DETAILED ACTION
The office action is a response to an application filed on  November 30,  2020, wherein claims 1-20 are pending and ready for examination.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Objections
Claim 11 is objected to because of the following informalities: Claim 20 is a repetition of claim 10  where claim 10 is dependent  on claim 1.  Appropriate correction is required for claim 20 where it should be a dependent on claim 11 instead of claim 1. 

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “feature extraction engine, inspection engine and inference engine” in claims 1 and 11.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
Claim limitations in this application that use the word “feature extraction engine, inspection engine and inference engine” are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.
Since the claim limitation(s) invokes 35 U.S.C. 112(f) or pre-AlA 35 U.S.C. 112, sixth paragraph, claim(s) 1-20 has/have been interpreted to cover the corresponding structure described in the specification that achieves the claimed function, and equivalents thereof.
A review of the specification shows that the following appears to be the corresponding structure described in the specification for the 35 U.S.C. 112(f) or pre-AlA 35 U.S.C. 112, sixth paragraph limitation:
“feature extraction engine” appears to be corresponding to 810 in Figure 8, [0083] 
“inspection engine” appears to be corresponding to 910 in Figure 9 used in step 815 and
“inference engine” appears to be corresponding to 920 in Figure 9 used in step 820.
If applicant wishes to provide further explanation or dispute the examiner’s interpretation of the corresponding structure, applicant must identify the corresponding structure with reference to the specification by page and line number, and to the drawing, if any, by reference characters in response to this Office action.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
For more information, see MPEP § 2173 et seq. and Supplementary Examination Guidelines for Determining Compliance With 35 U.S.C. 112 and for Treatment of Related Issues in Patent Applications, 76 FR 7162, 7167 (Feb. 9, 2011).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims1, 3, 4, 11, 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Clifton et al. (Clifton hereafter) (US 20150101043 A1) in view of  Reed et al.  (Reed hereafter) (US 20050192992 A1)

Regarding Claim 1,  Clifton teaches, A system for inferring an application name for a data flow at a network appliance, the system comprising:
a feature extraction engine at the network appliance configured to execute instructions by a processor to extract information from a first packet of a data flow received at the network appliance (Clifton; [0041] the session packet analyzer 333 unpacks known transport protocols (e.g., HTTP) for monitored packets and collects application level information. This application level information 335 is used by the application signature detector 340 to detect applications based on application signatures stored in the signature database 342.);
an inspection engine at the network appliance configured to execute instructions by a processor to determine whether the extracted information is indicative of a known application name associated with the data flow (Clifton; [0038] ... any other application level information or identifiers that can be collected from packet flows between communicating network entities, the user can be displayed more meaningful and user-friendly information, such as "[DEVICE TYPE]::[OS TYPE]::[APPLICATION NAME]"); and
an inference engine at the network appliance configured to execute instructions by a processor to infer an application name for the first packet based on the extracted information (Clifton; [0035] The application detector 340 compares the extracted information 360, including the application level information 35, with signatures stored in a signature database 342 to detect known applications)
Clifton fails to explicitly teach, the inference engine further configured to communicate with a plurality of data structures comprising key strings  and associated predicted application names, the plurality of data structures further including information extracted from data packets of another flow commencing before the data flow, wherein the plurality of data structures is built or updated to influence a learning algorithm for future inferences.
However, in the same field of endeavor Reed teaches, the inference engine further configured to communicate with a plurality of data structures (data such as email, messages, documents, audio, graphics) comprising key strings (binary indicator, a gray scale value, a percentage, confidence level) and associated predicted application names (The intent-determining component 210 can employ various techniques to determine an associated intent of the data) (Reed; [0032] The intent-determining component 210 can employ various techniques to determine an associated intent of the data), the plurality of data structures further including information extracted from data packets of another flow commencing before the data flow, wherein the plurality of data structures is built or updated to influence a learning algorithm (can categorize the data based on... inferences, rules, demarcations) for future inferences (Reed; [0030-0031] ... The intent determining component 210 can receive data such as email, messages, documents, audio, graphics, etc. Such data can be provided as one or more data bursts, a data stream, and a plurality of data packets, [0032] The intent-determining component 210 can employ various techniques to determine an associated intent of the data... can categorize the data based on metadata, location within the data, content, context, keywords, history, heuristics, inferences, rules, demarcations, etc. [0033] ...the intent can be provided as a binary indicator, a gray scale value, a percentage, confidence level, and/or a probability,... the decision-making component 230 can utilize a threshold to compare with the intent. The threshold can be user defined, default and/or automatically set based on past user responses. In addition, the threshold can be manually and/or automatically adjusted in real-time (dynamically) to adapt to various users and/or circumstances. Moreover, the threshold can be set based on inferences, predictions, probabilities, etc. [0034] ... the data, the intent and/or any associated information can be conveyed to the action-engine 240).
It would have been obvious to one of ordinary skilled in the art before the effective filing date to create the invention of Clifton to include the above recited limitations as taught by Reed in order to perform some action (Reed; [0032]).

Regarding Claim 11,  Clifton teaches, A system for inferring an application tag for a first packet  flow at a network appliance, the system comprising:
a feature extraction engine at the network appliance configured to execute instructions by a processor to extract information from a first packet of a data flow received at the network appliance (Clifton; [0041] the session packet analyzer 333 unpacks known transport protocols (e.g., HTTP) for monitored packets and collects application level information. This application level information 335 is used by the application signature detector 340 to detect applications based on application signatures stored in the signature database 342.);
an inspection engine at the network appliance configured to execute instructions by a processor to determine whether the extracted information is indicative of a known application tag associated with the data flow (Clifton; [0038] ... any other application level information or identifiers that can be collected from packet flows between communicating network entities, the user can be displayed more meaningful and user-friendly information, such as "[DEVICE TYPE]::[OS TYPE]::[APPLICATION NAME]"); and infer
an inference engine at the network appliance configured to execute instructions by a processor to infer an application tag for the first packet based on the extracted information (Clifton; [0035] The application detector 340 compares the extracted information 360, including the application level information 35, with signatures stored in a signature database 342 to detect known applications)
Clifton fails to explicitly teach, the inference engine further configured to communicate with a plurality of data structures comprising key strings  and associated predicted application tags, the plurality of data structures further including information extracted from data packets of another flow commencing before the data flow, wherein the plurality of data structures is built or updated to influence a learning algorithm for future inferences.
However, in the same field of endeavor Reed teaches, the inference engine further configured to communicate with a plurality of data structures (data such as email, messages, documents, audio, graphics) comprising key strings (binary indicator, a gray scale value, a percentage, confidence level) and associated predicted application names ([0032] The intent-determining component 210 can employ various techniques to determine an associated intent of the data), the plurality of data structures further including information extracted from data packets of another flow commencing before the data flow, wherein the plurality of data structures is built or updated to influence a learning algorithm (. can categorize the data based on metadata, location within the data, content, context, keywords, history, heuristics, inferences, rules, demarcations) for future inferences (Reed; [0030-0031] ... The intent determining component 210 can receive data such as email, messages, documents, audio, graphics, etc. Such data can be provided as one or more data bursts, a data stream, and a plurality of data packets, [0032] The intent-determining component 210 can employ various techniques to determine an associated intent of the data... can categorize the data based on metadata, location within the data, content, context, keywords, history, heuristics, inferences, rules, demarcations, etc. [0033] ...the intent can be provided as a binary indicator, a gray scale value, a percentage, confidence level, and/or a probability,... the decision-making component 230 can utilize a threshold to compare with the intent. The threshold can be user defined, default and/or automatically set based on past user responses. In addition, the threshold can be manually and/or automatically adjusted in real-time (dynamically) to adapt to various users and/or circumstances. Moreover, the threshold can be set based on inferences, predictions, probabilities, etc. [0034] ... the data, the intent and/or any associated information can be conveyed to the action-engine 240).
It would have been obvious to one of ordinary skilled in the art before the effective filing date to create the invention of Clifton to include the above recited limitations as taught by Reed in order to perform some action (Reed; [0032]).

Regarding Claim 3 and 13,  Clifton-Reed teaches, The claim 1 and 11, 
Clifton teaches, wherein the extracted information from the first packet comprises at least one of a source IP address, a destination IP address, source port, destination port, and a protocol (Clifton; [0034] ... the extracted application level information 335 includes application level information that is obtained by unpacking encapsulations for protocols and tunneled protocols ...[0038] ...a combination of extracted information such as port(s), domain names).

Regarding Claim 4 and 14,  Clifton-Reed teaches, The claim 1 and 11, 
Clifton teaches, wherein at least one of the plurality of data structures further comprises one or more application tags associated with the predicted application name and key string (Clifton; [0042] ... In block 408, a determination is then made whether or not the extracted information matches an application signature already stored in the signature database 342 as a known application 341 or a previously generated dynamic signature 343. If a match is found and the determination is "YES" in block 408, flow passes to block 420 where policy settings for the detected application are applied to control the communication session).

Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Clifton-Reed in view of  Tusch (Tusch hereafter) (US 20180018508 A1).

Regarding Claim 2 and 12,  Clifton-Reed teaches,  The claim 1 and 11, 
Clifton-Reed fails to explicitly teach, wherein the inference engine is further configured to infer the application name for the first packet by using a learning algorithm of a neural network.
However, in the same field of endeavor Tusch teaches, wherein the inference engine is further configured to infer the application name for the first packet by using a learning algorithm of a neural network. (Tusch; [0134] The engine can infer or describe a person's behaviour or intent by analyzing one or more of the trajectory, pose, gesture, identity of that person. [0135] The engine performs real-time Virtualisation of the scene, extracting objects from the scene and grouping their virtualized representations together. [0136] The engine applies feature extraction and classification to find objects of known characteristics in each video frame or applies a convolutional or recurrent neural network or another object detection algorithm to do so ).
It would have been obvious to one of ordinary skilled in the art before the effective filing date to create the invention of Clifton-Reed to include the above recited limitations as taught by Tusch in order to find objects of known characteristics in each video frame (Tusch; [0136]).

Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Clifton-Reed in view of  Arini et al. (Arini hereafter) (US 20160050456 A1).

Regarding Claim 5 and 15,  Clifton-Reed teaches, The claim 1 and 11, 
Clifton-Reed fails to explicitly teach, wherein a node of a data structure of the plurality of data structure comprises a total count for a key string, associated application name, and success count for the inferred application name for the key string.
However, in the same field of endeavor Arini teaches, wherein a node of a data structure of the plurality of data structure comprises a total count for a key string, associated application name, and success count for the inferred application name for the key string (Arini; [0029] ...the inference engine 110 may compare signatures by identifying an intersection of regions or distance between points. In one implementation, region intersection size may be compared to a threshold to determine a match, such that an intersection region above a predetermined volume represents a match between signatures. In another implementation, the distance between points may be compared to a threshold to determine a match, such that a distance of less than a predetermined threshold represents a match. In other implementations, each signature may comprise a binary string with each digit representing a parameter, and the signatures may be compared via a logical biconditional).
It would have been obvious to one of ordinary skilled in the art before the effective filing date to create the invention of Clifton-Reed to include the above recited limitations as taught by Arini in order to determine a degree of matching (Arini; [0029]).

Claims 6, 7, 16 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Clifton-Reed in view of  Engel et al. (Engel hereafter) (US 20160234167 A1).

Regarding Claim 6 and 16,  Clifton-Reed teaches,  The claim 1 and 11, 
Clifton-Reed fails to explicitly teach, wherein the inspection engine is further configured to determine whether the extracted information is indicative of a known application name with a predetermined level of confidence.
However, in the same field of endeavor Engel teaches, wherein the inspection engine is further configured to determine whether the extracted information is indicative of a known application name with a predetermined level of confidence (Engel; [0127] ...CPU 810 applies deep packet inspection (DPI) to the DHCP request in order to parse the DHCP payload and thus extract the MAC address and hostname, at an identifier extraction step 905. Server can use these parameters in creating a record in table 850 that associates the MAC address with the hostname, as well as listing the method (DHCP) and time of acquisition and a confidence value).
It would have been obvious to one of ordinary skilled in the art before the effective filing date to create the invention of Clifton-Reed to include the above recited limitations as taught by Engel in order to detect anomaly action (Engel; [0098]).

Regarding Claim 7 and 17,  Clifton-Reed-Engel teaches, The claim 6 and 16, 
Clifton-Reed fails to explicitly teach, wherein the predetermined level of confidence is variable, based on at least one of: source IP address, destination IP address, source port, destination port, protocol, application name.
However, in the same field of endeavor Engel teaches, wherein the predetermined level of confidence is variable, based on at least one of: source IP address, destination IP address, source port, destination port, protocol, application name (Engel; [0137] CPU 810 evaluates the confidence level of the new record, at a confidence assessment step 925. The confidence level depends, inter alia, on the method of acquisition of the information, such as the protocol from which the identity information was derived. For example: [0138] Protocols managed centrally by a server, such as DHCP, receive a higher confidence score than peer-to-peer protocols).
It would have been obvious to one of ordinary skilled in the art before the effective filing date to create the invention of Clifton-Reed to include the above recited limitations as taught by Engel in order to detect Anomaly action (Engel; [0098]).

Claims 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Clifton-Reed in view of  Mayya et. al. (Mayya hereafter) (US 20170126564 A1).

Regarding Claim 8 and 18,  Clifton-Reed teaches, The claim 1 and 11, 
Clifton-Reed fails to explicitly teach, wherein the inspection engine is further configured to track information regarding an application name and at least one of an associated source IP address, destination IP address, IP source port, and IP destination port.
However, in the same field of endeavor Mayya teaches wherein the inspection engine is further configured to track information regarding an application name and at least one of an associated source IP address, destination IP address, IP source port, and IP destination port (Mayya; [0068] ... When the DPI engine fails to identify the application, the network stack can utilize statistical parameters (e.g. packet arrival rate, throughput) and heuristics (e.g. User Datagram Protocol (UDP) can be used by real-time applications) to identify the right set of technologies to provide the best performance).
{ UDP uses a simple connectionless communication model with a minimum of protocol mechanisms. UDP provides checksums for data integrity, and port numbers for addressing different functions at the source and destination of the datagram.}
It would have been obvious to one of ordinary skilled in the art before the effective filing date to create the invention of Clifton-Reed to include the above recited limitations as taught by Mayya in order to  enable determination of an application (Mayya; [0069]).

Claims 9 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Clifton-Reed in view of  Perkins (Perkins hereafter) (US 20110182183 A1).

Regarding Claim 9 and 19,  Clifton-Reed-Mayya teaches, The claim 8 and 18, 
Clifton-Reed fails to explicitly teach, wherein the tracked information is utilized to determine a confidence level for an inferred application name associated with the at least one source IP address, destination IP address, IP source port, and IP destination port.
However, in the same field of endeavor Perkins teaches wherein the tracked information is utilized to determine a confidence level for an inferred application name associated with the at least one source IP address, destination IP address, IP source port, and IP destination port (Perkins; [0025] ...network-based applications exchange data, which can in some way be used to characterize or identify the recipient. For instance, applications often negotiate a unique resource identifier,... the association between the resource identifier and the destination may be far less transparent than the association between the destination and the IP address assigned to the destination.).
It would have been obvious to one of ordinary skilled in the art before the effective filing date to create the invention of Clifton-Reed-Mayya to include the above recited limitations as taught by Perkins in order to characterize or identify the recipient (Perkins; [0025]).

Claims 10 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Clifton-Reed in view of  Liu et al. (Liu hereafter) (US 20190036908 A1).

Regarding Claim 10 and 20,  Clifton-Reed teaches, The claim 1, 
Clifton-Reed fails to explicitly teach, wherein the first packet is a TCP SYN packet
However, in the same field of endeavor Liu teaches wherein the first packet is a TCP SYN packet (Liu; [0149] ... the client 1415 and edge node device 310-d may perform a TCP
 synchronization procedure in which the client 1415 transmits a synchronization (SYNC) signal to the edge node device 310-d (at 1420), and the edge node device 310-d transmits a SYNC signal to the client).
It would have been obvious to one of ordinary skilled in the art before the effective filing date to create the invention of Clifton-Reed to include the above recited limitations as taught by Liu in order to perform a TLS handshake (Liu; [0150]).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILFRED THOMAS whose telephone number is (571)270-0353. The examiner can normally be reached Mon -Thurs 9:00 am-4:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Noel R Beharry can be reached on 571-270-5630. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/W.T/             Examiner, Art Unit 2416                  

/NOEL R BEHARRY/             Supervisory Patent Examiner, Art Unit 2416