DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims Status
Claims 1–20 are pending in this application.
Claims 1–20 are rejected.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 9/10/2020 and 2/8/2022 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1–5, 7–13, and 15–20 are rejected under 35 U.S.C. § 102 (a)(1) as being anticipated by Vejman et al. (2020/0236131).
Regarding claims 1, 9, and 16, Vejman anticipates A device comprising:
processing circuitry; a memory including instructions that when executed by the processing circuitry cause the processing circuitry to perform operations (Fig. 1B-2; ¶29, device 200 in a form of, for example, PE routers 120 or CE routers 110 or any other nodes as shown), the operations comprising:
receiving sampled network metadata of a packet transmitted via a computer network (Fig. 2; ¶35, the encrypted traffic analysis process 248 can receive training data including sample telemetry data that is "normal" or "malware-generated" regarding the encrypted traffic that is passing through the device; ¶38, encrypted traffic analysis process 248 can also assess "captured telemetry data" as part of its classification process);
providing the sampled network metadata to a neural network (NN) trained on labeled sampled network metadata (Fig. 2; ¶35, trained sample telemetry data can be used for machine learning classifications; Figs. 6A and 6B; ¶58, the learning techniques include feeding data using neural network methods; see also ¶¶59-64); and
providing, based on only the sampled network metadata, a classification for the sampled network metadata via the trained neural network (¶¶63-64, through neural network methods, parameters can be learned via training and classification of the gathered telemetry data for detecting particular anomalous behaviors can be conducted [see ¶¶33-34]; ¶35, though the system can use training data via the supervised learning models or semi-supervised learning models, unsupervised model usage within the system is also disclosed).

Regarding claims 2, 10, and 17, Vejman anticipates the limitations of claims 1, 9, and 16. Vejman further anticipates wherein the NN is trained further based on contents of the packet and the label is an actual classification associated with the contents of the packet and associated sampled network metadata (¶35, contents of the encrypted data can be gleaned into for packet classification purposes; particular labels can be applied such as "normal" or "malware-generated" or other labels disclosed throughout the reference).

Regarding claims 3, 11, and 18, Vejman anticipates the limitations of claims 2, 10, and 17. Vejman further anticipates wherein the actual classification is determined using deep packet inspection (¶41).

Regarding claims 4, 12, and 19, Vejman anticipates the limitations of claims 2, 10, and 17. Vejman further anticipates wherein the NN is a recurrent NN (¶58; ¶59).

Regarding claims 5, 13, and 20, Vejman anticipates the limitations of claims 4, 12, and 19 respectively. Vejman further anticipates wherein the NN includes a bi-directional long short term memory (LSTM) NN (¶64).

Regarding claims 7 and 15, Vejman anticipates the limitations of claims 1 and 9 respectively. Vejman further anticipates wherein the actual classification includes one of a user authentication, a device authentication, a database query, file transfer, data streaming, or a malicious action (¶35, "malware-generated").

Regarding claim 8, Vejman anticipates the limitations of claim 1. Vejman further anticipates wherein the device is a router, switch, firewall, or client device (Fig. 1B and 2; ¶29).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 6 and 14 are rejected under 35 U.S.C. § 103 as being unpatentable over Vejman et al. (2020/0236131) in view of Shah (8,065,721).
Regarding claims 6 and 14, Vejman anticipates the limitations of claims 1 and 9 respectively. However, Vejman does not anticipate wherein the sampled network metadata is of network traffic provided over layer three of the computer network.
Shah from the same field of endeavor teaches wherein the sampled network metadata is of network traffic provided over layer three of the computer network (col. 1 ll. 20-42, ability to apply deep packet inspection at OSI L3 and above is disclosed).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to improve upon Vejman using Shah to employ well-known method of deep packet inspection at layer 3 level of the OSI model so that previously constructed hardware can perform new functionalities without much modification of hardware specifically for inspection of encrypted data packets for machine learning purposes as disclosed in Vejman.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Bachl et al. ("SparseIDS: Learning Packet Sampling with Reinforcement Learning", June 29, 2020) discloses general state of the art with respect to reinforcement learning using packet sampling methods for identification of packet purposes.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAE KIM whose telephone number is (571)270-0621. The examiner can normally be reached Monday-Friday 8AM-5PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kevin Bates can be reached on (571) 272-3980. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/DAE KIM/
Examiner, Art Unit 2458                                                                                                    
/KEVIN T BATES/             Supervisory Patent Examiner, Art Unit 2458