Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 7/26/22 has been entered.
 
Response to Amendment
Applicant’s arguments with respect to claim(s) 1-18 have been considered but are moot because of the new ground of rejection. The applied art was used, but in a new ground of rejection. All arguments have been addressed below or in the body of the rejection.
 In re pg. 11-12 applicant argues Papamartzivanos fails to remedy these deficiencies. For example, Papamartzivanos describes an “intrusion detection” system with “[a]lgorithms [] used in order to create a decision tree based on training instances and then their classification ability is measured during a testing period on previously unseen data” at paragraph 33. However, the process does not appear to include the recited features in claim 1, because the single training instance attempts to account for each of the intrusions the “network traffic data.”
In response, a new ground of rejection has been applied, which outlines how Papamartzivanos discloses the claimed invention.
Claim Objections
Claims 1-3, 5-7 are objected to because of the following informalities: Claim 1 specifies wherein unseen data comprises data having an attribute not seen by the initial data. It is not clear how data is not seen by data. Applicant may mean data not seen by classifiers. Appropriate correction is required.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5-12, 14-22 are rejected under 35 U.S.C. 103 as being unpatentable over Papamartzivanos (US 2017/0339187) in view of Patel (US 2018/0082172).
Papamartzivanos discloses:
1. (Currently Amended) A method, comprising: 
initiating a training phase of a plurality of classifiers (trees, “a decision tree classification model is shown which is used to meet the premise of the interpretability of the generated rules, in combination with evolutionary techniques in an effort to increase the accuracy of the detection rules generated upon the classification model. More specifically, a genetic evolutionary approach is applied on a population of decision trees aiming to result to an accurate classification model”, 0032) on an initial data set (reads on initiating decision trees or decision tree classifiers, “detection rules generation engine includes an initial population creation subsystem configured to receive filtered network traffic instances from a network tap and to build an initial population of decision trees having nodes which are sorted”, abstract; “the initial decision trees can be of one class only.”, 0055) comprising data portions, wherein the training phase trains the plurality of classifiers in classifying the initial data set comprising the data portions into categories (“Algorithms are used in order to create a decision tree based on training instances and then their classification ability is measured during a testing period on previously unseen data”, 0033); 
initially classifying, by a controller, a second data set comprising the data portions based on the plurality of classifiers generated by inputting the second data set into a supervised machine learning (“Decision trees are a classification model supporting decision making in the context of machine learning.”, 0033) mechanism that maps the second data set to the plurality of classifiers during the initial classification (new and/or unseen data is input; “Algorithms are used in order to create a decision tree based on training instances and then their classification ability is measured during a testing period on previously unseen data”, 0033); 
based on the initial classification, determining, by the controller, a portion of the second data set comprises unseen data that fails to correspond with at least one of the plurality of classifiers (new/unseen previously data are input to classify and determine if network data is e.g., malicious, “Using the filtered traffic 19 as output from the network filter engine 18, a detection rules generation engine 22 generates and/or modifies detection rules and stores the rules in a detection rules database 24. The detection rules are used by a detection engine 20 on the network traffic. ”, 0024), 
wherein unseen data comprises data having an attribute not seen by the initial data set prior to inputting the second data set into the supervised machine learning mechanism (new/unseen previously data are input to classify and determine if network data is e.g., malicious, “Using the filtered traffic 19 as output from the network filter engine 18, a detection rules generation engine 22 generates and/or modifies detection rules and stores the rules in a detection rules database 24. The detection rules are used by a detection engine 20 on the network traffic. ”, 0024-0026); 
using a decision tree associated with the supervised (see Patel) machine learning (“Decision trees are a classification model supporting decision making in the context of machine learning”, 0033) mechanism, creating an unknown classification rule that is not included with the plurality of classifiers (creating new rules, rules to classify new data reads on classification decision trees evolving, “a detection rules generation engine 22 generates and/or modifies detection rules and stores the rules in a detection rules database”, 0024-0026;
“the decision trees can only be able to classify instances of one class and their node's conditions are always true (see FIG. 4 showing that the decision trees of the initial population are not branched at all). The decision trees will gradually evolve”, 0034); 
classifying the unseen data using the unknown classification rule that is not included in the plurality of classifiers (creating new rules, rules to classify new data reads on classification decision trees evolving, “ the decision trees can only be able to classify instances of one class and their node's conditions are always true (see FIG. 4 showing that the decision trees of the initial population are not branched at all). The decision trees will gradually evolve”, 0034); 
adding, by the controller, the unknown classification rule to the plurality of classifiers (Rules are generated and added as decision trees are evolved, “Using the filtered traffic 19 as output from the network filter engine 18, a detection rules generation engine 22 generates and/or modifies detection rules and stores the rules in a detection rules database 24. The detection rules are used by a detection engine 20 on the network traffic.”, 0024;
“the present invention uses decision trees in order to create classification rules capable of accurately categorizing the network traffic flowing through the IDPS 10. To build the optimal decision trees for a given network traffic dataset, an embodiment of the present invention utilizes evolutionary techniques. A combination of decision trees and genetic algorithms are applied in a novel and inventive manner to achieve an optimal solution for generating and constantly updating and evolving detection rules.”, 0026;
“A detection rules generation engine includes an initial population creation subsystem configured to receive filtered network traffic instances from a network tap and to build an initial population of decision trees having nodes which are sorted ”, abstract); and 
when a new piece of data is received, subsequently classifying, by the controller, the new received piece of data with the second classification based on the additional plurality of classifiers including the unknown classification rule (new/unseen previously data are input to classify and determine if new/unseen network data is e.g., malicious, “Using the filtered traffic 19 as output from the network filter engine 18, a detection rules generation engine 22 generates and/or modifies detection rules and stores the rules in a detection rules database 24. The detection rules are used by a detection engine 20 on the network traffic. ”, 0024).
Papamartzivanos discloses machine learning but fails to indicate that ML involves training or whether it is supervised, so Papamartzivanos fails to disclose supervised and training.
Patel teaches supervised learning is well-known (“the theory presented here makes a clear prediction that for a DCN, supervised learning of task targets will lead inevitably to unsupervised learning of latent task nuisance variables”, 0148) and training (“This Mutual Information-based Classifier (MIC) plays the same role as the Softmax regression layer in DCNs, predicting the class labels c given a good disentangled representation τ.sup.l* of the input I. In order to train the MIC classifier, we update the classifier parameters θ.sub.MIC in each M-step as the solution to the optimization”, 0169).
It would have been obvious to combine the references before the effective filing date because they are in the same field of endeavor, machine learning, which allows training and supervision and includes allowing human interaction to increase the accuracy (0037) and/or ability of the classifiers.

2. (Currently Amended) The method of claim 1, further comprising classifying the new piece of data as a known piece of data based on the plurality of classifiers including the additional unknown classification rule (new/unseen previously data are input into the plurality of decision tree classifiers to classify and determine if new/unseen network data is e.g., malicious, “Using the filtered traffic 19 as output from the network filter engine 18, a detection rules generation engine 22 generates and/or modifies detection rules and stores the rules in a detection rules database 24. The detection rules are used by a detection engine 20 on the network traffic. ”, 0024).

3. (Currently Amended) The method of claim 1, further comprising classifying the new piece of data as an unknown piece of data based on the plurality of classifiers including the unknown classification rule (new/unseen previously data are input into the plurality of decision tree classifiers to classify and determine if new/unseen network data is e.g., malicious, “Using the filtered traffic 19 as output from the network filter engine 18, a detection rules generation engine 22 generates and/or modifies detection rules and stores the rules in a detection rules database 24. The detection rules are used by a detection engine 20 on the network traffic. ”, 0024).

5. (Currently Amended) The method of claim 1, wherein classifying the second data set comprises classifying network traffic data sets generated by applications (not further defined, reads on an traffic generator) in the network. (network data as first, second or continuous can be generated by application on the Internet Fig. 1 or internal networks, new/unseen previously data are input into the plurality of decision tree classifiers to classify and determine if new/unseen network data is e.g., malicious, “Using the filtered traffic 19 as output from the network filter engine 18, a detection rules generation engine 22 generates and/or modifies detection rules and stores the rules in a detection rules database 24. The detection rules are used by a detection engine 20 on the network traffic. ”, 0024).

6. (Currently Amended) The method of claim 1, wherein generating the additional unknown classification rule comprises separating attributes of the data set into seen and unseen data subsequent to classification of the second data set (rules are constantly being generated as needed; known data is classified by existing rules, unknown data is classified by generating new rules, “capable of accurately classifying network traffic which is 1) multi-classed, 2) multi-featured”, 0031; network traffic can be classified as safe or unsafe, 0004 known or unknown, data that warrants an alert/countermeasure or not, Fig. 1).

7. (Currently Amended) The method of claim 1, further comprising determining the portion of the classified data set comprises unseen data, generating the unknown classification rule, adding the unknown classification rule, and classifying the new received piece of data subsequent to classifying the data set (rules are constantly being generated so new data can be classified; known data is classified by existing rules, unknown data is classified by generating new rules, “capable of accurately classifying network traffic which is 1) multi-classed, 2) multi-featured”, 0031; network traffic can be classified as safe or unsafe, known or unknown, data that warrants an alert/countermeasure or not, Fig. 1;
“Using the filtered traffic 19 as output from the network filter engine 18, a detection rules generation engine 22 generates and/or modifies detection rules and stores the rules in a detection rules database 24. The detection rules are used by a detection engine 20 on the network traffic.”, 0024-0026).

8, 15. (Currently Amended) A network device comprising a processor in communication with a memory resource including instructions executable by the processor to:
initiate a training phase of a plurality of classifiers on an initial data set comprising data portions, wherein the training phase trains the plurality of classifiers in classifying the initial data set comprising the data portions into categories (using machine learning decision tree classifiers, “a decision tree classification model is shown which is used to meet the premise of the interpretability of the generated rules, in combination with evolutionary techniques in an effort to increase the accuracy of the detection rules generated upon the classification model. More specifically, a genetic evolutionary approach is applied on a population of decision trees aiming to result to an accurate classification model”, 0032);
receive a network traffic data set having a plurality of attributes and the network traffic data set being different than the initial data set (0024);
initially classify the network traffic data set based on a plurality of classifiers generated by inputting the network traffic data set into a supervised (see Patel) machine learning mechanism (new and/or unseen data is input; “Algorithms are used in order to create a decision tree based on training instances and then their classification ability is measured during a testing period on previously unseen data”, 0033);
subsequent to and based on the initial classification, determine a portion of the network traffic data set having unseen network traffic data that fails to correspond with at least one of the plurality of classifiers (new/unseen previously data are input to classify and determine if network data is e.g., malicious, “Using the filtered traffic 19 as output from the network filter engine 18, a detection rules generation engine 22 generates and/or modifies detection rules and stores the rules in a detection rules database 24. The detection rules are used by a detection engine 20 on the network traffic. ”, 0024);
using a decision tree associated with the supervised machine learning (“Decision trees are a classification model supporting decision making in the context of machine learning.”, 0033) mechanism, create an unknown classification rule that is not included with the plurality of classifiers; (creating new rules, rules to classify new data reads on classification decision trees evolving, “a detection rules generation engine 22 generates and/or modifies detection rules and stores the rules in a detection rules database”, 0024-0026;
“the decision trees can only be able to classify instances of one class and their node's conditions are always true (see FIG. 4 showing that the decision trees of the initial population are not branched at all). The decision trees will gradually evolve”, 0034)
classify the unseen network traffic data using the unknown classification rule that is not included in the plurality of classifiers; (creating new rules, rules to classify new data reads on classification decision trees evolving, “a detection rules generation engine 22 generates and/or modifies detection rules and stores the rules in a detection rules database”, 0024-0026;
“the decision trees can only be able to classify instances of one class and their node's conditions are always true (see FIG. 4 showing that the decision trees of the initial population are not branched at all). The decision trees will gradually evolve”, 0034)
generate an updated supervised machine learning mechanism using the plurality of classifiers and the additional unknown classification rule (creating new rules, rules to update the decision tree classifiers and classify new data reads on classification decision trees evolving, “a detection rules generation engine 22 generates and/or modifies detection rules and stores the rules in a detection rules database”, 0024-0026;
“the decision trees can only be able to classify instances of one class and their node's conditions are always true (see FIG. 4 showing that the decision trees of the initial population are not branched at all). The decision trees will gradually evolve”, 0034); and
when a new piece of network traffic data is received, subsequently classify the new piece of network traffic data of the unseen network traffic data as unknown based on the updated supervised machine learning mechanism including the unknown classification rule. (new/unseen previously data are input to classify and determine if new/unseen network data is e.g., malicious, Fig. 1; “Using the filtered traffic 19 as output from the network filter engine 18, a detection rules generation engine 22 generates and/or modifies detection rules and stores the rules in a detection rules database 24. The detection rules are used by a detection engine 20 on the network traffic. ”, 0024).
Papamartzivanos discloses machine learning (0033) but fails to indicate that ML involves training or whether it is supervised, so Papamartzivanos fails to disclose supervised and training.
Patel teaches supervised learning is well-known (“the theory presented here makes a clear prediction that for a DCN, supervised learning of task targets will lead inevitably to unsupervised learning of latent task nuisance variables”, 0148) and training (“This Mutual Information-based Classifier (MIC) plays the same role as the Softmax regression layer in DCNs, predicting the class labels c given a good disentangled representation τ.sup.l* of the input I. In order to train the MIC classifier, we update the classifier parameters θ.sub.MIC in each M-step as the solution to the optimization”, 0169).
It would have been obvious to combine the references before the effective filing date because they are in the same field of endeavor, machine learning, which allows training and supervision and includes allowing human interaction to increase the accuracy (0037) and/or ability of the classifiers.

9. (Currently Amended) The network device of claim 8, wherein the instructions are further executable to:
determine the portion of the network traffic data set having unseen network traffic data that fails to correspond with at least one of the plurality of classifiers; and are further executable to determine a range of unseen values (range reads on using multiclass classification techniques, 0031 and thresholds to determine if network traffic is unsafe, 0004; requires an alarm or countermeasures, Fig. 1 or using range of metrics, “ Aspirant classification metrics could be the Accuracy, Mean F-Measure, Average Accuracy, Attack Accuracy, Attack Detection Rate or the False Alarm Rate etc.”, 0037) in the network traffic data set (determining traffic that requires a new rule, an alarm or countermeasures Fig. 1).

10. (Currently Amended) The network device of 9, further comprising wherein the instructions are further executable to:
create a second unknown classification rule based on the range of unseen values (“The evolutionary procedure evolves individuals toward maximizing their fitness. In this way, embodiments of the present invention utilize the combination of decision trees and genetic algorithms to lead to a set of accurate detection rules.”, 0027).

11. (Currently Amended) The network device of claim 8, wherein:
the supervised (Patel: 0148) machine learning (Fig. 1) mechanism is based on the training phase using the initial network traffic data set; and
the unseen network traffic data comprises network traffic not seen during the training phase using the initial network traffic data set (“a detection rules generation engine 22 generates and/or modifies detection rules and stores the rules in a detection rules database”, 0024-0026).

12. (Currently Amended) The network device of claim 8, wherein:
the supervised machine learning mechanism (“Decision trees are a classification model supporting decision making in the context of machine learning.”, 0033) is based on the training (evolving genetic algorithms or Patel: 0169) phase using the initial network traffic data set; and
the instructions are further executable to provide an alert (Fig. 1 and respective disclosure) to retrain (GA evolving) the supervised machine learning mechanism responsive to classification of a threshold number (undefined reads on zero and see using multiclass classification techniques, 0031 and thresholds to determine if network traffic is unsafe, 0004; requires an alarm or countermeasures, Fig. 1 or using range of metrics, “ Aspirant classification metrics could be the Accuracy, Mean F-Measure, Average Accuracy, Attack Accuracy, Attack Detection Rate or the False Alarm Rate etc.”, 0037) of pieces of data as unknown that were classified in association with the unknown classification rule. (rules are constantly being generated as needed; known data is classified by existing rules, unknown data is classified by generating new rules, “capable of accurately classifying network traffic which is 1) multi-classed, 2) multi-featured”, 0031; network traffic can be classified as safe or unsafe, 0004 known or unknown, data that warrants an alert/countermeasure or not, Fig. 1; unseen data, “Algorithms are used in order to create a decision tree based on training instances and then their classification ability is measured during a testing period on previously unseen data”, 0033).

14. (Currently Amended) The network device of claim 8, wherein the instructions are further executable to:
receive a new network traffic data set (receiving data, Fig. 1);
classify a first portion of the new network traffic data set as known responsive to the first portion corresponding to one of the plurality of classifiers (labeling it as safe, known or not requiring an alarm or new rules, Fig. 1 and respective disclosure); and 
classify a second portion of the new network traffic data set as unknown responsive to the second portion corresponding to the unknown classification rule (“Algorithms are used in order to create a decision tree based on training instances and then their classification ability is measured during a testing period on previously unseen data”, 0033; creating new rules, alarms as needed, Fig. 1; 0024-0026).

16. (Currently Amended) The medium of claim 15, wherein the instructions are further executable to:
generate the unknown classification rule are further executable to add the unknown classification rule to the plurality of classifiers such that the plurality of classifiers remains unchanged (reads on evolving/fitting of GA) subsequent to generating the unknown classification rule (“Using the filtered traffic 19 as output from the network filter engine 18, a detection rules generation engine 22 generates and/or modifies detection rules and stores the rules in a detection rules database 24. The detection rules are used by a detection engine 20 on the network traffic. ”, 0024).

17. (Currently Amended) The medium of claim 15, wherein the instructions are further executable to:
provide the alert (Fig. 1) responsive to a threshold amount of the new data set being classified as unknown in association with the unknown classification rule ( “using multiclass classification techniques, 0031 and thresholds to determine if network traffic is unsafe, 0004; requires an alarm or countermeasures, Fig. 1 or using range of metrics, “ Aspirant classification metrics could be the Accuracy, Mean F-Measure, Average Accuracy, Attack Accuracy, Attack Detection Rate or the False Alarm Rate etc.”, 0037).

18. (Previously Presented) The medium of claim 15, wherein the network traffic data set comprises network application protocol data. (inherent Internet protocols, e.g., TCP/IP or LAN protocols, Fig. 1; network data can be generated by applications on the Internet Fig. 1; “the present invention uses decision trees in order to create classification rules capable of accurately categorizing the network traffic”, 0026).

19. (Previously Presented) The medium of claim 15, wherein the network traffic data set comprises network transport protocol data (inherent Internet protocols, e.g., TCP/IP or LAN protocols, Fig. 1; network data can be generated by applications on the Internet Fig. 1; “the present invention uses decision trees in order to create classification rules capable of accurately categorizing the network traffic”, 0026).

20. (Previously Presented) The medium of claim 15, wherein the network traffic data set comprises network user activity data (not further defined, reads on inherent network data from networks such as the Internet, Fig. 1; “the present invention uses decision trees in order to create classification rules capable of accurately categorizing the network traffic”, 0026).

21. (New) The method of claim 1, wherein output of the decision tree associated with the supervised machine learning mechanism comprises the unknown classification rule and a classifier that assigns a classification of the new piece of data as unknown (known and unknown data, Fig. 1 “the present invention uses decision trees in order to create classification rules capable of accurately categorizing the network traffic flowing through the IDPS 10. To build the optimal decision trees for a given network traffic dataset, an embodiment of the present invention utilizes evolutionary techniques. A combination of decision trees and genetic algorithms are applied in a novel and inventive manner to achieve an optimal solution for generating and constantly updating and evolving detection rules.”, 0026).

22. (New) The method of claim 1, wherein output of the decision tree associated with the supervised machine learning mechanism is a binary determination of whether data is classified in a particular group or not (“using multiclass classification techniques, 0031 and thresholds to determine if network traffic is unsafe, 0004; requires an alarm or countermeasures, Fig. 1 or using range of metrics, “ Aspirant classification metrics could be the Accuracy, Mean F-Measure, Average Accuracy, Attack Accuracy, Attack Detection Rate or the False Alarm Rate etc.”, 0037, Fig. 1 “the present invention uses decision trees in order to create classification rules capable of accurately categorizing the network traffic flowing through the IDPS 10. To build the optimal decision trees for a given network traffic dataset, an embodiment of the present invention utilizes evolutionary techniques. A combination of decision trees and genetic algorithms are applied in a novel and inventive manner to achieve an optimal solution for generating and constantly updating and evolving detection rules.”, 0026). 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAVID R VINCENT whose telephone number is (571)272-3080. The examiner can normally be reached ~Mon-Fri 12-8:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexey Shmatov, can be reached on 5712703428. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/DAVID R VINCENT/Primary Examiner, Art Unit 2123