DETERMINING NETWORK-SPECIFIC USER BEHAVIOR AND INTENT USING SELF-SUPERVISED LEARNING

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . This action is responsive to the Amendment filed on December 30, 2025. Claims 1, 13, and 18 are amended. Claims 1-21 are pending in the case. Claims 1, 13, and 18 are the independent claims. This action is final. Applicant’s Response In the Amendment filed on December 30, 2025, Applicant amended the claims and provided arguments in response to the rejections of the claims under 35 USC 103 in the previous office action. Response to Argument/Amendment Applicant’s amendments to the claims in response to the rejection of the claims under 35 USC 103 in the previous office action are acknowledged, and Applicant’s associated arguments have been fully considered. Applicant argues that “no reference alone or in combination teaches, suggests, or discloses features of collecting ‘user cursor movement’ as part of ‘user behavior information’ that is processed along with ‘network information indicative of a plurality of network devices in a network domain’ by self-supervised machine learning to ‘determine contextual meaning of the input data’” as recited in the amended independent claims. Examiner agrees that the cited references do not appear to explicitly disclose the user behavior information “including user cursor movement,” as recited in the amended independent claims. Therefore, the rejection is withdrawn. However, new grounds of rejection are provided below. Claim Rejections – 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. This application currently names joint inventors. In considering patentability of the claims under pre-AIA 35 U.S.C. 103(a), the examiner presumes that the subject matter of the various claims was commonly owned at the time any inventions covered therein were made absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and invention dates of each claim that was not commonly owned at the time a later invention was made in order for the examiner to consider the applicability of pre-AIA 35 U.S.C. 103(c) and potential pre-AIA 35 U.S.C. 102€, (f) or (g) prior art under pre-AIA 35 U.S.C. 103(a). Claims 1-3, 9, 11, 13-15, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over S et al. (US 20230274010 A1) in view of Srivatsa et al. (US 20240137375 A1), further in view of Nagpal et al. (US 20240176840 A1). With respect to claims 1, 13, and 18, S teaches an apparatus comprising: a memory, a network interface configured to enable network communications, and a processor, wherein the processor is configured to perform a method; one or more non-transitory computer readable storage media encoded with software comprising computer executable instructions that, when executed by a processor, cause the processor to perform the method (e.g. paragraph 0036, processor 102, programs and data stored in storage device 108; system memory 114; execution of computer programs by processor 102; paragraph 0040, processor 102 executing instructions to perform described functions); and the method, comprising: obtaining, by a computing device, input data including one or more of network information indicative of a plurality of network devices in a network domain and user behavior information indicative of one or more user interactions with the network domain (e.g. paragraph 0050, Fig. 8, GUI launch page including credential elements such as username and password, identifier 802a that identifies remote access controller device 304, computing device identifier that identifies computing device 202/300; paragraph 0051, domain element 806 providing for selection of a domain, such as a domain for remote access controller device 304, along with other domains; paragraph 0055, management actions associated with computing device 300; paragraph 0056, remote access controller devices and computing devices that are similar to the remote access controller device 304 and computing device 202/300; paragraph 0057, associating management actions performed by network administrators and other users, based on credentials used to perform the management actions, resulting in association of plurality of management actions with particular administrator or other user; i.e. input data (such as via GUI of a user) includes devices and a corresponding domain, along with user credentials and user management actions performed using the devices); performing, by the computing device, a machine learning using a plurality of elements that represent the input data, to determine contextual meaning of the input data (e.g. paragraph 0057, plurality of management actions learned by remote access controller engine/device; using machine learning algorithms to analyze plurality of management actions associated with network administrators and other users as well as permissions, roles, and requirements of administrators and users; i.e. a machine learning process is performed in order to learn management actions associated with a particular context, such as a particular administrator, set of permissions, roles, etc.); generating at least one actionable task related to the network domain based on the contextual meaning of the input data (e.g. paragraph 0057, identifying and prioritizing management actions as management actions that will be provided in GUI via management action select element 808; paragraph 0058, management actions included for selection for different administrators/users, dynamically changing as use of the device/management subsystem changes, and may be dynamically generated for presentment to administrator/user; identifying actions associated with credentials and providing those actions for presentation to user/administrator); and providing, by the computing device, the at least one actionable task for performing one or more actions associated with the network domain (e.g. paragraph 0054, Fig. 9B, GUI launch page includes management action select element 808; paragraph 0055, management action select element includes dropdown feature utilized to present management action list 808a that includes a plurality of management actions associated with computing device and that may be selected; paragraph 0058, providing selected actions for selection via management subsystem GUI launch page; paragraph 0059, Fig. 9C, selection of perform action element 814 by administrator/user, after which plurality of operations performed automatically; paragraph 0067, automatically performing the (i.e. selected) management action). S does not explicitly disclose that the machine learning is self-supervised machine learning using mask modeling. However, Srivatsa teaches that the machine learning is self-supervised machine learning using mask modeling to determine contextual meaning of the input data (e.g. paragraph 0026, learning contextual embeddings for fully qualified domain names, protocol fields, and other categorical features in network, which can be used to achieve various network management tasks; paragraph 0055, training model to learn contextual embeddings for tokens of categorical features of networks and to output those embeddings with contextual meanings; model trained on broad data using self-supervision and can be adapted to wide range of downstream tasks; paragraph 0062, training machine learning model to generate contextual embeddings by inputting sentences of tokens, where some tokens are masked; some tokens masked at random and model predicts values of masked tokens). Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention having the teachings of S and Srivatsa in front of him to have modified the teachings of S (directed to a quick management action system, including use of machine learning to learn management tasks for devices in a domain), to incorporate the teachings of Srivatsa (directed to foundational models for network packet traces) to include the capability to utilize, as the machine learning (i.e. of S), self-supervised machine learning using mask modeling to determine contextual meaning of the input data (as taught by Srivatsa). One of ordinary skill would have been motivated to perform such a modification in order to create state-of the art models or a wide range of tasks without substantial task specific architecture modifications, where the tasks may include various network management, monitoring, and security tasks as described in Srivatsa (paragraphs 0004-0005). S and Srivatsa do not explicitly disclose the user behavior information including user cursor movement. However, Nagpal teaches the user behavior information including user cursor movement (e.g. paragraph 0046, machine learning model trained using training data set including patterns of user interactions such as cursor movements; performing feature extraction on the training data and using extracted features to train the machine learning model). Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention having the teachings of S, Srivatsa, and Nagpal in front of him to have modified the teachings of S (directed to a quick management action system, including use of machine learning to learn management tasks for devices in a domain) and Srivatsa (directed to foundational models for network packet traces), to incorporate the teachings of Nagpal (directed to predicting a meaningful event based on user interaction data for a webpage) to include the capability to include, within the user behavior information, user cursor movement. One of ordinary skill would have been motivated to perform such a modification in order to determine meaningful information associated with user interactions in a webpage or application, providing valuable insight into the user experience including a prediction of an action of the user in real-time as described in Nagpal (abstract). With respect to claims 2, 14, and 19, S in view of Srivatsa, further in view of Nagpal teaches all of the limitations of claims 1, 13, and 18 as previously discussed, and S further teaches wherein providing the at least one actionable task for performing the one or more actions includes one or more of: providing at least one shortcut for executing the one or more actions that relate to a configuration or management of the network domain (e.g. paragraph 0051, providing for selection of management action via management action select element 808, selection of domain via domain element 806; paragraph 0055, management action list 808a including plurality of management actions associated with computing device (such as remote access controller device 304) that may be selected and identified via element 808 (such as showing critical alerts, launching virtual console, power options for the device, etc.); paragraph 0056, management actions available via element 808 may be those management actions most commonly utilized by network administrators, etc.; i.e. a UI component/shortcut is provided for executing various different management actions, such as management actions of a network administrator or other user role with respect to a particular domain); providing guided support for performing the at least one actionable task by sequentially providing or executing a next action from the one or more actions; or providing a first path for performing the at least one actionable task, the first path includes the one or more actions and is faster than a second path for performing the at least one actionable task. With respect to claims 3, 15, and 20, S in view of Srivatsa, further in view of Nagpal teaches all of the limitations of claims 1, 13, and 18 as previously discussed, and S further teaches wherein the input data includes the network information and the user behavior information (e.g. paragraph 0050, Fig. 8, GUI launch page including credential elements such as username and password, identifier 802a that identifies remote access controller device 304, computing device identifier that identifies computing device 202/300; paragraph 0051, domain element 806 providing for selection of a domain, such as a domain for remote access controller device 304, along with other domains; paragraph 0055, management actions associated with computing device 300; paragraph 0056, remote access controller devices and computing devices that are similar to the remote access controller device 304 and computing device 202/300; paragraph 0057, associating management actions performed by network administrators and other users, based on credentials used to perform the management actions, resulting in association of plurality of management actions with particular administrator or other user; i.e. input data (such as via GUI of a user) includes devices and a corresponding domain, along with user credentials and user management actions performed using the devices) and the method further comprising: determining device similarities of the plurality of network devices and behavioral similarities between the one or more user interactions, based on the contextual meaning of the input data (e.g. paragraph 0056, most commonly utilized management actions by plurality of network administrators or other users of devices, including similar devices; i.e. the system determines which actions are the same/similar between different users, and whether relevant devices for the actions are similar), wherein generating the at least one actionable task includes generating at least one of: a first action related to at least one network device in the network domain that is similar to one of the plurality of network devices based on the device similarities (e.g. paragraph 0056, plurality of management actions prepopulated based on most commonly utilized management actions by users of devices that are the same or similar to remote access controller device 304 or computing device 202/300), a second action related to a user behavior that is similar to a behavior defined by the one or more user interactions based on the behavioral similarities (e.g. paragraph 0056, plurality of management actions prepopulated based on most commonly utilized management actions selected/identified by plurality of network administrators/other users), or a third action to be performed on the at least one network device that is related to the user behavior, based on the device similarities and the behavioral similarities (e.g. paragraph 0056, plurality of management actions prepopulated based on most commonly utilized management actions selected/identified by plurality of network administrators/other users of remote access controller devices and/or similar computing devices). With respect to claim 9, S in view of Srivatsa, further in view of Nagpal teaches all of the limitations of claim 1 as previously discussed, and Srivatsa further teaches wherein the input data includes the network information and further comprising: embedding the network information indicative of the plurality of network devices to generate a network embedding structure that includes the contextual meaning of a respective network device, an enterprise site of the respective network device, and a connection of the respective network device to other network devices in the network domain (e.g. paragraph 0034, categorical features extracted from network packet traces of network traces and used to make tokens; examples of categorical features including fully qualified domain names, protocol fields, and protocol values; paragraph 0035, creating contextual embeddings from the tokens of the categorical features of the network traffic; paragraph learning contextual embeddings for tokens of categorical features of networks and to output those embeddings with contextual meanings; paragraph 0053, end points representative of user devices; paragraph 0060, sentences of tokens, each associated with its own end point, such that the sentence captures the network traffic of an end point, where the end point is a user device, etc.; paragraph 0066, extracting categorical features from network packet traces of network traffic, tokenizing categorical features into tokens, constructing sentences of the tokens, each sentence associated with its own end point such that the sentence captures the network traffic of an end point, allowing the sentence and corresponding contextual embeddings to uniquely define and correspond back to that end point; paragraph 0068, clustering contextual embeddings of sentences corresponding to end points; paragraph 0069, determining anomalies of the end points based on the cluster; paragraph 0070, indicating that a particular end point device can be identified and isolated based on the clustering, and that the contextual embeddings are indicative of connections between end devices/network devices and servers; paragraph 0073, labeling each sentence of tokens with descriptions (manufacturer, device type, etc.) associated with the end point for which the sentence was created; paragraph 0078, tokenizing categorical features and constructing sentences from the tokens, where each sentence is generated from and associated with the network traffic for an end point in the network, thereby allowing the sentence and contextual embeddings to uniquely define and correspond back to the end point; paragraph 0079, inferring descriptions/characteristics of the end points/devices (user devices) based on sentences; paragraph 0083-0084, detecting and classifying devices, information showing connections to particular servers revealing presence of particular device made by particular manufacturer; presences of devices in particular enterprise networks; paragraph 0097, categorical data/variables used to group information with similar characteristics; structuring categorical variables for network traffic, providing improvements to classifying descriptions/characteristics of end points; paragraph 0098, FQDNs providing information including types of entities, countries where domain is hosted, related organizations, services, departments, etc.; i.e. the sentences of tokens of categorical features (which are used to group information) are used to generate contextual embeddings, and information characterized by the sentences/tokens, contextual embeddings includes information which indicates a particular device, including its type, manufacturer, etc., along with behavior of that device, connections of that device to other devices (such as servers), and presence of that device within a particular enterprise site/network), wherein performing the self-supervised machine learning includes the mask modeling of the network embedding structure (e.g. paragraph 0026, learning contextual embeddings for fully qualified domain names, protocol fields, and other categorical features in network, which can be used to achieve various network management tasks; paragraph 0055, training model to learn contextual embeddings for tokens of categorical features of networks and to output those embeddings with contextual meanings; model trained on broad data using self-supervision and can be adapted to wide range of downstream tasks; paragraph 0062, masking of tokens of sentences). Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention having the teachings of S, Nagpal, and Srivatsa in front of him to have modified the teachings of S (directed to a quick management action system, including use of machine learning to learn management tasks for devices in a domain) and Nagpal (directed to predicting a meaningful event based on user interaction data for a webpage), to incorporate the teachings of Srivatsa (directed to foundational models for network packet traces) to include the capability to embed the input data, in the form of event sequences, to generate a contextual data structure/contextual embedding indicative of the context/meaning of a particular end point device (such as type of device, manufacturer of the device, and behavior device), the presence of the device in a particular enterprise network/site, and connections of the device to other devices such as servers (as taught by Srivatsa). One of ordinary skill would have been motivated to perform such a modification in order to create state-of the art models or a wide range of tasks without substantial task specific architecture modifications, where the tasks may include various network management, monitoring, and security tasks as described in Srivatsa (paragraphs 0004-0005). With respect to claim 11, S in view of Srivatsa, further in view of Nagpal teaches all of the limitations of claim 9 as previously discussed, and Srivatsa further teaches wherein performing the self-supervised machine learning includes: iteratively training the network embedding structure by replacing one of the plurality of network devices in the network embedding structure with a masked token to determine the contextual meaning of the plurality of network devices including one or more of a device type, a device role in the network domain, a device function, or a device product family type (e.g. paragraph 0060, each sentence of tokens associated with its own end point, such as a user device; paragraph 0061, each end point has its own sentence of tokens; paragraph 0062, generating contextual embeddings by inputting sentences of tokens, where some of the tokens are masked; masking tokens at random and machine learning model predicts the values of the masked tokens, masking tokens in order to train machine learning model; paragraph 0070, indicating that a particular end point device can be identified and isolated based on the clustering, and that the contextual embeddings are indicative of connections between end devices/network devices and servers; paragraph 0073, labeling each sentence of tokens with descriptions (manufacturer, device type, etc.) associated with the end point for which the sentence was created; paragraph 0074, training machine learning model to generate contextual embeddings by inputting sentences of tokens with labels, where some tokens are masked, allowing the model to learn contextual embeddings for the tokens and the labels for the sentences of the contextual embeddings for the end points; paragraph 0075-0076, training dataset includes description/characteristic labels of endpoints with sentences of tokens for the endpoints; each of the sentences of contextual embeddings labels the end points with, for example, device type and manufacturer; classifying end point by description/characteristics such as device type and manufacturer; model trained to classify/infer end points by descriptions/characteristics based on input of sentences of contextual embeddings for the end points; paragraph 0079, inferring descriptions/characteristics of the end points/devices (user devices) based on sentences; paragraph 0083-0084, detecting and classifying devices, information showing connections to particular servers revealing presence of particular device made by particular manufacturer; presences of devices in particular enterprise networks; paragraph 0105, given input, percentage of tokens are randomly chosen as training anchors, and a percentage of these are replaced with a masking token, and the model must fill in the blanks from its learned vocabulary; separate percentage of anchors are unchanged, and a remaining percentage are replaced with random tokens from the vocabulary; using optimizer and linear annealing schedule for learning rate; training sequence length ranges from 8 to 64, resampled every batch; paragraph 0127, indicating that FQDNs of an endpoint are themselves indicative of a device/end point type, such as those starting with prefix laptop-”, “desktop-”, and “win-” being indicative of user computers in an enterprise network (where such FQDNs are themselves tokens in the sentences/contextual embeddings as discussed in paragraph 0141); paragraph 0141, tokens masked during training of the model, which is configured to predict contextual embeddings for masked tokens, contextual embeddings having a relationship to one another, such as contextual embeddings representing fully qualified domain names in a communication session for an end point; i.e. where the embeddings may be representative of information associated with an endpoint/user device (captured as tokens, such as FQDNs, and also applied as labels of the contextual embeddings/sentences), and the model is iteratively trained to generate the contextual embeddings using masked tokens in place of a percentage of original tokens in order to learn contextual information for analysis of the device, such as a device type, device manufacturer, device connections within the network/domain, device behavior (such as a sequence of domain requests by the device), etc.). Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention having the teachings of S, Das, Nagpal, and Srivatsa in front of him to have modified the teachings of S (directed to a quick management action system, including use of machine learning to learn management tasks for devices in a domain), Nagpal (directed to predicting a meaningful event based on user interaction data for a webpage), and Das (directed to providing completion recommendations for natural language requests in a natural language processing system, such as in an IT management environment), to incorporate the teachings of Srivatsa (directed to foundational models for network packet traces) to include the capability to iteratively train the model to generate contextual embeddings using a masking process in which a percentage of original information (such as tokens of FQDNs, which may include information indicative of an associated end point device) is replaced with masked tokens, in order to learn contextual information associated with the associated devices, including device type, manufacturer, connections, behavior, etc. (as taught by Srivatsa). One of ordinary skill would have been motivated to perform such a modification in order to create state-of the art models or a wide range of tasks without substantial task specific architecture modifications, where the tasks may include various network management, monitoring, and security tasks as described in Srivatsa (paragraphs 0004-0005). Claims 4-8, 12, 16, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over S in view of Srivatsa, further in view of Nagpal, further in view of Das et al. (US 11,475,053 B1). With respect to claims 4, 16, and 21, S in view of Srivatsa, further in view of Nagpal teaches all of the limitations of claims 1, 13, and 18 as previously discussed, and Srivatsa further teaches wherein the input data includes the user behavior information in a form of stream data (e.g. paragraph 0060, sentences of tokens, each associated with its own end point, such that the sentence captures the network traffic of an end point, where the end point is a user device, etc.) and the method further comprising: embedding one or more event sequences in the stream data to generate an event embedding structure that includes the contextual meaning of a respective event, a sequence of the respective event, and a position of the respective event in the sequence (e.g. paragraph 0061, constructing sentence by concatenating truncated FQDNs issued by end point, i.e. end point sending DNS requests for the FQDNs; sentence of tokens generated for session of end point corresponding to given time interval for which end point communicates over the network; paragraph 0062, generating contextual embeddings by inputting sentences of tokens where some tokens are masked; paragraph 0063, each token of sentence assigned contextual embedding; paragraph 0064, outputting contextual embeddings/numerical vector for each FQDN, learning contextual embeddings with semantic meaning; i.e. where each DNS request in a session is analogous to an event, the sequence of DNS requests in the session is analogous to a sequence of events, and contextual embeddings of sentences of tokens including the sequence of events are analogous to an embedding structure that includes the contextual meaning of the associated events, their sequence, and their respective positions in the sequence), wherein performing the self-supervised machine learning includes the mask modeling of the event embedding structure (e.g. paragraph 0026, learning contextual embeddings for fully qualified domain names, protocol fields, and other categorical features in network, which can be used to achieve various network management tasks; paragraph 0055, training model to learn contextual embeddings for tokens of categorical features of networks and to output those embeddings with contextual meanings; model trained on broad data using self-supervision and can be adapted to wide range of downstream tasks; paragraph 0062, masking of tokens of sentences). Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention having the teachings of S, Srivatsa, and Nagpal, in front of him to have modified the teachings of S (directed to a quick management action system, including use of machine learning to learn management tasks for devices in a domain) and Nagpal (directed to predicting a meaningful event based on user interaction data for a webpage), to incorporate the teachings of Srivatsa (directed to foundational models for network packet traces) to include the capability to embed the input data, in the form of event sequences, to generate a contextual data structure/contextual embedding including the context/meaning and sequence of the input data, and to utilize, as the machine learning (i.e. of S), self-supervised machine learning using mask modeling to determine contextual meaning of the input data (as taught by Srivatsa). One of ordinary skill would have been motivated to perform such a modification in order to create state-of the art models or a wide range of tasks without substantial task specific architecture modifications, where the tasks may include various network management, monitoring, and security tasks as described in Srivatsa (paragraphs 0004-0005). S and Srivatsa do not explicitly disclose that the user behavior information is in a form of click-through stream data. However, Das teaches that the user behavior information is in a form of click-through stream data (e.g. col. 69 lines 52-61, as users interact with domain-specific data sources through NL application, NL application stores relevant information including clickstreams in knowledge database, and corresponding ML model is trained based on the knowledge database; col. 71, lines 38-51, interaction history database includes information associated with interactions of users with components of NL system, such as information extracted from clickstreams, etc.; col. 76 lines 46-56, user interaction data including clickstream). Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention having the teachings of S, Srivatsa, Nagpal, and Das in front of him to have modified the teachings of S (directed to a quick management action system, including use of machine learning to learn management tasks for devices in a domain), Nagpal (directed to predicting a meaningful event based on user interaction data for a webpage), and Srivatsa (directed to foundational models for network packet traces), to incorporate the teachings of Das (directed to providing completion recommendations for natural language requests in a natural language processing system, such as in an IT management environment) to include the capability to utilize, as the user behavior information, clickthrough stream data (as taught by Das). One of ordinary skill would have been motivated to perform such a modification in order to enable the system to recommend request completions and follow-on requests as described in Das (col. 2 lines 37-46). With respect to claim 5, S in view of Srivatsa, further in view of Nagpal, further in view of Das teaches all of the limitations of claim 4 as previously discussed, and Srivatsa further teaches wherein embedding the one or more event sequences further comprises: generating grouping information for the stream data by grouping the one or more event sequences into one or more groups based on at least one attribute that includes one or more of an identity of a user that generated the respective event, a role of the user within the network domain, an enterprise of the user, and a geolocation of the user (e.g. paragraph 0034, categorical features extracted from network packet traces of network traces and used to make tokens; examples of categorical features including fully qualified domain names, protocol fields, and protocol values; paragraph 0035, creating contextual embeddings from the tokens of the categorical features of the network traffic; paragraph learning contextual embeddings for tokens of categorical features of networks and to output those embeddings with contextual meanings; paragraph 0053, end points representative of user devices; paragraph 0060, sentences of tokens, each associated with its own end point, such that the sentence captures the network traffic of an end point, where the end point is a user device, etc.; paragraph 0066, extracting categorical features from network packet traces of network traffic, tokenizing categorical features into tokens, constructing sentences of the tokens, each sentence associated with its own end point such that the sentence captures the network traffic of an end point, allowing the sentence and corresponding contextual embeddings to uniquely define and correspond back to that end point; paragraph 0068, clustering contextual embeddings of sentences corresponding to end points; paragraph 0069, determining anomalies of the end points based on the cluster; paragraph 0070, indicating that a particular end point device can be identified and isolated based on the clustering; paragraph 0073, labeling each sentence of tokens with descriptions (manufacturer, device type, etc.) associated with the end point for which the sentence was created; paragraph 0078, tokenizing categorical features and constructing sentences from the tokens, where each sentence is generated from and associated with the network traffic for an end point in the network, thereby allowing the sentence and contextual embeddings to uniquely define and correspond back to the end point; paragraph 0079, inferring descriptions/characteristics of the end points/devices (user devices) based on sentences; paragraph 0097, categorical data/variables used to group information with similar characteristics; structuring categorical variables for network traffic, providing improvements to classifying descriptions/characteristics of end points; paragraph 0098, FQDNs providing information including types of entities, countries where domain is hosted, related organizations, services, departments, etc.; paragraph 0127, clustering based on FQDNs having similar semantics; FQDNs corresponding to user computers such as starting with prefix “laptop-“, “desktop-“, and “win-“, as shown in table 4 of Fig. 7, determining particular user’s computer differs significantly and may indicate unexpected behavior; i.e. the sentences of tokens of categorical features (which are used to group information) can be clustered/grouped based on the categorical features, where the categorical features of the sentences are associated with a unique end point/user device, and therefore with the particular user of that end point/user device, analogous to a grouping/clustering based on an attribute that identifies/includes the identity of a user that generated the event); and embedding the grouping information into the event embedding structure (e.g. paragraph 0034, categorical features extracted from network packet traces of network traces and used to make tokens; examples of categorical features including fully qualified domain names, protocol fields, and protocol values; paragraph 0035, creating contextual embeddings from the tokens of the categorical features of the network traffic; paragraph learning contextual embeddings for tokens of categorical features of networks and to output those embeddings with contextual meanings; paragraph 0053, end points representative of user devices; paragraph 0060, sentences of tokens, each associated with its own end point, such that the sentence captures the network traffic of an end point, where the end point is a user device, etc.; paragraph 0066, extracting categorical features from network packet traces of network traffic, tokenizing categorical features into tokens, constructing sentences of the tokens, each sentence associated with its own end point such that the sentence captures the network traffic of an end point, allowing the sentence and corresponding contextual embeddings to uniquely define and correspond back to that end point; paragraph 0078, tokenizing categorical features and constructing sentences from the tokens, where each sentence is generated from and associated with the network traffic for an end point in the network, thereby allowing the sentence and contextual embeddings to uniquely define and correspond back to the end point; paragraph 0127, clustering based on FQDNs having similar semantics; i.e. where a categorical feature such as a FQDN provides a basis for clustering of contextual embeddings (and is also indicative of a particular device and associated user), generating contextual embeddings built from tokens of the categorical features is analogous to embedding grouping information (i.e. categorical features) into the event embedding structure (i.e. contextual embeddings)). Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention having the teachings of S, Das, Nagpal, and Srivatsa in front of him to have modified the teachings of S (directed to a quick management action system, including use of machine learning to learn management tasks for devices in a domain), Nagpal (directed to predicting a meaningful event based on user interaction data for a webpage), and Das (directed to providing completion recommendations for natural language requests in a natural language processing system, such as in an IT management environment), to incorporate the teachings of Srivatsa (directed to foundational models for network packet traces) to include the capability to embed the input data, in the form of event sequences, to generate a contextual data structure/contextual embedding including the context/meaning and sequence of the input data, where the embedded input data includes categorical features such as domain information associated with/identifying a particular user device/user, and the categorical features provide a basis for grouping/clustering the contextual embeddings (as taught by Srivatsa). One of ordinary skill would have been motivated to perform such a modification in order to create state-of the art models or a wide range of tasks without substantial task specific architecture modifications, where the tasks may include various network management, monitoring, and security tasks as described in Srivatsa (paragraphs 0004-0005). Das teaches that the stream data is click-through stream data (e.g. col. 69 lines 52-61, as users interact with domain-specific data sources through NL application, NL application stores relevant information including clickstreams in knowledge database, and corresponding ML model is trained based on the knowledge database; col. 71, lines 38-51, interaction history database includes information associated with interactions of users with components of NL system, such as information extracted from clickstreams, etc.; col. 76 lines 46-56, user interaction data including clickstream). Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention having the teachings of S, Srivatsa, Nagpal, and Das in front of him to have modified the teachings of S (directed to a quick management action system, including use of machine learning to learn management tasks for devices in a domain), Nagpal (directed to predicting a meaningful event based on user interaction data for a webpage), and Srivatsa (directed to foundational models for network packet traces), to incorporate the teachings of Das (directed to providing completion recommendations for natural language requests in a natural language processing system, such as in an IT management environment) to include the capability to utilize, as the user behavior information, clickthrough stream data (as taught by Das). One of ordinary skill would have been motivated to perform such a modification in order to enable the system to recommend request completions and follow-on requests as described in Das (col. 2 lines 37-46). With respect to claim 6, S in view of Srivatsa, further in view of Nagpal, further in view of Das teaches all of the limitations of claim 5 as previously discussed, and Srivatsa further teaches wherein generating the grouping information includes: determining the at least one attribute of the click-through stream data based on clustering the one or more event sequences in the event embedding structure (e.g. paragraph 0068, clustering contextual embeddings of sentences corresponding to end points; paragraph 0069, determining anomalies of the end points based on the cluster; paragraph 0070, indicating that a particular end point device can be identified and isolated based on the clustering; paragraph 0127, clustering based on FQDNs having similar semantics). Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention having the teachings of S, Das, Nagpal, and Srivatsa in front of him to have modified the teachings of S (directed to a quick management action system, including use of machine learning to learn management tasks for devices in a domain), Nagpal (directed to predicting a meaningful event based on user interaction data for a webpage), and Das (directed to providing completion recommendations for natural language requests in a natural language processing system, such as in an IT management environment), to incorporate the teachings of Srivatsa (directed to foundational models for network packet traces) to include the capability to determine an attribute/categorical feature for grouping based on clustering of the event sequences/contextual embeddings of the input data (as taught by Srivatsa). One of ordinary skill would have been motivated to perform such a modification in order to create state-of the art models or a wide range of tasks without substantial task specific architecture modifications, where the tasks may include various network management, monitoring, and security tasks as described in Srivatsa (paragraphs 0004-0005). Das teaches that the stream data is click-through stream data (e.g. col. 69 lines 52-61, as users interact with domain-specific data sources through NL application, NL application stores relevant information including clickstreams in knowledge database, and corresponding ML model is trained based on the knowledge database; col. 71, lines 38-51, interaction history database includes information associated with interactions of users with components of NL system, such as information extracted from clickstreams, etc.; col. 76 lines 46-56, user interaction data including clickstream). Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention having the teachings of S, Srivatsa, Nagpal, and Das in front of him to have modified the teachings of S (directed to a quick management action system, including use of machine learning to learn management tasks for devices in a domain), Nagpal (directed to predicting a meaningful event based on user interaction data for a webpage), and Srivatsa (directed to foundational models for network packet traces), to incorporate the teachings of Das (directed to providing completion recommendations for natural language requests in a natural language processing system, such as in an IT management environment) to include the capability to utilize, as the user behavior information, clickthrough stream data (as taught by Das). One of ordinary skill would have been motivated to perform such a modification in order to enable the system to recommend request completions and follow-on requests as described in Das (col. 2 lines 37-46). With respect to claim 7, S in view of Srivatsa, further in view of Nagpal, further in view of Das teaches all of the limitations of claim 4 as previously discussed, and Srivatsa further teaches wherein performing the self-supervised machine learning includes: iteratively training the event embedding structure by replacing an element in the event embedding structure with a masked token to determine the contextual meaning of a user behavior defined by the one or more user interactions (e.g. paragraph 0062, generating contextual embeddings by inputting sentences of tokens, where some of the tokens are masked; masking tokens at random and machine learning model predicts the values of the masked tokens, masking tokens in order to train machine learning model; paragraph 0074, training machine learning model to generate contextual embeddings by inputting sentences of tokens with labels, where some tokens are masked, allowing the model to learn contextual embeddings for the tokens and the labels for the sentences of the contextual embeddings for the end points; paragraph 0089, learned embeddings used for analysis of user behaviors; paragraph 0105, given input, percentage of tokens are randomly chosen as training anchors, and a percentage of these are replaced with a masking token, and the model must fill in the blanks from its learned vocabulary; separate percentage of anchors are unchanged, and a remaining percentage are replaced with random tokens from the vocabulary; using optimizer and linear annealing schedule for learning rate; training sequence length ranges from 8 to 64, resampled every batch; paragraph 0141, tokens masked during training of the model, which is configured to predict contextual embeddings for masked tokens, contextual embeddings having a relationship to one another, such as contextual embeddings representing fully qualified domain names in a communication session; i.e. where the embeddings may be representative of user behaviors via an endpoint/user device, and the model is iteratively trained to generate the contextual embeddings using masked tokens in place of a percentage of original tokens in order to learn contextual information for analysis of user behaviors). Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention having the teachings of S, Das, Nagpal, and Srivatsa in front of him to have modified the teachings of S (directed to a quick management action system, including use of machine learning to learn management tasks for devices in a domain), Nagpal (directed to predicting a meaningful event based on user interaction data for a webpage), and Das (directed to providing completion recommendations for natural language requests in a natural language processing system, such as in an IT management environment), to incorporate the teachings of Srivatsa (directed to foundational models for network packet traces) to include the capability to iteratively train the model to generate contextual embeddings using a masking process in which a percentage of original information is replaced with masked tokens, in order to learn contextual information associated with user behaviors (as taught by Srivatsa). One of ordinary skill would have been motivated to perform such a modification in order to create state-of the art models or a wide range of tasks without substantial task specific architecture modifications, where the tasks may include various network management, monitoring, and security tasks as described in Srivatsa (paragraphs 0004-0005). With respect to claim 8, S in view of Srivatsa, further in view of Nagpal, further in view of Das teaches all of the limitations of claim 7 as previously discussed, and Das further teaches wherein performing the self-supervised machine learning further includes: iteratively training the event embedding structure using an adjacent sequence prediction to determine one or more relationships between the one or more user interactions (e.g. col. 105 lines 12-36, request prediction model models probabilities of request sequences based on historical request data (previous requests) and historical intent data obtained from interaction history database, given the same or similar context; modeling historical request data and historical intent data as a directed graph data structure in which nodes correspond to requests/intents of requests and directed edges connect requests in sequences; request prediction model used to determine probabilities of different request sequences given a common starting point; data dependency model models dependencies between artifacts of data in domain-specific source, and represents reasonable paths of inquiry that a user may pursue to identify causes of an event or issue; data dependency model used to determine probability of a certain request given a prior request based on the artifacts included in the requests; col. 105 line 54-col. 106 line 45, ML algorithm training request prediction model and ML algorithm training data dependency model; request prediction model and data dependency model trained according to sequence-to-sequence approaches such as request-to-request sequences for the request prediction model and artifact-to-artifact dependency sequences for the data dependency model; training based on information included in knowledge database and domain specific data source, such as based on interaction history database that reflects sequences of requests, contextual artifacts, and associated effectiveness). Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention having the teachings of S, Srivatsa, Nagpal, and Das in front of him to have modified the teachings of S (directed to a quick management action system, including use of machine learning to learn management tasks for devices in a domain), Nagpal (directed to predicting a meaningful event based on user interaction data for a webpage), and Srivatsa (directed to foundational models for network packet traces), to incorporate the teachings of Das (directed to providing completion recommendations for natural language requests in a natural language processing system, such as in an IT management environment) to include the capability to perform the self-supervised machine learning (of Srivatsa) using iterative training of the event embedding structure (such as a graph structure of event/request sequences) using an adjacent sequence prediction to determine relationships of user interactions (such as request-to-request sequences or artifact-to-artifact dependency sequences for determining probabilities for various request sequences, as taught by Das). One of ordinary skill would have been motivated to perform such a modification in order to enable the system to recommend request completions and follow-on requests as described in Das (col. 2 lines 37-46). With respect to claim 12, S in view of Srivatsa, further in view of Nagpal teaches all of the limitations of claim 11 as previously discussed, and further teaches wherein performing the self-supervised machine learning further includes: iteratively training the network embedding structure using a sequence prediction to determine one or more relationships between a plurality of enterprise sites in the network domain (e.g. paragraph 0058, FQDN is a complete address for a website, etc.; paragraph 0095, capturing semantic relationships within a sequence; paragraph 0105, capturing high level semantics of network traffic sequences; paragraph 0112, sequence of N successive FQDNs queried by same device; paragraph 0118, training corpuses created from sequences of successive FQDNs queried by same device; network trace from large enterprise network; paragraphs 0123-0128, given list of FQDNs, retrieving nearest neighbor using cosine similarity/cluster model to compute distance between pairs of embeddings; Table 4 of Fig. 7 presents results; first set of FQDNs and nearest neighbors determined to be similar; next sets of FQDNs may have different second level domains or third level domains, but appear to be owned by same organization; last set of FQDNs all point to computers in the enterprise network; for many computers nearest neighbor seems to be another computer from the same domain; this confirms that the embeddings capture semantic relationships between FQDNs; observing that FQDNs starting with particular prefixes and ending with second level domain of the enterprise form a compact cluster with no outstanding outlier; i.e. the model is trained using contextual embeddings that capture semantic relationships between FQDNs, where the FQDNs may indicate different websites, including enterprise websites in a network domain). S and Srivatsa do not explicitly disclose an adjacent sequence prediction. However, Das teaches an adjacent sequence prediction (e.g. col. 105 lines 12-36, request prediction model models probabilities of request sequences based on historical request data (previous requests) and historical intent data obtained from interaction history database, given the same or similar context; modeling historical request data and historical intent data as a directed graph data structure in which nodes correspond to requests/intents of requests and directed edges connect requests in sequences; request prediction model used to determine probabilities of different request sequences given a common starting point; data dependency model models dependencies between artifacts of data in domain-specific source, and represents reasonable paths of inquiry that a user may pursue to identify causes of an event or issue; data dependency model used to determine probability of a certain request given a prior request based on the artifacts included in the requests; col. 105 line 54-col. 106 line 45, ML algorithm training request prediction model and ML algorithm training data dependency model; request prediction model and data dependency model trained according to sequence-to-sequence approaches such as request-to-request sequences for the request prediction model and artifact-to-artifact dependency sequences for the data dependency model; training based on information included in knowledge database and domain specific data source, such as based on interaction history database that reflects sequences of requests, contextual artifacts, and associated effectiveness). Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention having the teachings of S, Srivatsa, Nagpal, and Das in front of him to have modified the teachings of S (directed to a quick management action system, including use of machine learning to learn management tasks for devices in a domain), Nagpal (directed to predicting a meaningful event based on user interaction data for a webpage), and Srivatsa (directed to foundational models for network packet traces), to incorporate the teachings of Das (directed to providing completion recommendations for natural language requests in a natural language processing system, such as in an IT management environment) to include the capability to perform the self-supervised machine learning (of Srivatsa) using iterative training of the network embedding structure (such as contextual embeddings of sequences of FQDN requests as taught by Srivatsa, and a graph structure of event/request sequences as taught by Das) using an adjacent sequence prediction to determine relationships information characterized by requests, such as between different websites designated in the sequence of FQDNs (of Srivatsa), corresponding to different end device/user device requests (such as request-to-request sequences or artifact-to-artifact dependency sequences for determining probabilities for various request sequences, as taught by Das). One of ordinary skill would have been motivated to perform such a modification in order to enable the system to recommend request completions and follow-on requests as described in Das (col. 2 lines 37-46). Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over S in view of Srivatsa, further in view of Nagpal, further in view of Singh et al. (US 11,475,053 B1). With respect to claim 10, S in view of Srivatsa, further in view of Nagpal teaches all of the limitations of claim 9 as previously discussed. S and Srivatsa do not explicitly disclose wherein the network embedding structure includes topology of the network domain defined by embedding the connection of the respective network device for each of the plurality of network devices using an adjacency matrix. However, Singh teaches wherein the network embedding structure includes topology of the network domain defined by embedding the connection of the respective network device for each of the plurality of network devices using an adjacency matrix (e.g. paragraph 0103, deriving information from site network and determining topology of the site network, network devices included, software and hardware configuration, and how the network is used at any given time; paragraph 0316, receiving network topology including information associated with network devices, subnetworks in the site network, devices in each subnetwork, etc.; paragraph 0440-0441, Fig. 25, adjacency data structure for interactions in network; can be adjacency list or adjacency matrix; adjacency data structure generated by correlating interactions such as by establishing mutual relationship or connection between two or more machines based on interactions in the network, where interactions can be determined by analyzing interaction information and machine information; paragraph 0442-0443, interaction information can include time stamp, source IP address, source host name, user, destination IP address, destination host name, action, protocol type, number of packets sent, etc.; machine information can include category, city/country/latitude/longitude where machine is located, DNS for the machine, IP address, MAC address, machine name, user name, PCI domain, etc.). Accordingly, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention having the teachings of S, Srivatsa, Nagpal, and Singh in front of him to have modified the teachings of S (directed to a quick management action system, including use of machine learning to learn management tasks for devices in a domain), Nagpal (directed to predicting a meaningful event based on user interaction data for a webpage), and Srivatsa (directed to foundational models for network packet traces), to incorporate the teachings of Singh (directed to thread analysis and correlation, such as in an IT management environment) to include the capability to further include, within the embedding structure, topology information of the network domain using an adjacency matrix which characterizes connections/interactions between respective network devices (as taught by Singh). One of ordinary skill would have been motivated to perform such a modification in order to facilitate configuring security for a network, using an adjacency data structure which can associate interacting machines in a network, and which can be updated as new interactions occur, but which can also be limited to particular information in order to avoid retaining the large number of interactions in the network as time progresses as described in Singh (abstract, paragraph 0438 and 0456). It is noted that any citation to specific pages, columns, lines, or figures in the prior art references and any interpretation of the references should not be considered to be limiting in any way. “The use of patents as references is not limited to what the patentees describe as their own inventions or to the problems with which they are concerned. They are part of the literature of the art, relevant for all they contain,” In re Heck, 699 F.2d 1331, 1332-33, 216 USPQ 1038, 1039 (Fed. Cir. 1983) (quoting in re Lemelson, 397 F.2d 1006, 1009, 158 USPQ 275, 277 (GCPA 1968)). Further, a reference may be relied upon for all that it would have reasonably suggested to one having ordinary skill the art, including nonpreferred embodiments. Merck & Co, v. Biocraft Laboratories, 874 F.2d 804, 10 USPQ2d 1843 (Fed. Cir.), cert, denied, 493 U.S. 975 (1989). See also Upsher-Smith Labs. v. Pamlab, LLC, 412 F,3d 1319, 1323, 75 USPQ2d 1213, 1215 (Fed. Cir, 2005): Celeritas Technologies Ltd. v. Rockwell International Corp., 150 F.3d 1354, 1361, 47 USPQ2d 1516, 1522-23 (Fed. Cir. 1998). Conclusion The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEREMY L STANLEY whose telephone number is (469)295-9105. The examiner can normally be reached on Monday-Friday from 9:00 AM to 5:00 PM CST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Abdullah Al Kawsar, can be reached at telephone number (571) 270-3169. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from Patent Center and the Private Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from Patent Center or Private PAIR. Status information for unpublished applications is available through Patent Center and Private PAIR for authorized users only. Should you have questions about access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/uspto-automated- interview-request-air-form. /JEREMY L STANLEY/ Primary Examiner, Art Unit 2127