DETAILED ACTION
This office action is in response to the RCE filed on 09/12/2022.
Claim 4 is cancelled and claim 21 has been added.
Claims 1-3, 5-21 are presented for examination.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 09/12/2022 has been entered.
 
Response to Arguments
Applicant's arguments filed 09/12/2022 regarding the 35 USC 103 rejections in Remarks pg. 8-32 have been fully considered but they are not persuasive. 
Applicant argues in essence:
[a] “In reply, it is submitted that the cited aspects of Savalle do not relate to the same embodiment. For instance, para. [0040] of Savalle describes that: “In some cases, device classification process 248 may assess the captured telemetry data on a per-flow basis. In other embodiments, device classification process 248 may assess telemetry data for a plurality of traffic flows based on any number of different conditions.” However, there is no further description of how device classification process 248 may “assess” on a “per-flow basis.” On the other hand, Savalle para. [0073] describes and FIG. 6 illustrates that “traffic features” may be represented “as feature vectors, in various embodiments. As shown, there may be any number of traffic feature representations that indicate whether or not a particular traffic feature was observed during a given observation time window. For example, one feature may indicate whether the device traffic used the HTTP protocol, another may indicate whether the traffic used the DHCPv6 protocol, another may indicate whether the traffic used the IPv4 protocol, etc. As would be appreciated, the values of any given traffic feature may also change over time. For example, the binary indicator 602 may indicate the use of the NTP protocol by the device over time, and
may change between °O0° and °1° in different time windows”
In response to [a], arguments are primarily based on the idea that Savalle does not show analysis of the traffic in a per flow basis because every instance where Savalle mentions a perflow basis analysis, it is talking about a different embodiment.
Savalle discloses that a single traffic flow can be analyzed in para.0035  “In one embodiment, device classification process 248 may assess captured telemetry data regarding one or more traffic flows involving the device, to determine the device type associated with the device.”
para.0040 “in some cases, device classification process 248 may assess the captured telemetry data on a per-flow basis.”
para.0041 “As shown in FIG. 3, various mechanisms can be leveraged to capture information about traffic in a network, such as telemetry data regarding a traffic flow. For example, consider the case in which client node 10 initiates a traffic flow with remote server 154 that includes any number of packets 302. Any number of networking devices along the path of the flow may analyze and assess packet 302, to capture telemetry data regarding the traffic flow. For example, as shown, consider the case of edge router CE-2 through which the traffic between node 10 and server 154 flows.”
para.0042 “In some embodiments, a networking device may analyze packet headers, to capture feature information about the traffic flow. For example, router CE-2 may capture the source address and/or port of host node 10, the destination address and/or port of server 154, the protocol(s) used by packet 302, the hostname of server 154, and/or other header information by analyzing the header of a packet 302. Example captured features may include, but are not limited to, Transport Layer Security (TLS) information (e.g., from a TLS handshake), such as the ciphersuite offered, User Agent information, destination hostname, TLS extensions, etc., HTTP information (e.g., URI, etc.), Domain Name System (DNS) information, ApplicationID, virtual LAN (VLAN) ID, or any other data features that can be extracted from the observed traffic flow(s). Further information, if available could also include process hash information from the process on host node 10 that participates in the traffic flow.”
para.0043 “In further embodiments, the device may also assess the payload of the packet to capture information about the traffic flow. For example, router CE-2 or another device may perform deep packet inspection (DPI) on one or more of packets 302, to assess the contents of the packet. Doing so may, for example, yield additional information that can be used to determine the application associated with the traffic flow (e.g., packets 302 were sent by a web browser of node 10, packets 302 were sent by a videoconferencing application, etc.).”
It can be seen above that the same process of packet analysis from traffic flow, can be performed for a single traffic flow.  Throughout the document it is described that a single traffic flow can be used for analysis, as seem above and it would not be reasonable to say the functionalities of Fig.6 requires 2 or more traffic flows, as all it does is analyze the traffic coming from that device.  
Secondly, a traffic flow has not been defined to be limited in any way in the claim and embodiment of Fig. 6 does not state in one way or another that the traffic analyzed is a plurality of flows. The entirety of the traffic from the device that is being analyzed in the embodiment of Fig. 6 can also be interpreted to be a single traffic flow, which would also meet the requirements of the claim.  

[b] “.” Notably, FIG. 6 illustrates feature vectors that comprise a large number of features for each time window. There is no description that a feature vector represents a single binary indicator over a plurality of time periods. While there may be other feature vectors in Savalle for successive time periods, these clearly include a large number of features. As such, it is submitted that the cited paragraph [0040] of Savalle does not relate to the description of the feature vectors of FIG. 6 and para. [0073]. In this regard, Savalle suffers from the same deficiencies as the previously cited reference Mermound.”
In response to [b], it seems this argument is directed that the “feature vector” of Fig. 6 and para.0073 “FIG. 6 illustrates an example 600 of representing traffic features as feature vectors, in various embodiments. As shown, there may be any number of traffic feature representations that indicate whether or not a particular traffic feature was observed during a given observation time window. For example, one feature may indicate whether the device traffic used the HTTP protocol, another may indicate whether the traffic used the DHCPv6 protocol, another may indicate whether the traffic used the IPv4 protocol, etc. As would be appreciated, the values of any given traffic feature may also change over time. For example, the binary indicator 602 may indicate the use of the NTP protocol by the device over time, and may change between ‘0’ and ‘1’ in different time windows.”
However examiner mapped the binary traffic vector to the binary indicator 602 in the same paragraph and Figure 6.  It can be seen that it is a binary indicator over a plurality of time periods that indicate if a particular feature was detected over several time windows.  Therefore examiner disagrees with this assessment of Savalle.

[c] “In addition, the Examiner refers to Savalle FIG. 2 and para. [0031] and [0068] in connection with the claim features: applying a first traffic flow record comprising the binary traffic vector as an input to a deep learning classifier that is trained to classify traffic flow records into one of a plurality of traffic categories. (See Office Action p. 4-5). In reply, it is noted that Savalle only describes classification of device types: "(e.g., iOS, Android, etc.), manufacturer (e.g., Apple, Samsung, etc.), make Page 13 (e.g., iPhone, etc.), model (e.g., 5s, 6, 7, etc.)." (See, Savalle para. [0053]). 
Paragraphs [0031] and [0068] add nothing beyond this. As such, it is submitted that Savalle simply does not train or use a classifier to determine a traffic category from among a plurality of traffic cateqories”
In response to [c], Claims now define traffic categories to be “the plurality of traffic categories comprises at least two of: a streaming video category, a streaming audio category, a conversational video category, a conversational audio category, or a gaminq cateqory”
While Savalle still classifies traffic flow based on original device type, such as android, apply, Samsung, etc which are traffic categories, examiner now relies on new reference that shows classification of traffic into the above categories, explained in more detail below.

[d] “In addition, it is further noted that the "deep learning system" of Chen is not properly combined with Savalle insofar as Chen uses a "lightweight image conversion" in which "control flow packets (e.g., in an execution trace) may be converted to a stream of pixels, and a per-application deep-learning behavior model may be trained on segmented sequences of pixels to characterize benign and malicious executions." (See Chen para. [0032]). Chen simply does not use the same type of feature vector as Savalle (or the binary traffic vector of the present claims) and does not generate the same output as in Savalle (e.g., Chen categorizes benign and malicious executions of an application, Savalle determines a device type). Thus, for all of the foregoing reasons, independent claims 1, 19, and 20 are patentable over and not made obvious by the combination of Savalle and Chen.”
In response to [d], Examiner disagrees that these references are not combinable.  Arguments are that because Chen does not use the same binary traffic vector as Savalle, and does not produce the same classification result as Savalle they are not combinable.  This is not the baseline for a 35 USC 103 rejection to have completely identical inventions differing by a single variable.  Chen teaches the deep learning in the same field of endeavor, i.e. using neural networks to analyze traffic and determine classification of traffic, and shows the advantage of deep learning, such as in para.0026 “Machine learning algorithms have been used for some behavioral analysis of malware executions, based on system calls, Portable-Executable (PE) header analysis, etc. Deep learning is a type of machine learning that uses a layered structure of algorithms, known as artificial neural networks (or ANNs), to learn and recognize patterns from data representations. ANNs are generally presented as systems of interconnected “neurons” which can compute values from inputs. ANNs represent one of the most relevant and widespread techniques used to learn and recognize patterns. Consequently, ANNs have emerged as an effective solution for intuitive human/device interactions that improve user experience, a new computation paradigm known as “cognitive computing.” Among other usages, ANNs can be used for imaging processing, voice and object recognition or natural language processing. Convolution Neural Networks (CNNs) and Deep Belief Networks (DBNs) are just a few examples of computation paradigms that employ ANN algorithms.” As the invention is in a similar field of endeavor and shows the advantage of using this algorithm in that field, examiner believes that Savalle and Chen remain combinable in the 35 USC 103 rejection.

[e] Savalle and Chen do not disclose newly added limitations of the first traffic flow is encrypted and that the plurality of traffic categories comprises at least two of: a streaming video category, a streaming audio category, a conversational video category, a conversational audio category, or a Gaminq cateqory.
In response to [e], examiner relies upon new reference to show this idea, and therefore this argument does not apply.

[f] Zhang, Ferrell, Yadav, Kokkonen, Nguyen, Kerkes, references that are used in the rejection for the remaining dependent claims do not remedy the deficiencies of Savalle-Chen and further do not teach the newly added limitations.
In response to [f], Examiner does not rely upon these references for the limitations of the independent claims, and are not relied upon for the newly added limitations, therefore these arguments do not apply. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim 1, 2, 5, 6, 8, 9, 11, 12, 14, 15, 19, 20, 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Savalle et al (hereinafter Savalle, US 2020/0127892 A1) in view of Famolari et al. (hereinafter Famolari, US 2012/0069749 A1) in view of Chen et al. (hereinafter Chen, US 2019/0042745 A1).
Regarding Claim 1, Savalle discloses A method, comprising: 
generating, by a processing system including at least one processor (Savalle: Fig. 2 and para.0031), a binary traffic vector (Savalle: Fig.6 para.0073 “For example, the binary indicator 602 may indicate the use of the NTP protocol by the device over time, and may change between ‘0’ and ‘1’ in different time windows.”) from a first traffic flow (Savalle: para.0040 “In some cases, device classification process 248 may assess the captured telemetry data on a per-flow basis.”) in a communication network (Savalle: Fig. 1B network 100), 
wherein the binary traffic vector comprises a plurality of elements, each of the plurality of elements associated with a respective time period of a plurality of sequential time periods (Savalle: Fig. 6 para.0073 “FIG. 6 illustrates an example 600 of representing traffic features as feature vectors, in various embodiments. As shown, there may be any number of traffic feature representations that indicate whether or not a particular traffic feature was observed during a given observation time window. For example, one feature may indicate whether the device traffic used the HTTP protocol, another may indicate whether the traffic used the DHCPv6 protocol, another may indicate whether the traffic used the IPv4 protocol, etc. As would be appreciated, the values of any given traffic feature may also change over time. For example, the binary indicator 602 may indicate the use of the NTP protocol by the device over time, and may change between ‘0’ and ‘1’ in different time windows.” binary indicator 602 as seen in Fig. 6 shows a plurality of binary elements in sequential time windows.  It can be seen that each bit on the binary indicator for a particular protocol is related to a single time window.), 
each of the plurality of elements comprising one of: a first value or a second value (Savalle: Fig.6 para.0073 “For example, the binary indicator 602 may indicate the use of the NTP protocol by the device over time, and may change between ‘0’ and ‘1’ in different time windows.” a one or a zero), 
wherein for each respective time period for which the first traffic flow comprises a transfer of at least one data unit, a corresponding element of the plurality of elements comprises the first value (Savalle: Fig. 6 para.0073 “FIG. 6 illustrates an example 600 of representing traffic features as feature vectors, in various embodiments. As shown, there may be any number of traffic feature representations that indicate whether or not a particular traffic feature was observed during a given observation time window. For example, one feature may indicate whether the device traffic used the HTTP protocol, another may indicate whether the traffic used the DHCPv6 protocol, another may indicate whether the traffic used the IPv4 protocol, etc. As would be appreciated, the values of any given traffic feature may also change over time. For example, the binary indicator 602 may indicate the use of the NTP protocol by the device over time, and may change between ‘0’ and ‘1’ in different time windows.” if a particular protocol was used in a time window, therefore transferred in the form of a packet, then a 1 is presented in the binary indicator), and 
wherein for each respective time period for which the first traffic flow does not comprise a transfer of at least one data unit, a corresponding element of the plurality of elements comprises the second value (Savalle: Fig. 6 para.0073 “FIG. 6 illustrates an example 600 of representing traffic features as feature vectors, in various embodiments. As shown, there may be any number of traffic feature representations that indicate whether or not a particular traffic feature was observed during a given observation time window. For example, one feature may indicate whether the device traffic used the HTTP protocol, another may indicate whether the traffic used the DHCPv6 protocol, another may indicate whether the traffic used the IPv4 protocol, etc. As would be appreciated, the values of any given traffic feature may also change over time. For example, the binary indicator 602 may indicate the use of the NTP protocol by the device over time, and may change between ‘0’ and ‘1’ in different time windows.” if the feature is not present in the packets, then a zero is passed instead.); 
applying, by the processing system (Savalle: Fig. 2 and para.0031), a first traffic flow record comprising the binary traffic vector as an input to a learning classifier that is trained to classify traffic flow records into one of a plurality of traffic categories (Savalle: para.0036 “Device classification process 248 may employ any number of machine learning techniques, to classify the gathered telemetry data and apply a device type label to a device associated with the traffic. In general, machine learning is concerned with the design and the development of techniques that receive empirical data as input (e.g., telemetry data regarding traffic in the network) and recognize complex patterns in the input data.” all of the gathered telemetry data generated in para.0068 by the feature representation generator 510 “feature representation generator 502 may be configured to build feature representations from the input traffic telemetry data 510 captured from the network and associated with traffic for the device undergoing classification.” are input into the machine learning algorithm to classify the data into device type, the traffic category); and 
determining, by the processing system (Savalle: Fig. 2 and para.0031), a traffic category of the first traffic flow, from among the plurality of traffic categories, from an output of the learning classifier in accordance with the first traffic flow record as the input to the learning classifier (Savalle” Fig.5 and para.0087-para.0088 “As part of the training of the cascade of classifiers 506, classifier trainer 504 could also enforce additional constraints. For example, classifier trainer 504 may employ sparsity-enforcing penalties or sparsity constraints, to prevent overfitting. In the context is of device classification with very large numbers of device types, it may be especially important to keep each classifier compact…. In various embodiments, another component of architecture 500 may be device labeler 508 that receives the feature vector(s) from feature representation generator 502 for a particular device under scrutiny and uses the trained cascade of classifiers 506 to label the device with a resulting device label 512. In turn, device labeler 508 may provide the determined device label 512 to any interested service in the network for purposes of policy enforcement, auditing, or for any other purpose. For example, a network security policy may prevent the device under scrutiny from accessing certain resources, based on its determined device type.” it can be seen that the 504 trains classifier 506 which output a label 512, in a algorithm using the classifier flow chart of Fig. 7 and para.0083-para.0085.  This is used to determine the traffic category of the traffic flow record entered into the classifier.).
While Savalle discloses neural networks for the learning technique in para.0038:“neural networks (e.g., reservoir networks, artificial neural networks, etc.)” Savalle does not explicitly disclose wherein the first traffic flow is encrypted, wherein the plurality of traffic categories comprises at least two of: a streaming video category, a streaming audio category, a conversational video category, a conversational audio category, or a gaminq cateqory, and the Deep learning classifier.
Famolari discloses wherein the first traffic flow is encrypted (Famolari: para.0030 “The deep packet inspection 204 may include examining or evaluating the data packet in the message flow, e.g., the message/protocol header, payload, and/or others. Deep packet inspection 204, for instance, can determine the type of the message, e.g., whether it is streaming video, audio, chat, text, Voice over Internet Protocol (VoIP) and/or other data, the size of the message, and other information pertaining to the data packet. The deep packet inspection can also give information, such as whether they are encrypted, going through VPN tunnel and others.” the traffic flow can be encrypted.), 
wherein the plurality of traffic categories comprises at least two of: a streaming video category, a streaming audio category, a conversational video category, a conversational audio category, or a gaminq cateqory (Famolari: para.0030 “The deep packet inspection 204 may include examining or evaluating the data packet in the message flow, e.g., the message/protocol header, payload, and/or others. Deep packet inspection 204, for instance, can determine the type of the message, e.g., whether it is streaming video, audio, chat, text, Voice over Internet Protocol (VoIP) and/or other data, the size of the message, and other information pertaining to the data packet. The deep packet inspection can also give information, such as whether they are encrypted, going through VPN tunnel and others. The deep packet inspection can examine data at different levels, e.g., a network level, Medium Access Control (MAC) level and others.” para.0031 “Using the output from the deep packet inspection, the filter module 104 may perform flow classification 206. For instance, flows may be classified or categorized as streaming videos, audios, chat, VoIP, and/or others. Flow may be also classified according to similar traffic, which user, which protocol, as being from the same or similar source, web site, content site, as having normal content or high definition content (e.g., HD video)..” using various types of information from a deep packet inspection, flows can be classified into categories such as streaming videos, voip, which is a conversation audio category or a streaming audio category).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Savalle with Famolari in order to incorporate wherein the first traffic flow is encrypted, wherein the plurality of traffic categories comprises at least two of: a streaming video category, a streaming audio category, a conversational video category, a conversational audio category, or a gaminq cateqory.
While Savalle discloses neural networks for the learning technique in para.0038:“neural networks (e.g., reservoir networks, artificial neural networks, etc.)” Savalle-Famolari does not explicitly disclose the Deep learning classifier.
Chen discloses deep learning classifier (Chen: Fig.3 160 para.0032 “The control flow packets (e.g., in an execution trace) may be converted to a stream of pixels, and a per-application deep-learning behavior model may be trained on segmented sequences of pixels to characterize benign and malicious executions. “ para.0045 “The dynamic ensemble classification process may include an ensemble and hierarchical stage 220 to produce classification results on whether the selected trace data packets indicate an attack.” para.0065 “In at least some embodiments, machine learning module 162 may function as a deep neural network (DNN) such as a convolutional neural network (CNN). Generally, a CNN includes input and output layers, in addition to many hidden layers. The hidden layers can include convolutional layers, pooling layers, and fully connected layers.” packets are converted into pixels in an image, and used to detect attacks in the network.  it can be seen in Fig.3 and para.0046, how the deep learning system, the DNN classifier is trained.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Savalle-Famolari and Chen in order to incorporate a deep learning classifier.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved pattern detection that comes with deep learning (Chen: para.0026-para.0027).

Regarding Claim 2, Savalle-Famolari-Chen discloses claim 1 as set forth above.
Savalle further discloses further discloses providing, to at least one recipient computing system, the traffic category of the first traffic flow that is determined (Savalle: para.0054 “For example, device classification service 408 may determine, with a high degree of confidence, that endpoint device 402 is an Apple iPhone, but may or may not be able to determine whether device 402 is an iPhone 5s or an iPhone 6. Accordingly, in some embodiments, service 408 may also return the confidence values for the classification label(s) in device type 412 to networking device 406.” once it is determined the category of the network traffic to be a particular type, in this case iphone, device type 412 is returned to networking entities 406).

Regarding Claim 5, Savalle-Famolari-Chen discloses claim 1 as set forth above.
Savalle further discloses wherein the generating the binary traffic vector comprises: obtaining a copy of the first traffic flow (Savalle: para.0042 “In some embodiments, a networking device may analyze packet headers, to capture feature information about the traffic flow. For example, router CE-2 may capture the source address and/or port of host node 10, the destination address and/or port of server 154, the protocol(s) used by packet 302, the hostname of server 154, and/or other header information by analyzing the header of a packet 302” network entities, such as CE-2 can obtain a copy of the packets, and obtain feature data from each packet.); or copying packets of the first traffic flow into at least one storage record for the first traffic flow.

Regarding Claim 6, Savalle-Famolari-Chen discloses claim 1 as set forth above.
Savalle further discloses wherein the binary traffic vector is generated as packets of the first traffic flow are processed via: a network firewall; or an ingress/egress node of the communication network (Savalle: fig. 3 para.0042 “In some embodiments, a networking device may analyze packet headers, to capture feature information about the traffic flow. For example, router CE-2 may capture the source address and/or port of host node 10, the destination address and/or port of server 154, the protocol(s) used by packet 302, the hostname of server 154, and/or other header information by analyzing the header of a packet 302.” using data captured by a node in the network, for example the edge router CE-2 for the local network 160 in Fig. 3, traffic information is captured to generate traffic features such as in Fig. 6.).

Regarding Claim 8, Savalle-Famolari-Chen discloses claim 1 as set forth above.
Savalle further discloses determining a transport layer protocol utilized by the first traffic flow (Savalle: para.0073 “As would be appreciated, the values of any given traffic feature may also change over time. For example, the binary indicator 602 may indicate the use of the NTP protocol by the device over time, and may change between ‘0’ and ‘1’ in different time windows.”.  para.0070 “Extract traffic features from traffic telemetry data 510 for a given time window. For instance, these traffic features could include a list of protocols or TCP/UDP ports used by the traffic of the device, the user agent from the HTTP header of HTTP traffic, DNS query information, etc” the particular protocol used by the flow can be determined, which includes tcp “, that features can include TCP information. it can also be seen in Fig. 6 that protocol_tcp and protocol_udp are present in the y axis), 
wherein the first traffic flow record further comprises the transport layer protocol (Savalle: para.0073 “As would be appreciated, the values of any given traffic feature may also change over time. For example, the binary indicator 602 may indicate the use of the NTP protocol by the device over time, and may change between ‘0’ and ‘1’ in different time windows.”.  para.0070 “Extract traffic features from traffic telemetry data 510 for a given time window. For instance, these traffic features could include a list of protocols or TCP/UDP ports used by the traffic of the device, the user agent from the HTTP header of HTTP traffic, DNS query information, etc” the particular protocol used by the flow can be determined, which includes tcp “, that features can include TCP information. it can also be seen in Fig. 6 that protocol_tcp and protocol_udp are present in the y axis )

Regarding Claim 9, Savalle-Famolari-Chen discloses claim 8 as set forth above.
Savalle further discloses wherein the transport layer protocol is determined from among a transport control protocol and a uniform data protocol (Savalle: para.0073 “As would be appreciated, the values of any given traffic feature may also change over time. For example, the binary indicator 602 may indicate the use of the NTP protocol by the device over time, and may change between ‘0’ and ‘1’ in different time windows.”.  para.0070 “Extract traffic features from traffic telemetry data 510 for a given time window. For instance, these traffic features could include a list of protocols or TCP/UDP ports used by the traffic of the device, the user agent from the HTTP header of HTTP traffic, DNS query information, etc” the particular protocol used by the flow can be determined, which includes tcp “, that features can include TCP information. it can also be seen in Fig. 6 that protocol_tcp and protocol_udp are present in the y axis).

Regarding Claim 11, Savalle-Famolari-Chen discloses claim 1 as set forth above.
Savelle further discloses obtaining labeled traffic flow records for the plurality of traffic categories (Savelle: para.0037 “Generally, supervised learning entails the use of a training set of data, as noted above, that is used to train the model to apply labels to the input data. For example, the training data may include sample telemetry data that is labeled as “iPhone 6,” or “iOS 10.2.””); and 
training the learning classifier with the labeled traffic flow records (Savelle: para.0037 “Generally, supervised learning entails the use of a training set of data, as noted above, that is used to train the model to apply labels to the input data. For example, the training data may include sample telemetry data that is labeled as “iPhone 6,” or “iOS 10.2.”” para.0050 “The service trains, using a training dataset based on the feature vectors, a cascade of machine learning classifiers to label devices in the network with device types.”).
While Savalle discloses neural networks for the learning technique of the device classification in para.0038“neural networks (e.g., reservoir networks, artificial neural networks, etc.)” Savalle does not explicitly disclose the Deep learning classifier.
Chen discloses deep learning classifier (Chen: Fig.3 160 para.0032 “The control flow packets (e.g., in an execution trace) may be converted to a stream of pixels, and a per-application deep-learning behavior model may be trained on segmented sequences of pixels to characterize benign and malicious executions. “ para.0045 “The dynamic ensemble classification process may include an ensemble and hierarchical stage 220 to produce classification results on whether the selected trace data packets indicate an attack.” para.0065 “In at least some embodiments, machine learning module 162 may function as a deep neural network (DNN) such as a convolutional neural network (CNN). Generally, a CNN includes input and output layers, in addition to many hidden layers. The hidden layers can include convolutional layers, pooling layers, and fully connected layers.” packets are converted into pixels in an image, and used to detect attacks in the network.  it can be seen in Fig.3 and para.0046, how the deep learning system, the DNN classifier is trained.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Savalle-Famolari and Chen in order to incorporate a deep learning classifier.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved pattern detection that comes with deep learning (Chen: para.0026-para.0027).

Regarding Claim 12 Savalle-Famolari-Chen discloses claim 1 as set forth above.
However Savalle does not explicitly disclose 12. The method of claim 1, wherein the deep learning classifier comprises: a convolutional neural network.
Chen discloses wherein the deep learning classifier comprises: a convolutional neural network (Chen: Fig. 3 and para.0043 “DNN classifier module 160 is a user space component that receives image frames 155 generated by image conversion module 150. DNN classifier 160 applies convolutional neural network (CNN) on the embedded data for classification.” ).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Savalle and Chen in order to incorporate wherein the deep learning classifier comprises: a convolutional neural network.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved pattern detection that comes with deep learning (Chen: para.0026-para.0027).

Regarding Claim 14, Savalle-Famolari-Chen discloses claim 12 as set forth above.
Savalle further discloses a neural network to process the binary traffic vector (Savalle: para.0038 “Example machine learning techniques that device classification process 248 can employ may include, but are not limited to, nearest neighbor (NN) techniques (e.g., k-NN models, replicator NN models, etc.), statistical techniques (e.g., Bayesian networks, etc.), clustering techniques (e.g., k-means, mean-shift, etc.), neural networks (e.g., reservoir networks, artificial neural networks, etc.),” Savalle: para.0036 “Device classification process 248 may employ any number of machine learning techniques, to classify the gathered telemetry data and apply a device type label to a device associated with the traffic. In general, machine learning is concerned with the design and the development of techniques that receive empirical data as input (e.g., telemetry data regarding traffic in the network) and recognize complex patterns in the input data.”).
However Savalle does not explicitly disclose wherein the convolutional neural network comprises a deep neural network to process the binary traffic vector.
Chen discloses wherein the convolutional neural network comprises a deep neural network (Chen: para.0043 “DNN classifier module 160 is a user space component that receives image frames 155 generated by image conversion module 150. DNN classifier 160 applies convolutional neural network (CNN) on the embedded data for classification. In a training flow, DNN classifier module 160 conducts transfer learning on the time series of images to train the benign/malicious behavior model. The time series of images and benign/malicious labels of the images can be used as input for the CNN. A low-level behavior model that characterizes benign or malicious behaviors on each trace segment (i.e., each image) can be generated. In a detection (or runtime) flow, the DNN classifier module uses the trained behavior model to detect an exploit based on an anomaly in the execution.” the DNN classifier is a deep neural network classifier that uses convolutional neural network techniques.)
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Savalle-Famolari-Chen in order to incorporate wherein the convolutional neural network comprises a deep neural network.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved pattern detection that comes with deep neural network (Chen: para.0026-para.0027).

Regarding Claim 15, Savalle-Famolari-Chen discloses claim 14 as set forth above.
Savalle further discloses further comprising at least one of: determining a transport layer protocol utilized by the first traffic flow (Savalle: para.0073 “As would be appreciated, the values of any given traffic feature may also change over time. For example, the binary indicator 602 may indicate the use of the NTP protocol by the device over time, and may change between ‘0’ and ‘1’ in different time windows.”.  para.0070 “Extract traffic features from traffic telemetry data 510 for a given time window. For instance, these traffic features could include a list of protocols or TCP/UDP ports used by the traffic of the device, the user agent from the HTTP header of HTTP traffic, DNS query information, etc” the particular protocol used by the flow can be determined, which includes tcp “, that features can include TCP information. it can also be seen in Fig. 6 that protocol_tcp and protocol_udp are present in the y axis); or obtaining a throughput of the first traffic flow.

Regarding Claim 19, it lists all of the same elements as claim 1, but in a A non-transitory computer-readable medium storing instructions which, when executed by a processing system including at least one processor, cause the processing system to perform operations, the operations (Savalle: para.0098 para.0031) Therefore the supporting rationale of the rejection to claim 1 applies equally as well to claim 19.

Regarding Claim 20, it lists all of the same elements as claim 1, but in a An apparatus comprising: a processing system including at least one processor; and 322020-0461 PATENT a non-transitory computer-readable medium storing instructions which, when executed by the processing system, cause the processing system to perform operations (Savalle: para.0098 para.0031) Therefore the supporting rationale of the rejection to claim 1 applies equally as well to claim 20.

Regarding Claim 21, it does not teach nor further define over the limitations of claim 2, therefore claim 21 is rejected under the same rationale as claim 2.

Claim 3 is/are rejected under 35 U.S.C. 103 as being unpatentable over Savalle et al (hereinafter Savalle, US 2020/0127892 A1) in view of Famolari et al. (hereinafter Famolari, US 2012/0069749 A1) in view of Chen et al. (hereinafter Chen, US 2019/0042745 A1) further in view of Zhang et al. (hereinafter Zhang, US 2015/0146675 A1).
Regarding Claim 3, Savalle-Famolari-Chen discloses claim 1 as set forth above.
However Savalle-Famolari-Chen does not explicitly disclose at least one of: allocating at least one additional resource of the communication network based upon the traffic category of the first traffic flow that is determined; or removing at least one existing resource of the communication network based upon the traffic category of the first traffic flow that is determined.
Zhang discloses at least one of: allocating at least one additional resource of the communication network based upon the traffic category of the first traffic flow that is determined (Zhang: para.0015 “The QoS class 108 may be determined based on an application or service associated with the traffic 110 (e.g., voice calling, network browsing, etc.), based on different service categories (e.g., a brand associated with a service contract of a user of a mobile device), or based on a data type of the traffic 110. The scheduler may determine the application, data type, or service category associated with traffic 110 with each mobile device, associate QoS classes 108 with the traffic 110 based on those determinations, and utilize the QoS classes in determining which network resources to allocate to which mobile devices.” the data type of traffic 110 is determined, and based on the data type, additional network resources are allocated for that traffic of that device); or 
removing at least one existing resource of the communication network based upon the traffic category of the first traffic flow that is determined
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Savalle-Famolari-Chen and Zhang in order to incorporate at least one of: allocating at least one additional resource of the communication network based upon the traffic category of the first traffic flow that is determined; or removing at least one existing resource of the communication network based upon the traffic category of the first traffic flow that is determined.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improving data transmission systems by dynamically allocated resources based on data types (Zhang: para.0002).

Claim 7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Savalle et al (hereinafter Savalle, US 2020/0127892 A1) in view of Famolari et al. (hereinafter Famolari, US 2012/0069749 A1) in view of Chen et al. (hereinafter Chen, US 2019/0042745 A1) further in view of Ferrell (US 2017/0063695 A1).
Regarding Claim 7, Savalle-Famolari-Chen discloses claim 1 as set forth above.
However Savalle-Famolari-Chen does not explicitly disclose wherein packets processed via the communication network are assigned to the first traffic flow based upon a 5-tuple comprising a source internet protocol address, a destination internet protocol address, a source port, a destination port, and a transport layer protocol.
Ferrell discloses wherein packets processed via the communication network are assigned to the first traffic flow based upon a 5-tuple (Ferrell: para.0033 “Otherwise, at 315, when the bucket is full of packets, a new bucket for incoming packets is started, and at 320, the full bucket is indexed. During the indexing, each packet may be sorted in the bucket by flow ( 5-tuple), and each flow may be sub-indexed by individual components of the 5-tuple, such as the source IP address.” based on the 5 tuple, packets are organized by flow.)
comprising a source internet protocol address, a destination internet protocol address, a source port, a destination port, and a transport layer protocol (Ferrell: para.0025 “Embodiments of the present invention generally pertain to packet capture using a network flow. A network flow may include a set of packets with certain 5-tuples of the source Internet Protocol (IP), destination IP, source port, destination port, and transport protocol.”).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Savalle-Famolari-Chen and Ferrell in order to incorporate wherein packets processed via the communication network are assigned to the first traffic flow based upon a 5-tuple comprising a source internet protocol address, a destination internet protocol address, a source port, a destination port, and a transport layer protocol.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of more accurately sorting packets into flows using more parameters such as 5 tuple information, than simply device type (Ferrell: para.0033, para.0025).

Claim 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Savalle et al (hereinafter Savalle, US 2020/0127892 A1) in view of Famolari et al. (hereinafter Famolari, US 2012/0069749 A1) in view of Chen et al. (hereinafter Chen, US 2019/0042745 A1) further in view of Yadav (US 2018/0359172 A1).
Regarding Claim 10, Savalle-Famolari-Chen discloses claim 1 as set forth above.
Savalle further discloses obtaining a transport layer protocol utilized by the first traffic flow (Savalle: para.0073 “As would be appreciated, the values of any given traffic feature may also change over time. For example, the binary indicator 602 may indicate the use of the NTP protocol by the device over time, and may change between ‘0’ and ‘1’ in different time windows.”.  para.0070 “Extract traffic features from traffic telemetry data 510 for a given time window. For instance, these traffic features could include a list of protocols or TCP/UDP ports used by the traffic of the device, the user agent from the HTTP header of HTTP traffic, DNS query information, etc” the particular protocol used by the flow can be determined, which includes tcp “, that features can include TCP information. it can also be seen in Fig. 6 that protocol_tcp and protocol_udp are present in the y axis), 
wherein the first traffic flow record further comprises at least one of the throughput or the transport layer protocol (Savalle: para.0073 “As would be appreciated, the values of any given traffic feature may also change over time. For example, the binary indicator 602 may indicate the use of the NTP protocol by the device over time, and may change between ‘0’ and ‘1’ in different time windows.”.  para.0070 “Extract traffic features from traffic telemetry data 510 for a given time window. For instance, these traffic features could include a list of protocols or TCP/UDP ports used by the traffic of the device, the user agent from the HTTP header of HTTP traffic, DNS query information, etc” the particular protocol used by the flow can be determined, which includes tcp “, that features can include TCP information. it can also be seen in Fig. 6 that protocol_tcp and protocol_udp are present in the y axis).
However Savalle-Famolari-Chen does not explicitly disclose obtaining a throughput of the first traffic flow.
Yadav discloses obtaining a throughput of the first traffic flow (Yadav: para.0022 “As shown by reference number 112, the flow information may identify SLAs associated with a traffic flow, a flow identifier (e.g., based on a class of the traffic flow, a source and/or destination of the traffic flow, a traffic type of the traffic flow, and/or the like), one or more flow attributes (e.g., a throughput, a type of link required to carry the traffic, a pattern associated with the traffic flow, a flow duration, and/or the like), and/or the like.” throughput of network flows can be determined. para.0071 describes neural network and machine learning for these techniques.)
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Savalle-Famolari-Chen and Yadav in order to incorporate obtaining a throughput of the first traffic flow.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improving traffic flow throughput (Yadav: para.0081).

Claim 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Savalle et al (hereinafter Savalle, US 2020/0127892 A1) in view of Famolari et al. (hereinafter Famolari, US 2012/0069749 A1) in view of Chen et al. (hereinafter Chen, US 2019/0042745 A1) further in view of Kokkonen et al. (hereinafter Kokkonen, “Network Anomaly Detection Based on WaveNet” NPL 2019).
Regarding Claim 13, Savalle-Famolari-Chen discloses claim 12 as set forth above.
However Savalle-Famolari-Chen does not explicitly disclose wherein the convolutional neural network comprises: a wavenet neural network; or an alexnet neural network.
Kokkonen discloses wherein the convolutional neural network comprises: a wavenet neural network; (Kokkonen: pg.5/14 section 2.3 “The network traffic was analyzed with a deep neural network model based on the WaveNet [15] architecture, illustrated in the Fig.2. WaveNet was chosen as a basis for our model for its capability to directly interface with variable length sequential data. This enables us to feed complete and unreduced sequences to the model. We utilized this trait to predict network traffic connections of varying length packet by packet.” here it can be seen that Kokkonen used the Wavenet type of convolutional neural networks to model network traffic data.) or an alexnet neural network.
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Savalle-Famolari-Chen and Kokkonen in order to incorporate wherein the convolutional neural network comprises: a wavenet neural network; or an alexnet neural network.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved network traffic analysis (Kokkonen: pg.5/14 section 2.3).

Claim 16-17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Savalle et al (hereinafter Savalle, US 2020/0127892 A1) in view of Famolari et al. (hereinafter Famolari, US 2012/0069749 A1) in view of Chen et al. (hereinafter Chen, US 2019/0042745 A1) further in view of Nguyen et al. (hereinafter Nguyen, “Deep CNNs for microscopic image classification by exploiting transfer learning and feature concatenation” NPL 2018).
Regarding Claim 16, Savalle-Famolari-Chen discloses claim 15 as set forth above.
Savalle further discloses the one additional input comprising at least one of: the throughput of the first traffic flow; or the transport layer protocol of the first flow (Savalle: para.0073 “As would be appreciated, the values of any given traffic feature may also change over time. For example, the binary indicator 602 may indicate the use of the NTP protocol by the device over time, and may change between ‘0’ and ‘1’ in different time windows.”.  para.0070 “Extract traffic features from traffic telemetry data 510 for a given time window. For instance, these traffic features could include a list of protocols or TCP/UDP ports used by the traffic of the device, the user agent from the HTTP header of HTTP traffic, DNS query information, etc” the particular protocol used by the flow can be determined, which includes tcp “, that features can include TCP information. it can also be seen in Fig. 6 that protocol_tcp and protocol_udp are present in the y axis).
However Savalle-Famolari-Chen does not explicitly disclose wherein the deep learning classifier further comprises a concatenate layer to concatenate an output vector of the deep neural network with at least one additional input.
Nguyen discloses wherein the deep learning classifier further comprises a concatenate layer to concatenate an output vector of the deep neural network with at least one additional input (Nguyen: pg. 1 right column “In [21], the features from various CNN layers are combined to incorporate both low and high-level information. Also, in [22], CNN features from images of multiple resolutions are used. Motivated by the success of exploiting multiple features for classification in [21][22], we propose to concatenate the features from these pretrained networks. The classification part of our network is inspired by [18][23], where the softmax layer is used as the classifier. We modify the classifier by adding one hidden layer for better learning capability.” on pg. 3 Fig.5, it can be seen that a feature concatenation layer is provided prior to the hidden layer, using pretrained data.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Savalle-Famolari-Chen and Nguyen in order to incorporate wherein the deep learning classifier further comprises a concatenate layer to concatenate an output vector of the deep neural network with at least one additional input, and apply this technique to network flow parameters such as transport protocol that is used as a feature to categorize traffic flow in Savalle.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved classification accuracy by incorporating an additional layer to the neural network (Nguyen: pg.1 right column last paragraph.).

Regarding Claim 17, Savalle-Famolari-Chen -Nguyen discloses claim 16 as set forth above.
However Savalle does not explicitly disclose wherein the deep learning classifier further comprises a plurality of fully-connected layers fed by the concatenate layer, and an output layer fed by the plurality of fully-connected layers.
Chen further discloses wherein the deep learning classifier further comprises a plurality of fully-connected layers (Chen: para.0065 “The hidden layers can include convolutional layers, pooling layers, and fully connected layers.” Fig.8 para.0066 “FIG. 8 illustrates a CNN system 800 that includes a convolution layer 802, a pooling layer 804, a fully-connected layer 806, and output predictions 808 in accordance with embodiments of the present disclosure.” fig.8 shows the fully connected layer 806, and it is clear that the hidden layers of the CNN can input a plurality of fully connected layers.), and 
an output layer fed by the plurality of fully-connected layers (Chen: Fig.8 808, it can be seen that output predictions layer 808 is fed by the fully connected layer 806, but as can be seen in para.0065, the CNNs can comprise of a plurality of fully connected layers.)
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Savalle-Chen in order to incorporate wherein the deep learning classifier further comprises a plurality of fully-connected layers, and an output layer fed by the plurality of fully-connected layers.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved pattern detection that comes with deep neural network (Chen: para.0026-para.0027).
However Savalle-Famolari-Chen does not explicitly disclose wherein the deep learning classifier further comprises a plurality of fully-connected layers fed by the concatenate layer.
Nguyen discloses wherein the deep learning classifier further comprises a plurality of fully-connected layers fed by the concatenate layer (Nguyen: pg1 last paragraph to pg 2 first paragraph: “The contributions in this research are summarized as follows: i) The use of transfer learning on small microscopic datasets; ii) The concatenation of features extracted from different networks to improve classification accuracy; iii) The proposal of the last two fully-connected layers to adopt the generic features extracted from the pretrained CNNs to biomedical data.” the feature concatenation layer is fed to two fully connected layers, this is further seen in the figures on pg.3, such as fig.5 and 4, which shows that concatenation layers are prior to the fully connected layers.)
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Savalle-Famolari-Chen and Nguyen in order to incorporate wherein the deep learning classifier further comprises a plurality of fully-connected layers fed by the concatenate layer.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved classification accuracy by incorporating an additional layer to the neural network (Nguyen: pg.1 right column last paragraph.).

Claim 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Savalle et al (hereinafter Savalle, US 2020/0127892 A1) in view of Famolari et al. (hereinafter Famolari, US 2012/0069749 A1)in view of Chen et al. (hereinafter Chen, US 2019/0042745 A1) further in view of Nguyen et al. (hereinafter Nguyen, “Deep CNNs for microscopic image classification by exploiting transfer learning and feature concatenation” NPL 2018) further in view of Kerkes (US 2020/0177966 A1).

Regarding Claim 18, Savalle-Famolari-Chen -Nguyen discloses claim 17 as set forth above.
While Savalle discloses using confidence values to determines classification, Savalle does not explicitly disclose wherein the output layer provides a plurality of output scores, each of the plurality of output scores associated with one of the plurality of traffic categories, wherein the traffic category of the first traffic flow is determined from a highest output score from among the plurality of output scores.
Kerkes discloses wherein the output layer provides a plurality of output scores, each of the plurality of output scores associated with one of the plurality of traffic categories (Kerkes: para.0095 “FIG. 10 is a block diagram of an example processor platform 1000 structured to execute the instructions of FIGS. 7, 8, and 9 to implement the apparatus of FIG. 3. The processor platform 1000 can be, for example, a server, a personal computer, a workstation, a self-learning machine (e.g., a neural network)” neural network can be the platform that performs steps of fig. 9, para.0089 “At block 906, the example network traffic analyzer 318 compares the network traffic data to the data profiles. At block 908 the example network traffic analyzer 318 generates a score for each traffic profile that corresponds to the similarity between the network traffic data and the traffic profile. At block 910 the example network traffic analyzer 318 ranks the scores.” a score is generated for each of the traffic profiles that are similar to the network traffic data.), 
wherein the traffic category of the first traffic flow is determined from a highest output score from among the plurality of output scores (Kerkes: para.0064 “The example network traffic data analyzer 318 ranks the scores from highest to lowest. In other examples, the network traffic analyzer 318 ranks the scores according to other parameters. If the highest score meets a threshold level of similarity, the network traffic data is categorized as relating to the traffic profile that corresponds to the highest score” para.0090-para.0091 “At block 912, the example network traffic analyzer 318 determines if the highest ranked score meets a threshold value for similarity. …, if the highest ranked score has met the threshold value of similarity before, the example network traffic analyzer 318 transmits, at block 922, the network traffic data to the traffic profiler 308 for further analysis. The network traffic analyzer 318 proceeds to block 916.” the highest score is selected from amongst the output scores.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Savalle-Famolari-Chen -Nguyen with Kerkes in order to incorporate wherein the output layer provides a plurality of output scores, each of the plurality of output scores associated with one of the plurality of traffic categories, wherein the traffic category of the first traffic flow is determined from a highest output score from among the plurality of output scores.
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved accuracy by selecting the highest score output of possibly network traffic matches (Kerkes: para.0090-para.0091).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Peinador et al. US 2020/0076840 A1 see para.0124 and 0141 fig.3, shows network packet feature vectors fed into a neural network encoder for evaluation.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EUI H KIM whose telephone number is (571)272-8133. The examiner can normally be reached 7:30-5 M-R, M-F alternating.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamal B Divecha can be reached on 5712725863. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/EUI H KIM/             Examiner, Art Unit 2453                                                                                                                                                                                           

/KAMAL B DIVECHA/             Supervisory Patent Examiner, Art Unit 2453