DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This communication is in response to the application filed on 12/03/2020. Claims 1-21 are currently pending.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/23/2020 was filed before the mailing date of the office action on 09/23/2022.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitations are: “an interface to obtain first telemetry data”, “a rules generator to, using the first telemetry data, generate” and “a model manager to transmit” in claim 1.

Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. 
 If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. (FP 7.30.06) 

 The limitation an interface to obtain first telemetry data in claim 1 invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. 
However, the written description discloses the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function in paragraph 0066 and figure 2 (In operation, any of the interface 202, the telemetry collector 204, the rules generator 206, the model trainer 208, and/or the data store 210 may communicate via an example communication bus 212. The example communication bus 212 may be implemented using any suitable wired and/or wireless communication method and/or apparatus).
 Claim limitation in claim 1 “a rules generator to, using the first telemetry data, generate a global block list” invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
	However, the written description discloses the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function in paragraph 0071 and figure 2 (“The example rules generator 206 of the illustrated example of FIG. 2 is implemented by a logic circuit such as, for example, a hardware processor…”).
Also, the limitation a model manager to transmit the global block list to a gateway in claim 1 invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
However, applicant discloses corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function in paragraph 0077 and figure 3 (“the model manager 108 includes an example interface 302, an example controller 304, an example first data store 306, and an example second data store 308. In operation, any of the interface 302, the controller 304, the first data store 306, and/or the second data store 308 may communicate via an example communication bus 310…”)
Examiner believes that these hardware structures are adequate to perform the claimed functions and as such 112(a) or 112(b) rejections are not invoked in claim 1 and any other related claims.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


Claims 1, 8, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. 20110083176 to MARTYNENKO et al. (hereinafter MARTYNENKO) in view of U.S. 20170343967 to Verma Amit (hereinafter Verma) and further in view of U.S. 20080244074 to Baccas et al. (hereinafter Baccas). 

Regarding claim 1, MARTYNENKO discloses an apparatus comprising: 
an interface to obtain first telemetry data (Stream scanner 230, FIG. 2, ¶0034, wherein System events is interpreted as telemetry data); 
a rules generator to (OS Driver 220, FIG. 2, ¶0034, “An OS driver 220 controls execution of application modules 250 via a stream scanner 230…”; see also ¶0016, these rules must have been generated by a rules generator), using the first telemetry data (“system events”, 210, ¶0034)
MARTYNENKO discloses generation of global black list and white list from combination of the behavioral log and signature scanning in ¶0040-¶0044 (“…Combination of the behavior log 580 and signature scanning 520 allows generation of a white list 550 and a black list 560 AV records”, ¶0040) and (“…Then, the data is added to the global white and black lists respectively for further research of suspicious processes”, ¶0044).
Based on a device specific block list and a device specific allow list (MARTYNENKO discloses filters 240 in FIG. 2 that allow the system events to be forwarded to application modules 250 for processing or block the system events from being forwarded to modules 250 via stream scanner 230, ¶0034-¶0036, see also step 325 of figure 3- examiner equates this as meeting the limitation device specific allow list and device specific block list).
It is noted that MARTYNENKO does not specifically disclose how the GLOBAL BLOCK LIST was created.
Verma discloses automation of data analytics with different techniques including artificial intelligence, machine learning, or semi-automated/manual methods (“The analytics could be automated (e.g., with the help of artificial intelligence and machine learning methods) or semi-automated/manual (where a data scientist or a domain expert analyses the data, ¶0009).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to use the artificial intelligence or machine learning methods disclosed by Verma to generate a global black list of MARTYNENKO based on rationale of using a known technique to improve similar devices (methods, or products) in the same way (MPEP 2143.I).
However, MARTYNENKO in view of Verma does not explicitly disclose transmitting the global block list to a gateway by the model manager to facilitate on-path classification of second telemetry data. 
Baccas discloses a gateway that includes a protocol to determine if access should be allowed using a block list, a black list, an allow list etc. (“…The gateway may include at least one protocol to determine if the network 100 access request is to be allowed such as using a block list, a black list, an allow list, a white list, a rules data base, a policy database, or the like…”, ¶0037, Fig. 1, wherein client facility 102 acts as the model manager and determination of allowance or blocking is based on on-path classification).
	Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the apparatus of  MARTYNENKO and Verma to include transmitting of global block list to a gateway as disclosed by Baccas and be motivated in doing so because it enables the system to take a remedial action in the event that the attempted interaction may be the result of the automatically generated request-Baccas ¶0006 in part.

Regarding claim 8, MARTYNENKO discloses a non-transitory computer readable storage medium comprising instructions which, when executed, cause at least one processor to at least (¶0076):
 obtain first telemetry data (System events 210, FIG. 2, ¶0035), 
MARTYNENKO discloses generation of global black list and white list from combination of the behavioral log and signature scanning in ¶0040-¶0044 (“…Combination of the behavior log 580 and signature scanning 520 allows generation of a white list 550 and a black list 560 AV records”, ¶0040) and (“…Then, the data is added to the global white and black lists respectively for further research of suspicious processes”, ¶0044).
based on a device specific block list and a device specific allow list (MARTYNENKO discloses filters 240 in FIG. 2 that allow the system events to be forwarded to application modules 250 for processing or block the system events from being forwarded to modules 250 via stream scanner 230, ¶0034-¶0036, see also step 325 of figure 3- examiner equates this as meeting the limitation device specific allow list and device specific block list).
It is noted that MARTYNENKO does not specifically disclose how the GLOBAL BLOCK LIST was created.
Verma discloses automation of data analytics with different techniques including artificial intelligence, machine learning, or semi-automated/manual methods (“The analytics could be automated (e.g., with the help of artificial intelligence and machine learning methods) or semi-automated/manual (where a data scientist or a domain expert analyses the data, ¶0009).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to use the artificial intelligence or machine learning methods disclosed by Verma to generate a global block list of MARTYNENKO based on rationale of using a known technique to improve similar devices (methods, or products) in the same way (MPEP 2143.I).
However, MARTYNENKO in view of Verma does not explicitly disclose transmitting the global block list to a gateway by the model manager to facilitate on-path classification of second telemetry data. 
Baccas discloses a gateway that includes a protocol to determine if access should be allowed using a block list, a black list, an allow list etc. (“…The gateway may include at least one protocol to determine if the network 100 access request is to be allowed such as using a block list, a black list, an allow list, a white list, a rules data base, a policy database, or the like…”, ¶0037, Fig. 1, wherein client facility 102 acts as the model manager and determination of allowance or blocking is based on on-path classification).
	Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the apparatus of  MARTYNENKO and Verma to include transmitting of global block list to a gateway as disclosed by Baccas and be motivated in doing so because it enables the system to take a remedial action in the event that the attempted interaction may be the result of the automatically generated request-Baccas ¶0006 in part.

Regarding claim 15, MARTYNENKO discloses a method comprising: 
obtaining first telemetry data (System events 210, FIG. 2, ¶0035); 
MARTYNENKO discloses generation of global black list and white list from combination of the behavioral log and signature scanning in ¶0040-¶0044 (“…Combination of the behavior log 580 and signature scanning 520 allows generation of a white list 550 and a black list 560 AV records”, ¶0040) and (“…Then, the data is added to the global white and black lists respectively for further research of suspicious processes”, ¶0044).
based on a device specific block list and a device specific allow list (MARTYNENKO discloses filters 240 in FIG. 2 that allow the system events to be forwarded to application modules 250 for processing or block the system events from being forwarded to modules 250 via stream scanner 230, ¶0034-¶0036, see also step 325 of figure 3- examiner equates this as meeting the limitation device specific allow list and device specific block list).
It is noted that MARTYNENKO does not specifically disclose how the GLOBAL BLOCK LIST was created.
Verma discloses automation of data analytics with different techniques including artificial intelligence, machine learning, or semi-automated/manual methods (“The analytics could be automated (e.g., with the help of artificial intelligence and machine learning methods) or semi-automated/manual (where a data scientist or a domain expert analyses the data, ¶0009).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to use the artificial intelligence or machine learning methods disclosed by Verma to generate a global block list of MARTYNENKO based on rationale of using a known technique to improve similar devices (methods, or products) in the same way (MPEP 2143.I).
However, MARTYNENKO in view of Verma does not explicitly disclose transmitting the global block list to a gateway by the model manager to facilitate on-path classification of second telemetry data. 
Baccas discloses a gateway that includes a protocol to determine if access should be allowed using a block list, a black list, an allow list etc. (“…The gateway may include at least one protocol to determine if the network 100 access request is to be allowed such as using a block list, a black list, an allow list, a white list, a rules data base, a policy database, or the like…”, ¶0037, Fig. 1, wherein client facility 102 acts as the model manager and determination of allowance or blocking is based on on-path classification).
	Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the apparatus of  MARTYNENKO and Verma to include transmitting of global block list to a gateway as disclosed by Baccas and be motivated in doing so because it enables the system to take a remedial action in the event that the attempted interaction may be the result of the automatically generated request-Baccas ¶0006 in part.

Claims 2, 4-7, 9, 11-14, 16, and 18-21 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. 20110083176 to MARTYNENKO et al. (hereinafter MARTYNENKO) in view of U.S. 20170343967 to Verma Amit (hereinafter Verma) and further in view of U.S. 20080244074 to Baccas et al. (hereinafter Baccas) and further in view of 20210234833 to Schneider et al. (hereinafter Schneider). 
 
Regarding claim 2, MARTYNENKO in view of Verma and further in view of Baccas discloses the apparatus of claim 1. 
MARTYNENKO further discloses 
	Wherein the rule generator (OS Driver 220, FIG. 2, ¶0034,) is to: 
generate the device specific allow list, and the device specific block list (filters 240 in FIG. 2. allow list and block list, ¶0034-¶0036)
However, the combination of MARTYNENKO, Verma and Baccas does not explicitly disclose the underlined part of the claim limitation
wherein the machine learning model is a first machine learning model, 
generate a second machine learning model using the first machine learning model, 
 
Schneider discloses wherein the machine learning model is a first machine learning model (“initial MLM…”, ¶0041) and
generate a second machine learning model using the first machine learning model (“… an updated version of the MLM…”, ¶0026, wherein the updated version of the Machine Learning Model is the second learning model created from updating the initial MLM)
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the apparatus of MARTYNENKO, Verma and Baccas to include generation of the second machine learning model from the first learning model as disclosed by Schneider and be motivated in doing so in order to have an updated version of the MLM published to the front-end of a firewall system for use in the application firewall- Schneider ¶0026. 

Regarding claim 4, MARTYNENKO in view of Verma and further in view of Baccas and further in view of Schneider discloses the apparatus of claim 2.
Baccas further discloses wherein the interface (“client facility 102”, ¶0037) is to obtain third telemetry data (“data file”, ¶0037) from the gateway, 
the third telemetry data obtained when the gateway is unsuccessful in performing on-path classification (“When a request is blocked by the gateway facility 104”, ¶0037).  
	Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the apparatus of MARTYNENKO, Verma, Baccas and Schneider in claim 2 to include obtaining the third telemetry data from the gateway as disclosed by Baccas and be motivated in doing so in order to control access of client computing facilities from one network to another network or within a network-Baccas ¶0037 in part.

Regarding claim 5, MARTYNENKO in view of Verma, and further in view of Baccas and further in view of Schneider discloses the apparatus of claim 4. 
Schneider further discloses further including a model trainer (“model trainer 312”, ¶0064) to use the second machine learning model (“MLM(s) (e.g., a model 314…”, ¶0064) to facilitate off-path classification (“validation process”, ¶0046) of the third telemetry data (service input that is blocked, ¶0064).  
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the apparatus of MARTYNENKO, Verma, Baccas and Schneider in claim 4 to include a model trainer to use the second machine learning model to facilitate off-path classification of the third telemetry data as disclosed by Schneider and be motivated in doing so in order to determine whether the prediction to block the third telemetry data was false positive-Schneider ¶0046 in part.

Regarding claim 6, MARTYNENKO in view of Verma and further in view of Baccas discloses the apparatus of claim 1. 
MARTYNENKO further discloses wherein the rules generator (OS Driver 220, FIG. 2, ¶0034) is to: 
generate the device specific block list (block list of filters 240 in FIG. 2), the device specific block list including first parameters of the first telemetry data known to be malicious (“A black list is a collection of known malware objects”, ¶0041);
generate the device specific allow list (allow list of filters 240 in FIG. 2, ¶0034-¶0036, wherein the filters are the device), the device specific allow list including second parameters of the first telemetry data known to be benign (“The white lists are the lists of known "clean" software components, links, libraries and other clean objects”, ¶0041);
Regarding generating the machine learning model based on the device specific block list and the device specific allow list, it would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to create/train the machine learning model of Verma in ¶0016 with the allow and block lists of  filter 240 in figure 2 of MARTYNENKO based on rationale of using a known technique to improve similar devices (methods, or products) in the same way (MPEP 2143.I).   
  
Regarding claim 7, MARTYNENKO in view of Verma and further in view of Baccas discloses the apparatus of claim 1. 
MARTYNENKO further discloses storing the global block list (“global black list”, ¶0044), the device specific allow list (allow list of filters 240 in FIG. 2), and the device specific block list (block list of filters 240 in FIG. 2) for use in performing off-path classification (“The data from the white list 550 and the black list 560 is not normally shown to a user. Instead, it is sent, by the AV application installed on the user system, to an AV lab. Then, the data is added to the global white and black lists respectively for further research of suspicious processes”, ¶0044).
However, MARTYNENKO in view of Verma and further in view of Baccas does not explicitly disclose wherein the model manager is to store the machine learning model. 
Schneider discloses wherein the model manager (“communications manager 108”… , ¶0039) is to store the machine learning model (“…These log files may be used to refine/update aspects of the firewall system 106, such as the MLM(s) used to make predictions regarding service inputs through additional training” ¶0039, wherein being able to update the model means the model must have been stored).

Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the apparatus of MARTYNENKO, Verma, and Baccas in claim 1 to include the communication manager updating the machine learning model as disclosed by Schneider in order to identify and patch vulnerabilities in the firewall service (e.g., based on false positives or false negatives predicted using the trained model). 


Regarding claim 9, MARTYNENKO in view of Verma and further in view of Baccas discloses the non-transitory computer readable medium of claim 8. 
MARTYNENKO further discloses wherein the instructions, when executed, cause the at least one processor to:  
generate the device specific block list (block list of filters 240 in FIG. 2), the device specific block list including first parameters of the first telemetry data known to be malicious (“A black list is a collection of known malware objects”, ¶0041);
generate the device specific allow list (allow list of filters 240 in FIG. 2, ¶0034-¶0036, wherein the filters are the device), the device specific allow list including second parameters of the first telemetry data known to be benign (“The white lists are the lists of known "clean" software components, links, libraries and other clean objects”, ¶0041);
Regarding generating the machine learning model based on the device specific block list and the device specific allow list, it would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to create/train the machine learning model of Verma in ¶0016 with the allow and block lists of filters 240 in figure 2 of MARTYNENKO based on rationale of using a known technique to improve similar devices (methods, or products) in the same way (MPEP 2143.I).
However, the combination of MARTYNENKO, Verma and Baccas does not explicitly disclose the following limitation: 
wherein the machine learning model is a first machine learning model,
generate a second machine learning model using the first machine learning model
Schneider discloses wherein the machine learning model is a first machine learning model (“initial MLM…”, ¶0041), and  
generate a second machine learning model using the first machine learning model (“… an updated version of the MLM…”, ¶0026, wherein the updated version of the Machine Learning Model is the second learning model created from updating the initial MLM)
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the non-transitory computer readable medium of MARTYNENKO, Verma and Baccas to include generation of the second machine learning model from the first learning model as disclosed by Schneider and be motivated in doing so in order to have an updated version of the MLM published to the front-end of a firewall system for use in the application firewall- Schneider ¶0026.

Regarding claim 11, MARTYNENKO in view of Verma and further in view of Baccas and further in view of Schneider discloses the non-transitory computer readable medium of claim 9.  
Baccas further discloses wherein the instructions, when executed, cause the at least one processor to obtain third telemetry data (“data file”, ¶0037) from the gateway,
the third telemetry data obtained when the gateway is unsuccessful in performing on-path classification (“When a request is blocked by the gateway facility 104”, ¶0037).  
	Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the non-transitory computer readable medium of MARTYNENKO, Verma, Baccas and Schneider  in claim 9 to include obtaining the third telemetry data from the gateway as disclosed by Baccas and be motivated in doing so in order to control access of client computing facilities from one network to another network or within a network-Baccas ¶0037 in part.

Regarding claim 12, MARTYNENKO in view of Verma and further in view of Baccas and further in view of Schneider discloses the non-transitory computer readable medium of claim 11.  
Schneider further discloses wherein the instructions, when executed, cause the at least one processor to use the second machine learning model (“an MLM(s) (e.g., a model 314”, ¶0064) to facilitate off-path classification (“…validation process…”, ¶0046) of the third telemetry data (service input that is blocked, ¶0064).
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the non-transitory computer readable medium of MARTYNENKO, Verma, Baccas and Schneider in claim 11 to include using the second machine learning model to facilitate off-path classification of the third telemetry data as disclosed by Schneider and be motivated in doing so in order to determine whether the prediction to block the third telemetry data was false positive-Schneider ¶0046 in part.

Regarding claim 13, MARTYNENKO in view of Verma and further in view of Baccas and further in view of Schneider discloses the non-transitory computer readable medium of claim 12.  
Schneider further discloses wherein the instructions, when executed, cause the at least one processor to transmit a result of the off-path classification to the gateway (FIGURE 4, block B420, ¶0082, wherein the firewall plays the role of a gateway).  
Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the non-transitory computer readable medium of MARTYNENKO, Verma, Baccas and Schneider  in claim 12 to include transmitting a result of the off-path classification to the gateway (firewall) as disclosed by Schneider and be motivated in doing so in order to determine whether the prediction to block the third telemetry data was false positive-Schneider ¶0046 in part.

Regarding claim 14, MARTYNENKO in view of Verma, and further in view of Baccas discloses the non-transitory computer readable medium of claim 8.
MARTYNENKO further discloses wherein the instructions, when executed, cause the at least one processor to store the global block list (“global black list”, ¶0044), the device specific allow list (allow list of filters 240 in FIG. 2), and the device specific block list (block list of filters 240 in FIG. 2) for use in performing off-path classification (“The data from the white list 550 and the black list 560 is not normally shown to a user. Instead, it is sent, by the AV application installed on the user system, to an AV lab. Then, the data is added to the global white and black lists respectively for further research of suspicious processes”, ¶0044).
However, MARTYNENKO in view of Verma and further in view of Baccas does not explicitly disclose storing the machine learning model. 
Schneider discloses storing the machine learning model (“…These log files may be used to refine/update aspects of the firewall system 106, such as the MLM(s) used to make predictions regarding service inputs through additional training”, ¶0039, wherein being able to update the model means the model must have been stored). See also ¶0020 and ¶0026 about updating the machine learning model.

Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the non-transitory computer readable medium of MARTYNENKO, Verma, and Baccas in claim 8 to include updating the machine learning model as disclosed by Schneider in order to identify and patch vulnerabilities in the firewall service (e.g., based on false positives or false negatives predicted using the trained model). 

Regarding claim 16, MARTYNENKO in view of Verma, and further in view of Baccas discloses the method of claim 15. 
MARTYNENKO further discloses the method further including:
generating the device specific allow list, and the device specific block list (filters 240 in FIG. 2. allow list and block list, ¶0034-¶0036) 
However, the combination of MARTYNENKO, Verma and Baccas does not explicitly disclose the following limitation:
 wherein the machine learning model is a first machine learning model
generating a second machine learning model using the first machine learning model,
Schneider discloses wherein the machine learning model is a first machine learning model (“initial MLM…”, ¶0041), and 
generating a second machine learning model using the first machine learning model (“… an updated version of the MLM…”, ¶0026, wherein the updated version of the machine learning model is the second learning model created by updating the initial MLM).
	Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of MARTYNENKO, Verma and Baccas to include generation of the second machine learning model from the first learning model as disclosed by Schneider, and would have been motivated to do so in order to have an updated version of the MLM published to the front-end of a firewall system for use in the application firewall (Schneider ¶0026).

Regarding claim 18, MARTYNENKO in view of Verma, and further in view of Baccas and further in view of Schneider discloses the method of claim 16. 
Baccas further discloses further including obtaining third telemetry data (“data file”, ¶0037) from the gateway, 
the third telemetry data obtained when the gateway is unsuccessful in performing on-path classification (“When a request is blocked by the gateway facility 104”, ¶0037).  
	Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of MARTYNENKO, Verma and Baccas in claim 16 to include obtaining the third telemetry data from the gateway as disclosed by Baccas, and would have been motivated to do so in order to control access of client computing facilities from one network to another network or within a network (Baccas ¶0037, in part).

Regarding claim 19, MARTYNENKO in view of Verma, and further in view of Baccas and further in view of Schneider discloses the method of claim 18. 
Schneider further discloses further including using the second machine learning model (“an MLM(s) (e.g., a model 314)”, ¶0064) to facilitate off-path classification (“…validation process…”, ¶0046) of the third telemetry data (service input that is blocked, ¶0064).
	Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of MARTYNENKO, Verma, Baccas and Schneider in claim 18 to include the use of the second machine learning model to facilitate off-path classification of the third telemetry data as disclosed by Schneider, and would have been motivated to do so in order to determine whether the prediction to block the third telemetry data was a false positive (Schneider ¶0046, in part).

Regarding claim 20, MARTYNENKO in view of Verma, and further in view of Baccas and further in view of Schneider discloses the method of claim 19.  
MARTYNENKO further discloses 
generating the device specific block list (block list of filters 240 in FIG. 2), the device specific block list including first parameters of the first telemetry data known to be malicious (“A black list is a collection of known malware objects”, ¶0041);
	generating the device specific allow list (allow list of filters 240 in FIG. 2, ¶0034-¶0036, wherein the filters are the device), the device specific allow list including second parameters of the first telemetry data known to be benign (“The white lists are the lists of known "clean" software components, links, libraries and other clean objects”, ¶0041).
Regarding generating the machine learning model based on the device specific block list and the device specific allow list, it would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to create/train the machine learning model of Verma in ¶0016 with the allow and block lists of filter 240 in figure 2 of MARTYNENKO based on the rationale of using a known technique to improve similar devices (methods, or products) in the same way (MPEP 2143.I).

Regarding claim 21, MARTYNENKO in view of Verma and further in view of Baccas discloses the method of claim 15. 
MARTYNENKO further discloses further including storing the global block list (“global black list”, ¶0044), the device specific allow list (allow list of filters 240 in FIG. 2), and the device specific block list (block list of filters 240 in FIG. 2) for use in performing off-path classification (“The data from the white list 550 and the black list 560 is not normally shown to a user. Instead, it is sent, by the AV application installed on the user system, to an AV lab. Then, the data is added to the global white and black lists respectively for further research of suspicious processes”, ¶0044).
However, MARTYNENKO in view of Verma and further in view of Baccas does not explicitly disclose storing the machine learning model. 
Schneider discloses storing the machine learning model (“…These log files may be used to refine/update aspects of the firewall system 106, such as the MLM(s) used to make predictions regarding service inputs through additional training”, ¶0039, wherein being able to update the model means the model must have been stored). See also ¶0020 and ¶0026 about updating the machine learning model.

Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the method of MARTYNENKO, Verma, and Baccas in claim 15 to include updating the machine learning model as disclosed by Schneider in order to identify and patch vulnerabilities in the firewall service (e.g., based on false positives or false negatives predicted using the trained model). 

 
	
Claims 7, 10, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. 20110083176 to MARTYNENKO et al. (hereinafter MARTYNENKO) in view of U.S. 20170343967 to Verma Amit (hereinafter Verma) and further in view of U.S. 20080244074 to Baccas et al. (hereinafter Baccas) and further in view of 20210234833 to Schneider et al. (hereinafter Schneider) and further in view of U.S. 20210357648 to METAXAS et al. (hereinafter METAXAS).


Regarding claim 3, MARTYNENKO in view of Verma and further in view of Baccas and further in view of Schneider discloses the apparatus of claim 2.  
Schneider further discloses wherein the first machine learning model is a light-weight machine learning model (“…lightweight primitive…”, ¶0043),  
However, Schneider, even though it discloses a fully functional machine learning model (MLM), does not explicitly disclose a full neural network.
	METAXAS discloses integrating rich information from reports with a neural network model to improve the performance of automated image analysis (“…For example, rich information from reports can be integrated with a neural network model to improve the performance of automated biomedical image analysis…”, ¶0061).
	Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the apparatus of MARTYNENKO, Verma, Baccas and Schneider to include the concept of a neural network model as disclosed by METAXAS, and would have been motivated to do so in order to improve medical image analysis such as chest x-ray analysis (METAXAS ¶0061, in part).
 
Regarding claim 10, MARTYNENKO in view of Verma and further in view of Baccas and further in view of Schneider discloses the non-transitory computer readable medium of claim 9.  
Schneider further discloses wherein the first machine learning model is a light-weight machine learning model (“…lightweight primitive…”, ¶0043),   
However, Schneider, even though it discloses a fully functional machine learning model (MLM), does not explicitly disclose a full neural network.
	METAXAS discloses integrating rich information from reports with a neural network model to improve the performance of automated image analysis (“…For example, rich information from reports can be integrated with a neural network model to improve the performance of automated biomedical image analysis…”, ¶0061).
	Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the apparatus of MARTYNENKO, Verma, Baccas and Schneider to include the concept of a neural network model as disclosed by METAXAS, and would have been motivated to do so in order to improve medical image analysis such as chest x-ray analysis (METAXAS ¶0061, in part).

Regarding claim 17, MARTYNENKO in view of Verma and further in view of Baccas and further in view of Schneider discloses the method of claim 16.
Schneider further discloses wherein the first machine learning model is a light-weight machine learning model (“…lightweight primitive…”, ¶0043).
However, Schneider, even though it discloses a fully functional machine learning model (MLM), does not explicitly disclose a full neural network.
	METAXAS discloses integrating rich information from reports with a neural network model to improve the performance of automated image analysis (“…For example, rich information from reports can be integrated with a neural network model to improve the performance of automated biomedical image analysis…”, ¶0061).
	Thus, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify the apparatus of MARTYNENKO, Verma, Baccas and Schneider to include the concept of a neural network model as disclosed by METAXAS, and would have been motivated to do so in order to improve medical image analysis such as chest x-ray analysis (METAXAS ¶0061, in part).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MUDASIRU K OLAEGBE whose telephone number is (571)272-2082. The examiner can normally be reached MON-FRI. 7.30AM-5.30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr, can be reached on 5712723739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MUDASIRU K OLAEGBE/Examiner, Art Unit 2495

/MAUNG T LWIN/Primary Examiner, Art Unit 2495