DETAILED ACTION
This action is in response to the amendment filed on May 12, 2026. Claims 1, 11, 19, and 20 have been amended. No Claims have been canceled. Claims 1-20 are pending. Claims 1-18 represent a method, claim 19 represents a system, and claim 20 represents a non-transitory computer readable medium directed to machine learning techniques for updating configuration of a computer network security system.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 112
The rejection to Claim 11 has been withdrawn in view of the amendments to the claims submitted on May 12, 2026.
Response to Arguments
Applicant's arguments filed on May 12, 2026 have been fully considered and with respect to the arguments directed to Grover in Claims 1, 19, and 20, they are moot in view of the amendments made to the claims as the new grounds of rejection does not rely on Grover. With respect to the arguments directed to Thompson, they have been fully considered but they are not persuasive.
On page 10 of the Remarks, the Applicant states that Thompson has a “complete, self-contained pipeline for generating signatures” such that there is “no gap…that would necessitate incorporating a Machine Learning Model”.
This argument is not persuasive.
The argument proposed by the Applicant does not address the limitation as amended. Thompson generates its signatures after clustering, by performing an analysis on the header fields of the packets within an already-formed cluster (Thompson, ¶ 45). Thompson’s signatures are a product of clustering, not the points that are clustered. Amended claim 1 requires a trained ML model generates the signatures, and those signatures are the points “for subsequent clustering”. Thompson’s self-contained pipeline does not produce signatures of this kind, and the Applicant’s amendments give rise to this deficiency in which Gurnov is relied upon.
On pages 10-11 of the Remarks, the Applicant states that Thompson merely “extracts field values from a cluster… as a signature” and that “there is no description…where a cluster is selected as the basis for updating the configuration”.
This argument is not persuasive.
Thompson discloses in ¶ 44 determining the cluster having the highest density and uses the selected cluster as the basis for the “bad signature”, from which the rules provided to the policy enforcement point are generated. It is the selection of the highest-density cluster that drives the resulting configuration update.
However, upon further consideration, a new ground(s) of rejection to the independent claims (1, 19, and 20) is made in view of Thompson and Gurnov.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 3, 5, 7-14, and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Thompson et al. (US 20200036684), hereinafter referred to as Thompson in view of Gurnov et al. (US 20230199006), hereinafter referred to as Gurnov.
Regarding Claim 1, Thompson discloses:
A method for using machine learning (ML) to update a configuration of a computer network security system operating in a cloud computing environment (In the abstract, Thompson discloses “methods and systems for cluster-based determination of signatures for detection of anomalous data traffic…The method may further include providing, by the processor, the one or more rules to a policy enforcement point associated with the destination.”), the method comprising: using at least one computer hardware processor to perform: obtaining a plurality of datasets containing information about a respective plurality of events detected by the computer network security system in the cloud computing environment (In ¶ 38, Thompson discloses “The data packet 305 can be captured in blocks of a pre-determined size, for example 10,000 of packets. The data packets 305 may include TCP/IP data packets. During the “peace time”, the structure of the data packets 305 can be analyzed using a transport layer (layer 4) protocol.” And further in ¶ 27 “The data source(s) 105 can be configured to send data packets, for example TCP/IP requests, to destination 120, via a network 130.”); identifying a particular event cluster from among the clusters of events as a selected cluster for updating the configuration of the computer network security system (In ¶ 44, Thompson discloses “A “bad signature” can be further extracted from the cluster with the highest density. The signature can be extracted using an iterations procedure based on a genetic algorithm.” And in ¶ 45 “The fields with the most frequent value higher than 50% of the confidence level may be considered as signature fields and can be used in generation of rules.”); and updating the configuration of the computer network security system based on characteristics of events in the selected event cluster, the updating comprising configuring the computer security network system to use one or more new event processing rules generated based on characteristics of events in the selected event cluster (In ¶ 45, Thompson discloses “performing a frequency analysis to determine the most frequent value for header fields (source, destination port, sequence number, header length, flags, checksum, and others) in data packets…The fields with the most frequent value higher than 50% of the confidence level may be considered as signature fields and can be used in generation of rules.” And further in ¶ 46 “In block 340, the method 300 may proceed with generating rules based on the new signature, testing the rules, and determining the confidence level of the rules.”).
Thompson discloses the use of a cloud computing system capable of clustering, however does not explicitly disclose the use of Machine Learning Models.
Gurnov discloses:
generating, using at least one trained ML model, a plurality of signatures representing the plurality of events, the generating comprising processing the plurality of datasets using the at least one trained ML model to obtain the plurality of signatures as points for subsequent clustering (In ¶ 93 Gurnov discloses “an embedding signature (i.e., embedding value or vector) for the target digital event based on the digital event activity sequence. In such embodiments, a target digital event sequence may be converted by an embeddings model, such as an autoencoder, to a unique vector mapped to a multi-dimensional space that includes a volume of distinct embedding signatures or vectors for a plurality of distinct target digital events.”) clustering the plurality of signatures generated using the at least one trained ML model to obtain signature clusters representing clusters of events in the plurality of events (In ¶ 99, Gurnov discloses “the search may include performing one or more cluster identification techniques (e.g., a k-nearest neighbor or the like) to identify whether the embedding value maps to a cluster of embedding signatures of the multi-dimensional embedding space.” And further discloses in ¶ 102 “implementing one or more unsupervised machine learning models that… predict a plurality of distinct clusters of digital activity signatures based on the model input;”);
One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Gurnov’s approach of using a trained autoencoder-embedding signature approach as the motivation would be that prior signature-based detection implementations lack the capabilities to detect new and/or never been encountered before digital threats and automatically evolve the technology implementation to respond and neutralize the digital threats (See Gurnov, ¶ 5)
Regarding Claim 3, the combination of Thompson and Gurnov disclose:
The method of claim 2, wherein obtaining the plurality of datasets comprises: monitoring the network traffic in the cloud computing environment to detect events (In ¶ 31, Thompson discloses “The system 140 can be configured to monitor data traffic routed to the destination 150”); identifying a subset of the detected events as the plurality of events (In ¶ 7, Thompson discloses “The method may also include grouping, by at least one processor in communication with the network module, the data packets in clusters.”); and generating the plurality of datasets containing information about the plurality of events (In ¶ 8, Thompson discloses “Grouping the data packets in clusters may include transforming the data packets into a set of multidimensional vectors according to a pre-determined mapping and clustering of multidimensional vectors.”).
Regarding Claim 5, the combination of Thompson and Gurnov disclose:
The method of claim 1, wherein the plurality of datasets comprises a first dataset comprising information about a first event in the plurality of events (In ¶ 38, Thompson discloses “The data packet 305 can be captured in blocks of a pre-determined size, for example 10,000 of packets.”);
However, Thompson does not explicitly disclose machine learning models when performing clustering.
Gurnov discloses:
wherein the at least one trained ML model comprises a first trained ML model (In ¶ 95, Gurnov discloses “ In a preferred embodiment, the embeddings model may be an Autoencoder model.”); wherein generating the plurality of signatures comprises generating a first signature for the first event in the plurality of events (In ¶ 93, Gurnov discloses “S230 may function to generate, via an embeddings machine learning model, an embedding signature (i.e., embedding value or vector) for the target digital event based on the digital event activity sequence.”), and wherein generating the first signature comprises: generating an initial numeric representation of the first dataset (In ¶ 96, Gurnov discloses “S230 may function to construct a digital activity signature that graphically represents the identified digital event activity sequence”); and providing the initial numeric representation as input to the first trained ML model to obtain the first signature (In ¶ 96, Gurnov discloses “S230 may function to provide the digital event signature as input to the above-described embeddings model, which in turn, may produce, as output, a corresponding embedding signature”), wherein the first signature is a lower-dimensional numeric representation than the initial numeric representation (In ¶ 93, Gurnov discloses “a target digital event sequence may be converted by an embeddings model, such as an autoencoder,”).
One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Gurnov’s approach of using a trained autoencoder-embedding signature approach as the motivation would be that prior signature-based detection implementations lack the capabilities to detect new and/or never been encountered before digital threats and automatically evolve the technology implementation to respond and neutralize the digital threats (See Gurnov, ¶ 5)
Regarding Claim 7, the combination of Thompson and Gurnov disclose the limitations of Claim 5.
However, Thompson does not explicitly disclose machine learning models when performing clustering.
Gurnov discloses:
The method of claim 5, wherein the first trained ML model comprises a first autoencoder. (In ¶ 93, Gurnov discloses “S230 may function to generate, via an embeddings machine learning model, an embedding signature (i.e., embedding value or vector) for the target digital event based on the digital event activity sequence.”)
One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Gurnov’s approach of using a trained autoencoder-embedding signature approach as the motivation would be that prior signature-based detection implementations lack the capabilities to detect new and/or never been encountered before digital threats and automatically evolve the technology implementation to respond and neutralize the digital threats (See Gurnov, ¶ 5)
Regarding Claim 8, the combination of Thompson and Gurnov disclose:
The method of claim 1, and wherein generating the plurality of signatures comprises: generating initial numeric representations of the datasets corresponding to events of different types (In ¶ 40, Thompson discloses “The vectors representing the data packets can be partitioned into clusters using a clustering algorithm, such as K-means algorithms.”).
However, Thompson does not explicitly disclose the use of multiple models.
wherein the at least one trained ML model comprises different trained ML models for processing datasets corresponding to events of different types (In ¶ 102, Gurnov discloses “implementing one or more unsupervised machine learning models that: (a) receive model input comprising the plurality of distinct digital activity signatures, and (b) predict a plurality of distinct clusters of digital activity signatures based on the model input”), and processing the initial numeric representations using the different trained ML models to obtain the plurality of signatures (In ¶ 93, Gurnov discloses “In one or more embodiments, S230 may function to generate, via an embeddings machine learning model, an embedding signature (i.e., embedding value or vector) for the target digital event based on the digital event activity sequence.”).
One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Gurnov’s approach of using a trained autoencoder-embedding signature approach as the motivation would be that prior signature-based detection implementations lack the capabilities to detect new and/or never been encountered before digital threats and automatically evolve the technology implementation to respond and neutralize the digital threats (See Gurnov, ¶ 5)
Regarding Claim 9, the combination of Thompson and Gurnov disclose:
The method of claim 8, wherein events of different types correspond to network communications of different types of attacks on one or more software applications executing in the cloud computing environment. (In ¶ 7, Thompson discloses “The method may also include detecting, by the least one processor, an anomaly in the data packets and, in response to the detection, determining, by the processor and based on the clusters, one or more signatures associated with the data packets.”)
Regarding Claim 10, the combination of Thompson and Gurnov disclose the limitations of Claim 1.
However, Thompson does not explicitly disclose a DBSCAN algorithm.
Gurnov discloses:
The method of claim 1, wherein the clustering is performed using a density-based clustering algorithm, and wherein the density-based clustering algorithm is a density-based spatial clustering of applications with noise (DBSCAN) algorithm or a hierarchical density-based spatial clustering of applications with noise (HDBSCAN) algorithm. (In ¶ 50, Gurnov discloses “a clustering method (e.g., k-means clustering, density-based spatial clustering of applications with noise (DBSCAN), expectation maximization, and/or the like)”).
One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Gurnov’s approach of using a trained autoencoder-embedding signature approach as the motivation would be that prior signature-based detection implementations lack the capabilities to detect new and/or never been encountered before digital threats and automatically evolve the technology implementation to respond and neutralize the digital threats (See Gurnov, ¶ 5)
Regarding Claim 11, the combination of Thompson and Gurnov discloses the limitations of claim 1.
However, Thompson does not explicitly disclose the use of a web interface.
Gurnov discloses:
wherein identifying the particular event cluster comprises: generating a visualization of the clusters of events (In ¶ 96, Gurnov discloses “S230 may function to construct a digital activity signature that graphically represents the identified digital event activity sequence (e.g., suspected automated fraud attack).”); displaying the visualization via a graphical user interface (GUI) (In ¶ 53, Gurnov discloses “The web interface 120 may include any suitable graphical frontend that can be accessed via a web browser using a computing device.”); and receiving, via the GUI, a selection of a particular event cluster (In ¶ 54, Gurnov discloses “The web interface 120 may be used by an entity or service provider to make any suitable request including requests to generate global digital threat scores and specific digital threat scores. In some embodiments, the web interface 120 comprises an application programming interface (API) client and/or a client browser.”).
One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Gurnov’s approach of using a web interface as the motivation would be allow the client to monitor and assess threats identified by the system (See Gurnov, ¶ 53)
Regarding Claim 12, the combination of Thompson and Gurnov disclose the limitations of claim 11.
However, Thompson does not explicitly disclose the use of a web interface.
Gurnov discloses:
wherein generating the visualization comprises: applying a dimensionality reduction technique to the signature clusters to obtain a two- or-three dimensional representation of the signature clusters; and generating a visualization of the clusters of events by generating a visualization of the two- or three-dimensional representation of the signature clusters (In ¶ 50, Gurnov discloses “a dimensionality reduction method (e.g., principal component analysis, partial lest squares regression, Sammon mapping, multidimensional scaling, projection pursuit, and/or the like),”).
One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Gurnov’s approach of using a web interface as the motivation would be allow the client to monitor and assess threats identified by the system (See Gurnov, ¶ 53)
Regarding Claim 13, the combination of Thompson and Gurnov disclose:
The method of claim 1, wherein identifying the particular event cluster comprises: automatically identifying the particular cluster by applying one or more pre-defined rules to characteristics of events in the clusters of events (In ¶ 48, Thompson discloses “In block 345, the method 300 may proceed with generating, based on the rules, decision functions that can be provided to the policy enforcement point in order to filter data packets”).
Regarding Claim 14, the combination of Thompson and Gurnov disclose:
The method of claim 1, wherein updating the configuration of the computer network security system, comprises: generating, based on the characteristics of the events in the identified particular event cluster, the one or more new event processing rules for processing events detected by the computer network security system in the cloud computing environment (In ¶ 46, Thompson discloses “In block 340, the method 300 may proceed with generating rules based on the new signature, testing the rules, and determining the confidence level of the rules.” And further in ¶ 48 discloses “In block 345, the method 300 may proceed with generating, based on the rules, decision functions that can be provided to the policy enforcement point in order to filter data packets.”).
Regarding Claim 16, the combination of Thompson and Gurnov disclose:
The method of claim 1, wherein the computer network security system is configured to monitor traffic from and/or to one or more software applications executing in the cloud computing environment (In ¶ 31, Thompson discloses “ The system 140 can be configured to monitor data traffic routed to the destination 150 and dynamically determine signatures of the data traffic and rules for allowing and blocking the data packets and provide the signature(s) and the rule(s) to the policy enforcement point 150.” And In ¶ 60, Thompson further discloses “In some embodiments, the computer system 700 may be implemented as a cloud-based computing environment, such as a virtual machine operating within a computing cloud.”), wherein the one or more software applications comprise one or more web servers and the plurality of events comprises one or more HTTP requests to the one or more web servers (In ¶ 27, Thompson discloses “The data source(s) 105 can be configured to send data packets, for example TCP/IP requests, to destination 120, via a network 130.”).
Regarding Claim 17, the combination of Thompson and Gurnov disclose the limitations of claim 1.
However, Thompson does not explicitly disclose API calls.
Gurnov discloses:
The method of claim 1, wherein the computer network security system is configured to monitor traffic from and/or to a software application having an application programming interface (API) and wherein the plurality of events comprises one or more API calls to the API of the software application. (In ¶ 26, Gurnov discloses “In some embodiments, the digital event is occurring at a web-enabled service of a subscriber, and identifying the digital event includes contemporaneously receiving properties or attributes of the digital event via an application programming interface (API).”).
One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Gurnov’s approach of using an API as the motivation would be using an API with the data sources allows for a structured format of data to be ingested by the service (See Gurnov, ¶ 26)
Regarding Claim 18, the combination of Thompson and Gurnov disclose:
The method of claim 1, further comprising: obtaining a second plurality of datasets containing information about a respective second plurality of events detected by the computer network security system in the cloud computing environment (In ¶ 38, Thompson discloses “The data packet 305 can be captured in blocks of a pre-determined size, for example 10,000 of packets. The data packets 305 may include TCP/IP data packets.”); and updating the configuration of the computer network security system to process events corresponding to the at least some signatures using the generated one or more rules (In ¶ 48, Thompson discloses “In block 345, the method 300 may proceed with generating, based on the rules, decision functions that can be provided to the policy enforcement point in order to filter data packets.”).
However, Thompson does not explicitly disclose machine learning models when performing clustering.
Gurnov discloses:
generating, using the at least one trained ML model, a second plurality of signatures representing the second plurality of events (In ¶ 93, Gurnov discloses “S230 may function to generate, via an embeddings machine learning model, an embedding signature (i.e., embedding value or vector) for the target digital event based on the digital event activity sequence.”), the generating comprising processing the second plurality of datasets using the at least one trained ML model to obtain the second plurality of signatures (In ¶ 95, Gurnov discloses “the embeddings model may be an Autoencoder model”); associating at least some signatures of the second plurality of signatures to a signature cluster corresponding to the identified particular event signature cluster (In ¶ 99, Gurnov discloses “the search may include performing one or more cluster identification techniques (e.g., a k-nearest neighbor or the like) to identify whether the embedding value maps to a cluster of embedding signatures of the multi-dimensional embedding space.” and further in ¶ 100 “the query optionally returns one or more clusters that are “close” to the first embedding signature (e.g., returns the clusters in the automated fraud or abuse signature registry that are within a predetermined cosine or Euclidean distance threshold (e.g., 0.0, 0.1, 0.2, 0.5, 0.7, 1, 1.3, 1.5, 1.9, and/or the like) from the embedding signature ”);
One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Gurnov’s approach of using a trained autoencoder-embedding signature approach as the motivation would be that prior signature-based detection implementations lack the capabilities to detect new and/or never been encountered before digital threats and automatically evolve the technology implementation to respond and neutralize the digital threats (See Gurnov, ¶ 5)
Claim 19 is directed to a system having functionality corresponding to the method of Claim 1, and is rejected by a similar rationale, mutatis mutandis.
Claim 20 is directed to a non-transitory computer readable medium having functionality corresponding to the method of Claim 1, and is rejected by a similar rationale, mutatis mutandis.
Claim(s) 2, 4, 6, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Thompson et al. (US 20200036684), hereinafter referred to as Thompson in view of Gurnov et al (US 20230199006), hereinafter referred to as Gurnov, in further view of Grover et al. (US 20240259347), hereinafter referred to as Grover.
Regarding Claim 2, the combination of Thompson and Gurnov disclose the limitations of Claim 1.
However, Thompson does not disclose the use of a web application firewall.
Grover discloses:
The method of claim 1, wherein the computer network security system comprises a web application firewall (WAF) configured to monitor network traffic from and to one or more software applications executing in the cloud computing environment (In ¶ 17, Grover discloses “FIG. 1 is an exemplary system for an ML based WAF according to an embodiment. The system includes a server 110 that receives network traffic (e.g., HTTP/S requests) and processes the traffic using an ML based WAF.”).
One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Grover’s approach of using a machine learning model as the motivation would be using a machine learning model when developing web application firewall rules allows for interpretability wherein the model allows administrators and users to see how the model is utilizing the rules for traffic filtering (See Grover, ¶ 35)
Regarding Claim 4, the combination of Thompson and Gurnov disclose the limitations of Claim 1.
However, Thompson does not explicitly disclose the type of attack.
Grover discloses:
The method of claim 1, wherein an event in the plurality of events may comprise one or more network communications of: a cross-site scripting (XSS) attack, a cross-site forgery attack, an HTTP redirect attack, an XML external entity (XXE) attack, an account takeover (ATO) attack, a structured query language (SQL) injection attack, an operating system (OS) command injection attack, a file path traversal attack, and/or a local file inclusion (LFI) attack. (In ¶ 18, Grover discloses “The ML-WAF 120 implements a classifier to distinguish various traffic types and attack vectors such as SQLi, XSS, and command injection based on structural and/or statistical properties of the content (e.g., request data).”).
One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Grover’s approach of using a machine learning model as the motivation would be using a machine learning model when developing web application firewall rules allows for interpretability wherein the model allows administrators and users to see how the model is utilizing the rules for traffic filtering (See Grover, ¶ 35)
Regarding Claim 6, the combination of Thompson and Gurnov disclose the limitations of Claim 5.
However, Thompson does not explicitly disclose the use of a character embedding model.
Grover discloses:
The method of claim 5, wherein generating the initial numeric representation of the first dataset is performed using a character embedding model (In ¶ 23, Grover discloses “The preprocessor 122 may transform the byte-string content (pre or post transformations) into vectors of integers where each integer represents a token in a finite vocabulary… Other algorithms may be used to vectorize the data such as TF-IDF, FastText, Word2Vec, and GloVe.”).
One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Grover’s approach of using a machine learning model as the motivation would be using a machine learning model when developing web application firewall rules allows for interpretability wherein the model allows administrators and users to see how the model is utilizing the rules for traffic filtering (See Grover, ¶ 35)
Regarding Claim 15, the combination of Thompson and Gurnov disclose:
The method of claim 14, wherein generating the one or more new event processing rules comprises generating one or more rules for use by the WAF while monitoring network traffic to one or more software applications executing in the cloud computing environment, and wherein updating the configuration comprises configuring the WAF to use the generated one or more rules. (In ¶ 46, Thompson discloses “In block 340, the method 300 may proceed with generating rules based on the new signature, testing the rules, and determining the confidence level of the rules.” And further in ¶ 48 discloses “In block 345, the method 300 may proceed with generating, based on the rules, decision functions that can be provided to the policy enforcement point in order to filter data packets.”).
However, Thompson does not disclose the use of a web application firewall.
Grover discloses:
wherein the computer network security system comprises a web application firewall (WAF) (In ¶ 17, Grover discloses “FIG. 1 is an exemplary system for an ML based WAF according to an embodiment. The system includes a server 110 that receives network traffic (e.g., HTTP/S requests) and processes the traffic using an ML based WAF.”).
One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Grover’s approach of using a machine learning model as the motivation would be using a machine learning model when developing web application firewall rules allows for interpretability wherein the model allows administrators and users to see how the model is utilizing the rules for traffic filtering (See Grover, ¶ 35)
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Barford et al. (US 8065722) discloses a method for generating signatures for malicious network traffic performs a cluster analysis of known malicious traffic to create a signature in the form of a state machine.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHADI H KOBROSLI whose telephone number is (571)272-1952. The examiner can normally be reached M-F 9am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached at 571-272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHADI H KOBROSLI/Examiner, Art Unit 2492 /RUPAL DHARIA/Supervisory Patent Examiner, Art Unit 2492