DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
The Amendment filed on September 07, 2022 has been entered. Claims 1-5, 9-17, 19, and 20 were amended. As a result, claims 1-20 are pending, of which claims 1, 12 and 17 are in independent form.
Applicant’s amendment regarding claim 17 obviates the claim rejection, therefore the claim rejection under 35 USC § 112 is withdrawn.

Response to Arguments
Applicant’s arguments filed 9/07/2022 have been fully considered but they are not persuasive.
Regarding applicant’s arguments for the newly amended claims (see Remarks: Pages 9-10), the applicant argues that the references Tulasi and Kolbitsch do not teach or suggest the claim elements “generating, by one or more processors, a raw machine learning model configured to label inputs with a first action or a second action, the first action and the second action corresponding to actions to be taken when a particular input is detected by a firewall, wherein the raw machine learning model comprises a set of initial hyperparameter values.”
The applicant argues that “Tulasi further explains that when a new firewall is created it may not have a rank (e.g., because it has not been applied to any packet traffic) and proposes a technique for using machine learning to predict a ranking of new firewall rules".

The examiner disagrees; however, the reference Tulasi does not explicitly teach the claim elements “generating, by one or more processors, a raw machine learning model configured to label inputs with a first action or a second action, the first action and the second action corresponding to actions to be taken when a particular input is detected by a firewall, wherein the raw machine learning model comprises a set of initial hyperparameter values.”, but the examiner is relying on the Kolbitsch and AMAD-UD-DIN references to teach the newly amended limitations. Moreover, in view of the broadest interpretation of the term “a raw machine learning model configured to label inputs with a first action or a second action”, Kolbitsch teaches that a traffic model may be generated for traffic known to be malicious network activity by identifying characteristics of the network traffic; note malicious network activity, which can be interpreted as a first or second action, and a traffic model, which can be interpreted as a raw model.
Regarding applicant’s arguments for the newly amended claims (see Remarks: Pages 9-10), the applicant argues that the references Tulasi and Kolbitsch do not teach or suggest the claim elements “wherein the raw machine learning model comprises a set of initial hyperparameter values.” The examiner disagrees; however, the references Tulasi and Kolbitsch do not explicitly teach the claim elements “wherein the raw machine learning model comprises a set of initial hyperparameter values.” A new ground(s) of rejection is made in view of AMAD-UD-DIN (WO2020192896A1) for the newly amended claim element.
Regarding the combination of Tulasi with respect to claims 1, 8, and 15, it is applicant’s opinion that adding the Kolbitsch reference provides no reasonable combination. However, a person of ordinary skill is also a person of ordinary creativity, not an automaton, and in many cases will be able to fit the teachings of multiple patents together like pieces of a puzzle. Furthermore, “The test for obviousness is not whether the feature of secondary reference may be bodily incorporated into the structure of the primary reference…Rather, the test is what the combined teachings of those references would have suggested to those of ordinary skill in the art”. In the instant case, Kolbitsch provides additional information that would suggest a modification of Tulasi.
Regarding applicant’s arguments for the newly amended claims (see Remarks: Page 11), the applicant argues that the references Tulasi and Kolbitsch do not teach or suggest the claim elements “transmitting, by the one or more processors, the raw machine learning model to a plurality of remote computing devices configured to perform training of the raw machine learning model in a federated manner, the plurality of remote computing devices including computing devices belonging to different organizations.” The examiner disagrees; however, the references Tulasi and Kolbitsch do not explicitly teach the claim elements “transmitting, by the one or more processors, the raw machine learning model to a plurality of remote computing devices configured to perform training of the raw machine learning model in a federated manner, the plurality of remote computing devices including computing devices belonging to different organizations.” A new ground(s) of rejection is made in view of AMAD-UD-DIN (WO2020192896A1) for the newly amended claim element. The AMAD-UD-DIN reference teaches transmitting the machine learning model to the devices for training and the Federated Learning Server master model 202 collects and stores the current configuration and performance metrics as part of model updates sent by clients.
Regarding applicant’s arguments for the newly amended claims (see Remarks: Page 11), the applicant argues that the references Tulasi and Kolbitsch do not teach or suggest the claim elements “federated training of a machine learning model, providing feedback in the form of hyperparameters based on training of a machine learning model, and modifying the machine learning model based on hyperparameters obtained by training performed by, and received from, remote devices/organizations prior to transmitting a machine learning model that is updated based on the feedback back to the remote devices/organizations”. The examiner disagrees; however, the references Tulasi and Kolbitsch do not explicitly teach the applicant argument “federated training of a machine learning model, providing feedback in the form of hyperparameters based on training of a machine learning model, and modifying the machine learning model based on hyperparameters obtained by training performed by, and received from, remote devices/organizations prior to transmitting a machine learning model that is updated based on the feedback back to the remote devices/organizations.” The examiner is relying on the new ground(s) of rejection made in view of AMAD-UD-DIN (WO2020192896A1) for the newly amended claim element. The AMAD-UD-DIN reference teaches the training of the optimization model can be used to generate the new set of hyper-parameters that will be used to update the master model of the server 202 (AMAD-UD-DIN, Para. 0057).
As to the dependent claims 2-11, 13-16 and 18-20, these claims remain rejected by virtue of dependency to their independent claims (see Remarks: Page 12).
Therefore, the examiner maintains the rejection under 35 USC § 103.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Tulasi (US 2018/0091474 A1) in view of Kolbitsch et al. (2014/0317735 A1), hereinafter Kolbitsch, and further in view of AMAD-UD-DIN (WO2020192896A1).

In regards to claim 1, Tulasi discloses a method for training machine learning models configured to label firewall rules, the method comprising:
receiving, by the one or more processors, first feedback from a first remote computing device of the plurality of remote computing devices (Tulasi, Para. 0004, the ranking value may identify a quantity of times that the firewall rule has been applied to the packets received by the device and Para. 0021, Firewall device 210 may include one or more devices (e.g., one or more traffic transfer devices) capable of processing and/or transferring traffic between endpoint devices), the first remote computing device associated with a first organization of the different organizations, the training data comprising firewall rules of the first organization (Tulasi, Para. 0054, The model may be trained on this training set to predict a ranking value (e.g., R) of a firewall rule associated with match condition values corresponding to the match conditions); and
Tulasi fails to disclose generating, by one or more processors, a raw machine learning model configured to label inputs with a first action or a second action, the first action and the second action corresponding to actions to be taken when a particular input is detected by a firewall;
the plurality of remote computing devices including computing devices belonging to different organizations;
transmitting, by the one or more processors, the updated machine learning model to the plurality of remote computing devices.
However, Kolbitsch teaches generating, by one or more processors, a raw machine learning model configured to label inputs with a first action or a second action (Kolbitsch, Para. 0037, a traffic model 350 may be generated for traffic known to be malicious network activity by identifying characteristics of the network traffic; note malicious network activity, which can be interpreted as a first action or a second action, and a traffic model, which can be interpreted as a raw model), the first action and the second action corresponding to actions to be taken when a particular input is detected by a firewall (Kolbitsch, Para. 0055, a monitor 140 adds a traffic model to a catalog of traffic models responsive to a determination that a set of network packets comprise suspected malicious network activity; note monitor 140, which can be interpreted as a Firewall);
the plurality of remote computing devices including computing devices belonging to different organizations (Kolbitsch, Para. 0026, the monitor 140 may compare the contents or routing behavior of communications between the host 120 and a remote endpoint 130 n with the traffic models in the catalog);
transmitting, by the one or more processors, the updated machine learning model to the plurality of remote computing devices (Kolbitsch, Para. 0054, the monitor 140 adds a model generated based on packet data in the collected set of data packets to the catalog of traffic models characterizing malicious network activity responsive to the determination in step 434 based on comparing routing data to the watch-list of endpoints associated with malicious network activity; note routing data to the watch-list of endpoints, which can be interpreted as transmitting the updated model).
Tulasi and Kolbitsch are both considered to be analogous to the claimed invention because they are in the same field of generating by a firewall device an updated model based on the feedback and distributing the updated model to the other endpoints. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Tulasi to incorporate the teachings of Kolbitsch to include generating, by one or more processors, a raw machine learning model configured to label inputs with a first action or a second action (Kolbitsch, Para. 0037), the first action and the second action corresponding to actions to be taken when a particular input is detected by a firewall (Kolbitsch, Para. 0055); the plurality of remote computing devices including computing devices belonging to different organizations (Kolbitsch, Para. 0026); transmitting, by the one or more processors, the updated machine learning model to the plurality of remote computing devices (Kolbitsch, Para. 0054). Doing so would aid in monitoring network traffic comprising one or more data packets, collecting a set of data packets from the network traffic, comparing a destination endpoint for at least one data packet in the collected set of data packets to one or more network endpoints in a watch-list of network endpoints, and determining, responsive to the comparing, that the collected set of data packets comprise malicious network activity (Kolbitsch, Para. 0006).
Tulasi and Kolbitsch fail to teach wherein the raw machine learning model comprises a set of initial hyperparameter values;
transmitting, by the one or more processors, the raw machine learning model to a plurality of remote computing devices configured to perform training of the raw machine learning model in a federated manner,
wherein the first feedback comprises hyperparameter values generated via training of the raw machine learning model by the first remote computing device based on training data of the first organization,
modifying, by the one or more processors, the set of initial hyperparameter values based on the first feedback to produce an updated machine learning model having an update set of hyperparameter values; and
However, AMAD-UD-DIN teaches wherein the raw machine learning model comprises a set of initial hyperparameter values (AMAD-UD-DIN, Para. 0044, The optimizers 204 suggest preliminary hyper-parameter values for the master models on the server side 302);
transmitting, by the one or more processors, the raw machine learning model to a plurality of remote computing devices configured to perform training of the raw machine learning model in a federated manner (AMAD-UD-DIN, Para. 0037, the Federated Learning Server master model 202 collects and stores the current configuration and performance metrics as part of model updates sent by clients. The hyper-parameter optimizer 204 is configured to update the configuration history and learn the optimization model),
wherein the first feedback comprises hyperparameter values generated via training of the raw machine learning model by the first remote computing device based on training data of the first organization (AMAD-UD-DIN, Para. 0057, The training of the optimization model can be used to generate the new set of hyper-parameters that will be used to update the master model of the server 202),
modifying, by the one or more processors, the set of initial hyperparameter values based on the first feedback to produce an updated machine learning model having an update set of hyperparameter values (AMAD-UD-DIN, Para. 0006, receive an updated set of hyper-parameter values from the hyper-parameter optimization model; update the master machine learning model with the updated set of hyper parameter values; and redistribute the updated master machine learning model with the updated set of hyper-parameter values); and
Tulasi, Kolbitsch and AMAD-UD-DIN are all considered to be analogous to the claimed invention because they are in the same field of generating by a firewall device an updated model based on the feedback and distributing the updated model to the other endpoints. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Tulasi and Kolbitsch to incorporate the teachings of AMAD-UD-DIN to include wherein the raw machine learning model comprises a set of initial hyperparameter values (AMAD-UD-DIN, Para. 0044);
transmitting, by the one or more processors, the raw machine learning model to a plurality of remote computing devices configured to perform training of the raw machine learning model in a federated manner (AMAD-UD-DIN, Para. 0037), wherein the first feedback comprises hyperparameter values generated via training of the raw machine learning model by the first remote computing device based on training data of the first organization (AMAD-UD-DIN, Para. 0057), 
modifying, by the one or more processors, the set of initial hyperparameter values based on the first feedback to produce an updated machine learning model having an update set of hyperparameter values (AMAD-UD-DIN, Para. 0006). Doing so would help to minimize the overhead cost for data transfer, storage and security for the optimization of a machine learning model that is trained on big data inherently distributed across millions of clients, for example mobile phones or hand held devices (AMAD-UD-DIN, Para. 0012).

In regards to claim 2, the combination of Tulasi, Kolbitsch, and further AMAD-UD-DIN teaches the method of claim 1, further comprising: receiving, by the one or more processors, second feedback from a second remote computing device of the plurality of remote computing devices (Tulasi, Para. 0004, the ranking value may identify a quantity of times that the firewall rule has been applied to the packets received by the device and Para. 0021, Firewall device 210 may include one or more devices (e.g., one or more traffic transfer devices) capable of processing and/or transferring traffic between endpoint devices), the second remote computing device associated with a second organization of the different organizations, wherein the second feedback is generated via training of the raw machine learning model by the second remote computing device based on second training data associated with a firewall of the second organization; and modifying (Tulasi, Para. 0048, Firewall device 210 may train the model using a first training set of match condition values and ranking values, or using a second training set of match condition values and training values and Para. 0016, a source Internet Protocol (IP) address, a destination IP address, a source network port, a destination network port, a protocol, etc.), matches a match condition value of a firewall rule), by the one or more processors, the set of initial hyperparameters based on the second feedback to produce the updated machine learning model (Tulasi, Para. 0054, parameters (e.g., RO, MO, M1, etc.) may be determined and/or modified (e.g., refined) by performing a linear regression analysis based on match counts associated with the match condition values, and based on the ranking values of the set of implemented firewall rules).

In regards to claim 3, the combination of Tulasi, Kolbitsch, and further AMAD-UD-DIN teaches the method of claim 2, further comprising: aggregating the first feedback and the second feedback; and calculating modified hyperparameter values based on the aggregating, wherein the set of initial hyperparameter values are modified based on the aggregating of the first feedback and the second feedback (Tulasi, Para. 0068, assume that the model is represented by a formula for determining ranking values of unimplemented (new) firewall rules. Here, the formula is shown as: (S/P packet count) *-0.25+(D/P packet count) *-0.25+(S/P packet count) *(D/P packet count) *0.025+12.5=Predicted firewall rule ranking value).

In regards to claim 4, the combination of Tulasi, Kolbitsch, and further AMAD-UD-DIN teaches the method of claim 2, further comprising applying weights to the first feedback and the second feedback, wherein the set of initial hyperparameter values are modified based on the weights applied to the first feedback and the second feedback (Tulasi, Para. 0037, A ranking value, of a particular firewall rule, may be determined based on a quantity of times that the particular firewall rule has been applied to a packet, based on a length of time in between occasions on which the particular firewall rule is applied to a packet, based on a relative importance of network traffic to which the particular firewall rule is configured to be applied, or the like).

In regards to claim 5, the combination of Tulasi, Kolbitsch, and further AMAD-UD-DIN teaches the method of claim 1, wherein the inputs to the raw machine learning model comprise one or more firewall rules of a firewall of the first organization, the one or more firewall rules associated with connections to one or more network resources, and wherein the first action and the second action correspond to labels applied to the firewall rules received as inputs to the model (Tulasi, Para. 0048, Firewall device 210 may train the model using a first training set of match condition values and ranking values, or using a second training set of match condition values and training values, where the first set is smaller in size than the second set).

In regards to claim 6, the combination of Tulasi, Kolbitsch, and further AMAD-UD-DIN teaches the method of claim 5, wherein the first action is an allow action configured to allow a connection to one or more network resources associated with a particular firewall rule (Tulasi, Para. 0022, server device 220 may include a communication interface that allows server device 220 to receive information from and/or t information to other devices in environment 200).

In regards to claim 7, the combination of Tulasi, Kolbitsch, and further AMAD-UD-DIN teaches the method of claim 5, wherein the second action is a deny action configured to prevent a connection to one or more network resources associated with a particular firewall rule (Tulasi, Para. 0022, as further shown, firewall device 210 may enforce a set of firewall rules (e.g., Rule 1, Rule 2, Rule 3, and Rule 4) to filter the packets 605).

In regards to claim 8, the combination of Tulasi, Kolbitsch, and further AMAD-UD-DIN teaches the method of claim 5, wherein the first feedback does not include the one or more firewall rules (Tulasi, Para. 0072, firewall device 210 ranks Unimplemented Firewall Rule 5 based on the predicted ranking value).

In regards to claim 9, the combination of Tulasi, Kolbitsch, and further AMAD-UD-DIN teaches the method of claim 1, wherein the raw machine learning model comprises a plurality of scores, each score indicating a confidence level associated with a label applied to an input by the model (Tulasi, Para. 0047, training a model based on the match counts and the ranking values of the one or more implemented firewall rules (block 520) and Para. 0068, the model is represented by a formula for determining ranking values of unimplemented (new) firewall rules).

In regards to claim 10, the combination of Tulasi, Kolbitsch, and further AMAD-UD-DIN teaches the method of claim 1, wherein the inputs to the raw machine learning model comprise one or more data sources selected from the list consisting of: live network traffic flows, web traffic proxy logs, net flow data, application logs, e-commerce logging data, distributed denial of service (DDoS) attack data, anti-virus alerts, security incident tickets, or snort alerts or logs (Kolbitsch, Para. 0017, participate in a distributed denial-of-service attack, “D-DOS”).
Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Tulasi to incorporate the teachings of Kolbitsch to include wherein the inputs to the raw machine learning model comprise one or more data sources selected from the list consisting of: live network traffic flows, web traffic proxy logs, net flow data, application logs, e-commerce logging data, distributed denial of service (DDoS) attack data, anti-virus alerts, security incident tickets, or snort alerts or logs (Kolbitsch, Para. 0017). Doing so would aid in monitoring network traffic comprising one or more data packets, collecting a set of data packets from the network traffic, comparing a destination endpoint for at least one data packet in the collected set of data packets to one or more network endpoints in a watch-list of network endpoints, and determining, responsive to the comparing, that the collected set of data packets comprise malicious network activity (Kolbitsch, Para. 0006).

In regards to claim 11, the combination of Tulasi, Kolbitsch, and further AMAD-UD-DIN teaches the method of claim 1, further comprising receiving a dataset comprising features of an address space, wherein the raw machine learning model is generated based, at least in part, on the dataset (Kolbitsch, Para. 0003, a traffic model generated based on packet data from the collected set of data packets to the catalog of traffic models for malicious network activity when the determining is based on comparing endpoint data). Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Tulasi to incorporate the teachings of Kolbitsch to include receiving a dataset comprising features of an address space, wherein the model is generated based, at least in part, on the dataset (Kolbitsch, Para. 0003). Doing so would aid in monitoring network traffic comprising one or more data packets, collecting a set of data packets from the network traffic, comparing a destination endpoint for at least one data packet in the collected set of data packets to one or more network endpoints in a watch-list of network endpoints, and determining, responsive to the comparing, that the collected set of data packets comprise malicious network activity (Kolbitsch, Para. 0006).

In regards to claim 12, Tulasi discloses a non-transitory computer-readable storage medium storing instructions that, when executed by one or more processors, cause the one or more processors to perform operations for training machine learning models configured to label firewall rules, the operations comprising (Tulasi, Para. 0025):
receiving first feedback from a first remote computing device of the plurality of remote computing devices (Tulasi, Para. 0004, the ranking value may identify a quantity of times that the firewall rule has been applied to the packets received by the device and Para. 0021, Firewall device 210 may include one or more devices (e.g., one or more traffic transfer devices) capable of processing and/or transferring traffic between endpoint devices), the first remote computing device associated with a first organization of the different organizations (Tulasi, Para. 0048), wherein the first feedback does not include firewall rules of the first organization (Tulasi, Para. 0061, firewall device 210 may not implement a new firewall rule based on a predicted ranking value), wherein the training data comprises firewall rules of the first organization (Tulasi, Para. 0022, and Para. 0054, The model may be trained on this training set to predict a ranking value (e.g., R) of a firewall rule associated with match condition values corresponding to the match conditions); and
Tulasi fails to disclose generating a raw machine learning model having one or more parameter values configured to label inputs with a first action or a second action, the first action and the second action corresponding to actions to be taken when a particular input is detected by a firewall; 
the plurality of remote computing devices including computing devices belonging to different organizations; and 
transmitting the updated machine learning model to the plurality of remote computing devices. 
However, Kolbitsch teaches generating a raw machine learning model having one or more parameter values configured to label inputs with a first action or a second action (Kolbitsch, Para. 0037, a traffic model 350 may be generated for traffic known to be malicious network activity by identifying characteristics of the network traffic; note malicious network activity, which can be interpreted as a first action or a second action, and a traffic model, which can be interpreted as a raw model), the first action and the second action corresponding to actions to be taken when a particular input is detected by a firewall (Kolbitsch, Para. 0055, a monitor 140 adds a traffic model to a catalog of traffic models responsive to a determination that a set of network packets comprise suspected malicious network activity; note monitor 140, which can be interpreted as a Firewall);
the plurality of remote computing devices including computing devices belonging to different organizations (Kolbitsch, Para. 0026, the monitor 140 may compare the contents or routing behavior of communications between the host 120 and a remote endpoint 130 n with the traffic models in the catalog); and 
transmitting the updated machine learning model to the plurality of remote computing devices (Kolbitsch, Para. 0054, the monitor 140 adds a model generated based on packet data in the collected set of data packets to the catalog of traffic models characterizing malicious network activity responsive to the determination in step 434 based on comparing routing data to the watch-list of endpoints associated with malicious network activity; note routing data to the watch-list of endpoints, which can be interpreted as transmitting the updated model).
Tulasi and Kolbitsch are both considered to be analogous to the claimed invention because they are in the same field of generating by a firewall device an updated model based on the feedback and distributing the updated model to the other endpoints. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Tulasi to incorporate the teachings of Kolbitsch to include generating a raw machine learning model having one or more parameter values configured to label inputs with a first action or a second action (Kolbitsch, Para. 0037), the first action and the second action corresponding to actions to be taken when a particular input is detected by a firewall (Kolbitsch, Para. 0055);
the plurality of remote computing devices including computing devices belonging to different organizations (Kolbitsch, Para. 0026); and
transmitting the updated machine learning model to the plurality of remote computing devices (Kolbitsch, Para. 0054). Doing so would aid in monitoring network traffic comprising one or more data packets, collecting a set of data packets from the network traffic, comparing a destination endpoint for at least one data packet in the collected set of data packets to one or more network endpoints in a watch-list of network endpoints, and determining, responsive to the comparing, that the collected set of data packets comprise malicious network activity (Kolbitsch, Para. 0006).
Tulasi and Kolbitsch fail to teach wherein the raw machine learning model comprises a set of initial hyperparameter values; 
transmitting the raw machine learning model to a plurality of remote computing devices configured to perform training of the raw machine learning model in a federated manner,
wherein the first feedback comprises hyperparameter values generated via training of the raw machine learning model by the first remote computing device based on training data associated with a firewall of the first organization, wherein the first feedback does not include firewall rules of the first organization, 
modifying the set of initial hyperparameter values based on the first feedback to produce an updated machine learning model;
However, AMAD-UD-DIN teaches wherein the raw machine learning model comprises a set of initial hyperparameter values (AMAD-UD-DIN, Para. 0044, The optimizers 204 suggest preliminary hyper-parameter values for the master models on the server side 302); 
transmitting the raw machine learning model to a plurality of remote computing devices configured to perform training of the raw machine learning model in a federated manner (AMAD-UD-DIN, Para. 0037, the Federated Learning Server master model 202 collects and stores the current configuration and performance metrics as part of model updates sent by clients. The hyper-parameter optimizer 204 is configured to update the configuration history and learn the optimization model),
wherein the first feedback comprises hyperparameter values generated via training of the raw machine learning model by the first remote computing device based on training data associated with a firewall of the first organization (AMAD-UD-DIN, Para. 0057, The training of the optimization model can be used to generate the new set of hyper-parameters that will be used to update the master model of the server 202), 
modifying the set of initial hyperparameter values based on the first feedback to produce an updated machine learning model (AMAD-UD-DIN, Para. 0006, receive an updated set of hyper-parameter values from the hyper-parameter optimization model; update the master machine learning model with the updated set of hyper parameter values; and redistribute the updated master machine learning model with the updated set of hyper-parameter values); 
Tulasi, Kolbitsch and AMAD-UD-DIN are all considered to be analogous to the claimed invention because they are in the same field of generating, by a firewall device, an updated model based on the feedback and distributing the updated model to the other endpoints. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Tulasi and Kolbitsch to incorporate the teachings of AMAD-UD-DIN to include wherein the raw machine learning model comprises a set of initial hyperparameter values (AMAD-UD-DIN, Para. 0044, The optimizers 204 suggest preliminary hyper-parameter values for the master models on the server side 302); 
transmitting the raw machine learning model to a plurality of remote computing devices configured to perform training of the raw machine learning model in a federated manner (AMAD-UD-DIN, Para. 0037, the Federated Learning Server master model 202 collects and stores the current configuration and performance metrics as part of model updates sent by clients. The hyper-parameter optimizer 204 is configured to update the configuration history and learn the optimization model),
wherein the first feedback comprises hyperparameter values generated via training of the raw machine learning model by the first remote computing device based on training data associated with a firewall of the first organization (AMAD-UD-DIN, Para. 0057, The training of the optimization model can be used to generate the new set of hyper-parameters that will be used to update the master model of the server 202), 
modifying the set of initial hyperparameter values based on the first feedback to produce an updated machine learning model (AMAD-UD-DIN, Para. 0006). Doing so would help minimize the overhead cost for data transfer, storage and security for the optimization of a machine learning model that is trained on big data inherently distributed across millions of clients, for example mobile phones or hand held devices (AMAD-UD-DIN, Para. 0012).

In regards to claim 13, the combination of Tulasi, Kolbitsch, and further AMAD-UD-DIN teaches the non-transitory computer-readable storage medium of claim 12, further comprising: receiving additional feedback from additional remote computing devices of the plurality of remote computing devices (Tulasi, Para. 0004, the ranking value may identify a quantity of times that the firewall rule has been applied to the packets received by the device and Para. 0021, Firewall device 210 may include one or more devices (e.g., one or more traffic transfer devices) capable of processing and/or transferring traffic between endpoint devices),
the additional remote computing devices associated with additional organizations of the different organizations (Tulasi, Para. 0048, Firewall device 210 may train the model using a first training set of match condition values and ranking values, or using a second training set of match condition values and training values and Para. 0016, a source Internet Protocol (IP) address, a destination IP address, a source network port, a destination network port, a protocol, etc.), matches a match condition value of a firewall rule), wherein the additional feedback received from each additional organization is generated via training of the raw machine learning model based on training data specific to each additional organization; and 
modifying the set of initial hyperparameters based on the additional feedback to produce the updated model (AMAD-UD-DIN, Para. 0006, update the master machine learning model with the updated set of hyper parameter values; and redistribute the updated master machine learning model with the updated set of hyper-parameter values). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Tulasi and Kolbitsch to incorporate the teachings of AMAD-UD-DIN to include
(AMAD-UD-DIN, Para. 0006, update the master machine learning model with the updated set of hyper parameter values; and redistribute the updated master machine learning model with the updated set of hyper-parameter values). Doing so would help minimize the overhead cost for data transfer, storage and security for the optimization of a machine learning model that is trained on big data inherently distributed across millions of clients, for example mobile phones or hand held devices (AMAD-UD-DIN, Para. 0012).

In regards to claim 14, the combination of Tulasi, Kolbitsch, and further AMAD-UD-DIN teaches the non-transitory computer-readable storage medium of claim 13, further comprising: aggregating the first feedback and the additional feedback; and calculating modified hyperparameter values based on the aggregating (AMAD-UD-DIN, Para. 0056, the server 202 is also configured to aggregate the predictive model updates obtained from each client 200 and update the master model of the predictive model 314 of the server 202), wherein the initial set of hyperparameter values are modified based on the modified hyperparameter values calculated based on aggregating of the first feedback and the additional feedback (AMAD-UD-DIN, Para. 0006, determine if a pre-defined threshold for received model updates is reached; transmit a set of current hyper-parameter values and corresponding validation set performance metrics obtained from the updated master machine learning model to a hyper-parameter optimization model; receive an updated set of hyper-parameter values from the hyper-parameter optimization model; update the master machine learning model with the updated set of hyper parameter value).

In regards to claim 15, the combination of Tulasi, Kolbitsch, and further AMAD-UD-DIN teaches the non-transitory computer-readable storage medium of claim 13, further comprising applying weights to the first feedback and the additional feedback, wherein the hyperparameter values are modified based on the weights applied to the first feedback and the additional feedback (Tulasi, Para. 0037, A ranking value, of a particular firewall rule, may be determined based on a quantity of times that the particular firewall rule has been applied to a packet, based on a length of time in between occasions on which the particular firewall rule is applied to a packet, based on a relative importance of network traffic to which the particular firewall rule is configured to be applied, or the like).

In regards to claim 16, the combination of Tulasi, Kolbitsch, and further AMAD-UD-DIN teaches the non-transitory computer-readable storage medium of claim 12, wherein the inputs to the raw machine learning model comprise one or more firewall rules of a firewall of the first organization (Tulasi, Para. 0015, firewall device and/or reduce processing power used by the firewall device to check firewall rules, before the new firewall rule, that may be less likely to apply to a packet than the new firewall rule), the one or more firewall rules associated with connections to one or more network resources (Tulasi, Para. 0016, the firewall device may determine whether packet information, associated with a received packet (e.g., packet information identifying a source Internet Protocol (IP) address, a destination IP address, a source network port, a destination network port, a protocol, etc.), matches a match condition value of a firewall rule), and wherein the first action and the second action correspond to labels applied to the firewall rules received as inputs to the model (Tulasi, Para. 0016, firewall device 210 may enforce a set of firewall rules (e.g., Rule 1, Rule 2, Rule 3, and Rule 4) to filter the packets 605), the first action corresponding to an allow action configured to allow a connection to one or more network resources associated with a particular firewall rule (Tulasi, Para. 0022, server device 220 may include a communication interface that allows server device 220 to receive information from and/or t information to other devices in environment 200) and the second action corresponding to a deny action configured to prevent a connection to one or more network resources associated with a particular firewall rule (Tulasi, Para. 0022, as further shown, firewall device 210 may enforce a set of firewall rules (e.g., Rule 1, Rule 2, Rule 3, and Rule 4) to filter the packets 605).

In regards to claim 17, Tulasi discloses a system comprising: a firewall comprising a plurality of firewall rules (Tulasi, Para. 0015, firewall device and/or reduce processing power used by the firewall device to check firewall rules, before the new firewall rule, that may be less likely to apply to a packet than the new firewall rule);
 a memory (Tulasi, Para. 0025); and 
one or more processors communicatively coupled to the memory and the firewall (Tulasi, Para. 0025, device 300 may include a bus 310, a processor 320, a memory 330, a storage component 340, an input component 350, an output component 360, and a communication interface 370), 
determine a training dataset for the raw machine learning model based on the plurality of firewall rules (Tulasi, Para. 0045, firewall device 210 may enforce a set of implemented firewall rules); and
configure labels for one or more firewall rules of the firewall based on the updated machine learning model (Tulasi, Para. 0045, by training the model using the second set of match condition values and ranking values, firewall device 210 may improve accuracy of the prediction made using the model),
wherein the labels associate the one or more firewall rules with the first action or the second action (Tulasi, Para. 0034, firewall device 210 may perform an action indicated by the particular firewall rule).
Tulasi fails to disclose the one or more processors configured to: receive a raw machine learning model configured to label firewall rules with a first action or a second action from a firewall analysis device,
However, Kolbitsch teaches receive a raw machine learning model configured to label firewall rules with a first action or a second action from a firewall analysis device (Kolbitsch, Para. 0037, and Para. 0026, the monitor 140 may compare the contents or routing behavior of communications between the host 120 and a remote endpoint 130 n with the traffic models in the catalog), 
Tulasi and Kolbitsch are both considered to be analogous to the claimed invention because they are in the same field of generating, by a firewall device, an updated model based on the feedback and distributing the updated model to the other endpoints. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Tulasi to incorporate the teachings of Kolbitsch to include receive a raw machine learning model configured to label firewall rules with a first action or a second action from a firewall analysis device (Kolbitsch, Para. 0037, and Para. 0026). Doing so would aid monitoring network traffic comprising one or more data packets, collecting a set of data packets from the network traffic, comparing a destination endpoint for at least one data packet in the collected set of data packets to one or more network endpoints in a watch-list of network endpoints, and determining, responsive to the comparing, that the collected set of data packets comprise malicious network activity (Kolbitsch, Para. 0006).
Tulasi and Kolbitsch fail to teach wherein the raw machine learning model comprises a set of initial hyperparameter values.

train the raw machine learning model based on the training dataset to produce an updated set of hyperparameters;
 send the updated set of hyperparameters to the firewall analysis device as feedback; 
receive an updated machine learning model from the firewall analysis device, the updated machine learning model comprising a modified set of hyperparameters derived based at least in part on the feedback; 
However, AMAD-UD-DIN teaches wherein the raw machine learning model comprises a set of initial hyperparameter values (AMAD-UD-DIN, Para. 0044, The optimizers 204 suggest preliminary hyper-parameter values for the master models on the server side 302); train the raw machine learning model based on the training dataset to produce an updated set of hyperparameters (AMAD-UD-DIN, Para. 0013, processor is configured to cause the trained optimization model to infer the updated set of hyper-parameter values for the master machine learning model from the received hyper parameter values);
 send the updated set of hyperparameters to the firewall analysis device as feedback (AMAD-UD-DIN, Para. 0038, A new or updated hyper-parameter configuration can be outputted 214 or otherwise transmitted to the Federated Learning Server 202); 
receive an updated machine learning model from the firewall analysis device, the updated machine learning model comprising a modified set of hyperparameters derived based at least in part on the feedback (AMAD-UD-DIN, Para. 0039, the Federated Learning master model 202 is configured to update the current hyper-parameters in the master model with the new values and distribute the updated copy of the master model across one or more of clients 200-a to 200-n); 
Tulasi, Kolbitsch and AMAD-UD-DIN are all considered to be analogous to the claimed invention because they are in the same field of generating, by a firewall device, an updated model based on the feedback and distributing the updated model to the other endpoints. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Tulasi and Kolbitsch to incorporate the teachings of AMAD-UD-DIN to include wherein the raw machine learning model comprises a set of initial hyperparameter values (AMAD-UD-DIN, Para. 0044); train the raw machine learning model based on the training dataset to produce an updated set of hyperparameters (AMAD-UD-DIN, Para.);
 send the updated set of hyperparameters to the firewall analysis device as feedback (AMAD-UD-DIN, Para. 0038); 
receive an updated machine learning model from the firewall analysis device, the updated machine learning model comprising a modified set of hyperparameters derived based at least in part on the feedback (AMAD-UD-DIN, Para. 0039). Doing so would help minimize the overhead cost for data transfer, storage and security for the optimization of a machine learning model that is trained on big data inherently distributed across millions of clients, for example mobile phones or hand held devices (AMAD-UD-DIN, Para. 0012).

In regards to claim 18, the combination of Tulasi, Kolbitsch, and further AMAD-UD-DIN teaches the system of claim 17, wherein determining the training dataset comprises selecting one or more firewall rules from among the firewall rules, each of the one or more firewall rules selected for inclusion in the training dataset associated with a score satisfying a threshold confidence level (Tulasi, Para. 0053, firewall device 210 may determine that the predicted ranking value exceeds, does not exceed, etc. a threshold, and may not implement the new firewall rule accordingly).

In regards to claim 19, the combination of Tulasi, Kolbitsch, and further AMAD-UD-DIN teaches the system of claim 17, wherein the one or more processors are configured to test the one or more firewall rules configured based on the updated machine learning model prior to adding the one or more firewall rules to the firewall (Tulasi, Para. 0053, Firewall device 210 may compare the predicted rating value to the actual ranking value, and may update the model based on comparing the predicted ranking value and the actual ranking value).

In regards to claim 20, the combination of Tulasi, Kolbitsch, and further AMAD-UD-DIN teaches the system of claim 17, wherein configuring the one or more firewall rules comprises modifying one or more labels of the firewall rules based on the updated machine learning model (Tulasi, Para. 0050, based on the fit of the model, firewall device 210 may perform an action, such as modifying one or more model rules and/or increasing or decreasing the size of the training set).

                                                        Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GITA FARAMARZI whose telephone number is (571) 272-0248. The examiner can normally be reached 9:30 AM- 6:30 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/G.F./
Examiner, Art Unit 2496

/JORGE L ORTIZ CRIADO/
Supervisory Patent Examiner, Art Unit 2496