz, Paragraph 0058 recites “In this way, the NE 310 gets an early alert of a possible attack being under way, without overly annoying the user(s). When specific counters 315 trigger alerts, the response could be to automatically loosen the limits. This type of response is useful during initial setup to adaptively set limits for servers, etc.”).

	As per claim 4, Abdel-Aziz in view of Kozlov and Segev teaches the method of claim 1, and Abdel-Aziz further teaches wherein deriving the two or three security values comprises pre-processing the communication metadata with a data cleansing function determining valid data of the communication metadata, and wherein only the determined valid data are provided to the model of the communication behavior for deriving the at most three security values (Abdel-Aziz, Paragraph 0136 recites “With reference to FIG. 2, the malware ID logic 44 operates to compare one or more of the count values to at least one of the preset limits in the limits table 41 and may also perform mathematical computations using two or more count values to derive a result and compare the result to a further limit from the limits table 41. In processing each PDU 17, once the counters 25 are updated, the attack ID logic 43 checks the count values against the limits table 41, according to the following simple counter value comparison tests to identify suspected malware activity: i) If countSYN>100 (e.g., this catches malware (e.g., worms) trying to connect to many hosts); ii) If countUDPout>100 (e.g., this catches malware (e.g., worms) trying to connect to many hosts with UDP); and iii) If countARP>100 (e.g., this catches malware (e.g., worms) probing the local sub-net).”).
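	As an added example (not code from the Office Action or from any of the cited references), the claimed method of claims 1, 3 and 4 in runnable form over constructed switch metadata: valid records are cleansed, two security values per communication form a security point, thresholds learned from training metadata span a box envelope, and a warning is raised only when points stay outside the envelope for a predefined number of communications or a predefined duration. The metadata fields, the choice of packet rate and bytes-per-packet as the two security values, and the mean + k*sigma threshold rule are assumptions for illustration; the functions are dimension-agnostic, so a third value gives the 3D case.

```python
"""Threshold-envelope check over per-communication switch metadata.

Added example, not code from the Office Action or from any cited reference.
The metadata fields, the two derived security values and the mean + k*sigma
threshold rule are assumptions for illustration.
"""
import math
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

@dataclass(frozen=True)
class Communication:
    """Metadata for one communication seen at the switch (constructed)."""
    ts: float          # seconds when the flow was recorded
    src: str
    packets: int
    bytes_sent: int
    duration_s: float

def cleanse(records: Sequence[Communication]) -> list:
    """Claim-4 style cleansing: only records with valid fields pass."""
    return [r for r in records
            if r.packets > 0 and r.bytes_sent >= 0 and r.duration_s > 0]

def security_point(c: Communication) -> Tuple[float, ...]:
    """Two security values per communication: packet rate, bytes per packet.
    Returning a third value gives a 3D point; the rest of the code is
    dimension-agnostic."""
    return (c.packets / c.duration_s, c.bytes_sent / c.packets)

def train_envelope(training: Sequence[Communication], k: float = 3.0) -> Tuple[float, ...]:
    """Model generation: one upper threshold (mean + k*sigma over valid
    training records, an assumed rule) per security value. The envelope is
    the box [0, threshold] in every dimension."""
    points = [security_point(c) for c in cleanse(training)]
    if not points:
        raise ValueError("no valid training data")
    thresholds = []
    for d in range(len(points[0])):
        vals = [p[d] for p in points]
        mean = sum(vals) / len(vals)
        sigma = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
        thresholds.append(mean + k * sigma)
    return tuple(thresholds)

def inside_envelope(point, envelope) -> bool:
    """True when the point lies within or on the envelope in every dimension."""
    return all(0.0 <= v <= t for v, t in zip(point, envelope))

class EnvelopeMonitor:
    """Per-communication check with the claim-3 persistence condition: warn
    only after points stay outside the envelope for a predefined number of
    communications or for a predefined duration."""

    def __init__(self, envelope, max_count: int = 3, max_seconds: float = 60.0):
        self.envelope = envelope
        self.max_count = max_count
        self.max_seconds = max_seconds
        self.outside_count = 0
        self.first_outside_ts: Optional[float] = None

    def observe(self, c: Communication) -> Optional[str]:
        """Return a warning for this communication, or None."""
        if not cleanse([c]):
            return None              # invalid metadata never reaches the model
        point = security_point(c)
        if inside_envelope(point, self.envelope):
            self.outside_count, self.first_outside_ts = 0, None
            return None
        self.outside_count += 1
        if self.first_outside_ts is None:
            self.first_outside_ts = c.ts
        if (self.outside_count < self.max_count
                and c.ts - self.first_outside_ts < self.max_seconds):
            return None
        return (f"SECURITY WARNING: {c.src} point {point} outside envelope "
                f"{self.envelope} for {self.outside_count} communications")

# Constructed training set: moderate flows on a regularly working network,
# plus one invalid record that cleansing drops.
TRAINING = [
    Communication(0.0, "10.0.0.2", 100, 50000, 10.0),
    Communication(1.0, "10.0.0.3", 200, 120000, 20.0),
    Communication(2.0, "10.0.0.4", 150, 60000, 10.0),
    Communication(3.0, "10.0.0.5", 50, 25000, 5.0),
    Communication(4.0, "10.0.0.6", 300, 150000, 20.0),
    Communication(5.0, "10.0.0.7", 120, 72000, 10.0),
    Communication(6.0, "10.0.0.8", 0, 0, 0.0),
]

def run_demo() -> list:
    """One normal flow, then three communications of a 100 pkt/s burst."""
    monitor = EnvelopeMonitor(train_envelope(TRAINING))
    flows = [Communication(100.0, "10.0.0.2", 100, 50000, 10.0)]
    flows += [Communication(110.0 + i, "10.0.0.66", 1000, 60000, 10.0)
              for i in range(3)]
    return [monitor.observe(f) for f in flows]
```

With the constructed training set the learned envelope is roughly 18.7 packets/s by 723 bytes/packet, so the burst's point (100, 60) lies outside and the third consecutive burst communication produces the warning.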

	As per claim 8, Abdel-Aziz in view of Kozlov and Segev teaches the method of claim 1, and Abdel-Aziz further teaches wherein the model of the communication behavior is derived from training communication metadata by an analytical algorithm for deriving at most three security values describing a communication over the switch only considering security relevant data of communication metadata (Abdel-Aziz, Paragraph 0136 recites “With reference to FIG. 2, the malware ID logic 44 operates to compare one or more of the count values to at least one of the preset limits in the limits table 41 and may also perform mathematical computations using two or more count values to derive a result and compare the result to a further limit from the limits table 41. In processing each PDU 17, once the counters 25 are updated, the attack ID logic 43 checks the count values against the limits table 41, according to the following simple counter value comparison tests to identify suspected malware activity: i) If countSYN>100 (e.g., this catches malware (e.g., worms) trying to connect to many hosts); ii) If countUDPout>100 (e.g., this catches malware (e.g., worms) trying to connect to many hosts with UDP); and iii) If countARP>100 (e.g., this catches malware (e.g., worms) probing the local sub-net).”).

	Regarding claims 14, 16 and 19, claims 14, 16 and 19 are directed to similar devices and systems associated with the method of claim 1, respectively. Claims 14, 16 and 19 are similar in scope to claim 1, respectively, and are therefore rejected under similar rationale.

	Regarding claims 15 and 17, claims 15 and 17 are directed to similar devices associated with the method of claim 3, respectively. Claims 15 and 17 are similar in scope to claim 3, respectively, and are therefore rejected under similar rationale.

	As per claim 18, Abdel-Aziz in view of Kozlov and Segev teaches the device of claim 16, Abdel-Aziz further teaches wherein the device is an edge device coupleable to the switch (Abdel-Aziz, Paragraph 0025 recites “With reference to FIG. 1, an exemplary embodiment of a wireless LAN 10 includes a router 12 that provides operative connection to a core network 6 with ultimate connectivity to any number of such networks, including the Internet 8. The router 12 provides communicative interfacing between the core network 6 and the wireless LAN 10 via one or more wireless access switches 14, individually including one or more ports 15.”).

	As per claim 20, Abdel-Aziz in view of Kozlov and Segev teaches the method of claim 1, and Segev further teaches wherein the two or three security values define a security point of the respective communication in a two-dimensional (2D) domain or a three-dimensional (3D) domain (Segev, Col. 8 Lines 50-62 recites “In an embodiment there is provided a detection system for performing anomaly detection, a detected anomaly being indicative of an undesirable event, the system comprising: a computer and an anomaly detection engine executable by the computer, the anomaly detection engine configured to perform a method comprising receiving data comprising a plurality m of multidimensional datapoints (MDDPs), each data point having n features constructing a dictionary D based on the received data, embedding D into a lower dimensional space and then classifying a NAMDDP as an anomaly or as normal based on either a threshold determined in the embedded space or by the geometry of the embedded space.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Segev’s System And Method For Anomaly Detection In Dynamically Evolving Data Using Hybrid Decomposition with Abdel-Aziz’s method and apparatus for detecting malware because the use of a multidimensional analysis would be a more accurate way to determine anomalies.

Claims 5, 6, 9, 10 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Abdel-Aziz et al. (US 2009/0044276), Kozlov et al. (US 2009/0037363) and Segev et al. (US 10,148,680), and further in view of Khurshudov et al. (US 2018/0211176).

	As per claim 5, Abdel-Aziz in view of Kozlov and Segev teaches the method of claim 1, but fails to teach deriving the model of the communication behavior from training communication metadata by a forward feature selection algorithm, a backward feature selection algorithm, or the forward feature selection algorithm and the backward feature selection algorithm for deriving at most three security values describing the respective communication over the switch only considering security relevant data of communication metadata.
	However, in an analogous art Khurshudov teaches deriving the model of the communication behavior from training communication metadata by a forward feature selection algorithm, a backward feature selection algorithm, or the forward feature selection algorithm and the backward feature selection algorithm for deriving at most three security values describing the respective communication over the switch only considering security relevant data of communication metadata (Khurshudov, Paragraph 0058 recites “In addition to statistical anomaly detection techniques including statistical process control (SPC), other analytical techniques may be used to evaluate sensor data for anomalies. For any time scale, other statistical techniques including single variable 3*sigma outliers, use of Mahalanobis metricsdistance, Z-score/weighted Z-score, and other techniques may be used. Model-based approaches (when some sort of assumption about the data is made) include Robust covariance estimation, Subspace-based anomaly detection, Kernel-based density estimation, and other model-based techniques. Unsupervised machine learning approaches may also be used, including K-means-based approaches, dbscan (finds contiguous regions of common density), Isolation forest, One-class support vector machines, and other techniques.” Khurshudov teaches a robust covariance to determine estimations).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Khurshudov’s Blended IoT Device Health Index with Abdel-Aziz’s method and apparatus for detecting malware because the use of estimation models helps to determine proper values.

	As per claim 6, Abdel-Aziz in view of Kozlov, Segev and Khurshudov teaches the method of claim 5, and Khurshudov further teaches wherein the forward feature selection algorithm, the backward feature selection algorithm, or the forward feature selection algorithm and the backward feature selection algorithm are a support vector machine, a robust covariance, or an Isolation Forrest algorithm (Khurshudov, Paragraph 0058 recites “In addition to statistical anomaly detection techniques including statistical process control (SPC), other analytical techniques may be used to evaluate sensor data for anomalies. For any time scale, other statistical techniques including single variable 3*sigma outliers, use of Mahalanobis metricsdistance, Z-score/weighted Z-score, and other techniques may be used. Model-based approaches (when some sort of assumption about the data is made) include Robust covariance estimation, Subspace-based anomaly detection, Kernel-based density estimation, and other model-based techniques. Unsupervised machine learning approaches may also be used, including K-means-based approaches, dbscan (finds contiguous regions of common density), Isolation forest, One-class support vector machines, and other techniques.” Khurshudov teaches a robust covariance to determine estimations).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Khurshudov’s Blended IoT Device Health Index with Abdel-Aziz’s method and apparatus for detecting malware because the use of estimation models helps to determine proper values.

	As per claim 9, Abdel-Aziz in view of Kozlov, Segev and Khurshudov teaches the method of claim 5, and Abdel-Aziz further teaches wherein the training communication metadata is pre-processed with a data cleansing function determining valid training data of the training communication metadata, and wherein only the determined valid training data is used for deriving the model of the communication behavior (Abdel-Aziz, Paragraph 0136 recites “With reference to FIG. 2, the malware ID logic 44 operates to compare one or more of the count values to at least one of the preset limits in the limits table 41 and may also perform mathematical computations using two or more count values to derive a result and compare the result to a further limit from the limits table 41. In processing each PDU 17, once the counters 25 are updated, the attack ID logic 43 checks the count values against the limits table 41, according to the following simple counter value comparison tests to identify suspected malware activity: i) If countSYN>100 (e.g., this catches malware (e.g., worms) trying to connect to many hosts); ii) If countUDPout>100 (e.g., this catches malware (e.g., worms) trying to connect to many hosts with UDP); and iii) If countARP>100 (e.g., this catches malware (e.g., worms) probing the local sub-net).”).

	As per claim 10, Abdel-Aziz in view of Kozlov, Segev and Khurshudov teaches the method of claim 5, and Khurshudov further teaches wherein the model of the communication behavior is a robust model derived from training communication metadata of communications in a regularly working network (Khurshudov, Paragraph 0058 recites “In addition to statistical anomaly detection techniques including statistical process control (SPC), other analytical techniques may be used to evaluate sensor data for anomalies. For any time scale, other statistical techniques including single variable 3*sigma outliers, use of Mahalanobis metricsdistance, Z-score/weighted Z-score, and other techniques may be used. Model-based approaches (when some sort of assumption about the data is made) include Robust covariance estimation, Subspace-based anomaly detection, Kernel-based density estimation, and other model-based techniques. Unsupervised machine learning approaches may also be used, including K-means-based approaches, dbscan (finds contiguous regions of common density), Isolation forest, One-class support vector machines, and other techniques.” Khurshudov teaches a robust covariance to determine estimations).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Khurshudov’s Blended IoT Device Health Index with Abdel-Aziz’s method and apparatus for detecting malware because the use of estimation models helps to determine proper values.
	
	As per claim 12, Abdel-Aziz in view of Kozlov, Segev and Khurshudov teaches the method of claim 5, and Abdel-Aziz further teaches wherein the model of the communication behavior is derived from training communication metadata of communications in an actually existing network, a currently operating network, or an actually existing and currently operating network (Abdel-Aziz, Paragraph 0036 recites “The malware detection logic 20 establishes and maintains a set of counters 25 and corresponding thresholds in the limits table 41 for each client device 30 associated with the access switch 14. In operation, the counters 25 are reset periodically, with the thresholds being set so as to discern suspected malware activity, and the reset period and thresholds may be user adjustable for tailoring by network operators. If any threshold is exceeded, the corresponding client device 30 may be advantageously isolated for further analysis or other remedial action via the attack containment logic 46.” The malware detection logic operates in a live network to prevent malware.).


Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Abdel-Aziz et al. (US 2009/0044276), Kozlov et al. (US 2009/0037363) and Segev et al. (US 10,148,680), and further in view of Zibuschka et al. (US 2018/0124076).

	As per claim 7, Abdel-Aziz in view of Kozlov and Segev teaches the method of claim 1, but fails to teach wherein the model of the communication behavior is based on an artificial neuronal network (ANN) trained with training communication metadata for deriving at most three security values describing a communication over the switch only considering security relevant data of communication metadata.
	However, in an analogous art Zibuschka teaches wherein the model of the communication behavior is based on an artificial neuronal network (ANN) trained with training communication metadata for deriving at most three security values describing a communication over the switch only considering security relevant data of communication metadata (Zibuschka, Paragraph 0037 recites “For this purpose, unit 11 may make an association of the information attack or attacks with a predefined class, for example via an unattended or an attended automatic learner such as an artificial neuronal network, a so-called K-means algorithm, or a so-called expectation maximization algorithm. It is provided in particular that the unit jointly evaluates characteristic data that have been transmitted from various devices 3, and correspondingly generates an overview of a security situation, for example in a geographical area or for a certain manufacturer or a certain product line.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Zibuschka’s Method for transmitting data with Abdel-Aziz’s method and apparatus for detecting malware because the use of estimation models helps to determine proper values.

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Abdel-Aziz et al. (US 2009/0044276), Kozlov et al. (US 2009/0037363), Segev et al. (US 10,148,680) and Khurshudov et al. (US 2018/0211176), and further in view of Di Pietro et al. (US 2016/0028750).

	As per claim 11, Abdel-Aziz in view of Kozlov, Segev and Khurshudov teaches the method of claim 5, but fails to teach wherein the model of the communication behavior is derived from training communication metadata of communications in a network related to known attacks on the network.
	However, in an analogous art Di Pietro teaches wherein the model of the communication behavior is derived from training communication metadata of communications in a network related to known attacks on the network (Di Pietro, Paragraph 0052 recites “The techniques herein allow identification of unrecognized behaviors that were not described and/or known in the training data set used to train a machine learning classifier (e.g., an ANN, etc.). In some aspects a machine learning model describing the overall set of behaviors for which an attack detection classifier has been trained may be generated and used to ensure that any observed behavior in the network is expected by the attack detector. If the model detects that an unexpected behavior is being observed, the associated data may be redirected to a central entity which recomputes the classifier by accounting for the new observed behavior. In some aspects, the update to the classifier may leverage the recommendation of an external expert, such as a network administrator, etc. On one hand, the techniques herein may improve the reliability of a learning machine-based attack detection mechanism, such as when an ANN is used. On the other hand, the techniques may also allow the automatic generation of signatures for unknown attacks, thereby allowing the attack detection mechanism to adapt to previously unknown situations.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Di Pietro’s signature creation for unknown attacks with Abdel-Aziz’s method and apparatus for detecting malware because the use of known attacks helps to build better classifiers to determine malicious attacks.


Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Abdel-Aziz et al. (US 2009/0044276), Kozlov et al. (US 2009/0037363), Segev et al. (US 10,148,680) and Khurshudov et al. (US 2018/0211176), and in further view of Hazard (US 2019/0310592).

	As per claim 13, Abdel-Aziz in view of Kozlov, Segev and Khurshudov teaches the method of claim 5, but fails to teach wherein the model of the communication behavior is derived from training communication metadata of communications in a digital twin of the network.
	However, in an analogous art Hazard teaches wherein the model of the communication behavior is derived from training communication metadata of communications in a digital twin of the network (Hazard, Paragraph 0118 recites “Each of training and analysis system 210 and control system 220 may run on a single computing device, multiple computing devices, in a distributed manner across a network, on one or more virtual machines, which themselves run on one or more computing devices. In some embodiments, training and analysis system 210 and control system 220 are distinct sets of processes running on distinct sets of computing devices. In other embodiments, training and analysis system 210 and control system 220 are intertwined or share processes or functions and/or run on the same computing devices. In some embodiments, storage 230 and 240 are communicatively coupled to training and analysis system 210 and control system 220 via a network 290 or other connection. Storage 230 and 240 may also be part of or integrated with training and analysis system 210 and/or control system 220 via a network 290 or other connection.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date, to use Hazard’s computer-based reasoning and artificial intelligence systems with Abdel-Aziz’s method and apparatus for detecting malware because the use of a virtual environment helps to build better classifiers to determine malicious attacks.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached Mon- Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

RODERICK . TOLENTINO
Examiner
Art Unit 2439

/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439