DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with LAWRENCE BARATTA (Reg. No. 59553) on August 8, 2022.

The application has been amended as follows:
Please amend the Claims as follows, without prejudice or disclaimer to continued examination on the merits:

1. (Currently Amended)	A method performed by at least one computer processor executing computer program instructions stored in at least one non-transitory computer-readable medium, the method comprising:
(A)	for each of a plurality of observed communications over a network between applications executing on a plurality of computer systems, collecting and storing observed communications data representing the plurality of observed communications, wherein the observed communications data includes, for each of the plurality of observed communications: data representing a source application of the observed communication, data representing a destination application of the observed communication, data representing a local Internet Protocol (IP) address of the observed communication, and data representing a remote IP address of the observed communication;
(B)	training a network communication model based on the observed communications data including flow matches between applications and hosts over a time period;
(C)	generating the network communication model based on the training, wherein the network communication model defines whether an application and host can communicate to other hosts on the network in a particular host segment of a plurality of hosts segments each including a plurality of hosts in the network by adding new policies to the network communication model or adding a new host segment to an existing host segment based on the other hosts;
(D)	generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications, wherein the hypothetical communications include new flow matches which do not exist in the observed data in the network communication model; and
(E)	predicting via the trained network communication model allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model;
(F)	identifying positive data representing a plurality of network communications that should be allowed by the network communication model;
(G)	calculating an accuracy of the network communication model based on the allowed data and the positive data; and
(H)	alerting a user to update policies of the network communication model based on the accuracy and provide the network communication model to any of plurality of hosts on the network for communication thereon.

2. (Original)	The method of claim 1, wherein the plurality of observed communications does not include any of the plurality of hypothetical communications.

3. (Canceled)

4. (Previously Presented)	The method of claim 1, wherein (G) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the positive data which are not allowed by the network communication model.

5. (Previously Presented)	 The method of claim 1, wherein (G) comprises:
(G)(1)	calculating a precision value P based on the allowed data and the positive data;
(G)(2)	calculating a recall value R based on the allowed data and the positive data; and
(G)(3)	calculating the accuracy F based on the precision value and the recall value.

6. (Previously Presented)	The method of claim 5, wherein (G)(3) comprises calculating F as (2XPXR)/(P+R).

7. (Previously Presented)	The method of claim 6, wherein (G)(1) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the hypothetical data which are allowed by the network communication model.

8. (Previously Presented)	The method of claim 7, wherein (G)(2) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the positive data which are not allowed by the network communication model.

9. (Original)	The method of claim 1, wherein calculating the accuracy comprises calculating the accuracy before applying the network communication model to any communications on the network.

10. (Original)	The method of claim 1, wherein identifying the positive data comprises receiving input indicating that the plurality of network communications should be allowed by the network communication model and storing data representing the input indicating that the plurality of network communications should be allowed by the network communication model.

11. (Currently Amended)	A system comprising at least one non-transitory computer-readable medium storing computer program instructions executable by at least one computer processor to perform a method, the method comprising:
(A)	for each of a plurality of observed communications over a network between applications executing on a plurality of computer systems, collecting and storing observed communications data representing the plurality of observed communications, wherein the observed communications data includes, for each of the plurality of observed communications: data representing a source application of the observed communication, data representing a destination application of the observed communication, data representing a local Internet Protocol (IP) address of the observed communication, and data representing a remote IP address of the observed communication;
(B)	training a network communication model based on the observed communications data including flow matches between applications and hosts over a time period;
(C)	generating the network communication model based on the training, wherein the network communication model defines whether an application and host can communicate on the network to other hosts in a particular host segment of a plurality of hosts segments each including a plurality of hosts in the network by adding new policies to the network communication model or adding a new host segment to an existing host segment based on the other hosts;
(D)	generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications, wherein the hypothetical communications include new flow matches which do not exist in the observed data in the network communication model; and
(E)	predicting via the trained network communication model allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model;
(F)	identifying positive data representing a plurality of network communications that should be allowed by the network communication model;
(G)	calculating an accuracy of the network communication model based on the allowed data and the positive data; and
(H)	alerting a user to update policies of the network communication model based on the accuracy and provide the network communication model to any of plurality of hosts on the network for communication thereon.

12. (Original)	The system of claim 11, wherein the plurality of observed communications does not include any of the plurality of hypothetical communications.

13. (Canceled)

14. (Previously Presented)	The system of claim 11, wherein (G) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the positive data which are not allowed by the network communication model.

15. (Previously Presented)	The system of claim 11, wherein (G) comprises:
(G)(1)	calculating a precision value P based on the allowed data and the positive data;
(G)(2)	calculating a recall value R based on the allowed data and the positive data; and
(G)(3)	calculating the accuracy F based on the precision value and the recall value.

16. (Previously Presented)	The system of claim 15, wherein (G)(3) comprises calculating F as (2XPXR)/(P+R).

17. (Previously Presented)	The system of claim 16, wherein (G)(1) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the hypothetical data which are allowed by the network communication model.

18. (Previously Presented)	The system of claim 17, wherein (G)(2) comprises dividing: (1) a size of an intersection of the allowed data and the positive data by (2) the size of the intersection of the allowed data and the positive data plus a size of a subset of the positive data which are not allowed by the network communication model.

19. (Original)	The system of claim 11, wherein calculating the accuracy comprises calculating the accuracy before applying the network communication model to any communications on the network.

20. (Original)	The system of claim 11, wherein identifying the positive data comprises receiving input indicating that the plurality of network communications should be allowed by the network communication model and storing data representing the input indicating that the plurality of network communications should be allowed by the network communication model.
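Claims 5 through 8 (and their system counterparts 15 through 18) spell out the accuracy calculation of step (G) as precision, recall and an F value over the allowed data and the positive data. The following is an added worked example, not code from the office action or from the applicant; it assumes a flow record shaped as in step (A), a model represented as a set of allowed (source application, destination application) policies, a hypothetical-flow construction that pairs every observed application match with every observed host pair, and a small constructed data set.

```python
from fractions import Fraction
from itertools import product

# A flow record is (src_app, dst_app, local_ip, remote_ip), as in step (A).
# Constructed sample data; the application names and IPs are illustrative only.
OBSERVED = {
    ("web", "api",   "10.0.1.10", "10.0.2.20"),
    ("api", "db",    "10.0.2.20", "10.0.3.30"),
    ("web", "cache", "10.0.1.10", "10.0.2.21"),
}
# Assumed model representation: a set of (src_app, dst_app) policies that
# apply regardless of which hosts the applications run on.
MODEL = {("web", "api"), ("api", "db")}

def generate_hypothetical(observed):
    """Step (D), one assumed construction: pair every observed application
    match with every observed host pair, then drop what was actually seen."""
    app_pairs = {(s, d) for s, d, _, _ in observed}
    host_pairs = {(l, r) for _, _, l, r in observed}
    return {(s, d, l, r) for (s, d), (l, r) in product(app_pairs, host_pairs)} - observed

def predict_allowed(model, flows):
    """Step (E): the subset of the candidate flows the model permits."""
    return {f for f in flows if (f[0], f[1]) in model}

def score(model, observed, hypothetical, positive):
    """Steps (G)(1)-(G)(3), using the denominators of claims 7 and 8.
    Fractions keep the arithmetic exact; zero denominators yield 0."""
    allowed = predict_allowed(model, observed | hypothetical)
    tp = len(allowed & positive)                # size of allowed ∩ positive
    hyp_allowed = len(allowed & hypothetical)   # hypothetical flows the model lets through
    missed = len(positive - allowed)            # positive flows the model blocks
    precision = Fraction(tp, tp + hyp_allowed) if tp + hyp_allowed else Fraction(0)
    recall = Fraction(tp, tp + missed) if tp + missed else Fraction(0)
    f = 2 * precision * recall / (precision + recall) if precision + recall else Fraction(0)
    return precision, recall, f

def run_example():
    hypothetical = generate_hypothetical(OBSERVED)
    # Step (F): flows an operator has marked as legitimate (constructed labels);
    # one of them is a hypothetical flow the model is expected to generalise to.
    positive = OBSERVED | {("web", "api", "10.0.1.10", "10.0.2.21")}
    return score(MODEL, OBSERVED, hypothetical, positive)

if __name__ == "__main__":
    p, r, f = run_example()
    print(f"precision={p} recall={r} F={f}")  # 3/7 3/4 6/11
```

With this data the model generalises web to api across hosts but has no policy for the observed web to cache flow, so recall is 3/4 while the four hypothetical flows it lets through pull precision down to 3/7; the resulting F of 6/11 is the figure step (H) would compare against a review threshold.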

Allowable Subject Matter
Claims 1-2, 4-12, and 14-20 are allowed.
The following is an examiner’s statement of reasons for allowance:
Independent claims 1 and 11, among other things, teach a method performed by at least one computer processor executing computer program instructions stored in at least one non-transitory computer-readable medium, the method comprising: (A) for each of a plurality of observed communications over a network between applications executing on a plurality of computer systems, collecting and storing observed communications data representing the plurality of observed communications, wherein the observed communications data includes, for each of the plurality of observed communications: data representing a source application of the observed communication, data representing a destination application of the observed communication, data representing a local Internet Protocol (IP) address of the observed communication, and data representing a remote IP address of the observed communication; (B) training a network communication model based on the observed communications data including flow matches between applications and hosts over a time period; (C) generating the network communication model based on the training, wherein the network communication model defines whether an application and host can communicate to other hosts on the network in a particular host segment of a plurality of hosts segments each including a plurality of hosts in the network by adding new policies to the network communication model or adding a new host segment to an existing host segment based on the other hosts; (D) generating, based on the observed communications data, hypothetical communications data representing a plurality of hypothetical communications that is distinct from the plurality of observed communications, wherein the hypothetical communications include new flow matches which do not exist in the observed data in the network communication model; and (E) predicting via the trained network communication model allowed data representing a plurality of allowed network communications, including at least some of the plurality of observed communications and at least some of the plurality of hypothetical communications, that are allowed by the network communication model; (F) identifying positive data representing a plurality of network communications that should be allowed by the network communication model; (G) calculating an accuracy of the network communication model based on the allowed data and the positive data; and (H) alerting a user to update policies of the network communication model based on the accuracy and provide the network communication model to any of plurality of hosts on the network for communication thereon. All of the steps recited in each of the claims are required to be executed and all of the limitations in each of the claims are given patentable weight. The present invention distinguishes over the art of record in that none of the art of record discloses, individually or in reasonable combination, the recited limitations in the independent claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUHAMMAD RAZA whose telephone number is (571)272-7734. The examiner can normally be reached Monday-Friday, 7:00 A.M.-5:00 P.M.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on (571)272-7304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MUHAMMAD RAZA/Primary Examiner, Art Unit 2449