Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Response to Arguments
Applicant's arguments filed 7/26/2022 have been fully considered, and are persuasive. The previous combination of Parandehgheibi in view of Sanghvi failed to show the newly amended language. In response, a new combination of Parandehgheibi in view of Sanghvi is provided, made further in view of Sharoff (US-20090313625-A1).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 – 7, 9 – 15, and 17 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Parandehgheibi (US-20160359740-A1) in view of Sanghvi (US-20210144159-A1) and Sharoff (US-20090313625-A1).
	Regarding claim 1, Parandehgheibi shows a method of network state labeling, comprising:
	determining a plurality of sets of features comprising a respective set of features ([104-105] listing multiple exemplary features) for each respective network state ([13,21] showing, e.g., flow data represented by feature vectors) of a first subset of a plurality of network states ([108], where network flows are intercepted and processed to create feature vectors that represent the network state, the network state including both active flow and endpoint (node) information);
	identifying a group of network states based on similarities among the plurality of sets of features ([110-111] where feature vectors are compared to determine applicable cluster membership);
	receiving label data from a user comprising an input label for the group of network states ([89] discussing where an “administrator or user can manually label nodes” and [98], where a user can edit clusters, and a node can be moved between clusters or its membership in a cluster be changed utilizing);
	associating the input label with each network state of the group of network states to produce a training data set ([89], where the manual labeling is done to “create the training data” and Fig. 4, where previous clustering information is used as an input to each iteration of the classification algorithm; note [74-75] describe “flow vectors” and “feature vectors” being used as input into the training and refinement process of Fig. 4);
	training a model using the training data set ([80,89] where developed models/training data are used to make predictions using input feature vectors and labels); and
	determining a label for a given network state of the plurality of network states by inputting features of the given network state to the model ([45,80,111]), wherein the given network state is not a member of the subset of the plurality of network states ([111] where “future flows” and “subsequent similar flows” are classified based on the “machine learning” process discussed in [89] and shown in Fig. 4).
	Parandehgheibi, while showing labeling and management of network states, does not show the above functionality applied to workloads,
	wherein each given workload of a plurality of workloads comprises a virtual computing instance (VCU), and wherein the respective set of features for each respective workload of the subset of the plurality of workloads comprises one or more of:
	a number of connections between the respective workload and a particular port, or
	a number of local or remote processes for the respective workload.
	Sanghvi shows labeling and management of workloads ([32,34]; note [38] provides additional disclosure regarding the utility of administrators being able to manually input the workload labels),
	wherein each given workload of a plurality of workloads comprises a virtual computing instance (VCU) running a process ([14] discussing virtual machine running multiple workloads, each workload comprising an application or process), and wherein the respective set of features for each respective workload of the subset of the plurality of workloads comprises one or more of:
	a number of connections between the respective workload and a particular port ([36] discussing detection of “if a workload 138 receives an abnormal number of UDP flows one a particular port” that such traffic may be labelled “with an indicator associated with an attack pattern”), or
	a number of local or remote processes for the respective workload.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the network security and analysis teachings of Parandehgheibi with the application analysis and workload labelling and grouping of Sanghvi in order to enable associating network states with the applications associated with those states, enabling a clearer picture of the source of particular network states as well as preemptive policy application when a particular application is encountered.
	Parandehgheibi in view of Sanghvi do not show where the workload comprises running a plurality of processes.
	Sharoff shows where the workload comprises running a plurality of processes ([19-23,33] discussing workloads, such as computer programs, which comprise multiple processes [19-23]).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the network security and analysis teachings of Parandehgheibi in view of Sharoff with the workload monitoring and management techniques of Sharoff in order to improve the capabilities and granularity of the management and monitoring operations (Sharoff, [33]).
	Regarding claim 2, Parandehgheibi in view of Sanghvi and Sharoff further show wherein the respective set of features for each respective workload of the subset of the plurality of workloads comprises one or more of:
	the respective workload does or does not listen on a given port; the respective workload does or does not connect to a given port (Parandehgheibi, [41], see “destination port”);
	the respective workload does or does not run a given local process; the respective workload does or does not connect to a given remote process (Parandehgheibi, [43,104] discussing process attributes).
	Regarding claim 3, Parandehgheibi in view of Sanghvi and Sharoff further show wherein identifying the group of workloads based on similarities among the plurality of sets of features comprises calculating cosine similarity among the plurality of sets of features (Parandehgheibi, [110]).
	Regarding claim 4, Parandehgheibi in view of Sanghvi and Sharoff further show wherein the label data from the user is received via a user interface in response to displaying a subset of features of workloads in the group of workloads in the user interface (Parandehgheibi, [98,111]).
	Regarding claim 5, Parandehgheibi in view of Sanghvi and Sharoff further show receiving input from the user indicating that a certain workload should be removed (Parandehgheibi, [98] and Sanghvi, [41]) from the group of workloads (Sanghvi, [21], Table 2).
	Regarding claim 6, Parandehgheibi in view of Sanghvi and Sharoff further show wherein the model comprises a classification model, a tree-based model (Parandehgheibi, [81,84]), or a linear regression model.
	Regarding claim 7, Parandehgheibi in view of Sanghvi and Sharoff further show performing an action with respect to the given workload based on the label for the given workload, wherein the action comprises one or more of:
	adding the given workload to a security group;
	applying a security policy to the given workload (Parandehgheibi, [73] and Sanghvi, [16,19]);
	performing network segregation involving the given workload;
	performing intrusion detection or prevention for the given workload; or
	generating a visualization including the given workload (Sanghvi, [23,42]).
	Regarding claims 9 and 17, the limitations of said claims are addressed in the analysis of claim 1.
	Regarding claims 10 and 18, the limitations of said claims are addressed in the analysis of claim 2.
	Regarding claims 11 and 19, the limitations of said claims are addressed in the analysis of claim 3.
	Regarding claims 12 and 20, the limitations of said claims are addressed in the analysis of claim 4.
	Regarding claim 13, the limitations of said claim are addressed in the analysis of claim 5.
	Regarding claim 14, the limitations of said claim are addressed in the analysis of claim 6.
	Regarding claim 15, the limitations of said claim are addressed in the analysis of claim 7.

Claims 8 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Parandehgheibi in view of Sanghvi and Sharoff as applied to claim 1 above, and further in view of Kirner (US-20210084074-A1).
	Regarding claim 8, Parandehgheibi in view of Sanghvi and Sharoff show claim 1, including discussion of the utility of dynamically updating the classification model utilized (Parandehgheibi, Fig. 4 and Sanghvi, [39-40]).
	Parandehgheibi in view of Sanghvi and Sharoff, however, do not explicitly show where this updating corresponds to re-training the model based on the label for the given workload.
	Kirner shows re-training the model based on the label for the given workload ([54]).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the network security and analysis teachings of Parandehgheibi in view of Sanghvi and Sharoff with the re-training of Kirner in order to maintain accurate classifications (Kirner, [54]).
	Regarding claim 16, the limitations of said claim are addressed in the analysis of claim 8.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. This includes:
	Watts (English translation of ES-2700535-A1. (Year: 2019)) and
	Yang (YANG JIAN. English translation of CN 209491843 A. (Year: 2019)).




Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN M MACILWINEN whose telephone number is (571)272-9686. The examiner can normally be reached Monday - Friday, 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, WILLIAM TROST can be reached on (571)272-7872. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

JOHN MACILWINEN
Primary Examiner
Art Unit 2442



/JOHN M MACILWINEN/Primary Examiner, Art Unit 2442