DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This written action responds to the communication dated 09/09/2022.
Claims 1-20 are previously presented.
Claims 1-20 are pending.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Priority
This application filed on January 06, 2021 claims priority of continuing application 15/364,933 filed on November 30, 2016.
Response to Arguments
Applicant’s amendment, filed on September 09, 2022 has claims 1-20 previously presented.
The prior double patenting rejection over claims 1-15 of US PAT. # 10,94,275 has been withdrawn in view of the filed terminal disclaimer.
Applicant’s remark, filed on September 09, 2022 on bottom of page 7 and top of page 8 regarding, “Vu and Hill, either alone or in combination, fail to disclose and would not have rendered obvious: "A method comprising: receiving, at a device in a network, traffic data regarding a plurality of observed traffic flows; determining, by the device, one or more environment parameters associated with a targeted deployment environment in which a machine learning-based traffic classifier is to be deployed, wherein the targeted deployment environment is different than the network in which the traffic data was received; modifying, by the device, one or more samples of the plurality of observed traffic flows from the traffic data in accordance with the one or more environment parameters associated with the targeted deployment environment; creating, by the device, synthetic traffic data that resembles actual traffic data expected in the targeted deployment environment based on the one or more modified samples, wherein the synthetic traffic data is not actually observed in the network; and training, by the device, the machine learning-based traffic classifier using the synthetic traffic data for deployment in the targeted deployment environment," as recited in claim 1, and similarly recited in claims 10 and 19”, has been considered. Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references. Furthermore, it is noted that merely quoting claim language verbatim and summarily indicating the art of record teaches away from the claim language is not considered a separate argument of patentability as it does not refer to the art of record to establish such alleged distinctions.
Applicant’s remark, filed on September 09, 2022 on middle of page 9 regarding, “In other words, the machine learning model of Vu is deployed to a targeted deployment environment that is the same as-not different than, as presently claimed-the network in which the traffic data ("behavior traces of the malware object") was received” has been considered but is not found persuasive. Vu teaches, “detecting an infection by malware on a number of endpoint systems with different operating systems and software versions may include, for example, detecting the same application specific data dropped in different directories between Windows XP and Windows 7, e.g. "C:\Documents and Settings\Administrator\Application Data\hidn\hidn2.exe" versus "C:\Users\<current_user>\AppData\Roaming\hidn\hidn2.exe", respectively. By identifying and providing the correct mapping of the application data paths, the same artifact discovered by the IVP system in the behavior analysis is used to detect infection on multiple endpoint systems with different operating systems and software versions”. (¶15). Vu further discloses, “Systems and methods embodied in the network environment 100 may implement one or more of including, but not limited to, behavior detonation; apply machine-learning based classification models to identify a malware object; apply one or more algorithms to behavior traces of the malware object to select one or more persistent artifacts from the infection of this malware on the target system; transform the one or more persistent artifacts into a form that can be used to verify and detect infection by this malware of a number of endpoint systems with different operating systems and software versions”. (¶57). A data collector, which may include a tap or span port (e.g., span port IDS collector at switch 120) for example, is configured to intercept network data from a network. The data collector may be configured to identify suspicious data.
Suspicious data is any data collected by the data collector that has been flagged as suspicious by the data collector and/or any data that is to be processed within the virtualization environment. (¶59). The data collectors may be implemented in any web or web proxy server and is not limited to only the servers that implement ICAP and/or WCCP. Similarly, collectors may be implemented in any mail server and is not limited to mail servers that implement milter. Data collectors may be implemented at any point in one or more networks. (¶65). Thus, contrary to applicant’s belief, Vu teaches that traffic data is collected from various points/systems/devices of a network and the collected traffic is analyzed for the targeted environment having different operating systems and software versions, which indicates that the target environment is different than the environment where the traffic was observed. Thus Vu clearly teaches the limitation(s), (1) "receiving, at a device in a network, traffic data regarding a plurality of observed traffic flows," and (2) "determining, by the device, one or more environment parameters associated with a targeted deployment environment in which a machine learning-based traffic classifier is to be deployed, wherein the targeted deployment environment is different than the network in which the traffic data was received".
Applicant’s remark, filed on September 09, 2022 on bottom of page 9 regarding, “Vu and Hill fail to disclose and would not have rendered obvious: "receiving, at a device in a network, traffic data regarding a plurality of observed traffic flows," and "determining, by the device, one or more environment parameters associated with a targeted deployment environment in which a machine learning-based traffic classifier is to be deployed, wherein the targeted deployment environment is different than the network in which the traffic data was received," as recited in claim 1, and similarly recited in claims 10 and 19” has been considered and is addressed in paragraph 10 above.
Applicant further recites similar remarks as listed above for dependent claims 3 and 12. Please see the response to remarks in paragraph 10 above, which clearly shows how the cited prior art references Vu, Hill and Sen clearly teach the claimed limitations.

Applicant further recites similar remarks as listed above for dependent claims 7 and 16. Please see the response to remarks in paragraph 10 above, which clearly shows how the cited prior art references Vu, Hill and Gupta clearly teach the claimed limitations.

Applicant further recites similar remarks as listed above for dependent claims 8 and 17. Please see the response to remarks in paragraph 10 above, which clearly shows how the cited prior art references Vu, Hill and Langton clearly teach the claimed limitations.

Applicant further recites similar remarks as listed above for dependent claims 9 and 18. Please see the response to remarks in paragraph 10 above, which clearly shows how the cited prior art references Vu, Hill and Drabeck clearly teach the claimed limitations.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-6, 10-11, 13-15  and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Vu et al. (US PGPUB. # US 2015/0244730, hereinafter “Vu”), and further in view of Hill et al. (US PAT. # US 6,088,804, hereinafter “Hill”).

Referring to Claims 1, 10 and 19:
Regarding Claim 1, Vu teaches,
A method comprising: 
receiving, at a device in a network (Fig. 1(108)), traffic data regarding a plurality of observed traffic flows (¶58-¶59, “the security server 108 receives suspicious data from one or more data collectors”, i.e. various sensors observe and collect data from the network to provide to the security server); 
determining, by the device, one or more environment parameters associated with a targeted deployment environment in which a machine learning-based traffic classifier is to be deployed, wherein the targeted deployment environment is different than the network in which the traffic data was received; (¶15, “the same artifact discovered by the IVP system in the behavior analysis is used to detect infection on multiple endpoint systems with different operating systems and software versions”, ¶30, ¶34, ¶36, ¶57, “apply machine-learning based classification models to identify a malware object; apply one or more algorithms to behavior traces of the malware object to select one or more persistent artifacts from the infection of this malware on the target system; transform the one or more persistent artifacts into a form that can be used to verify and detect infection by this malware of a number of endpoint systems with different operating systems and software versions”, ¶59, “A data collector, which may include a tap or span port (e.g., span port IDS collector at switch 120) for example, is configured to intercept network data from a network”, ¶61, “one or more agents or other modules may monitor network traffic for common behaviors and may configure a data collector to collect data when data is directed in a manner that falls outside normal parameters”, ¶62, ¶65, “Data collectors may be implemented at any point in one or more networks”, i.e. Examiner submits that paragraphs 30, 34 and 36 describe parameter collection associated with a target deployment environment. That the targeted environment has different operating systems and versions of client devices indicates that the target deployment environment is different than the network traffic received (from mail servers, web servers, proxy servers)) 
modifying, by the device, one or more samples of the plurality of observed traffic flows from the traffic data in accordance with the one or more environment parameters associated with the targeted deployment environment; (Fig. 2(408), ¶67, “In addition, the method transforms the one or more persistent artifacts into a form that can be used to verify and detect infection by this malware of a number of endpoint systems with different operating systems and software versions (408)”, i.e. Examiner submits that observed traffic flow is transformed (modified) to match the traffic flow according to number of endpoints with different operating system and software versions (targeted systems having different environment)).
Vu does not teach explicitly, 
creating, by the device, synthetic traffic data that resembles actual traffic data expected in the targeted deployment environment based on the one or more modified samples, wherein the synthetic traffic data is not actually observed in the network; and
training, by the device, the machine learning-based traffic classifier using the synthetic traffic data for deployment in the targeted deployment environment.
However, Hill teaches,
creating, by the device, synthetic traffic data that resembles actual traffic data expected in the targeted deployment environment based on the one or more modified samples, wherein the synthetic traffic data is not actually observed in the network; (CL(2), LN(63-67), CL(3), LN(1-15)), CL(5), LN(39-45), Fig. 2(62), CL(6), LN(23-32),  i.e. simulated (synthetic) traffic is created where the simulated traffic is not actually observed in the network) and
training, by the device, the machine learning-based traffic classifier using the synthetic traffic data for deployment in the targeted deployment environment. (CL(2), LN(18-36), Fig. 2(44), CL(5), LN(46-64), i.e. attack signatures (classifier) are generated based on simulated (synthetic) traffic data). 
Vu and Hill are considered to be analogous art as they both pertain to provide network security by detecting malicious data. Therefore it would have been obvious to one of ordinary skill in the art, before the invention was filed, to modify the network security attack detection system of Vu to include generating simulated traffic data and train a machine learning-based traffic classifier system of Hill. 
	The motivation/suggestion for doing so would be to provide a system that has the ability to evolve with evolving threats to effectively.  (Hill – CL(2), LN(57-60)).

Regarding Claim 10, it is an apparatus claim of above method Claim 1 and therefore Claim 10 is rejected with the same rationale as applied against Claim 1 above. 
In addition Vu teaches, network interface (Fig. 4(806), ¶75, “one or more communication interface 806”), a processor (Fig. 4(804)), ¶75, “includes one or more processing units (CPUs) 804”) and a memory (Fig. 4(808), ¶75, “The memory 808”).

Regarding Claim 19, it is a non-transitory computer-readable medium claim of above method Claim 1 and therefore Claim 10 is rejected with the same rationale as applied against Claim 1 above.

Referring to Claims 2, 11 and 20:
Regarding Claim 2, rejection of Claim 1 is included and for the same motivation, Vu does not teach explicitly,
The method as in claim 1, wherein the machine learning-based traffic classifier is configured to classify a particular traffic flow as benign or malware-related.
However, Hill teaches,
The method as in claim 1, wherein the machine learning-based traffic classifier is configured to classify a particular traffic flow as benign or malware-related. (CL(5), LN(46-64), i.e. traffic is classified as malware).

Regarding Claim 11, rejection of Claim 10 is included and Claim 11 is rejected with same rationale as applied against Claim 2 above.

Regarding Claim 20, rejection of Claim 19 is included and Claim 20 is rejected with same rationale as applied against Claim 2 above.

Referring to Claims 4 and 13:
Regarding Claim 4, rejection of Claim 1 is included and for the same motivation Vu teaches,
The method as in claim 1, further comprising: [after training the machine learning-based traffic classifier using the synthetic traffic data], deploying, by the device, the machine learning-based traffic classifier to the targeted deployment environment (Fig. 2(410), ¶67, “The method also incorporates into a program one or more algorithms, which when run on any endpoint system along with the transformed artifacts (IVP input), will produce a "confirmed" or "unconfirmed" output (410)”, i.e. trained classifier is deployed on the target deployment environment).
Vu does not teach explicitly
The method as in claim 1, further comprising: after training the machine learning-based traffic classifier using the synthetic traffic data, [deploying, by the device, the machine learning-based traffic classifier to the targeted deployment environment].
However, Hill teaches,
The method as in claim 1, further comprising: after training the machine learning-based traffic classifier using the synthetic traffic data, (CL(2), LN(18-36), Fig. 2(44), CL(5), LN(46-64), i.e. attack signatures (classifier) are generated based on simulated (synthetic) traffic data) [deploying, by the device, the machine learning-based traffic classifier to the targeted deployment environment].

Regarding Claim 13, rejection of Claim 10 is included and Claim 13 is rejected with same rationale as applied against Claim 4 above.

Referring to Claims 5 and 14:
Regarding Claim 5, rejection of Claim 1 is included and for the same motivation, Vu does not teach explicitly,
The method as in claim 1, wherein the machine learning-based traffic classifier is further trained using one or more characteristics of the plurality of observed traffic flows.
However, Hill teaches,
The method as in claim 1, wherein the machine learning-based traffic classifier is further trained using one or more characteristics of the plurality of observed traffic flows. (CL(2), LN(63-67), CL(3), LN(1-16), i.e. traffic classifier is further trained).
Regarding Claim 14, rejection of Claim 10 is included and Claim 14 is rejected with same rationale as applied against Claim 5 above.

Referring to Claims 6 and 15:
Regarding Claim 6, rejection of Claim 1 is included and for the same motivation Vu teaches,
The method as in claim 1, further comprising: determining, by the device, a configuration of at least one device used in the targeted deployment environment based on the one or more environment parameters associated with the targeted deployment environment; (¶15, “detecting the same application specific data dropped in different directories between Windows XP and Windows 7, e.g. "C:\Documents and Settings\Administrator\Application Data\hidn\hidn2.exe" versus "C:\Users\<current_user>\AppData\Roaming\hidn\hidn2.exe", respectively”, i.e. configuration of at least one device in the targeted deployment is determined) and 
modifying, by the device, the one or more samples of the plurality of observed traffic flows from the traffic data in accordance with the configuration of the at least one device used in the targeted deployment environment. (Fig. 2(408), ¶67, “In addition, the method transforms the one or more persistent artifacts into a form that can be used to verify and detect infection by this malware of a number of endpoint systems with different operating systems and software versions (408)”, i.e. Examiner submits that observed traffic flow is transformed (modified) to match (according with the configuration) the traffic flow according to number of endpoints with different operating system and software versions (targeted systems having different environment).

Regarding Claim 15, rejection of Claim 10 is included and Claim 15 is rejected with same rationale as applied against Claim 6 above.


Claims 3 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Vu et al. (US PGPUB. # US 2015/0244730, hereinafter “Vu”), and further in view of Hill et al. (US PAT. # US 6,088,804, hereinafter “Hill”), and further in view of Sen et al. (US PGPUB. # US 2011/0040706, hereinafter “Sen”).

Referring to Claims 3 and 12:
Regarding Claim 5, rejection of Claim 1 is included and combination of Vu and Hill does not teach explicitly,
The method as in claim 1, wherein the machine learning-based traffic classifier is configured to determine an application associated with a particular traffic flow.
However, Sen teaches,
The method as in claim 1, wherein the machine learning-based traffic classifier is configured to determine an application associated with a particular traffic flow. (¶25, “The traffic classifier 100 is coupled with a flow record collector 112 and a network 102. The network 102 carries traffic flows that are generated by applications (not shown). The traffic classifier 100 is configured to classify traffic flows in the network 100 as belonging to one of a plurality of classes. Each class represents a type of application that may generate traffic”, ¶47, Table 2).
Vu, Hill and Sen are considered to be analogous art as they all pertain to provide network security by detecting malicious data. Therefore it would have been obvious to one of ordinary skill in the art, before the invention was filed, to modify the network security attack detection system of Vu to include generating simulated traffic data and train a machine learning-based traffic classifier system of Hill and determine an application associated with a traffic system of Sen.
	The motivation/suggestion for doing so would be to provide anomaly detection and particularly determining an application that is targeted for the attack.

Regarding Claim 12, rejection of Claim 10 is included and Claim 12 is rejected with same rationale as applied against Claim 3 above.

Claims 7 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Vu et al. (US PGPUB. # US 2015/0244730, hereinafter “Vu”), and further in view of Hill et al. (US PAT. # US 6,088,804, hereinafter “Hill”), and further in view of Gupta et al. (US PGPUB. # 2003/009699, hereinafter “Gupta”).

Referring to Claims 7 and 16:
Regarding Claim 7, rejection of Claim 1 is included and combination of Vu and Hill does not teach explicitly,
The method as in claim 1, wherein at least one of the one or more modified samples corresponds to at least one of: an advertised security extension, a proxy-related header field, packet length information, inter-packet timing information, or a Hypertext Transfer Protocol (HTTP) header field.
However, Gupta teaches,
The method as in claim 1, wherein at least one of the one or more modified samples corresponds to at least one of: an advertised security extension, a proxy-related header field, packet length information (¶61), inter-packet timing information, or a Hypertext Transfer Protocol (HTTP) header field. (¶110, “the state machine of FIG. 10 can detect attack signatures in any request method, detecting situations where a signature may be obscured by quoting and requesting further processing in that case. The same state machine can calculate the length of the entire request URI and compare it to a threshold. It can also calculate the length of each URI query parameter name and value and compare it to a threshold. The state machine can detect attack signatures in any HTTP header field. It can also calculate the length of each HTTP header field and compare it to a threshold”, i.e. modified the http header field). (Examiner submits that claim requires at least one of).
Vu, Hill and Gupta are considered to be analogous art as they all pertain to provide network security by detecting malicious data. Therefore it would have been obvious to one of ordinary skill in the art, before the invention was filed, to modify the network security attack detection system of Vu to include generating simulated traffic data and train a machine learning-based traffic classifier system of Hill and include modifying hypertext transfer protocol header system of Gupta.
	The motivation/suggestion for doing so would be to provide a system having high performance, including the capacity to efficiently detect and protect against known and unknown computer attacks.  (Gupta - ¶8).

Regarding Claim 16, rejection of Claim 10 is included and Claim 16 is rejected with same rationale as applied against Claim 7 above.

Claims 8 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Vu et al. (US PGPUB. # US 2015/0244730, hereinafter “Vu”), and further in view of Hill et al. (US PAT. # US 6,088,804, hereinafter “Hill”), and further in view of Langton et al. (US PGPUB. # US 2016/0292420, hereinafter “Langton”).

Referring to Claims 8 and 17:
Regarding Claim 8, rejection of Claim 1 is included and combination of Vu and Hill does not teach explicitly,
The method as in claim 1, wherein the plurality of observed traffic flows were generated in a sandbox testing environment.
However, Langton teaches,
The method as in claim 1, wherein the plurality of observed traffic flows were generated in a sandbox testing environment. (Fig. 1, ¶13, “the security device may analyze the file to determine file information for configuring a sandbox environment for a malware analysis”, Fig. 4(430), ¶48, i.e. observed traffic flows is generated in a sandbox testing environment).
Vu, Hill and Langton are considered to be analogous art as they all pertain to provide network security by detecting malicious data. Therefore it would have been obvious to one of ordinary skill in the art, before the invention was filed, to modify the network security attack detection system of Vu to include generating simulated traffic data and train a machine learning-based traffic classifier system of Hill and include modifying sandbox environment (observed traffic flow) to match the cipher suite used in an endpoint device system of Langton.
	The motivation/suggestion for doing so would be to configure a custom sandbox environment to increase the effectiveness of malware detection based on a file being analyzed, based on a client device that requested the file, or the like to improve information security (Langton - ¶68).

Regarding Claim 17, rejection of Claim 10 is included and Claim 17 is rejected with same rationale as applied against Claim 8 above.

Claims 9 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Vu et al. (US PGPUB. # US 2015/0244730, hereinafter “Vu”), and further in view of Hill et al. (US PAT. # US 6,088,804, hereinafter “Hill”), and further in view of Drabeck et al. (US PGPUB. # US 2018/0007578, hereinafter “Drabeck”).

Referring to Claims 9 and 18:
Regarding Claim 9, rejection of Claim 1 is included and combination of Vu and Hill does not teach explicitly,
The method as in claim 1, wherein the received traffic data is labeled according to a desired set of output labels for the machine learning-based traffic classifier, and wherein the creating of the synthetic traffic data comprises: 
labeling, by the device, the synthetic traffic data using the desired set of output labels.
However, Drabeck teaches,
The method as in claim 1, wherein the received traffic data is labeled according to a desired set of output labels for the machine learning-based traffic classifier, (Fig. 3(320, 330), ¶45, “at step 320, feature vectors are computed for each user/host/time window combination (as noted above, the flow data records are aggregated by the user, host and time window to which they belong to), and then labels are determined and assigned”, i.e. received traffic data is labeled according to a desired set of output labels (anomalous or non-anomalous)) and wherein the creating of the synthetic traffic data comprises: 
labeling, by the device, the synthetic traffic data using the desired set of output labels. (Fig. 3(330,340), ¶45).
Vu, Hill and Drabeck are considered to be analogous art as they all pertain to provide network security by detecting malicious data. Therefore it would have been obvious to one of ordinary skill in the art, before the invention was filed, to modify the network security attack detection system of Vu to include generating simulated traffic data and train a machine learning-based traffic classifier system of Hill and labeling input data for classification according to desired output system of Drabeck.  
	The motivation/suggestion for doing so would be for an improved technique for providing anomaly detection in M2M network traffic environment that will address the inherent challenges associated with M2M systems, M2M devices, M2M traffic and anomaly characteristics and classification. (Drabeck - ¶7).

Regarding Claim 18, rejection of Claim 10 is included and Claim 18 is rejected with same rationale as applied against Claim 9 above.


Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  Refer to PTO-892, Notice of References Cited for a listing of analogous art.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
MAHKONEN et al. (US PGPUB. # US 2017/0364794) discloses, a method is implemented by a network device to classify encrypted data traffic. The method identifies characteristics of the encrypted data traffic that have been modeled where network anomalies have been injected into the encrypted data traffic to provide additional traffic characteristics that enable categorization. The method receives the encrypted data traffic, applies an encrypted traffic categorization model to the received encrypted data traffic to determine a first categorization identification, injects an anomaly into the encrypted data traffic where the first categorization identification is not within a precision threshold, applies the encrypted traffic categorization model to monitored encrypted traffic after injection of the anomaly to determine a second categorization identification, and applies the second categorization identification where the second categorization identification is within the precision threshold.
Faigon et al. (US PGPUB. # US 2017/0353477) discloses, a machine learning based anomaly detection. In particular, it relates to constructing activity models on per-tenant and per-user basis using an online streaming machine learner that transforms an unsupervised learning problem into a supervised learning problem by fixing a target label and learning a regressor without a constant or intercept. Further, it relates to detecting anomalies in near real-time streams of security-related events of one or more tenants by transforming the events in categorized features and requiring a loss function analyzer to correlate, essentially through an origin, the categorized features with a target feature artificially labeled as a constant. It further includes determining an anomaly score for a production event based on calculated likelihood coefficients of categorized feature-value pairs and a prevalencist probability value of the production event comprising the coded features-value pairs.
Wallace et al. (US PGPUB. # US 2017/0237773) discloses, a first node of a networked computing environment initiates each of a plurality of different types of man-in-the middle (MITM) detection tests to determine whether communications between first and second nodes of a computing network are likely to have been subject to an interception or an attempted interception by a third node. Thereafter, it is determined, by the first node, that at least one of the tests indicate that the communications are likely to have been intercepted by a third node. Data is then provided, by the first node, data that characterizes the determination. In some cases, one or more of the MITM detection tests utilizes a machine learning model. Related apparatus, systems, techniques and articles are also described.
Ahmed et al. (US PGPUB. # US 2017/0230407) discloses, a first collection including a first feature vector and a Q&A feature vector is constructed. A second collection is constructed from the first collection by inserting noise in at least one of the vectors. A third collection is constructed by crossing over at least one of vectors of the second collection with a corresponding vector of a fourth collection. The second and the fourth collections have a property similar to one another. Using a forecasting configuration, a vector of the third collection is aged to generate a changed feature vector, the changed feature vector containing feature values expected at a future time. The changed feature vector is input into a trained neural network to predict a probability of the cyber-attack occurring at the future time.
Ashar Aziz (US PAT. # US 9,591,020) discloses, a method comprises receiving a first portion of network traffic by a virtual machine that is configured to simulate operations of a destination device. Thereafter, one or more anomalous behaviors are observed as the virtual machine processing the first portion of the network traffic. The one or more anomalous behaviors include an unexpected behavior of the virtual machine while the first portion of the network traffic is being processed. As a result, a signature that is associated with the one or more anomalous behaviors is generated for detection of a presence of malicious code within the network traffic.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DARSHAN I DHRUV whose telephone number is (571)272-4316. The examiner can normally be reached M-F 9:00 AM-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/DARSHAN I DHRUV/          Primary Examiner, Art Unit 2498