Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


DETAILED ACTION
The instant application having Application No. 17/159,248 is presented for examination by the examiner.

Drawings
The drawings are objected to because the details of Fig 5 are illegible.  Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.




Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –


(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.





Claims 1-3, 5-9, 12-14, and 16-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by USP Application Publication 2020/0366717 to Chaubey.

As per claims 1, 13, and 20, Chaubey teaches a method of determining a service associated with an unclassified traffic flow (0033) in a computer network, the method comprising: 
obtaining classification information [trained model] for a plurality of classified traffic flows in the computer network, wherein the classification information indicates an association between each of the plurality of classified flows and one of a plurality of services (0028, 0067, and 0068); 
performing a primary cluster analysis on the plurality of classified flows and the unclassified flow to associate the unclassified flow to a group of classified flows having a common service [using the trained model on unknown traffic flows; 0028, 0031, and 0033]; 
determining that the unclassified flow is associated with the common service [matching unknown flow to known application using the models; 0028]; and 
providing the determination to a network security management system [exports results to training platform; 0063).

As per claims 2 and 14, Chaubey teaches the network security management system combines the determination with user network access grouping information to create baseline network security profiles for one or more user access groups [default security policies can be updated 0042-0043 and 0067; policies are grouped for unknown and known applications respectively; 0100].
As per claim 3, Chaubey teaches the network security management system creates a custom user profile based on an intersection or a union of the baseline network security profiles associated with a user [the policy is based on criteria which includes the user associated with the traffic and the criteria drives the generation of a security policy to enforce actions on the traffic that matches the criteria.  Thus, the traffic associated with that user could be blocked per said security policy; 0044].
As per claims 5 and 16, Chaubey teaches the unclassified traffic flow is encrypted (0031).
As per claims 6 and 17, Chaubey teaches the unclassified traffic flow (0031) and the plurality of classified traffic flows are encrypted [trained model can match encrypted flows to known encrypted flows which were used to train the model; allows encrypted traffic to be potentially matched to known traffic types; 0026-0028].
As per claims 7 and 18, Chaubey teaches performing a primary cluster analysis comprises partitioning flows based on one or more flow attributes (0033).
As per claims 8 and 19, Chaubey teaches the primary cluster analysis is based on a preliminary cluster analysis [trained model] applied to the plurality of classified flows (0024 and 0051) and a respective user (0044) associated with each of the classified flows [criteria of known application include user associated with the traffic flow] (0033).
As per claim 9, Chaubey teaches the cluster analysis is a k- means cluster analysis (0033).
As per claim 12, Chaubey teaches the unclassified traffic flow is a Transport Layer Security (TLS) flow (0031).



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 4 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Chaubey in view of USP Application Publication 2021/0112032 to DiRosa et al., hereinafter DiRosa.

As per claims 4 and 15, Chaubey is silent in explicitly teaching modifying a user access policy to whitelist an internet protocol (IP) address associated with the unclassified flow.  Chaubey does teaching modifying security policies but not specifically whitelisting IP addresses although IP addresses are factors extracted from unclassified traffic to help identify their nature (0042, 0061, and 0067).  DiRosa teaches modifying a user access policy to whitelist an internet protocol (IP) address once they are determined to be safe (0030).  Chaubey could have used whitelists to train the model to classify unknown traffic from certain addresses and alternatively or in combination modify the policy to permit traffic from whitelist addresses in any of the classifiers (220 or 225).  The claim is obvious because one of ordinary skill in the art can combine methods known before the effective filing date which do not produce unpredictable results.  



Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Chaubey in view of NPL entitled “Detecting malware using process tree and process activity data” which appears as technical paper as part of the published thesis by Wijnands cited on the enclosed PTO-892.  Reference is made to this particular document and is provided for Applicant.

As per claim 11, Chaubey does not explicitly teach the cluster analysis is a Hartigan-Wong cluster analysis but does teach k-means clustering to identify unknown traffic flows (0033).  Wijnands teaches that Hartigan-Wong clustering is a type of k-means clustering (pg. 3, 1st paragraph) and explicitly uses it to cluster malware.    Hartigan-Wong clustering algorithm has been known since 1979 and already used in computer security as shown by Wijnands.  The claim is obvious because one of ordinary skill in the art can substitute methods known before the effective filing date which do not produce unpredictable results.  



Conclusion
	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure is listed on the enclosed PTO-892 form.

Allowable Subject Matter
Claims 11 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.  Claim 11 uses the phrase “consisting of” which denotes a closed set that excludes elements not specified in the set.  The set is directed to numerous flow attributes and there is no obvious reason why only these attributes are listed and others are excluded.  The language of “comprise at least one of the group consisting of” is interpreted as a Markush group requiring one or more being selected from the close group.  If the claim were amended with language synonymous with open-ended groups, the prior art need not be constrained to only teaching the closed group. Thus, the claim would not be allowable because the prior art reference above teaches at least one of the attributes of claim 11.    See MPEP 2111.03, section II and 2173.05(h).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is (571)270-7316.  The examiner can normally be reached on Monday - Friday, 9:30am - 5:30pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431