The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is in response to the communication filed on 06/27/2022. Claims 1-22 were pending in the application. Claims 1-7, 9-16 and 18-19 have been allowed. Claims 1, 10 and 19 are independent claims. Claims 8, 17 and 20-22 are cancelled.
Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee. Authorization for this examiner’s amendment was given in a telephone conversation with Seema Mehta on July 27th, 2022 followed by an e-mail.
The application has been amended as follows: 
1. (Currently Amended) A method for detecting Command and Control (C&C) toward a web application in a network, comprising:
obtaining, using a Web Application Firewall (WAF) of the network, network traffic between the web application and a server, where the server is outside the network, and wherein the network traffic is decrypted and reformatted by the WAF;
transmitting the network traffic from the WAF to a machine learning model;
determining, using the machine learning model, whether the network traffic comprises a command signature;
in response to determining that the network traffic comprises a command signature, generating a notification; and
determining, upon receiving the notification, whether the server is a C&C by analyzing, by a security personnel, the network traffic,
wherein the decrypted and reformatted network traffic, as determined by the WAF, comprises the features: whether the port scanning activity is suspicious; whether the network traffic includes a data exfiltration command; whether the network traffic includes a memory manipulation command; whether the network traffic includes a crypto vulnerability exploit command; whether the network traffic includes a command shell command; and whether the network traffic includes a reverse HTTP shell command.
2. (Previously Presented) The method according to claim 1,
wherein the machine learning model comprises a Random Forest (RF) classifier, and
wherein the RF classifier comprises a plurality of decision trees.
3. (Previously Presented) The method according to claim 2, further comprising training the machine learning model, wherein training the machine learning model comprises:
obtaining an original dataset that comprises a plurality of network traffic samples; and
generating, from the original dataset, a plurality of bootstrapped datasets,
wherein each of the plurality of decision trees corresponds to one of the plurality of bootstrapped datasets, and
wherein each of the plurality of decision trees is trained using its corresponding bootstrapped dataset.
4. (Previously Presented) The method according to claim 3, wherein the plurality of network traffic samples comprises a normal network traffic sample that does not have any command signature.
5. (Previously Presented) The method according to claim 2, wherein whether the network traffic comprises a command signature is determined based on the votes of the plurality of decision trees.
6. (Previously Presented) The method according to claim 1, further comprising:
in response to determining that the network traffic comprises a command signature, assigning an identifier to the network traffic.
7. (Previously Presented) The method according to claim 6, wherein the notification comprises the identifier.
8. (Cancelled)
9. (Previously Presented) The method according to claim 1, wherein the network is a local area network.
10. (Currently Amended) A computer system storing instructions executable by a computer processor, the instructions comprising functionality for:
receiving network traffic from a Web Application Firewall (WAF) which intercepts communications between a web application in a network and a server, where the server is outside the network, and wherein the network traffic comprises intercepted communications which have been decrypted and reformatted by the WAF; and
determining, with a machine learning model that receives the network traffic from the WAF, whether the network traffic comprises a command signature;
wherein, in response to determining that the network traffic comprises a command signature, the machine learning model generates a notification,
wherein the notification and associated network traffic are received and analyzed by a security personnel to determine whether the server is a C&C,
wherein the decrypted and reformatted network traffic, as determined by the WAF, comprises the features: whether the port scanning activity is suspicious; whether the network traffic includes a data exfiltration command; whether the network traffic includes a memory manipulation command; whether the network traffic includes a crypto vulnerability exploit command; whether the network traffic includes a command shell command; and whether the network traffic includes a reverse HTTP shell command.
11. (Previously Presented) The computer system according to claim 10,
wherein the machine learning model comprises a Random Forest (RF) classifier, and
wherein the RF classifier comprises a plurality of decision trees.
12. (Previously Presented) The computer system according to claim 11, further comprising training the machine learning model, wherein training the machine learning model comprises:
obtaining an original dataset that comprises a plurality of network traffic samples,
generating, from the original dataset, a plurality of bootstrapped datasets,
wherein each of the plurality of decision trees corresponds to one of the plurality of bootstrapped datasets, and
wherein each of the plurality of decision trees is trained using its corresponding bootstrapped dataset.
13. (Previously Presented) The computer system according to claim 12, wherein the plurality of network traffic samples comprises a normal network traffic sample that does not have any command signature.
14. (Previously Presented) The computer system according to claim 11, wherein whether the network traffic comprises a command signature is determined based on the votes of the plurality of decision trees.
15. (Previously Presented) The computer system according to claim 10,
wherein, in response to determining that the network traffic comprises a command signature, the machine learning model assigns an identifier to the network traffic.
16. (Previously Presented) The computer system according to claim 15, wherein the notification comprises the identifier.
17. (Cancelled)
18. (Previously Presented) The computer system according to claim 10, wherein the network is a local area network.
19. (Currently Amended) A system, comprising:
a web application in a network,
a Web Application Firewall (WAF), wherein the WAF obtains network traffic between the web application and a server, where the server is outside the network, and wherein the network traffic is decrypted and reformatted by the WAF,
a machine learning model,
a security personnel, and
a computer comprising:
one or more computer processors, and
a computer readable medium storing instructions executable by a computer processor, the instructions comprising functionality for:
receiving the network traffic from the WAF,
determining, with the machine learning model, whether the network traffic comprises a command signature, and
generating, in response to determining that the network traffic comprises a command signature, a notification,
wherein, upon receiving the notification, the security personnel analyzes the associated network traffic to determine if the server is a C&C,
wherein the decrypted and reformatted network traffic, as determined by the WAF, comprises the features: whether the port scanning activity is suspicious; whether the network traffic includes a data exfiltration command; whether the network traffic includes a memory manipulation command; whether the network traffic includes a crypto vulnerability exploit command; whether the network traffic includes a command shell command; and whether the network traffic includes a reverse HTTP shell command.

20. (Cancelled)
21. (Cancelled)
22. (Cancelled)
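The claimed pipeline as an added toy example (not the applicant's code, nor any implementation of record): the six boolean features the claims require the WAF to report feed a Random Forest whose decision trees are each trained on their own bootstrapped dataset, the verdict is the trees' majority vote, and a hit produces a notification carrying an identifier for the analyst. The feature names, the tree learner and the training rows are constructed assumptions; in the claimed system the WAF would supply the features from the decrypted and reformatted traffic.

```python
import random
import uuid
from collections import Counter

# The six features the claims require the WAF to report (these names are assumed).
FEATURES = ["suspicious_port_scan", "data_exfiltration_cmd", "memory_manipulation_cmd",
            "crypto_exploit_cmd", "command_shell_cmd", "reverse_http_shell_cmd"]

def gini(rows):  # impurity of the labels in a list of (features, label) rows
    return 1.0 - sum((c / len(rows)) ** 2 for c in Counter(y for _, y in rows).values())

def grow_tree(rows, depth=0, max_depth=6):
    """Greedy decision tree over boolean features; a leaf is the majority label."""
    labels = [y for _, y in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if depth >= max_depth or len(set(labels)) == 1:
        return majority
    best = None
    for feature in FEATURES:
        yes = [r for r in rows if r[0][feature]]
        no = [r for r in rows if not r[0][feature]]
        if yes and no:  # only features that actually split this node
            score = (len(yes) * gini(yes) + len(no) * gini(no)) / len(rows)
            if best is None or score < best[0]:
                best = (score, feature, yes, no)
    if best is None:
        return majority
    _, feature, yes, no = best
    return {"feature": feature, "yes": grow_tree(yes, depth + 1, max_depth),
            "no": grow_tree(no, depth + 1, max_depth)}

def predict_tree(tree, x):
    while isinstance(tree, dict):  # descend until a leaf label is reached
        tree = tree["yes"] if x[tree["feature"]] else tree["no"]
    return tree

def train_forest(dataset, n_trees=7, seed=0):
    """Claims 3/12: one bootstrapped dataset per tree, each tree trained on its own."""
    rng = random.Random(seed)
    return [grow_tree([rng.choice(dataset) for _ in dataset]) for _ in range(n_trees)]

def has_command_signature(forest, x):
    """Claims 5/14: the verdict is the majority vote of the decision trees."""
    votes = Counter(predict_tree(tree, x) for tree in forest)
    return votes[True] > votes[False]

def handle_traffic(forest, x):
    # Claims 6/7: a hit is tagged with an identifier carried by the notification
    # handed to the analyst; traffic without a command signature yields None.
    return {"id": str(uuid.uuid4()), "features": x} if has_command_signature(forest, x) else None

def sample(*flags):  # a constructed WAF feature record with the named flags set
    return {f: f in flags for f in FEATURES}

# Constructed training data: normal traffic (claim 4) plus one row per command kind.
DATASET = [(sample(), False)] * 6 + [(sample(f), True) for f in FEATURES]
FOREST = train_forest(DATASET)
```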
EXAMINER’S REASONS FOR ALLOWANCE
Claims 1-7, 9-16 and 18-19 are allowed. The following is an examiner's statement of reasons for allowance:
The Applicant's replies make evident the reasons for allowance, satisfying the "record as a whole" proviso of the rule 37 CFR 1.104(e). The grounds of claim rejection were reconsidered and withdrawn based on the substance of applicant's amendments, remarks/arguments and proposed amendment (see remarks, filed 06/27/2022, pages 9-12); as such, the reasons for allowance are in all probability evident from the record and no statement is deemed necessary (see MPEP 1302.14).
The prior art of record Overcash (US Patent No 7,934,253 B2) teaches a computer network within an enterprise that includes a security module that is adapted to monitor network traffic and to identify security events. The network also includes an output configured to communicate security events to a central security manager, and an input configured to receive instructions from the central security manager, wherein the security module responds in accordance with the instructions.
The prior art of record Mizrahi (US Patent Application Publication No 8,429,751 B2) teaches receiving a request to access content at an application security system, identifying a source of the request and a local host to which the request is directed using the application security system, determining whether the source of the request is an external source, and performing a responsive action if the source of the request is received from an external source.
But none of the references mentioned above teaches "wherein the decrypted and reformatted network traffic, as determined by the WAF, comprises the features: whether the port scanning activity is suspicious; whether the network traffic includes a data exfiltration command; whether the network traffic includes a memory manipulation command; whether the network traffic includes a crypto vulnerability exploit command; whether the network traffic includes a command shell command; and whether the network traffic includes a reverse HTTP shell command".
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WASIKA NIPA whose telephone number is (571)272-8923.  The examiner can normally be reached on M-F, 8 am to 5 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/WASIKA NIPA/           Primary Examiner, Art Unit 2433