DETAILED ACTION
Response to Amendment
This action is in response to amendment filed October 04, 2022 for the application # 16/498,009 filed on September 26, 2019. By preliminary amendment Claims 1-8 are pending and are directed toward INITIALIZATION VECTOR IDENTIFICATION FOR ENCRYPTED MALWARE TRAFFIC DETECTION.
Any claim objection/rejection not repeated below is withdrawn due to Applicant's amendment.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Response to Arguments
Applicant’s arguments with regards to claims 1-8 have been fully considered, but they are not persuasive.
“reflected in claim 1” argument – Applicant argues that regarding enablement under 35 U.S.C. § 112(a), Applicant respectfully submits that the "connection setup portion" identified by the Office Action is reflected in claim 1 as previously presented. (Office Action, p. 2.) The application as filed teaches the "exact nature and extent of an application protocol connection setup will vary for different application protocols and the identification of a part of an application network communication constituting a connection setup will be apparent to those skilled in the art. The connection setup will substantially correspond to a portion of a communication that is consistently required for the setup of communications using the application protocol." (Application as filed, para. [0064].) In the next paragraph, the application as filed identifies that the offset and contents of the connection setup portion of a communication can depend on the protocol for the transmission of multimedia data and provides one an example of the H.323 protocol for reference (REMARKS, page 7).
Response: As a preliminary matter, there is no para. [0064] in the Specification. Further, Applicant admitted that the exact nature and extent of an application protocol connection setup will vary for different application protocols and the identification of a part of an application network communication constituting a connection setup will be apparent to those skilled in the art. Examiner is not convinced that this would be apparent because different application protocols could be used for different purposes, or should not be used in specific situations. Applicant put the burden on those skilled in the art to provide additional experimentation to decide which protocol is appropriate. Finally, Examiner considers that “reflected in claim 1” has a different meaning than “explicitly claimed”.
“plainly identifies” argument – Applicant argues that the application as filed plainly identifies the current claim language correlates to the term connection setup portion: "a portion of network traffic for encrypted malicious network traffic is defined as a connection setup portion and includes a plurality of contiguous bytes occurring at a predefined offset in a network communication of malware generating such traffic." (Emphasis added; application as filed, para. [0152].) Thus, applicant respectfully submits that one of ordinary skill in the art when considering the claims in light of the specification would appreciate that the "connection setup portion" is reflected in claim 1 as previously presented (REMARKS, page 7).
Response: As a preliminary matter, there is no para. [0152] in the Specification. Further, the meaning of “defined” as used by Applicant is the same as “identified”, not as providing a definition. See “Figure 23 is a flowchart of a method for identifying malicious encrypted network traffic associated with a malware software component according to an embodiment of the present disclosure. Initially, at 2302, a portion of network traffic for encrypted malicious network traffic is defined as a connection setup portion and includes a plurality of contiguous bytes occurring at a predefined offset in a network communication of malware generating such traffic.” (Specification, page 68, lines 9-13). Thus, based on the disclosure, a connection setup portion has to be found during the initial step of the method. The disclosure provided by Applicant is considered by Examiner to be of a circular nature. Compare “The traffic portion definitions 526 are predefined and can be based on definitions of application protocols or observation of application protocols in use.” (Specification, page 27, lines 3-5) with a portion of network traffic for encrypted malicious network traffic is defined as a connection setup portion and includes a plurality of contiguous bytes occurring at a predefined offset in a network communication of malware generating such traffic. At least, it is not clear what happens first: a predefined offset, or identifying a connection setup portion.
“predefined offset” argument – Applicant argues that due to the connection setup portion's reliance on the transmission protocol (which vary structure and organization of network traffic), the predefined offset will vary but is ultimately selected based on the transmission protocol. (See e.g., application as filed, para. [0064].) "The application protocol setup may constitute part or all of the exploitation process of the malware 948 in exploiting a vulnerability at a target system 932a, and accordingly the nature of such connection setup may be atypical. Consequently, the starting point, ending point and extent of the application protocol connection setup 1004 may not be precisely known." (Application as filed, para. [0096].) This can additionally be seen in Fig. 10 where some start points 1010 begin prior to the estimated size of the application protocol connection setup part 1004. When presented with the teachings of the application as filed, one of ordinary skill in the art would appreciate the claimed "predefined offset" should be selected to best capture the estimated connection setup portion based on the applied transmission protocol. (REMARKS, pages 7-8).
Response: As a preliminary matter, there is no para. [0064] and/or [0096] in the Specification. Further, Applicant admitted that the predefined offset will vary but is ultimately selected based on the transmission protocol. This is exactly the source of Examiner’s concern. How can one define an offset for an unknown protocol, which could be identified if the offset is known? And finally, Examiner is requesting Applicant to explain what should be considered the best in “selected to best capture the estimated connection setup portion based on the applied transmission protocol”.
Conclusion: Examiner maintains rejections.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-8 are rejected under 35 U.S.C. 112(a) or pre-AIA 35 U.S.C. 112, first paragraph, as based on a disclosure which is not enabling. The disclosure does not enable one of ordinary skill in the art to practice the invention without limitation “connection setup portion”, which is/are critical or essential to the practice of the invention but not included in the claim(s). See In re Mayhew, 527 F.2d 1229, 188 USPQ 356 (CCPA 1976). See Specification page 67, lines 9-13, and FIGURE 18.
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-8 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being incomplete for omitting essential elements, such omission amounting to a gap between the elements. See MPEP § 2172.01. The omitted elements are: connection setup portion. If currently claimed “a predefined offset in a network communication” is located beyond a connection setup portion of network traffic then the claimed method fails.

Allowable Subject Matter
Claims 1-8 are indicated as allowable over prior art.
The following is a statement of reasons for the indication of allowable subject matter:  
US Patent Publication 2006/0117386 by Gupta et al. teaches a method of detecting intrusions on a computer that includes the step of identifying an internet protocol field range describing fields within internet protocol packets received by a computer.
US Patent Publication 2011/0302656 by El-Moussa teaches a malicious behaviour detector for detecting malicious behaviour on a network.
US Patent Publication 2015/0058992 by El-Moussa teaches detecting and identifying malicious code injected into other legitimate web pages.
US Patent Publication 2015/0128263 by Raugas et al. teaches that machine learning models may be applied to the feature vectors producing a score. The score may indicate the presence of malware or the presence of a particular type of malware.
NPL "Application Identification from Encrypted Traffic based on Characteristic Changes by Encryption, IEEE 2011, 6 pages", by Okada et al. discloses identifying traffic using statistical information regarding the traffic. The traffic features are determined by collecting traffic statistics derived from analyzing monitored packets. The use of machine learning (ML) with this approach initially resulted in high identification accuracy for major applications.
NPL "A Survey on Encrypted Traffic Classification, ATIS 2014, CCIS 490, pp. 73–81, 2014", by Cao et al. discloses the basic information of encrypted traffic classification, emphasizing the influences of encryption on current classification methodology. It then summarizes the challenges and recent advances in encrypted traffic classification research.
None of the cited references teaches limitation “a set of hidden units smaller in number than the set of input units and each interconnecting all input units and all output units with weighted interconnections, such that the autoencoder is trainable to provide an approximated reconstruction of values of the input units at the output units” as currently claimed in combination with other limitations.
As allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with.  See 37 CFR 1.111(b) and MPEP § 707.07(a).
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLEG KORSAK whose telephone number is (571)270-1938.  The examiner can normally be reached on 5:00 AM- 4:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SALEH NAJJAR can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/OLEG KORSAK/Primary Examiner, Art Unit 2492