Detailed Action
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Applicant's arguments filed 2/5/2026 have been fully considered but they are not persuasive.
The examiner has reviewed the Applicant’s arguments in their entirety (Pages 7 - 12)
Applicant’s arguments are not persuasive because they repeatedly rely on limitations drawn from particular embodiments described in the specification rather than the language actually recited in the claims. During examination, claim terms are given their broadest reasonable interpretation with the specification. The claims do not recite a particular simulation architecture, a particular training corpus generation framework, a particular dual-dimensional labeling scheme, or a particular semantic taxonomy of user actions. Instead, applicant repeatedly argues that the claims should be limited to the specific examples described in the specification, such s the scripted generation of ground-truth training datasets and labels corresponding to specific user actions within a service. Those limitations do not appear in the claims.
With respect to the limitation of “assigning labels to the one or more transaction properties by executing a script to simulate network activity”, applicant’s arguments improperly narrow both the term “script” and the phrase “simulate network activity”. The examiner interpreter a script under its broadest reasonable interpretation as executable instructions capable of generating, controlling, processing, labeling, or otherwise manipulating network-related operations. Mai expressly teaches a supervised classifier operating on burst features, temporal information, and associated classifications. Applicant attempts to restrict the claim to a specific embodiment in which scripted interactions are deliberately executed to create a ground-truth training corpus. However, the claims do not recited “ground-truth training data,”, “training corpus”, “controlled interaction scenarios”, or any other limitation requiring the particular implementation described by applicant.
Applicant further argues that Mai merely classifies observed traffic and therefore does not satisfy the claimed simulation. This argument is not commensurate with the scope of the claims. Under the broadest reasonable interpretation, the claimed language encompasses scripted processing and labeling of network activity used to generate known classifications. Mai expressly teaches supervised classification using burst-level features and associated labels. The examiner’s interpretation does not read language out of the claim; rather applicant’s interpretation improperly reads additional language into the claim.
Applicant’s arguments regarding labels are similarly unpersuasive. Applicant argues that the claims require a specific dual-dimensional label identifying both a service and a semantic user action. However, the claims merely recite “a label comprising one or more of a network service and an action” The claims do not require a particular semantic hierarchy, a particular user-intent taxonomy, or a specific format for representing actions. Applicant again relies upon a preferred embodiment while failing to identify claim language requiring such narrowing.
Applicant’s repeated characterization of the cited references as merely extracting properties of individual network requests and classifying them is misleading and incomplete. The references operate on aggregate session level and burst level behavior, including ordering, duration, inter-arrival timing, connection behavior, session attributes, and associated classifications. As previously noted, Mehta expressly teaches session attributes including user client behavior, connection behavior, presence, absence, format, quantity of data fields, and other activity associated with web requests. Applicant’s arguments largely ignore these teachings and instead focus on isolated examples that do not accurately reflect the full disclosure relied upon in the rejection.
Applicant’s arguments further rely upon limitations drawn from exemplary embodiments disclosed in the specification rather than limitations actually recited in the claims, However, during examination, claim terms are given their broadest reasonable interpretation consistent with the specification. See In re Morris, 127 F.3d 1048, 1054 (Fed Cir. 1997). While the specification may be consulted to determine whether a particular interpretation is reasonable, limitations from preferred embodiments are not imported into the claims. See SuperGuide Corp. V. DirectTV Eters., Inc., 358 F.3d 870, 875 (Fed Cir. 2004); Liebel-Flarsheim Co. v. Medrad, Inc., 358 F.3d 898, 906 (Fed. Cir. 2004)
Here, applicant repeatedly relies upon details of particular embodiments, including specific forms of scripted training data generation, dual dimensional labeling structures, semantic user action classifications, and particular simulation frameworks. Such limitations do not appear in the pending claims because they seek to narrow otherwise broader claims language by importing features from exemplary embodiments into the claims.
Accordingly, the examiner maintains that the cited combination teaches or renders obvious the claimed subject matter under the broadest reasonable interpretation of the pending claims.
Examiner Note (for clarity of record and potential appeal)
The examiner notes that the claimed subject matter – identifying transaction bursts, extracting features, therefrom, and training a classifier or predictive model to recognize subsequent activity – is consistent with tools conventionally known to those of ordinary skill in the art for providing internet based services. For example, website-fingerprinting techniques employing traffic analysis of encrypted or dynamic web pages were routinely implemented using supervised learning models such as Bayesian network classifiers trained on burst-level features (e.g. burst size, inter-arrival time, and directionality). See e.g. Shi, “Website fingerprinting using traffic analysis of dynamic webpages”, the evidence of record describing traffic analysis systems that extract burst features and train classifiers to associate labeled traces with corresponding network identifiers or URIs. These teachings illustrate that the claimed processes reflect well – understood, routine, and conventional operations within the field of network service analytics.
For ease of reference, the following excerpts from the evidence of record (Shi) illustrate these conventional techniques.
Abstract:
This paper presents mechanisms for identification of web traffic masqueraded behind encrypted Virtual Private Network (VPN) tunnels. Website identification using Traffic Analysis (TA) has many administrative applications including preventing access to forbidden websites and site-specific Quality of Service (QoS) provisioning. Previous works in this area mainly looked at the problem of identifying traffic from relatively static websites, thus limiting the applicability of the technique for websites with dynamically changing contents. In this work, we attempt to generalize the mechanism for dynamic sites by the way of introducing a new classification feature traffic surge period, and adapting the first n Components of Haar Wavelet Transformation, which is commonly used in traditional signal processing applications. Our results from fingerprinting experiments carried out over an SSL VPN shows that the addition of these new features can indeed bridge the fingerprinting performance gap between static and dynamic websites.
B. Traffic Analysis
Under the protection of VPN, neither the content nor the actual identification of the destination web server is visible to routers on the tunnel. A node interested in WFP must turn to methods that do not have dependence on routing information or message body. Traffic Analysis (TA) is the primary method that can be used to fingerprint encrypted web traffic. Successful example of TA can be found in [9]. Those studies target a widely used encrypted Voice-over-IP (VoIP) protocol Speex. The classifier used consecutive packet size pairs as the features. Histograms of inter-packet size pairs are drawn from traffic streams, and then a nearest neighbor classifier is built based on the histogram feature. This scheme can achieve over 90% accuracy at recognizing the language a speaker is speaking out of 2 languages [9]. Similar results are also published by the same group for recognition of key phrases [10].
SECTION V.
Feature Definition and Extraction
Pre-processing of the probed traffic is performed following the approach in [5]. Pre-processing removes the non-TCP and pure ACK packets that might affect the results.
A. Existing Features
The term trace is used to describe a time-stamped sequence in which every packet is associated with the time it appears on a traffic probing point. It can be represented as a series of timestamps as {tn}. We assume that the content of traffic is generally encrypted and that only the direction and packet size are of importance. Following the convention in [1], we combine the packet size and direction into one scalar. The absolute value of the scalar equals the size of the packet. All upstream packets have negative signs and downstream packets have positive signs. This series of packet sizes is defined as {bn}. The following features have been used in the literature.
BurstSize
In [6], a burst is defined as the interval during which there are only packets in one direction, but preceded and followed immediately by packets in the opposite direction. There re upstream and downstream bursts. In Fig. 6 upstream bursts are shown on the negative half of the graph while downstream packets on the positive half. Each time the stream switches direction from the negative half to positive half or vise-versa, a burst boundary is recorded. Each burst is marked by 2 boundaries and the direction of packets inside that burst becomes the direction of the burst itself. Burst is also used in [5], albeit named differently. It is used as part of the feature set in two different ways. 1) Number of bytes transmitted in each burst is summed up into a histogram and contained in the feature. 2) Number of packets transmitted in each burst is summed up into a histogram and contained in the feature.
PNG
media_image1.png
846
1018
media_image1.png
Greyscale
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-3, 7-10 and 14-17 are rejected under 35 USC 103 as being unpatentable over Mehta (US 10,931,686) in view of Mai (EP 3018620)
Regarding claim 1, Mehta discloses a method comprising:
identifying a transaction burst, the transaction burst comprising multiple encrypted network requests issued by a client device to a network endpoint within a fixed time period during a secure session, the transaction burst comprising a series of related requests followed by a period of inactivity (Mehta; Mehta teaches identifying a plurality (i.e. multiple) web requests (i.e. network requests) which are encrypted via SSL/TLS protocols a network endpoint within a specified time period (i.e. fixed time period). As Mehta teaches requests within the context of HTTP, one of ordinary skill in the art may contemplate conventional characteristics and/or attributes of the HTTP requests consisting of a series of related requests followed by a period of inactivity.
see e.g. Column 1, Lines 52 – 65 “... receiving a plurality of web requests during the user session that include the session identifier ...”
see e.g. Column 6, Lines 9 – 14 “... plurality of web requests with set of automation detection heuristics to identify session attributes associated with the session identifier during the user session over a specified time period”
see e.g. Column 11, Lines 37 – 58 “ ... SSL/TLS client ... SSL/TLS protocol versions ...”
The Examiner notes SSL is equivalent to Secure Sockets Layer which facilitates encryption within the technological environment. SSL is a technology for securing an Internet (TCP/IP) connection using certain encryption algorithms. TLS is an updated version of SSL using certain security certificates
see e.g. Column 8, Lines 15 – 36 “... Secure Sockets Layer (SSL) ...”
see e.g. Figure 4 illustrating multiple encrypted requests being identified and detected by a network endpoint;
see e.g. Column 12, Lines 26 – 34 “... an HTTP request sent by client may include multiple header fields ... )
extracting one or more transaction properties from the transaction burst (Mehta; Mehta teaches the extraction of transaction properties from fields of requests with the intent of subsequently generating labels (i.e. fingerprints);
see e.g. Column 12, Lines 19 – 34 “... An HTTP fingerprint may be determined from the characteristics of HTTP requests ...”
see e.g. Column 12, Lines 35 – 47 “An HTTTP fingerprint could also be generated based on capabilities supported by a client as indicated in the fields of the HTTP request header, and other features that the browser supports may also be listed in the HTTP header fields ...” )
assigning labels to the one or more transaction properties, a given label comprising one or more of a network service and an action (Mehta; Mehta teaches subsequent to extracting characteristics from the requests fingerprints (i.e. labels) are generated;
see e.g. Column 12, Lines 19 – 34 “... An HTTP fingerprint may be determined from the characteristics of HTTP requests ... Host, Accept, and Accept-Encoding”
see e.g. Column 8, Lines 15 – 36 “... session attributes could include user client behavior, connection behavior, presence, absence, format, and quantity of various data fields in the requests or request headers, and any other activity associated with the web requests ...”
The Examiner notes Host, Accept, and Accept-Encoding are equivalent to actions
see e.g. Column 12, Lines 35 – 47 “An HTTTP fingerprint could also be generated based on capabilities supported by a client as indicated in the fields of the HTTP request header, and other features that the browser supports may also be listed in the HTTP header fields ...” ) and
training a predictive model with the labels and the one or more transaction properties to identify subsequent transaction bursts (Mehta; Mehta teaches a machine learning algorithm (i.e., training a prediction model) is actuated based on the fingerprints (i.e. labels) and transaction properties
see e.g. Fig. 3 illustrating Steps 301, 302, 303
see e.g. Column 14, Lines 4 – 11 “... assessment operation 303 can combine multiple individual analysis (e.g. using various weight, as inputs to a machine learning algorithm”
PNG
media_image2.png
724
767
media_image2.png
Greyscale
)
Mehta does not expressly disclose:
extracting one or more transaction properties from the transaction burst, the one or more transaction properties comprising at least one of a datagram size of the requests and response within the transaction burst, a response time between a first and last transaction in the transaction burst, and an ordering of the multiple encrypted network requests within the transaction burst;
assigning labels to the one or more transaction properties by executing a script to simulate network activity between a client device and the network endpoint to generate known transaction bursts with a label comprising one or more of a network service and an action;
However in analogous art Mai discloses:
extracting one or more transaction properties from the transaction burst, the one or more transaction properties comprising at least one of a datagram size of the requests and response within the transaction burst, a response time between a first and last transaction in the transaction burst, and an ordering of the multiple encrypted network requests within the transaction burst (Mai;
see e.g. [0025] “... analysis features from the burst detection step, Those burst features may comprise for example: URL ordering within a burst, number of URLS within a burst duration, burst inter-arrival time, burst size, and similar”
The Examiner notes since HTTP requests follow URL patterns, this directly addresses temporal and logical sequencing of network activity for any HTTP requests comprising HTTPs requests (i.e. encrypted network requests;
The Examiner notes the inter-arrival time signifies the inactivity between transaction bursts or equivalently the transaction burst comprising a series of related requests followed by a period of inactivity;
The Examiner notes “burst size”, “number of URLs within a burst”, and burst duration may be readily able for one of ordinary skill in the art to infer the datagram size of the requests and response time within the transaction burst . The inference does not require speculation—it flows from directly the enclosed analytics;
See e.g. Fig. 8 illustrating inter-arrival time thresholds obtained from burst detection algorithms)
assigning labels to the one or more transaction properties by executing a script to simulate network activity between a client device and the network endpoint to generate known transaction bursts with a label comprising one or more of a network service and an action; (Mai;
see e.g. [0077] “... a burst detection module to build a supervised classifier capable to determine a unique representative domain for each identified URL burst. That classifier may be operable to utilize , for example, those record level features and associated temporal information which can be extracted in a streaming setting; aggregated burst features; and whether or oner a URL is marked representative or non-representative by the classifier in the domain characterization module”
see e.g. [0078] “... application update burst or a popup advertisement burst”
The Examiner interprets the term “script” to refer to code or executable instructions, including but not limited to interpretation or compiled instructions that are executed by a processor or computing device. Such scripts may include shell scripts, JavaScript, Python code, or any other type of instructions sequence capable of being executed to simulate, control, or manipulate network activity; see e.g. [0180])
The Examiner notes per [0077]-[0078] a supervised classifier trained on features such as burst duration, URL ordering, or inter-arrival time, and associated labels (e.g. burst types), constitutes a predictive model operable to identify subsequent transaction burst sharing similar patterns
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Mai’s burst detection scheme. The motivation being the combined solution provides for implementing a known technique resulting in increased efficiencies of classifying data.
Regarding claim 2, Mehta in view of Mai disclose the method of claim 1, the one or more transaction properties further comprising a property selected from the group consisting of: a transmission control protocol (TCP) port (Mehta; see .e.g. Column 11, Lines 6 – 20 “... transmission control protocol (TCP) packet characteristics; The Examiner notes one of ordinary skill in the art is readily able to utilize conventional introspection to realize a TCP port from traffic characteristics); an Internet Protocol (IP) address space; a response time; a number of requests in the transaction burst (The combined solution per Mai; see e.g. [0025];
The Examiner notes the number of request in a transaction burst is functionally and inferentially supported by “number of unique URLs within a burst” One of ordinary skill in the art would understand that each unique URL corresponds to a discrete request, and the enumeration of URLs thus servers as a functional proxy for the number of requests in the burst); and a network route trace (The combined solution per Mai; see e.g. [0077] “... network trace”
The Examiner notes one of ordinary skill in the art would recognize that such a trace would inherently includes routing information necessary to decompose and characterize bursts in real time- i.e. it includes or enables a network route trace as recited in the claims”).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Mai’s burst detection scheme. The motivation being the combined solution provides for implementing a known technique resulting in increased efficiencies of classifying data.
Regarding claim 3, Mehta in view of Mai disclose The method of claim 1, further comprising combining the one or more transaction properties to form a fingerprint prior to training the predictive model (Mehta; Fingerprints are utilized to influence the training of the predictive model;
see e.g. Column 12, Lines 35 – 47 “An HTTTP fingerprint could also be generated based on capabilities supported by a client as indicated in the fields of the HTTP request header, and other features that the browser supports may also be listed in the HTTP header fields ...”
See e.g. Mehta Fig. 3, Steps 301 -303
see e.g. Mehta ;Column 14, Lines 4 – 11 “... assessment operation 303 can combine multiple individual analysis (e.g. using various weight, as inputs to a machine learning algorithm”).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Mai’s burst detection scheme. The motivation being the combined solution provides for implementing a known technique resulting in increased efficiencies of classifying data.
.
Regarding claim 7, Mehta in view of Mai disclose the method of claim 1, wherein the predictive model comprises one of a neural network or support vector machine (The combined solution per Mai;
See e.g. [0023] “...support vector machine ...”)
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Mai’s burst detection scheme. The motivation being the combined solution provides for implementing a known technique resulting in increased efficiencies of classifying data.
Regarding claim 8, claim 8 comprises the same and/or similar subject matter as claim 1 and is considered an obvious variation; therefore it is rejected under the same rationale.
Regarding claim 9, claim 9 comprises the same and/or similar subject matter as claim 2 and is considered an obvious variation; therefore it is rejected under the same rationale.
Regarding claim 10, claim 10 comprises the same and/or similar subject matter as claim 3 and is considered an obvious variation; therefore it is rejected under the same rationale.
Regarding claim 14, claim 14 comprises the same and/or similar subject matter as claim 7 and is considered an obvious variation; therefore it is rejected under the same rationale.
Regarding claim 15, claim 15 comprises the same and/or similar subject matter as claim 1 and is considered an obvious variation; therefore it is rejected under the same rationale.
Regarding claim 16, claim 16 comprises the same and/or similar subject matter as claim 2 and is considered an obvious variation; therefore it is rejected under the same rationale.
Regarding claim 17, claim 17 comprises the same and/or similar subject matter as claim 3 and is considered an obvious variation; therefore it is rejected under the same rationale.
Claims 4-5, 11-12, and 18-19 are rejected under 35 USC 103 as being unpatentable over Mehta in view of Mai and in further view of Lerios (US 2015/0081701
Regarding claim 4, Mehta in view of Mai disclose the method of claim 1, wherein assigning labels to the one or more transaction properties comprises executing a script to access the network service (The combined solution per Mai as it would have been obvious to one off ordinary skill in the art at the time of the invention that the execution of embedder or linked web scripts (such as JavaScript used for tracking, ads, or age mangers) is inherently a form of programmatic script execution to access a network service. These scripts are executed within the user’s browser or network endpoint and initiate HTTPs requests to known services which are then available for burst level classification and labeling (see e.g. Mai [0077]-[0078])
As evidence of the above rationale Lerios discloses:
executing a script to access the network service (Lerios;
see e.g. [0132] “In some embodiments, one or more web services are implemented to provide remote access to various features described herein by clients. For example, a client may use the HTTP protocol and messages exchanged in the JSON format to communicate with a server that provides one or more web services implementing access to various features described herein. In another example, a client executing a script (e.g., from a command-line or as part of an unattended batch execution) that generates HTTP-based messages (e.g., similar to curl) can remotely access (e.g., over a network connection) features provided through one or more web services implementing access to various features described herein. As a further example, a client may remotely execute a script by submitting the script (e.g., in JSON form and via the HTTP protocol) to one or more web services implementing various features described herein”)
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Lerios’ script. The motivation being the combined solution provides for increased efficiencies in analyzing network traffic.
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Mai’s burst detection scheme. The motivation being the combined solution provides for implementing a known technique resulting in increased efficiencies of classifying data.
Regarding claim 5, Mehta in view of Mai and in further view of Lerios disclose the method of claim 4, wherein assigning labels to the one or more transaction properties further comprises executing the script to perform a known action with the network service (The combined solution provides for a technological environment where executing the script is for the purposes of accessing a network service which perform particular actions;
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Lerios’ script. The motivation being the combined solution provides for increased efficiencies in analyzing network traffic.
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Mai’s burst detection scheme. The motivation being the combined solution provides for implementing a known technique resulting in increased efficiencies of classifying data.
Regarding claim 11, claim 11 comprises the same and/or similar subject matter as claim 4 and is considered an obvious variation; therefore it is rejected under the same rationale.
Regarding claim 12, claim 12 comprises the same and/or similar subject matter as claim 5 and is considered an obvious variation; therefore it is rejected under the same rationale.
Regarding claim 18, claim 18 comprises the same and/or similar subject matter as claim 4 and is considered an obvious variation; therefore it is rejected under the same rationale.
Regarding claim 19, claim 19 comprises the same and/or similar subject matter as claim 5 and is considered an obvious variation; therefore it is rejected under the same rationale.
Claims 6, 13, and 20 are rejected under 35 USC 103 as being unpatentable over Mehta in view of Mai and in further view of Erman , “Traffic Classification Using Clustering Algorithms”
Regarding claim 6, Mehta in view of Mai disclose the method of claim 1 wherein assigning labels to the one or more transaction properties comprises clustering a set of unlabeled transaction bursts and applying labels to each transaction burst within each cluster (The combined solution per Mai;
See e.g. Abstract, [0042], [0064 “... URLs in to clusters that correspond to micro actions..”] ,[0077],).
As evidence of the above rationale, Erman discloses:
grouping of unlabeled training data [i.e. clustering]( Erman;
see e.g. Abstract “... Clustering Algorithms ...”
See e.g. Page 281, Column 2 “ ... clustering ... network identification ...”
see e.g. Page 22, Column ( “... The ability to group unlabelled training data is advantageous and offers some practical benefits over learning approaches that require labelled training data ...”)
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Erman’s teaching of aggregating unlabeled data. The motivation being the combined solution provides for increased efficiencies of analyzing traffic data.
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Mai’s burst detection scheme. The motivation being the combined solution provides for implementing a known technique resulting in increased efficiencies of classifying data.
Regarding claim 13, claim 13 comprises the same and/or similar subject matter as claim 6 and is considered an obvious variation; therefore it is rejected under the same rationale.
Regarding claim 20, claim 20 comprises the same and/or similar subject matter as claim 6 and is considered an obvious variation; therefore it is rejected under the same rationale.
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the Examiner should be directed to TODD L. BARKER whose telephone number is (571) 270 0257. The Examiner can normally be reached on Monday through Friday, 7:30am to 5:00pm.
If attempts to reach the Examiner by telephone are unsuccessful, the Examiner's supervisor Vivek Srivastava can be reached on (571) 272 7304.
/TODD L BARKER/Primary Examiner, Art Unit 2449