DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

The amendment filed 11/16/2022 has been placed of record in the file.
Claims 1, 10, and 17 have been amended. Claims 6, and 15 have been canceled. Claims 1-5, 7-14, and 16-20 are pending.

                     Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR
1.17(e), was filed in this application after final rejection. Since this application is eligible for continued
examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the
finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's
submission filed on 11/16/2022 has been entered.

                                                               Response to Arguments
On Pages 7-9 of remarks by applicant, the applicant argues that the cited reference Sharma does not appear to teach or suggest the claim element “an encrypted control channel", as in independent claims 1, 10 and 17 and the claims that depend thereon.
Applicant’s arguments, with respect to the rejection(s) of claim(s) 1,10 and 17 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Nandha Premnath et al. (US 2017/0308701 A1).
Applicant argues that the cited reference Qureshi does not appear to teach or suggest the claim element “an encrypted control channel", as in independent claims 1, 10 and 17 and the claims that depend thereon.
The examiner is relying on Qureshi reference in order to set up an application tunnel between a particular mobile device and an application server, a secure (SSL) connection has been used (Qureshi, Para. 0200).
Therefore, the applicant’s argument is not persuasive.

                                                         Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1- 4, 8, 10-13, and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Qureshi et al. US (2019/0258781 A1), hereinafter Qureshi in view of Nandha Premnath et al. (US 2017/0308701 A1), hereinafter Nandha Premnath.

In regards to claim 1, Qureshi discloses a non-transitory computer-readable medium storing computer-executable instructions, and in response to execution by a node and a user device in a cloud- based system, the computer-executable instructions cause the node to perform steps of (Qureshi, Para. 0067):
obtaining network traffic associated with mobile applications operating on the user device via one or more data channels of a tunnel between the user device and the node (Qureshi, Fig. 25, and Paras. 0196, and 0197, a tunnel mediator 126 b which implements the tunneling encapsulation protocol, and which routes packets sent between the mobile devices 120 and application servers 2500) and (Paras. 0192 and 0200, the tunneling mediator opens a resource network connection (e.g., connection 152 of FIGS. 1A and 1C, or connection 162 of FIG. 1B) between the tunneling mediator and a server port associated with the requested enterprise resource 130), wherein the tunnel provides the network traffic for various ports and protocols via the one or more data channels (Qureshi, Para. 0197, When a mobile application writes to this port (by writing to localhost: XXX, where “XXX” is the listened-to port number), the enterprise agent 320, acting at an HTTP proxy for the mobile application, encapsulates and forwards the message, for example, as described above. More specifically, when a mobile application generates an HTTP request that is directed to an application server 2500);
Qureshi fails to disclose extracting data from the network traffic for each transaction;
analyzing the data for a transaction utilizing a machine learning model to obtain a score indicative of possible maliciousness of an application associated with the transaction;
communicating the score to the user device via an encrypted control channel of the tunnel; and
responsive to the communicating the computer-executable instructions cause the user device to flag the application based on the score communicated to the user device by the node.
However, Nandha Premnath teaches extracting data from the network traffic for each transaction (Nandha Premnath, Fig. 3, Para. 0021, the detonator component may be configured to receive or intercept a software application that is requested by a client computing device (e.g., a mobile or resource-constrained computing device, etc.));
analyzing the data for a transaction utilizing a machine learning model to obtain a score indicative of possible maliciousness of an application associated with the transaction (Nandha Premnath, Para. 0050, apply the generated behavior vectors to the generated machine learning classifier models to generate an analysis result, and use the generated analysis result to classify the software application as benign or non-benign); 
communicating the score to the user device via an encrypted control channel of the tunnel; and (Nandha Premnath, Para. 0048 and Para. 0037, the server computing device may also compute a risk score for the received software application, and send the computed risk score to the client computing device via the secure communication link); and
responsive to the communicating the computer-executable instructions cause the user device to flag the application based on the score communicated to the user device by the node (Nandha Premnath, Para. 0038 and Para. 0056, in response, the corporate or IT/Security system 206 may send notification message that includes information identifying the software application as non-benign to the client computing device 102 and/or take other corrective or preventive measures).
Qureshi and Nandha Premnath are both considered to be analogous to the claim invention because they are in the same field of detecting malicious mobile applications using machine learning in a cloud-based system. Therefore, it would have been obvious to someone ordinary skill in the art before the effective filing date of the claimed invention to have modified Qureshi to incorporate the teachings of Nandha Premnath to include extracting data from the network traffic for each transaction (Nandha Premnath, Fig. 3, Para. 0021); analyzing the data for a transaction utilizing a machine learning model to obtain a score indicative of possible maliciousness of an application associated with the transaction (Nandha Premnath, Para. 0050); communicating the score to the user device via an encrypted control channel of the tunnel; and (Nandha Premnath, Para. 0048 and Para. 0037); and responsive to the communicating the computer-executable instructions cause the user device to flag the application based on the score communicated to the user device by the node (Nandha Premnath, Para. 0038 and Para. 0056). Doing so would help the mobile devices to become the next frontier for malware and cyber attacks. Accordingly, new and improved security solutions that better protect resource-constrained computing devices, such as mobile and wireless devices, will be beneficial to consumers (Nandha Premnath, Para. 0002).

In regards to claim 2, the combination of Qureshi, Sharma and Dalvi teaches the non-transitory computer-readable medium of claim 1, wherein the data includes any of destination Internet Protocol (IP) address, destination port, protocol, user agent, Hypertext Transport Protocol (HTTP) method, content-length, Server Name Indication (SNI) host, and extra header fields (Qureshi, Para. 0197, a mobile application generates an HTTP request that is directed to an application server 2500).

In regards to claim 3, the combination of Qureshi and Nandha Premnath teaches the non-transitory computer-readable medium of claim 1, wherein the steps include causing the user device to block the application based on the score (Qureshi, Para. 0429 and 0430, Based on this analysis, a score (e.g., on a scale of 1 to 100) may be generated that represents the level of risk posed by the mobile application. The modification process may be terminated if this score exceeds a threshold).

In regards to claim 4, the combination of Qureshi and Nandha Premnath teaches the non-transitory computer-readable medium of claim 1, wherein the steps include obtaining feedback from a user of the user device based on the score (Qureshi, Para. 0279, a message delivered via the user interface 304, the remedial action 216 can further include instructions for the agent 320 in the event that the user 115 does not terminate the connection or deactivate the network connection capability); and labeling the data based on the feedback for training data (Qureshi, Para. 0279, a remedial action 216 can cause the agent 320 to lock the mobile device 120 to render it unusable, perhaps until the device disconnects from the unsecured or blacklisted communication network).

In regards to claim 8, the combination of Qureshi and Nandha Premnath teaches the non-transitory computer-readable medium of claim 1, wherein the steps include maintaining a list of malicious applications in the cloud-based system based on monitoring a plurality of users; detecting a presence of a malicious application on the user device based on the obtaining network traffic via the tunnel (Qureshi, Para. 0280, a rogue application that has malware or has been determined to collect device data and send the data to a rogue server). The enterprise agent 320 can use a mobile device rule 214 to detect a problem defined as the mobile device 120 having installed a software application 318 that the enterprise has blacklisted (i.e., forbidden for installation) or at least not white-listed (expressly permitted for installation)); and communicating the malicious application to the user device via the tunnel (Qureshi, Para. 0281, a corresponding remedial action 216 can cause the agent 320 to producing a message on the user interface 304, the message instructing the user 115 to uninstall the unauthorized software application 318 from the mobile device 120, perhaps within a specified time period).

In regards to claim 10, Qureshi discloses a cloud-based system comprising:
a central authority node (Qureshi, Fig. 1A);
a plurality of user devices (Qureshi, Para. 0065); and
a plurality of enforcement nodes connected to one another, to the central authority node, and to the plurality of user devices (Qureshi, Fig. 1A);
wherein an enforcement node is configured to obtain network traffic associated with mobile applications operating on a user device via one or more data channels of a tunnel between the user device and the node (Qureshi, Fig. 25, and parasO196, and 0197, a tunnel mediator 126 b which implements the tunneling encapsulation protocol, and which routes packets sent between the mobile devices 120 and application servers 2500) and (Paras. 0192 and 0200, the tunneling mediator opens a resource network connection (e.g., connection 152 of FIGS. 1A and 1C, or connection 162 of FIG. 1B) between the tunneling mediator and a server port associated with the requested enterprise resource 130), wherein the tunnel provides the network traffic for various ports and protocols via the one or more data channels (Qureshi, Para. 0197, When a mobile application writes to this port (by writing to localhost: XXX, where “XXX” is the listened- to port number), the enterprise agent 320, acting at an HTTP proxy for the mobile application, encapsulates and forwards the message, for example, as described above. More specifically, when a mobile application generates an HTTP request that is directed to an application server 2500),
Qureshi fails to disclose extract data from the network traffic for each transaction,
analyze the data for a transaction utilizing a machine learning model to obtain a score indicative of possible maliciousness of an application associated with the transaction, and
communicate the score to the user device via the tunnel an encrypted control channel of  the tunnel,
wherein the user device is configured to flag the application based on the score communicated to the user device from the enforcement node.
However, Nandha Premnath teaches extract data from the network traffic for each transaction (Nandha Premnath, Fig. 3, Para. 0021, the detonator component may be configured to receive or intercept a software application that is requested by a client computing device (e.g., a mobile or resource-constrained computing device, etc.)),
analyze the data for a transaction utilizing a machine learning model to obtain a score indicative of possible maliciousness of an application associated with the transaction (Nandha Premnath, Para. 0050, apply the generated behavior vectors to the generated machine learning classifier models to generate an analysis result, and use the generated analysis result to classify the software application as benign or non-benign), and
communicate the score to the user device via the tunnel (Nandha Premnath, Para. 0048 and Para. 0037, the server computing device may also compute a risk score for the received software application, and send the computed risk score to the client computing device via the secure communication link),
wherein the user device is configured to flag the application based on the score communicated to the user device from the enforcement node (Nandha Premnath, Para. 0038 and Para. 0056, in response, the corporate or IT/Security system 206 may send notification message that includes information identifying the software application as non-benign to the client computing device 102 and/or take other corrective or preventive measures).
Qureshi and Nandha Premnath are both considered to be analogous to the claim invention because they are in the same field of detecting malicious mobile applications using machine learning in a cloud-based system. Therefore, it would have been obvious to someone ordinary skill in the art before the effective filing date of the claimed invention to have modified Qureshi to incorporate the teachings of Nandha Premnath to include extract data from the network traffic for each transaction (Nandha Premnath, Fig. 3, Para. 0021), analyze the data for a transaction utilizing a machine learning model to obtain a score indicative of possible maliciousness of an application associated with the transaction (Nandha Premnath, Para. 0050), and communicate the score to the user device via the tunnel (Nandha Premnath, Para. 0048 and Para. 0037), wherein the user device is configured to flag the application based on the score communicated to the user device from the enforcement node (Nandha Premnath, Para. 0038 and Para. 0056). Doing so would help the mobile devices to become the next frontier for malware and cyber attacks. Accordingly, new and improved security solutions that better protect resource-constrained computing devices, such as mobile and wireless devices, will be beneficial to consumers (Nandha Premnath, Para. 0002).

In regards to claim 11, the combination of Qureshi and Nandha Premnath teaches the cloud-based system of claim 10, wherein the data includes any of destination Internet Protocol (IP) address, destination port, protocol, user agent, Hypertext Transport Protocol (HTTP) method, content-length, Server Name Indication (SNI) host, and extra header fields (Qureshi, Para. 0197, a mobile application generates an HTTP request that is directed to an application server 2500).

In regards to claim 12, the combination of Qureshi and Nandha Premnath teaches the cloud-based system of claim 10, wherein the enforcement node is configured to cause the user device to block the application based on the score (Qureshi, Para. 0429 and 0430, Based on this analysis, a score (e.g., on a scale of 1 to 100) may be generated that represents the level of risk posed by the mobile application. The modification process may be terminated if this score exceeds a threshold).

In regards to claim 13, the combination of Qureshi and Nandha Premnath teaches the cloud-based system of claim 10, wherein the enforcement node is configured to obtain feedback from a user of the user device based on the score (Qureshi, Para. 0279, a message delivered via the user interface 304, the remedial action 216 can further include instructions for the agent 320 in the event that the user 115 does not terminate the connection or deactivate the network connection capability); and label the data based on the feedback for training data (Qureshi, Para. 0279, a remedial action 216 can cause the agent 320 to lock the mobile device 120 to render it unusable, perhaps until the device disconnects from the unsecured or blacklisted communication network).

In regards to claim 16, the combination of Qureshi and Nandha Premnath teaches the cloud-based system of claim 10, wherein the steps include maintaining a list of malicious applications in the cloud- based system based on monitoring a plurality of users; detecting a presence of a malicious application on the user device based on the obtaining network traffic via the tunnel (Qureshi, Para. 0280, a rogue application that has malware or has been determined to collect device data and send the data toa rogue server). The enterprise agent 320 can use a mobile device rule 214 to detect a problem defined as the mobile device 120 having installed a software application 318 that the enterprise has blacklisted (i.e., forbidden for installation) or at least not white-listed (expressly permitted for installation)); and communicating the malicious application to the user device via the tunnel (Qureshi, Para. 0281, a corresponding remedial action 216 can cause the agent 320 to producing a message on the user interface 304, the message instructing the user 115 to uninstall the unauthorized software application 318 from the mobile device 120, perhaps within a specified time period).

In regards to claim 17, Qureshi discloses a method performed by a node and a user device in a cloud- based system comprising:
obtaining network traffic associated with mobile applications operating on the user device via one or more data channels of a tunnel between the user device and the node (Qureshi, Fig. 25, and parasO196, and 0197, a tunnel mediator 126 b which implements the tunneling encapsulation protocol, and which routes packets sent between the mobile devices 120 and application servers 2500), wherein the tunnel provides the network traffic for various ports and protocols via the one or more data channels (Qureshi, Para. 0197, When a mobile application writes to this port (by writing to localhost: XXX, where “XXX” is the listened-to port number), the enterprise
agent 320, acting at an HTTP proxy for the mobile application, encapsulates and forwards the message, for example, as described above. More specifically, when a mobile application generates an HTTP request that is directed to an application server 2500);
Qureshi fails to disclose extracting data from the network traffic for each transaction;
analyzing the data for a transaction utilizing a machine learning model to obtain a score indicative of possible maliciousness of an application associated with the transaction; and
communicating the score to the user device via the tunnel an encrypted control channel of the tunnel; and 
flagging the application based on the score communicated to the user device, wherein the flagging is performed at the user device.
However, Nandha Premnath teaches extracting data from the network traffic for each transaction (Nandha Premnath, Fig. 3, Para. 0021, the detonator component may be configured to receive or intercept a software application that is requested by a client computing device (e.g., a mobile or resource-constrained computing device, etc.));
analyzing the data for a transaction utilizing a machine learning model to obtain a score indicative of possible maliciousness of an application associated with the transaction (Nandha Premnath, Para. 0050, apply the generated behavior vectors to the generated machine learning classifier models to generate an analysis result, and use the generated analysis result to classify the software application as benign or non-benign); 
communicating the score to the user device via an encrypted control channel of the tunnel; and (Nandha Premnath, Para. 0048 and Para. 0037, the server computing device may also compute a risk score for the received software application, and send the computed risk score to the client computing device via the secure communication link); and
flagging the application based on the score communicated to the user device, wherein the flagging is performed at the user device (Nandha Premnath, Para. 0038 and Para. 0056, in response, the corporate or IT/Security system 206 may send notification message that includes information identifying the software application as non-benign to the client computing device 102 and/or take other corrective or preventive measures).
Qureshi and Nandha Premnath are both considered to be analogous to the claim invention because they are in the same field of detecting malicious mobile applications using machine learning in a cloud-based system. Therefore, it would have been obvious to someone ordinary skill in the art before the effective filing date of the claimed invention to have modified Qureshi to incorporate the teachings of Nandha Premnath to include extracting data from the network traffic for each transaction (Nandha Premnath, Fig. 3, Para. 0021); analyzing the data for a transaction utilizing a machine learning model to obtain a score indicative of possible maliciousness of an application associated with the transaction (Nandha Premnath, Para. 0050); communicating the score to the user device via an encrypted control channel of the tunnel; and (Nandha Premnath, Para. 0048 and Para. 0037); and flagging the application based on the score communicated to the user device, wherein the flagging is performed at the user device (Nandha Premnath, Para. 0038 and Para. 0056). Doing so would help the mobile devices to become the next frontier for malware and cyber attacks. Accordingly, new and improved security solutions that better protect resource-constrained computing devices, such as mobile and wireless devices, will be beneficial to consumers (Nandha Premnath, Para. 0002).

In regards to claim 18, the combination of Qureshi and Nandha Premnath teaches the method of claim 17, wherein the data includes any of destination Internet Protocol (IP) address, destination port, protocol, user agent, Hypertext Transport Protocol (HTTP) method, content-length, Server Name Indication (SNI) host, and extra header fields (Qureshi, Para. 0197, a mobile application generates an HTTP request that is directed to an application server 2500).

In regards to claim 19, the combination of Qureshi and Nandha Premnath teaches the method of claim 17, comprising obtaining feedback from a user of the user device based on the score (Qureshi, Para. 0279, a message delivered via the user interface 304, the remedial action 216 can further include instructions for the agent 320 in the event that the user 115 does not terminate the connection or deactivate the network connection capability); and labeling the data based on the feedback for training data (Qureshi, Para. 0279, a remedial action 216 can cause the agent 320 to lock the mobile device 120 to render it unusable, perhaps until the device disconnects from the unsecured or blacklisted communication network).

Claims 5, 7, 9, 14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Qureshi et al. US (2019/0258781 A1), hereinafter Qureshi in view of Nandha Premnath et al. (US 2017/0308701 A1), hereinafter Nandha Premnath and further in view of Sharma et al. (US 2016/0154960 A1), hereinafter Sharma.

In regards to claim 5, the combination of Qureshi and Nandha Premnath fails to teach the non-transitory computer-readable medium of claim 1, wherein the steps include updating the machine learning model based on training data obtained from monitoring through the cloud-based system.
However, Sharma teaches wherein the steps include updating the machine learning model based on training data obtained from monitoring through the cloud-based system (Sharma, Para. 0036, the training module 220 also allows for retraining the RRF system to include new threat models and/or user defined security guidelines). 
Qureshi, Nandha Premnath and Sharma are all considered to be analogous to the claim invention because they are in the same field of detecting malicious mobile applications using machine learning in a cloud-based system. Therefore, it would have been obvious to someone ordinary skill in the art before the effective filing date of the claimed invention to have modified Qureshi and Nandha Premnath to incorporate the teachings of Sharma to include wherein the steps include updating the machine learning model based on training data obtained from monitoring through the cloud-based system (Sharma, Para. 0036). Doing so would help to aid the Compliance Checking and Rule-based algorithms to determine if a user-defined security guideline is violated. These algorithms may use rules and/or heuristic methods to determine violations of user-defined security guidelines. For example, based on the permissions of the application and API calls the application makes, a determination is made whether the application is writing to a persistent memory, such as a Secure Digital (SD) memory card, or whether the application executes a UNIX command (Sharma, Para. 0028).

In regards to claim 7, the combination of Qureshi and Nandha Premnath further in view of Sharma teaches the non-transitory computer-readable medium of claim 1, wherein the node performs the extracting, the analyzing, and training of the machine learning model (Sharma, Para, 0035, a software-implemented module or a combination of both, which may be configured to analyze mobile computer applications and extract various features from the computer applications), and the user device performs blocking of malicious applications based on communication from the cloud-based system via the tunnel (Sharma, Para, 0085, Both PLS and Bayesian classifiers can detect these malicious mobile computer applications before they are deployed on a user's device).
Therefore, it would have been obvious to someone ordinary skill in the art before the effective filing date of the claimed invention to have modified Qureshi and Nandha Premnath to incorporate the teachings of Sharma to include wherein the node performs the extracting, the analyzing, and training of the machine learning model (Sharma, Para, 0035), and the user device performs blocking of malicious applications based on communication from the cloud-based system via the tunnel (Sharma, Para, 0085). Doing so would help to aid the Compliance Checking and Rule-based algorithms to determine if a user-defined security guideline is violated. These algorithms may use rules and/or heuristic methods to determine violations of user-defined security guidelines. For example, based on the permissions of the application and API calls the application makes, a determination is made whether the application is writing to a persistent memory, such as a Secure Digital (SD) memory card, or whether the application executes a UNIX command (Sharma, Para. 0028).

In regards to claim 9, the combination of Qureshi and Nandha Premnath further in view of Sharma teaches the non-transitory computer-readable medium of claim 1, wherein the machine learning model is configured to detect a malicious application based on leaking personal data including any of location data, financial data, and contact data (Sharma, Para. 0031, possible concerns that can be addressed or included in the threat model includes leakage of sensitive information and privacy disclosure of personal information (e-mails, call logs, photos, contact lists, browser history logs), sensor information (GPS, accelerometer, audio, microphone, camera, SD card), device metadata (phones ID, system preferences, phone numbers), and user credentials (passwords, account information)).
Therefore, it would have been obvious to someone ordinary skill in the art before the effective filing date of the claimed invention to have modified Qureshi and Nandha Premnath to incorporate the teachings of Sharma to include wherein the machine learning model is configured to detect a malicious application based on leaking personal data including any of location data, financial data, and contact data (Sharma, Para. 0031). Doing so would help to aid the Compliance Checking and Rule-based algorithms to determine if a user-defined security guideline is violated. These algorithms may use rules and/or heuristic methods to determine violations of user-defined security guidelines. For example, based on the permissions of the application and API calls the application makes, a determination is made whether the application is writing to a persistent memory, such as a Secure Digital (SD) memory card, or whether the application executes a UNIX command (Sharma, Para. 0028).

In regards to claim 14, the combination of Qureshi and Nandha Premnath fails to teach the cloud-based system of claim 10, wherein the enforcement node is configured to update the machine learning model based on training data obtained from monitoring through the cloud-based system.
However, Sharma teaches wherein the enforcement node is configured to update the machine learning model based on training data obtained from monitoring through the cloud-based system (Sharma, Para. 0036, the training module 220 also allows for retraining the RRF system to include new threat models and/or user defined security guidelines).
Qureshi, Nandha Premnath and Sharma are all considered to be analogous to the claim invention because they are in the same field of detecting malicious mobile applications using machine learning in a cloud-based system. Therefore, it would have been obvious to someone ordinary skill in the art before the effective filing date of the claimed invention to have modified Qureshi and Nandha Premnath to incorporate the teachings of Sharma to include wherein the enforcement node is configured to update the machine learning model based on training data obtained from monitoring through the cloud-based system (Sharma, Para. 0036). Doing so would help to aid the Compliance Checking and Rule-based algorithms to determine if a user-defined security guideline is violated. These algorithms may use rules and/or heuristic methods to determine violations of user-defined security guidelines. For example, based on the permissions of the application and API calls the application makes, a determination is made whether the application is writing to a persistent memory, such as a Secure Digital (SD) memory card, or whether the application executes a UNIX command (Sharma, Para. 0028).

In regards to claim 20, the combination of Qureshi and Nandha Premnath fails to teach the method of claim 17, comprising updating the machine learning model based on training data obtained from monitoring through the cloud-based system.
However, Sharma teaches updating the machine learning model based on training data obtained from monitoring through the cloud-based system (Sharma, Para. 0036, the training module 220 also allows for retraining the RRF system to include new threat models and/or user defined security guidelines).
Qureshi, Nandha Premnath and Sharma are all considered to be analogous to the claim invention because they are in the same field of detecting malicious mobile applications using machine learning in a cloud-based system. Therefore, it would have been obvious to someone ordinary skill in the art before the effective filing date of the claimed invention to have modified Qureshi and Nandha Premnath to incorporate the teachings of Sharma to include wherein the enforcement node is configured to update the machine learning model based on training data obtained from monitoring through the cloud-based system (Sharma, Para. 0036). Doing so would help to aid the Compliance Checking and Rule-based algorithms to determine if a user-defined security guideline is violated. These algorithms may use rules and/or heuristic methods to determine violations of user-defined security guidelines. For example, based on the permissions of the application and API calls the application makes, a determination is made whether the application is writing to a persistent memory, such as a Secure Digital (SD) memory card, or whether the application executes a UNIX command (Sharma, Para. 0028).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
Verma et al. (US 11,323,486 B2) teaches a Methods and systems for enhanced security for CloT in mobile networks in accordance with some embodiments includes monitoring network traffic on a service provider network at a security platform to identify a subscriber identity for a new session.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GITA FARAMARZI whose telephone number is (571) 272-0248. The examiner can normally be reached 9:30 AM- 6:30 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from
Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/G.F./
Examiner, Art Unit 2496

/JORGE L ORTIZ CRIADO/             Supervisory Patent Examiner, Art Unit 2496