Prosecution Insights
Last updated: April 19, 2026
Application No. 18/129,802

MACHINE LEARNING TECHNIQUES FOR UPDATING CONFIGURATION OF A COMPUTER NETWORK SECURITY SYSTEM

Non-Final OA: §103, §112
Filed: Mar 31, 2023
Examiner: KOBROSLI, SHADI HASSAN
Art Unit: 2492
Tech Center: 2400 — Computer Networks
Assignee: Rapid7 Inc.
OA Round: 3 (Non-Final)
Grant Probability: 70% (Favorable)
OA Rounds: 3-4
To Grant: 3y 5m
With Interview: 99%

Examiner Intelligence

Grants 70% — above average
Career Allow Rate: 70% (57 granted / 81 resolved; +12.4% vs TC avg)
Strong +42% interview lift
Interview Lift: +41.8% (resolved cases with interview)
Typical timeline: 3y 5m avg prosecution; 27 currently pending
Career history: 108 total applications across all art units

Statute-Specific Performance

§101: 6.4% (-33.6% vs TC avg)
§103: 50.3% (+10.3% vs TC avg)
§102: 19.6% (-20.4% vs TC avg)
§112: 20.4% (-19.6% vs TC avg)
Based on career data from 81 resolved cases

Office Action

§103 §112
DETAILED ACTION

This action is in response to the Request for Continued Examination filed on December 19, 2025. Claims 1, 10, 14, 15, 17, 19, and 20 have been amended. No Claims have been canceled. Claims 1-20 are pending. Claims 1-18 represent a method, claim 19 represents a system, and claim 20 represents a non-transitory computer readable medium directed to machine learning techniques for updating configuration of a computer network security system.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on December 19, 2025 has been entered.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(d):

(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA 35 U.S.C. 112, fourth paragraph:

Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA 35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claim 11 is rejected under 35 U.S.C. 112(d) or pre-AIA 35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends. Claim 11 discloses the limitation “or any other preceding claim”, which renders the dependency unclear. Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

Response to Arguments

Applicant’s arguments in light of the amendments made to the claims, see Remarks, filed December 19, 2025, with respect to the rejection(s) of claim(s) 1-20 under 35 USC 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Thompson, Grover, and Gurnov.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-4, 13-16, and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Thompson et al. (US 20200036684), hereinafter referred to as Thompson in view of Grover et al. (US 20240259347), hereinafter referred to as Grover.

Regarding Claim 1, Thompson discloses:

A method for using machine learning (ML) to update a configuration of a computer network security system operating in a cloud computing environment (In the abstract, Thompson discloses “methods and systems for cluster-based determination of signatures for detection of anomalous data traffic…The method may further include providing, by the processor, the one or more rules to a policy enforcement point associated with the destination.”), the method comprising: using at least one computer hardware processor to perform:

obtaining a plurality of datasets containing information about a respective plurality of events detected by the computer network security system in the cloud computing environment (In ¶ 38, Thompson discloses “The data packet 305 can be captured in blocks of a pre-determined size, for example 10,000 of packets. The data packets 305 may include TCP/IP data packets. During the “peace time”, the structure of the data packets 305 can be analyzed using a transport layer (layer 4) protocol.”);

clustering the plurality of signatures to obtain signature clusters representing clusters of events in the plurality of events (In ¶ 40, Thompson discloses “A new packet can be assigned to one of the one of the cluster by mapping the new packet to a new vector and determining to which cluster of vectors the new vector belongs.”);

identifying a particular event cluster from among the clusters of events (In ¶ 46, Thompson discloses “Method 300 may include generation of new clusters, determining new outlier detection models, and extraction of new signatures.”); and

updating the configuration of the computer network security system based on characteristics of events in the identified particular event cluster, the updating comprising configuring the computer security network system to use one or more new event processing rules generated based on characteristics of events in the particular event cluster (In ¶ 46, Thompson discloses “In block 340, the method 300 may proceed with generating rules based on the new signature, testing the rules, and determining the confidence level of the rules.” And further in ¶ 48 discloses “In block 345, the method 300 may proceed with generating, based on the rules, decision functions that can be provided to the policy enforcement point in order to filter data packets.”).

Thompson discloses the use of a cloud computing system capable of clustering, however does not explicitly disclose the use of Machine Learning Models.

Grover discloses:

generating, using at least one trained ML model, a plurality of signatures representing the plurality of events (In ¶ 16, Grover discloses “The one or more transformations may include normalization and generation of a signature over the normalized data.”), the generating comprising processing the plurality of datasets using the at least one trained ML model to obtain the plurality of signatures (In ¶ 37, Grover discloses “For example, the first stage of the machine learning model includes a first attention layer operating on the first vector of integers to build a signature context (that defines signature tokens that are relevant to the classification task which in this case are signature tokens that are commonly associated with different classes of attack)….Thus, a signature context may specify signature tokens that are commonly associated with different classes of attack.”);

One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Grover’s approach of using a machine learning model as the motivation would be using a machine learning model when developing web application firewall rules allows for interpretability wherein the model allows administrators and users to see how the model is utilizing the rules for traffic filtering (See Grover, ¶ 35)

Regarding Claim 2, the combination of Thompson and Grover disclose:

However, Thompson does not disclose the use of a web application firewall.

Grover discloses:

The method of claim 1, wherein the computer network security system comprises a web application firewall (WAF) configured to monitor network traffic from and to one or more software applications executing in the cloud computing environment (In ¶ 17, Grover discloses “FIG. 1 is an exemplary system for an ML based WAF according to an embodiment. The system includes a server 110 that receives network traffic (e.g., HTTP/S requests) and processes the traffic using an ML based WAF.”).

One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Grover’s approach of using a machine learning model as the motivation would be using a machine learning model when developing web application firewall rules allows for interpretability wherein the model allows administrators and users to see how the model is utilizing the rules for traffic filtering (See Grover, ¶ 35)

Regarding Claim 3, the combination of Thompson and Grover disclose:

The method of claim 2, wherein obtaining the plurality of datasets comprises: monitoring the network traffic in the cloud computing environment to detect events (In ¶ 31, Thompson discloses “The system 140 can be configured to monitor data traffic routed to the destination 150”); identifying a subset of the detected events as the plurality of events (In ¶ 7, Thompson discloses “The method may also include grouping, by at least one processor in communication with the network module, the data packets in clusters.”); and generating the plurality of datasets containing information about the plurality of events (In ¶ 8, Thompson discloses “Grouping the data packets in clusters may include transforming the data packets into a set of multidimensional vectors according to a pre-determined mapping and clustering of multidimensional vectors.”).

Regarding Claim 4, the combination of Thompson and Grover disclose the limitations of Claim 1.

However, Thompson does not explicitly disclose the type of attack.

Grover discloses:

The method of claim 1, wherein an event in the plurality of events may comprise one or more network communications of: a cross-site scripting (XSS) attack, a cross-site forgery attack, an HTTP redirect attack, an XML external entity (XXE) attack, an account takeover (ATO) attack, a structured query language (SQL) injection attack, an operating system (OS) command injection attack, a file path traversal attack, and/or a local file inclusion (LFI) attack. (In ¶ 18, Grover discloses “The ML-WAF 120 implements a classifier to distinguish various traffic types and attack vectors such as SQLi, XSS, and command injection based on structural and/or statistical properties of the content (e.g., request data).”).

One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Grover’s approach of using a machine learning model as the motivation would be using a machine learning model when developing web application firewall rules allows for interpretability wherein the model allows administrators and users to see how the model is utilizing the rules for traffic filtering (See Grover, ¶ 35)

Regarding Claim 13, the combination of Thompson and Grover disclose:

The method of claim 1, wherein identifying the particular event cluster comprises: automatically identifying the particular cluster by applying one or more pre-defined rules to characteristics of events in the clusters of events (In ¶ 48, Thompson discloses “In block 345, the method 300 may proceed with generating, based on the rules, decision functions that can be provided to the policy enforcement point in order to filter data packets”).

Regarding Claim 14, the combination of Thompson and Grover disclose:

The method of claim 1, wherein updating the configuration of the computer network security system, comprises: generating, based on the characteristics of the events in the identified particular event cluster, the one or more new event processing rules for processing events detected by the computer network security system in the cloud computing environment (In ¶ 46, Thompson discloses “In block 340, the method 300 may proceed with generating rules based on the new signature, testing the rules, and determining the confidence level of the rules.” And further in ¶ 48 discloses “In block 345, the method 300 may proceed with generating, based on the rules, decision functions that can be provided to the policy enforcement point in order to filter data packets.”).

Regarding Claim 15, the combination of Thompson and Grover disclose:

The method of claim 14, wherein generating the one or more new event processing rules comprises generating one or more rules for use by the WAF while monitoring network traffic to one or more software applications executing in the cloud computing environment, and wherein updating the configuration comprises configuring the WAF to use the generated one or more rules. (In ¶ 46, Thompson discloses “In block 340, the method 300 may proceed with generating rules based on the new signature, testing the rules, and determining the confidence level of the rules.” And further in ¶ 48 discloses “In block 345, the method 300 may proceed with generating, based on the rules, decision functions that can be provided to the policy enforcement point in order to filter data packets.”).

However, Thompson does not disclose the use of a web application firewall.

Grover discloses:

wherein the computer network security system comprises a web application firewall (WAF) (In ¶ 17, Grover discloses “FIG. 1 is an exemplary system for an ML based WAF according to an embodiment. The system includes a server 110 that receives network traffic (e.g., HTTP/S requests) and processes the traffic using an ML based WAF.”).

One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Grover’s approach of using a machine learning model as the motivation would be using a machine learning model when developing web application firewall rules allows for interpretability wherein the model allows administrators and users to see how the model is utilizing the rules for traffic filtering (See Grover, ¶ 35)

Regarding Claim 16, the combination of Thompson and Grover disclose:

The method of claim 1, wherein the computer network security system is configured to monitor traffic from and/or to one or more software applications executing in the cloud computing environment (In ¶ 31, Thompson discloses “The system 140 can be configured to monitor data traffic routed to the destination 150 and dynamically determine signatures of the data traffic and rules for allowing and blocking the data packets and provide the signature(s) and the rule(s) to the policy enforcement point 150.” And In ¶ 60, Thompson further discloses “In some embodiments, the computer system 700 may be implemented as a cloud-based computing environment, such as a virtual machine operating within a computing cloud.”), wherein the one or more software applications comprise one or more web servers and the plurality of events comprises one or more HTTP requests to the one or more web servers (In ¶ 27, Thompson discloses “The data source(s) 105 can be configured to send data packets, for example TCP/IP requests, to destination 120, via a network 130.”).

Regarding Claim 18, the combination of Thompson and Grover disclose:

The method of claim 1, further comprising:

obtaining a second plurality of datasets containing information about a respective second plurality of events detected by the computer network security system in the cloud computing environment (In ¶ 38, Thompson discloses “The data packet 305 can be captured in blocks of a pre-determined size, for example 10,000 of packets. The data packets 305 may include TCP/IP data packets. During the “peace time”, the structure of the data packets 305 can be analyzed using a transport layer (layer 4) protocol.”);

associating at least some signatures of the second plurality of signatures to a signature cluster corresponding to the identified particular event signature cluster (In ¶ 40, Thompson discloses “A new packet can be assigned to one of the one of the cluster by mapping the new packet to a new vector and determining to which cluster of vectors the new vector belongs.”); and

updating the configuration of the computer network security system to process events corresponding to the at least some signatures using the generated one or more rules. (In ¶ 46, Thompson discloses “In block 340, the method 300 may proceed with generating rules based on the new signature, testing the rules, and determining the confidence level of the rules.” And further in ¶ 48 discloses “In block 345, the method 300 may proceed with generating, based on the rules, decision functions that can be provided to the policy enforcement point in order to filter data packets.”)

Thompson discloses the use of a cloud computing system capable of clustering, however does not explicitly disclose the use of Machine Learning Models.

Grover discloses:

generating, using the at least one trained ML model, a second plurality of signatures representing the second plurality of events (In ¶ 16, Grover discloses “The one or more transformations may include normalization and generation of a signature over the normalized data.”), the generating comprising processing the second plurality of datasets using the at least one trained ML model to obtain the second plurality of signatures (In ¶ 37, Grover discloses “For example, the first stage of the machine learning model includes a first attention layer operating on the first vector of integers to build a signature context (that defines signature tokens that are relevant to the classification task which in this case are signature tokens that are commonly associated with different classes of attack)….Thus, a signature context may specify signature tokens that are commonly associated with different classes of attack.”);

One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Grover’s approach of using a machine learning model as the motivation would be using a machine learning model when developing web application firewall rules allows for interpretability wherein the model allows administrators and users to see how the model is utilizing the rules for traffic filtering (See Grover, ¶ 35)

Claim 19 is directed to a system having functionality corresponding to the method of Claim 1, and is rejected by a similar rationale, mutatis mutandis.

Claim 20 is directed to a non-transitory computer readable medium having functionality corresponding to the method of Claim 1, and is rejected by a similar rationale, mutatis mutandis.

Claim(s) 5-12 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Thompson et al. (US 20200036684), hereinafter referred to as Thompson in view of Grover et al. (US 20240259347), hereinafter referred to as Grover, in further view of Gurnov et al. (US 20230199006), hereinafter referred to as Gurnov.

Regarding Claim 5, the combination of Thompson and Grover disclose:

The method of claim 1, wherein the plurality of datasets comprises a first dataset comprising information about a first event in the plurality of events (In ¶ 7, Thompson discloses “The method may also include grouping, by at least one processor in communication with the network module, the data packets in clusters.”); wherein generating the plurality of signatures comprises generating a first signature for the first event in the plurality of events (In ¶ 7, Thompson discloses “The method may also include detecting, by the least one processor, an anomaly in the data packets and, in response to the detection, determining, by the processor and based on the clusters, one or more signatures associated with the data packets.”),

However, Thompson does not explicitly disclose the use of Machine Learning Models.

Grover discloses:

wherein the at least one trained ML model comprises a first trained ML model (In ¶ 16, Grover discloses “The one or more transformations may include normalization and generation of a signature over the normalized data.”), generating an initial numeric representation of the first dataset (In ¶ 24, Grover discloses “The multidimensional input vector may include a vector of integers on the generated signature, a vector of integers on the normalized data, and/or a vector of integers on the raw data.”); and providing the initial numeric representation as input to the first trained ML model to obtain the first signature (In ¶ 26, Grover discloses “The preprocessor 124 vectorizes the normalized data at operation 325 to produce the normalized vector 335. The preprocessor 124 vectorizes the generated signature at operation 330 to produce the signature vector 340.”)

One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Grover’s approach of using a machine learning model as the motivation would be using a machine learning model when developing web application firewall rules allows for interpretability wherein the model allows administrators and users to see how the model is utilizing the rules for traffic filtering (See Grover, ¶ 35)

However, Thompson does not explicitly disclose the use of compression of the vector.

Gurnov discloses:

and wherein generating the first signature comprises: wherein the first signature is a lower-dimensional numeric representation than the initial numeric representation. (In ¶ 94, Gurnov discloses “In response to S230 providing the identified or derived digital event activity sequence to the embeddings machine learning model, the embeddings machine learning model may produce, as output, a corresponding embedding signature (as generally illustrated in FIG. 4A). It shall be noted that the term “embedding signature” may also be referred to herein as an “encoded or compressed digital activity signature.”)

One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Gurnov’s approach of using clustering as the motivation would be using a clustering method and reduction of dimensionality allows for the machine learning algorithm to run unsupervised and automated to properly identify the event clusters based on the reduction algorithm generated from the autoencoder (See Gurnov, ¶ 99)

Regarding Claim 6, the combination of Thompson, Grover, and Gurnov disclose the limitations of Claim 5.

However, Thompson does not explicitly disclose the use of a character embedding model.

Grover discloses:

The method of claim 5, wherein generating the initial numeric representation of the first dataset is performed using a character embedding model (In ¶ 22, Grover discloses “The transformation(s) may include performing one or more of the following: URL-decode (single or recursive), replace HTML entities, replace JavaScript entities (e.g., map instances of characters represented as ‘uXXX’ or ‘u{XX}’ to their ASCII representation), replace hex entities (e.g., map instances of characters represented as \\xSSS to their ASCII representation), base64 decode, and/or character substitution (e.g., replacing all instances of one or more characters with a replacement such as mapping digits 0-9 to a special token).”).

One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Grover’s approach of using a machine learning model as the motivation would be using a machine learning model when developing web application firewall rules allows for interpretability wherein the model allows administrators and users to see how the model is utilizing the rules for traffic filtering (See Grover, ¶ 35)

Regarding Claim 7, the combination of Thompson, Grover, and Gurnov disclose the limitations of Claim 5.

However, Thompson does not explicitly disclose the use of an autoencoder.

Gurnov discloses:

The method of claim 5, wherein the first trained ML model comprises a first autoencoder. (In ¶ 93, Gurnov discloses “In such embodiments, a target digital event sequence may be converted by an embeddings model, such as an autoencoder, to a unique vector mapped to a multi-dimensional space that includes a volume of distinct embedding signatures or vectors for a plurality of distinct target digital events.”).

One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Gurnov’s approach of using clustering as the motivation would be using a clustering method and reduction of dimensionality allows for the machine learning algorithm to run unsupervised and automated to properly identify the event clusters based on the reduction algorithm generated from the autoencoder (See Gurnov, ¶ 99)

Regarding Claim 8, the combination of Thompson and Grover disclose:

The method of claim 1, and wherein generating the plurality of signatures comprises: generating initial numeric representations of the datasets corresponding to events of different types (In ¶ 40, Thompson discloses “The vectors representing the data packets can be partitioned into clusters using a clustering algorithm, such as K-means algorithms.”).

However, Thompson does not explicitly disclose the use of multiple models.

wherein the at least one trained ML model comprises different trained ML models for processing datasets corresponding to events of different types (In ¶ 15, Gurnov discloses “implementing one or more unsupervised machine learning models that are configured to: receive model input comprising the plurality of distinct digital activity signatures”), and processing the initial numeric representations using the different trained ML models to obtain the plurality of signatures (In ¶ 93, Gurnov discloses “In one or more embodiments, S230 may function to generate, via an embeddings machine learning model, an embedding signature (i.e., embedding value or vector) for the target digital event based on the digital event activity sequence.”).

One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Gurnov’s approach of using clustering as the motivation would be using a clustering method and reduction of dimensionality allows for the machine learning algorithm to run unsupervised and automated to properly identify the event clusters based on the reduction algorithm generated from the autoencoder (See Gurnov, ¶ 99)

Regarding Claim 9, the combination of Thompson, Grover, and Gurnov disclose:

The method of claim 8, wherein events of different types correspond to network communications of different types of attacks on one or more software applications executing in the cloud computing environment. (In ¶ 7, Thompson discloses “The method may also include detecting, by the least one processor, an anomaly in the data packets and, in response to the detection, determining, by the processor and based on the clusters, one or more signatures associated with the data packets.”)

Regarding Claim 10, the combination of Thompson and Grover disclose the limitations of Claim 1.

However, Thompson does not explicitly disclose a DBSCAN algorithm.

Gurnov discloses:

The method of claim 1, wherein the clustering is performed using a density-based clustering algorithm, and wherein the density-based clustering algorithm is a density-based spatial clustering of applications with noise (DBSCAN) algorithm or a hierarchical density-based spatial clustering of applications with noise (HDBSCAN) algorithm. (In ¶ 50, Gurnov discloses “a clustering method (e.g., k-means clustering, density-based spatial clustering of applications with noise (DBSCAN), expectation maximization, and/or the like)”).

One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Gurnov’s approach of using clustering as the motivation would be using a clustering method and reduction of dimensionality allows for the machine learning algorithm to run unsupervised and automated to properly identify the event clusters based on the reduction algorithm generated from the autoencoder (See Gurnov, ¶ 99)

Regarding Claim 11, the combination of Thompson and Grover discloses the limitations of claim 1.

However, Thompson does not explicitly disclose the use of a web interface.

Gurnov discloses:

wherein identifying the particular event cluster comprises: generating a visualization of the clusters of events (In ¶ 96, Gurnov discloses “S230 may function to construct a digital activity signature that graphically represents the identified digital event activity sequence (e.g., suspected automated fraud attack).”); displaying the visualization via a graphical user interface (GUI); and receiving, via the GUI, a selection of a particular event cluster (In ¶ 54, Gurnov discloses “The web interface 120 may be used by an entity or service provider to make any suitable request including requests to generate global digital threat scores and specific digital threat scores. In some embodiments, the web interface 120 comprises an application programming interface (API) client and/or a client browser.”).

One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Gurnov’s approach of using a web interface as the motivation would be allow the client to monitor and assess threats identified by the system (See Gurnov, ¶ 53)

Regarding Claim 12, the combination of Thompson, Grover and Gurnov disclose the limitations of claim 11.

However, Thompson does not explicitly disclose the use of a web interface. Gurnov discloses: wherein generating the visualization comprises: applying a dimensionality reduction technique to the signature clusters to obtain a two- or-three dimensional representation of the signature clusters (In ¶ 99, Gurnov discloses “It shall be recognized that, in some embodiments, the embedding signature registry comprises a multi-dimensional embedding space that may include a volume of distinct classified or labeled embedding signatures.”); and generating a visualization of the clusters of events by generating a visualization of the two- or three-dimensional representation of the signature clusters (In ¶ 86, Gurnov discloses “In some embodiments, as generally illustrated in FIG. 4B, the digital activity signature may include a digital activity sequence graph. In some embodiments, each distinct location of the digital activity sequence graph may correspond to a target digital event associated with the suspected automated fraud or abuse attack and/or may correspond to a subject digital event feature.”). One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention to modify Thompson’s approach by utilizing Gurnov’s approach of using a web interface as the motivation would be allow the client to monitor and assess threats identified by the system (See Gurnov, ¶ 53) Regarding Claim 17, the combination of Thompson and Grover disclose the limitations of claim 1. However, Thompson does not explicitly disclose API calls. Gurnov discloses: The method of claim 1, wherein the computer network security system is configured to monitor traffic from and/or to a software application having an application programming interface (API) and wherein the plurality of events comprises one or more API calls to the API of the software application. 
(In ¶ 26, Gurnov discloses “In some embodiments, the digital event is occurring at a web-enabled service of a subscriber, and identifying the digital event includes contemporaneously receiving properties or attributes of the digital event via an application programming interface (API).”).

One of ordinary skill in the art of cryptography would have been motivated, before the effective filing date of the claimed invention, to modify Thompson’s approach by utilizing Gurnov’s approach of using an API as the motivation would be using an API with the data sources allows for a structured format of data to be ingested by the service (See Gurnov, ¶ 26).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Kim et al. (US 20240154990) discloses using machine learning to inspect traffic and generate a signature based on the traffic assessment.

Edwards et al. (US 20240171474) discloses methods for using machine learning and weights to generate recommendations and modifications to a control system.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHADI H KOBROSLI whose telephone number is (571)272-1952. The examiner can normally be reached M-F 9am-5pm ET.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached at 571-272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users.
To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SHADI H KOBROSLI/
Examiner, Art Unit 2492

/RUPAL DHARIA/
Supervisory Patent Examiner, Art Unit 2492

Prosecution Timeline

Mar 31, 2023: Application Filed
Apr 24, 2025: Non-Final Rejection — §103, §112
Jul 25, 2025: Response Filed
Oct 01, 2025: Final Rejection — §103, §112
Dec 08, 2025: Examiner Interview Summary
Dec 08, 2025: Applicant Interview (Telephonic)
Dec 19, 2025: Request for Continued Examination
Jan 08, 2026: Response after Non-Final Action
Feb 05, 2026: Non-Final Rejection — §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12602453: MEDIA AUTHENTICATION (2y 5m to grant, Granted Apr 14, 2026)
Patent 12580760: SMART CONTRACT EXECUTION USING DISTRIBUTED COORDINATION (2y 5m to grant, Granted Mar 17, 2026)
Patent 12574371: Privacy-Preserving Biometric Authentication (2y 5m to grant, Granted Mar 10, 2026)
Patent 12556377: INTERNAL KEY MANAGEMENT FOR A STORAGE SUBSYSTEM ENCRYPTING DATA IN THE CLOUD (2y 5m to grant, Granted Feb 17, 2026)
Patent 12547739: SYSTEMS AND METHODS FOR CREATING DERIVATIVE DIGITAL ASSETS BY BRANCHING ON AN ORIGINAL NON-FUNGIBLE TOKEN (2y 5m to grant, Granted Feb 10, 2026)
Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 70%
With Interview (+41.8%): 99%
Median Time to Grant: 3y 5m
PTA Risk: High
Based on 81 resolved cases by this examiner. Grant probability derived from career allow rate.
