Prosecution Insights
Last updated: July 17, 2026
Application No. 18/179,137

NETWORK TRAFFIC FLOW CLASSIFICATION USING FULLY SEGMENTED MODELS

Final Rejection §103
Filed
Mar 06, 2023
Examiner
ROHD, BENJAMIN MATTHEW
Art Unit
2147
Tech Center
2100 — Computer Architecture & Software
Assignee
Hewlett Packard Enterprise Development L.P.
OA Round
2 (Final)
0%
Grant Probability
At Risk
3-4
OA Rounds
11m
Est. Remaining
0%
With Interview

Examiner Intelligence

Grants only 0% of cases
0%
Career Allowance Rate
0 granted / 2 resolved
-55.0% vs TC avg
Minimal +0% lift
Without
With
+0.0%
Interview Lift
resolved cases with interview
Typical timeline
4y 3m
Avg Prosecution
23 currently pending
Career history
40
Total Applications
across all art units

Statute-Specific Performance

§103
100.0%
+60.0% vs TC avg
Black line = Tech Center average estimate • Based on career data from 2 resolved cases

Office Action

§103
DETAILED ACTION This office action is in response to amendments filed on 03/04/2026. Claims 4 and 17-20 have been amended. Claims 1-20 are pending. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Prior Art Rejections: Applicant's arguments regarding the prior art rejections (pg. 10-16) have been fully considered but they are not persuasive. Applicant argues that the cited references fail to disclose or suggest the claimed generation and use of "a fully segmented rule set” with “each item of the training dataset having a combination of features matching a different leaf node of the fully segmented ruleset from all other items of the training dataset." Applicant specifically argues that while Carreira, paragraph 0080 may disclose “a decision tree containing one leaf per instance” (i.e. a fully segmented ruleset), both Buschlinger and Carreira teach away from the use of such a decision tree due to overfitting. In response to applicant’s assertion that Carreira teaches away from using a fully segmented ruleset, examiner points to In re Geisler, 116 F.3d 1465, 1471, 43 USPQ2d 1362, 1366 (Fed. Cir. 1997), where teaching away was not established (Applicant argued that the prior art taught away from use of a protective layer for a reflective article having a thickness within the claimed range of "50 to 100 Angstroms." Specifically, a patent to Zehender, which was relied upon to reject applicant’s claim, included a statement that the thickness of the protective layer "should be not less than about [100 Angstroms]." The court held that the patent did not teach away from the claimed invention. "Zehender suggests that there are benefits to be derived from keeping the protective layer as thin as possible, consistent with achieving adequate protection. A thinner coating reduces light absorption and minimizes manufacturing time and expense. Thus, while Zehender expresses a preference for a thicker protective layer of 200-300 Angstroms, at the same time it provides the motivation for one of ordinary skill in the art to focus on thickness levels at the bottom of Zehender’s ‘suitable’ range- about 100 Angstroms- and to explore thickness levels below that range. The statement in Zehender that ‘[i]n general, the thickness of the protective layer should be not less than about [100 Angstroms]’ falls far short of the kind of teaching that would discourage one of skill in the art from fabricating a protective layer of 100 Angstroms or less. [W]e are therefore ‘not convinced that there was a sufficient teaching away in the art to overcome [the] strong case of obviousness’ made out by Zehender.") (see MPEP 2144.05(III)(B)). Similarly, in this case, while Carreira may express a preference for a smaller decision tree, it still provides motivation for one of ordinary skill in the art to explore use of a fully-segmented decision tree as an efficient and easily constructed data structure: “a decision tree containing one leaf per instance is a fast data structure to map any x n to its y n … Such a tree can be easily constructed by recursive partitioning…” (Carreira, 0080). Therefore, the cited reference Carreira does not teach away from the use of a fully-segmented ruleset. In response to applicant’s assertion that Buschlinger teaches away from using a fully segmented ruleset, examiner notes that Buschlinger does not include any mention of a decision tree or ruleset being fully segmented. Buschlinger may express a preference for reducing overfitting and false positives, but these are natural characteristics of decision trees anyway, per Galarnyk: “Decision trees are a popular supervised learning method… They have several flaws including being prone to overfitting” (Galarnyk, “Understanding Decision Trees for Classification (Python)”, pg. 2, para. 1). According to MPEP 2145(X)(D)(1), “A known or obvious composition does not become patentable simply because it has been described as somewhat inferior to some other product for the same use.” In this case, while a fully-segmented decision tree may be somewhat inferior to a smaller decision tree in terms of overfitting, it is still a known composition with its own clearly stated advantages of efficiency and easy construction. Therefore, the cited reference Buschlinger does not teach away from the use of a fully-segmented ruleset. The prior art rejections have been updated to include the amended limitations and to clarify the reasoning given for the limitations that were not amended. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-2 and 13-14 are rejected under 35 U.S.C. 103 as being unpatentable over Buschlinger et al. (hereinafter Buschlinger), “Decision Tree-Based Rule Derivation for Intrusion Detection in Safety-Critical Automotive Systems”, in view of Carreira-Perpiñán (hereinafter Carreira), U.S. Patent Application Publication US 20220318641 A1, and Scheidell, U.S. Patent Application Publication US 20040098623 A1. Regarding Claim 1, Buschlinger teaches A method of classifying network traffic flows across a network for improved network management by a user, the method comprising: receiving, at a first network device connected to the network, a training dataset; (Pg. 247-248, section III: “The generator is trained on a known labeled data set and rules are derived either from or by the resulting model. In regular operation, the rule generator is periodically retrained with an extended data set. In this study, the extended data set is obtained by combining the already available data with entries newly classified by the anomaly detector.” As can be seen in figure 1, (pg. 248), ‘Aggregated Traffic Logs’ are received at the ‘Backend’ (i.e. first network device) and labeled by the ‘Anomaly Detector’ so that the ‘Rule Generator’ receives ‘Classified Traffic’ for training (i.e. a training dataset).) training a decision tree machine learning (“ML”) algorithm with the training dataset, resulting in the generation of a [fully segmented] ruleset comprising a plurality of leaf nodes, each leaf node of the [fully segmented] ruleset being associated with at least one feature in the training dataset, and [each item of the training dataset having a combination of features matching a different leaf node of the fully segmented ruleset from all other items of the training dataset]; (Pg. 246, section I: “Our approach is based on Decision Trees (DTs) to generate traceable Snort rules which can be used by an expert as a basis when creating a rule set for a specific safety-critical use case.” Pg. 248-249, section IV-A: “Trained on labeled network traffic, a DT learns which feature values determine a malicious packet. As every branch is effectively an if-then decision, paths within DTs can easily be translated into IDS rules [11].” Pg. 250, section IV-A(c): “[O]nly paths ending in a leaf node with c l a s s   =   y [ 1 ] will result in an alert rule.” A decision tree is trained on labeled traffic data (i.e. the training dataset) to generate a ruleset mapping features to traffic classification leaf nodes (i.e. each leaf node is associated with at least one feature).) sending the [fully segmented] ruleset to a second network device connected to the network; (Pg. 248, section III: “The newly generated rules are finally transferred to the rule-based detector.” As can be seen in figure 1 (pg. 248), the ‘Rules’ generated by the ‘Rule Generator’ on the backend (i.e. first network device) are sent to the ‘Rule-Based Detector’ in the operational environment (i.e. second network device).) Buschlinger does not appear to explicitly disclose the remaining features of claim 1. However, Carreira teaches a fully segmented ruleset […] each item of the training dataset having a combination of features matching a different leaf node of the fully segmented ruleset from all other items of the training dataset (0080: “Indeed, if we regard the training set as a table { ( x n , y n ) } n = 1 N of (input instance, label) pairs, then a decision tree containing one leaf per instance is a fast data structure to map any x n to its y n .” In a decision tree containing one leaf per instance of the training data, each item of the training data has features matching a different leaf node (i.e. the ruleset is fully segmented, according to the definition of ‘fully segmented’ set forth in specification paragraph 0017 of the instant application).) It would have been obvious to one of ordinary skill in the art before the effective filing date of the present application to combine Buschlinger and Carreira. Buschlinger teaches an intrusion detection system in which network traffic classification rules are generated on a backend by training a decision tree and then deployed in an operational environment. Carreira teaches training a decision tree in which each leaf node corresponds to a single training example. One of ordinary skill would have motivation to combine Buschlinger and Carreira because a decision tree containing one leaf per training example “is simply a data structure that allows one to retrieve quickly the prediction of any training instance” (Carreira, 0075). Such a tree can be constructed more easily than a smaller tree, and enables faster search time than a lookup table: “The search time is at most equal to the tree depth, which is at most [ l o g 2 N ] for a balanced tree; this is much faster than a O ( N ) linear search on the table. Such a tree can be easily constructed by recursive partitioning…” (Carreira, 0080). Scheidell teaches receiving, at the first network device, a classified network traffic flow metadata from the second network device; and (0044: “The HackerTrap includes a traffic analyzer 172 known to those familiar with the art, such as the process called “SNORT” (see snort.org for details). In an exemplary system, firewall 145 protecting a client network 140 may log 100,000 events per day. The events are generated in response to the signatures and other rules 174. Of those events, the traffic analyzer 170 will communicate 1000 alert events to the managed security service 160.” The managed security service (i.e. first network device) receives alert events generated in response to SNORT rules (i.e. classified network traffic flow metadata) from the HackerTrap’s traffic analyzer (i.e. second network device).) supplying the classified network traffic flow metadata to a user, wherein the classified network traffic flow metadata assists the user in managing the network. (0044: “The event analyzer 164 looks for trends in the events and generates a reduced number of alerts 165 for the Tier Two manual analysis 166.” 0053: “The five alerts generated in the example of FIG. 2 are analyzed by the Tier Two personnel, who may perform a detailed investigation of the attack after the initial “second alert” and may notify the IT manager in response to the initial “third alert” in order that an appropriate response may be taken.” The generated alerts (i.e. classified network traffic flow metadata) are supplied to the Tier Two personnel (i.e. a user) for investigation, notification of the IT manager, and appropriate responsive action (i.e. to assist the user in managing the network).) It would have been obvious to one of ordinary skill in the art before the effective filing date of the present application to combine Buschlinger, Carreira, and Scheidell. Buschlinger teaches an intrusion detection system in which network traffic classification rules are generated on a backend by training a decision tree and then deployed in an operational environment. Carreira teaches training a decision tree in which each leaf node corresponds to a single training example. Scheidell teaches a rule-based intrusion detection system for generating, analyzing, filtering, and responding to attack alerts. One of ordinary skill would have motivation to combine Buschlinger, Carreira, and Scheidell because Scheidell provides “an improved intrusion detection system with enhanced alert filtering, general vs. specific attack determination and intrusion preemption capabilities. The managed security service not only has the advantage of reduced false positive and negative alerts, but also reduces data overload and the need for systems resources and personnel resources, while providing intrusion preemption for new attacking processes” (Scheidell, 0064). Regarding Claim 2, Buschlinger, Carreira, and Scheidell teach The method of claim 1, as shown above. Carreira also teaches the method further comprising, before training the decision tree ML algorithm, adjusting hyperparameters associated with the decision tree ML algorithm, the adjustments reducing the maximum number of items of training data sharing a combination of features matching one leaf node of any ruleset generated by the decision tree ML algorithm. (0075: “Firstly, if the tree is grown large enough it will reach zero training error, however the loss is defined, because each leaf will contain a single instance.” The maximum number of items per leaf node is reduced to one by allowing the tree to grow large enough (i.e. by adjusting depth/stopping hyperparameters).) Regarding Claim 13, Buschlinger teaches A method of classifying network traffic flows across a network for improved network management by a user, the method comprising: receiving, at a first network device connected to the network, a [fully segmented] ruleset, wherein: (Pg. 248, section III: “The newly generated rules are finally transferred to the rule-based detector.” As can be seen in figure 1 (pg. 248), the ‘Rules’ generated by the ‘Rule Generator’ on the backend are sent to the ‘Rule-Based Detector’ in the operational environment (i.e. first network device).) the [fully segmented] ruleset was generated by training a decision tree machine learning (“ML”) algorithm with a training dataset; and (Pg. 246, section I: “Our approach is based on Decision Trees (DTs) to generate traceable Snort rules which can be used by an expert as a basis when creating a rule set for a specific safety-critical use case.” Pg. 248-249, section IV-A: “Trained on labeled network traffic, a DT learns which feature values determine a malicious packet. As every branch is effectively an if-then decision, paths within DTs can easily be translated into IDS rules [11].” A decision tree is trained on labeled traffic data (i.e. a training dataset) to generate a ruleset mapping features to traffic classification leaf nodes.) classifying a network traffic flow by comparing features of the network traffic flow against features tested in the [fully segmented] ruleset and applying a label at a leaf node of the [fully segmented] ruleset; (Pg. 248-249, section IV-A: “Trained on labeled network traffic, a DT learns which feature values determine a malicious packet. As every branch is effectively an if-then decision, paths within DTs can easily be translated into IDS rules [11].” Pg. 250, section IV-A(c): “[O]nly paths ending in a leaf node with c l a s s   =   y [ 1 ] will result in an alert rule.” Network traffic is classified by tracing the if-then feature decision paths in the ruleset (i.e. comparing features of the network traffic flow against features tested in the ruleset) and applying a classification label according to the path’s leaf node.) generating a classified network traffic flow metadata associated with the classified network traffic flow, the classified network traffic flow metadata comprising the features of the network traffic flow and the classification of the network traffic flow; and (Pg. 248, section III: “The network traffic within the IDS operating environment passes through the rule-based detector as well as the traffic logger. The detector applies its rule set to detect potential attacks and generates a log.” Pg. 251, section IV-C: “The logs are generated using Snort’s CSV alert mode with the corresponding features.” The rule-based detector generates an alert log (i.e. metadata) for the network traffic data which includes a detected attack (i.e. the classification of the network traffic flow) and the corresponding features (i.e. the features of the network traffic flow).) Buschlinger does not appear to explicitly disclose the remaining features of claim 13. However, Carreira teaches a fully segmented ruleset wherein each item of the training dataset has a combination of features matching a different leaf node of the fully segmented ruleset from all other items of the training dataset; (0080: “Indeed, if we regard the training set as a table { ( x n , y n ) } n = 1 N of (input instance, label) pairs, then a decision tree containing one leaf per instance is a fast data structure to map any x n to its y n .” In a decision tree containing one leaf per instance of the training data, each item of the training data has features matching a different leaf node (i.e. the ruleset is fully segmented, according to the definition of ‘fully segmented’ set forth in specification paragraph 0017 of the instant application).) It would have been obvious to one of ordinary skill in the art before the effective filing date of the present application to combine Buschlinger and Carreira. Buschlinger teaches an intrusion detection system in which network traffic classification rules are generated on a backend by training a decision tree and then deployed in an operational environment. Carreira teaches training a decision tree in which each leaf node corresponds to a single training example. One of ordinary skill would have motivation to combine Buschlinger and Carreira because a decision tree containing one leaf per training example “is simply a data structure that allows one to retrieve quickly the prediction of any training instance” (Carreira, 0075). Such a tree can be constructed more easily than a smaller tree, and enables faster search time than a lookup table: “The search time is at most equal to the tree depth, which is at most [ l o g 2 N ] for a balanced tree; this is much faster than a O ( N ) linear search on the table. Such a tree can be easily constructed by recursive partitioning…” (Carreira, 0080). Scheidell teaches sending the classified network traffic flow metadata to a second network device connected to the network. (0044: “The HackerTrap includes a traffic analyzer 172 known to those familiar with the art, such as the process called “SNORT” (see snort.org for details). In an exemplary system, firewall 145 protecting a client network 140 may log 100,000 events per day. The events are generated in response to the signatures and other rules 174. Of those events, the traffic analyzer 170 will communicate 1000 alert events to the managed security service 160.” The HackerTrap’s traffic analyzer (i.e. first network device) sends alert events generated in response to SNORT rules (i.e. classified network traffic flow metadata) to the managed security service (i.e. second network device).) It would have been obvious to one of ordinary skill in the art before the effective filing date of the present application to combine Buschlinger, Carreira, and Scheidell. Buschlinger teaches an intrusion detection system in which network traffic classification rules are generated on a backend by training a decision tree and then deployed in an operational environment. Carreira teaches training a decision tree in which each leaf node corresponds to a single training example. Scheidell teaches a rule-based intrusion detection system for generating, analyzing, filtering, and responding to attack alerts. One of ordinary skill would have motivation to combine Buschlinger, Carreira, and Scheidell because Scheidell provides “an improved intrusion detection system with enhanced alert filtering, general vs. specific attack determination and intrusion preemption capabilities. The managed security service not only has the advantage of reduced false positive and negative alerts, but also reduces data overload and the need for systems resources and personnel resources, while providing intrusion preemption for new attacking processes” (Scheidell, 0064). Regarding Claim 14, Buschlinger, Carreira, and Scheidell teach The method of claim 13, as shown above. Buschlinger also teaches the method further comprising: receiving, at the first network device, a flagging strategy comprising methods for designating a network traffic flow for classification at the second device; (Pg. 251, section IV-B(c): “For classification, the new unseen traffic data collected in the operational environment is passed through the LSTM. We assume that the raw traffic data has already been processed and prepared (e.g., removing data already recognized as malicious by the IDS by filtering based on the alert log) for use in the anomaly detector.” Only data not already recognized as malicious by the rule-based detector in the alert log is designated for classification by the LSTM on the backend (i.e. the second device). Thus, the alert log constitutes a flagging strategy. The alert log (i.e. flagging strategy) is received in the operational environment (i.e. the first network device), as can be seen in figure 2 (pg. 248).) applying the flagging strategy to the network traffic flow to designate the network traffic flow for classification at the second device; (Pg. 251, section IV-B(c): “For classification, the new unseen traffic data collected in the operational environment is passed through the LSTM. We assume that the raw traffic data has already been processed and prepared (e.g., removing data already recognized as malicious by the IDS by filtering based on the alert log) for use in the anomaly detector.” The raw traffic data is filtered based on the alert log (i.e. the flagging strategy is applied) to designate the new unseen traffic data (i.e. network traffic flow) to be passed for classification to the LSTM anomaly detector on the backend (i.e. the second network device).) generating a flagged metadata associated with the designated network traffic flow, the flagged metadata comprising the features of the network traffic flow and the designation of the network traffic flow for classification at the second device; and (Pg. 251, section IV-B(c): “For classification, the new unseen traffic data collected in the operational environment is passed through the LSTM. We assume that the raw traffic data has already been processed and prepared (e.g., removing data already recognized as malicious by the IDS by filtering based on the alert log) for use in the anomaly detector.” As can be seen in figure 2 (pg. 248), aggregated traffic logs (i.e. flagged metadata) are generated to be passed to the backend for classification. Aggregated traffic logs store features of the network traffic flow, and are processed and prepared for use in the anomaly detector (i.e. designated for classification at the second device).) sending the flagged metadata to the second network device. (Pg. 251, section IV-B(c): “For classification, the new unseen traffic data collected in the operational environment is passed through the LSTM. We assume that the raw traffic data has already been processed and prepared (e.g., removing data already recognized as malicious by the IDS by filtering based on the alert log) for use in the anomaly detector.” As can be seen in figure 2 (pg. 248), the aggregated traffic logs (i.e. flagged metadata) are sent to the LSTM anomaly detector on the backend (i.e. second network device).) Claims 3-4 are rejected under 35 U.S.C. 103 as being unpatentable over Buschlinger in view of Carreira and Scheidell and further in view of Islam et al. (hereinafter Islam), “KNNTree: A New Method to Ameliorate K-Nearest Neighbour Classification using Decision Tree” and Warmenhoven et al. (hereinafter Warmenhoven), U.S. Patent Application Publication US 20200028857 A1. Regarding Claim 3, Buschlinger, Carreira, and Scheidell teach The method of claim 1, as shown above. Buschlinger also teaches the method further comprising, before supplying the classified network traffic flow metadata to the user: the flagging strategy comprising methods for designating a network traffic flow for classification at the first device; (Pg. 251, section IV-B(c): “For classification, the new unseen traffic data collected in the operational environment is passed through the LSTM. We assume that the raw traffic data has already been processed and prepared (e.g., removing data already recognized as malicious by the IDS by filtering based on the alert log) for use in the anomaly detector.” Only data not already recognized as malicious by the rule-based detector is designated for classification by the LSTM on the backend (i.e. the first device). This constitutes a flagging strategy.) receiving flagged metadata relating to a designated network traffic flow from the second network device; (Pg. 251, section IV-B(c): “For classification, the new unseen traffic data collected in the operational environment is passed through the LSTM. We assume that the raw traffic data has already been processed and prepared (e.g., removing data already recognized as malicious by the IDS by filtering based on the alert log) for use in the anomaly detector.” As can be seen in figure 2 (pg. 248), ‘Aggregated Traffic Logs’ representing new unseen data (i.e. flagged metadata relating to a designated network traffic flow) are received at the backend from the operational environment (i.e. from the second network device) to be classified by the backend’s (i.e. first network device’s) ‘LSTM (Anomaly Detector)’.) Buschlinger, Carreira, and Scheidell do not appear to explicitly disclose the remaining features of claim 3. However, Islam teaches comparing the flagged metadata with an item of the training dataset; (Pg. 2, section I: “In KNN, k represents the number of samples that are being chosen for classifying any instance [4]. It uses Euclidean distance, Manhattan distance, Minkowski distance and others for calculating the distance between the training instance and the testing instance… For inference, the test instance goes through the DT [decision tree] based on the condition it fits in till it reaches any leaf or a KNN classifier. If it finds a leaf, it directly returns the result. Else, it returns the result obtained from KNN.” A test instance which reaches a KNN classifier is an item which the decision tree is unable to confidently classify at a leaf node (i.e. flagged metadata relating to a designated network traffic flow). In the KNN classifier, distance is measured between the test instance and training instances (i.e. the flagged metadata is compared with an item of the training dataset).) classifying the designated network traffic flow based on the comparison of the flagged metadata with the item of the training dataset; (Pg. 2, section I: “After gathering the distance of every training instance, the algorithm fetches the nearest k instance and assigns the class label of the testing instance to be the majority among the training instances.” The test instance (i.e. flagged metadata relating to a designated network traffic flow) is classified based on the class labels of the nearest k training instances (i.e. based on the comparison with the item of the training data).) updating the flagged metadata with the classification applied to the designated network traffic flow; and (Pg. 2, section I: “After gathering the distance of every training instance, the algorithm fetches the nearest k instance and assigns the class label of the testing instance to be the majority among the training instances.” The test instance (i.e. flagged metadata relating to a designated network traffic flow) is assigned the class label (i.e. updated with the classification).) incorporating the updated flagged metadata with the classified network traffic flow metadata. (Pg. 2, section I: “If it finds a leaf, it directly returns the result. Else, it returns the result obtained from KNN.” The results of test instances classified by KNN (i.e. updated flagged metadata) are returned by the model alongside/incorporated with the results of test instances classified by a leaf node (i.e. classified network traffic flow metadata).) It would have been obvious to one of ordinary skill in the art before the effective filing date of the present application to combine Buschlinger, Carreira, Scheidell, and Islam. Buschlinger teaches an intrusion detection system in which network traffic classification rules are generated on a backend by training a decision tree and then deployed in an operational environment. Carreira teaches training a decision tree in which each leaf node corresponds to a single training example. Scheidell teaches a rule-based intrusion detection system for generating, analyzing, filtering, and responding to attack alerts. Islam teaches a decision tree-KNN hybrid model in which impure leaf nodes of a decision tree are designated for further classification using KNN. One of ordinary skill would have motivation to combine Buschlinger, Carreira, Scheidell, and Islam because “[t]he proposed KNNTree ameliorates the performance of both DT and KNN classifiers. In comparison to the conventional DT (ID3) or KNN, the suggested technique was found to perform better at predicting the class label on benchmark datasets” (Islam, pg. 7, section V). Warmenhoven teaches displaying a flagging strategy to the user, receiving a selection from the user indicating the flagging strategy; and sending the flagging strategy to the second network device; (0031: “In some embodiments, client systems 10 a-e are monitored, managed, and/or configured remotely using software executing on an administration device 13 connected to extended network 14 (e.g., the Internet). Exemplary administration devices 13 include a personal computer and a smartphone, among others. Device 13 may expose a graphical user interface (GUI) allowing a user (e.g., computer security professional, network administrator) to remotely monitor and/or manage operation of client systems 10 a-e, for instance to set configuration options and/or to receive security alerts regarding events occurring on the respective client systems.” The administrative device (i.e. first network device) includes a graphical user interface which allows the user to set configuration options (i.e. the device displays options and receives a selection from the user) for configuration of the remote client system (i.e. the selection is sent to the second network device).) It would have been obvious to one of ordinary skill in the art before the effective filing date of the present application to combine Buschlinger, Carreira, Scheidell, Islam, and Warmenhoven. Buschlinger teaches an intrusion detection system in which network traffic classification rules are generated on a backend by training a decision tree and then deployed in an operational environment. Carreira teaches training a decision tree in which each leaf node corresponds to a single training example. Scheidell teaches a rule-based intrusion detection system for generating, analyzing, filtering, and responding to attack alerts. Islam teaches a decision tree-KNN hybrid model in which impure leaf nodes of a decision tree are designated for further classification using KNN. Warmenhoven teaches a decision tree-based intrusion detection system including an administrative device with a graphical user interface for parameter configuration. One of ordinary skill would have motivation to combine Buschlinger, Carreira, Scheidell, Islam, and Warmenhoven in order to “allow an efficient detection and communication of computer security threats even in high performance computing applications and high-speed networks” and “enable an intuitive presentation of the relevant details in response to the detection of a security event” (Warmenhoven, 0068-0069). Regarding Claim 4, Buschlinger, Carreira, Scheidell, Islam, and Warmenhoven teach The method of claim 3, as shown above. Islam also teaches wherein the flagging strategy comprises indicating a flag leaf node, wherein all network traffic flows having a combination of features matching the flag leaf node are designated for classification [at the first device]. (Pg. 4, section III: “In proposed approach we first construct a decision tree from the training data till a depth L. From the root to the L’th level, the dataset gets divided into non overlapping subsets. After that, if the current node is not a leaf node, a KNN model is built on that subset… For each unique value of A i , if the corresponding subdataset contains only one column, that implies the leaf has been reached.” Pg. 2, section I: “For inference, the test instance goes through the DT [decision tree] based on the condition it fits in till it reaches any leaf or a KNN classifier. If it finds a leaf, it directly returns the result. Else, it returns the result obtained from KNN.” A leaf node according to Islam is a node whose subdataset has only one class label. If a node at max tree depth L (i.e. a leaf node according to the standard definition) does not meet this purity criterion, it is indicated as a node requiring further classification via KNN classifier (i.e. it is indicated as a flag leaf node by the flagging strategy). If a test instance (i.e. network traffic instance) reaches a KNN classifier (i.e. its features match the flag leaf node), it is designated for classification at the KNN classifier.) Buschlinger teaches designating flagged traffic flows to be classified at the first device. (Pg. 251, section IV-B(c): “For classification, the new unseen traffic data collected in the operational environment is passed through the LSTM. We assume that the raw traffic data has already been processed and prepared (e.g., removing data already recognized as malicious by the IDS by filtering based on the alert log) for use in the anomaly detector.” As can be seen in figure 2 (pg. 248), ‘Aggregated Traffic Logs’ representing new unseen data (i.e. flagged network traffic flows) are received at the backend from the operational environment (i.e. from the second network device) to be classified by the backend’s ‘LSTM (Anomaly Detector)’ (i.e. at the first network device).) Claims 5-6 are rejected under 35 U.S.C. 103 as being unpatentable over Buschlinger in view of Carreira, Scheidell, Islam, and Warmenhoven, and further in view of Dalitz et al. (hereinafter Dalitz), “Reject Options and Confidence Measures for kNN Classifiers”. Regarding Claim 5, Buschlinger, Carreira, Scheidell, Islam, and Warmenhoven teach The method of claim 3, as shown above. Warmenhoven also teaches the method further comprising, before supplying the classified network traffic flow metadata to the user: displaying a tolerance threshold to the user, and receiving a second selection from the user indicating the tolerance threshold; (0031: “In some embodiments, client systems 10 a-e are monitored, managed, and/or configured remotely using software executing on an administration device 13 connected to extended network 14 (e.g., the Internet). Exemplary administration devices 13 include a personal computer and a smartphone, among others. Device 13 may expose a graphical user interface (GUI) allowing a user (e.g., computer security professional, network administrator) to remotely monitor and/or manage operation of client systems 10 a-e, for instance to set configuration options and/or to receive security alerts regarding events occurring on the respective client systems.” The administrative device (i.e. first network device) includes a graphical user interface which allows the user to set configuration options (i.e. the device displays options and receives a selection from the user).) Buschlinger, Carreira, Scheidell, Islam, and Warmenhoven do not appear to explicitly disclose the remaining features of claim 5. Dalitz teaches the tolerance threshold relating to a difference calculated when comparing the flagged metadata with the item of the training dataset; (Pg. 17, section 1: “It is therefore desirable to have a reject option, i.e. an option to withhold a classifier decision.” Pg. 18, section 2: “‘Distance’ alludes to the decision criterion that a pattern is so far away from the training patterns in feature space that it is unlikely to be of any of the training classes. A ‘distance reject’ can also be considered as the detection of a novel class.” Pg. 26, section 5: “Therefore a threshold on the absolute distance of a test point from its neighboring training samples must be set, which is in the simplest case the mean distance to the k nearest neighbors… In the case k = 1, this is simply the distance to the nearest neighbor.” The threshold is a tolerance threshold relating to the difference between the test point (i.e. the flagged metadata) and its neighboring training samples (i.e. the item of the training dataset).) where the difference exceeds the tolerance threshold, classifying the designated network traffic flow associated with the flagged metadata as unknown; and where the difference does not exceed the tolerance threshold, classifying the designated network traffic flow associated with the flagged metadata according to a label applied to the item of the training dataset. (Pg. 17, section 1: “It is therefore desirable to have a reject option, i.e. an option to withhold a classifier decision.” Pg. 18, section 2: “‘Distance’ alludes to the decision criterion that a pattern is so far away from the training patterns in feature space that it is unlikely to be of any of the training classes. A ‘distance reject’ can also be considered as the detection of a novel class.” Pg. 26, section 5: “Therefore a threshold on the absolute distance of a test point from its neighboring training samples must be set, which is in the simplest case the mean distance to the k nearest neighbors… In the case k = 1, this is simply the distance to the nearest neighbor.” When the distance threshold is exceeded, the output of the model for the test point (i.e. flagged metadata) is a distance reject, where classification is withheld due to uncertainty (i.e. the traffic flow is classified as unknown). When the distance threshold is not exceeded, KNN classification proceeds as normal (i.e. the traffic flow is classified according to the label of its nearest neighbors in the training set).) It would have been obvious to one of ordinary skill in the art before the effective filing date of the present application to combine Buschlinger, Carreira, Scheidell, Islam, Warmenhoven, and Dalitz. Buschlinger teaches an intrusion detection system in which network traffic classification rules are generated on a backend by training a decision tree and then deployed in an operational environment. Carreira teaches training a decision tree in which each leaf node corresponds to a single training example. Scheidell teaches a rule-based intrusion detection system for generating, analyzing, filtering, and responding to attack alerts. Islam teaches a decision tree-KNN hybrid model in which impure leaf nodes of a decision tree are designated for further classification using KNN. Warmenhoven teaches a decision tree-based intrusion detection system including an administrative device with a graphical user interface for parameter configuration. Dalitz teaches withholding KNN classification of instances which are far away from the training examples in feature space or whose classes are otherwise ambiguous. One of ordinary skill would have motivation to combine Buschlinger, Carreira, Scheidell, Islam, Warmenhoven, and Dalitz in order to “avoid classifications with a high probability of error” (Dalitz, pg. 18, section 2). Regarding Claim 6, Buschlinger, Carreira, Scheidell, Islam, Warmenhoven, and Dalitz teach The method of claim 5, as shown above. Islam also teaches further wherein: comparing the flagged metadata with the item of the training dataset comprises calculating a Euclidean distance [based on a plurality of features, both the flagged metadata and item of the training dataset have values for each feature of the plurality of features]; and the difference is the Euclidean distance. (Pg. 2, section I: “[KNN] uses Euclidean distance, Manhattan distance, Minkowski distance and others for calculating the distance between the training instance and the testing instance.” Euclidian distance is calculated between the testing instance (i.e. flagged metadata) and training instance (i.e. item of the training dataset).) Dalitz teaches Euclidian distance based on a plurality of features, both the flagged metadata and item of the training dataset have values for each feature of the plurality of features; (Pg. 17, figure 1: “An example for the kNN rule for a two dimensional feature space and k = 3. The black test point is assigned to class A, because among its k nearest neighbors the majority is of class A.” In figure 1, the distance in KNN is calculated in two dimensional feature space (i.e. based on a plurality of features), and both the test point (i.e. flagged metadata) and the various training points (i.e. item of training data) are mapped in two dimensional space (i.e. have values for each feature).) Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Buschlinger in view of Carreira and Scheidell and further in view of García et al. (hereinafter García), “Data Preprocessing in Data Mining”. Regarding Claim 7, Buschlinger, Carreira, and Scheidell teach The method of claim 1, as shown above. Buschlinger, Carreira, and Scheidell do not appear to explicitly disclose the remaining features of claim 7. However, García teaches identifying a problematic item in the training dataset, wherein the problematic item impedes the generation of rulesets having each item of the training dataset comprising a combination of features matching a different leaf node of the ruleset from all other items of the training dataset; and (Pg. 110, section 5.2: “Class noise can be attributed to several causes, such as subjectivity during the labeling process, data entry errors, or inadequacy of the information used to label each example. Two types of class noise can be distinguished: Contradictory examples – There are duplicate examples in the data set having different class labels…” Pg. 115, section 5.3: “Noise filters are generally oriented to detect and eliminate instances with class noise from the training data.” Contradictory examples impede the generation of single-item-per-leaf rulesets as they have the same features and thus necessarily match the features of the same leaf node. Instances with class noise, including contradictory examples (i.e. problematic items), are detected (i.e. identified) by noise filters.) modifying the training dataset by removing the problematic item from the training dataset. (Pg. 115, section 5.3: “Noise filters are generally oriented to detect and eliminate instances with class noise from the training data.” Instances with class noise, including contradictory examples (i.e. problematic items), are eliminated (i.e. removed) from the training data.) It would have been obvious to one of ordinary skill in the art before the effective filing date of the present application to combine Buschlinger, Carreira, Scheidell, and García. Buschlinger teaches an intrusion detection system in which network traffic classification rules are generated on a backend by training a decision tree and then deployed in an operational environment. Carreira teaches training a decision tree in which each leaf node corresponds to a single training example. Scheidell teaches a rule-based intrusion detection system for generating, analyzing, filtering, and responding to attack alerts. García teaches eliminating noisy instances such as contradictory examples from training data for use in machine learning tasks. One of ordinary skill would have motivation to combine Buschlinger, Carreira, Scheidell, and García because “[i]n classification, noise can negatively affect the system performance in terms of classification accuracy, building time, size and interpretability of the classifier built” (García, pg. 107, section 5.1), and “[e]limination of such instances has been shown to be advantageous” (García, pg. 115, section 5.3). Claims 8-10 and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Buschlinger in view of Carreira, Scheidell, and García, and further in view of Islam et al. (hereinafter Islam), “KNNTree: A New Method to Ameliorate K-Nearest Neighbour Classification using Decision Tree” and Warmenhoven et al. (hereinafter Warmenhoven), U.S. Patent Application Publication US 20200028857 A1. Regarding Claim 8, Buschlinger, Carreira, Scheidell, and García teach The method of claim 7, as shown above. Buschlinger also teaches the method further comprising, before supplying the classified network traffic flow metadata to the user: the flagging strategy comprising methods for designating a network traffic flow for classification at the first device; (Pg. 251, section IV-B(c): “For classification, the new unseen traffic data collected in the operational environment is passed through the LSTM. We assume that the raw traffic data has already been processed and prepared (e.g., removing data already recognized as malicious by the IDS by filtering based on the alert log) for use in the anomaly detector.” Only data not already recognized as malicious by the rule-based detector is designated for classification by the LSTM on the backend (i.e. the first device). This constitutes a flagging strategy.) receiving flagged metadata relating to a designated network traffic flow from the second network device; (Pg. 251, section IV-B(c): “For classification, the new unseen traffic data collected in the operational environment is passed through the LSTM. We assume that the raw traffic data has already been processed and prepared (e.g., removing data already recognized as malicious by the IDS by filtering based on the alert log) for use in the anomaly detector.” As can be seen in figure 2 (pg. 248), ‘Aggregated Traffic Logs’ representing new unseen data (i.e. flagged metadata relating to a designated network traffic flow) are received at the backend from the operational environment (i.e. from the second network device) to be classified by the backend’s (i.e. first network device’s) ‘LSTM (Anomaly Detector)’.) Buschlinger, Carreira, Scheidell, and García do not appear to explicitly disclose the remaining features of claim 8. However, Islam teaches comparing the flagged metadata with an item of the training dataset; (Pg. 2, section I: “In KNN, k represents the number of samples that are being chosen for classifying any instance [4]. It uses Euclidean distance, Manhattan distance, Minkowski distance and others for calculating the distance between the training instance and the testing instance… For inference, the test instance goes through the DT [decision tree] based on the condition it fits in till it reaches any leaf or a KNN classifier. If it finds a leaf, it directly returns the result. Else, it returns the result obtained from KNN.” A test instance which reaches a KNN classifier is an item which the decision tree is unable to confidently classify at a leaf node (i.e. flagged metadata relating to a designated network traffic flow). In the KNN classifier, distance is measured between the test instance and training instances (i.e. the flagged metadata is compared with an item of the training dataset).) before comparing the flagged metadata with an item of the training dataset, modifying the training dataset by adding the problematic item to the training dataset; (Pg. 4, section III: “From the root to the L’th level, the dataset gets divided into non overlapping subsets. After that, if the current node is not a leaf node, a KNN model is built on that subset.” If a node at maximum depth L is not a leaf node because its sub-dataset is impure (i.e. contains a problematic item), KNN is performed (i.e. the flagged metadata is compared with an item of the training dataset) on that sub-dataset, including the problematic item (i.e. the problematic item is added to the training dataset).) classifying the designated network traffic flow based on the comparison of the flagged metadata with the item of the training dataset; (Pg. 2, section I: “After gathering the distance of every training instance, the algorithm fetches the nearest k instance and assigns the class label of the testing instance to be the majority among the training instances.” The test instance (i.e. flagged metadata relating to a designated network traffic flow) is classified based on the class labels of the nearest k training instances (i.e. based on the comparison with the item of the training data).) updating the flagged metadata with the classification applied to the designated network traffic flow; and (Pg. 2, section I: “After gathering the distance of every training instance, the algorithm fetches the nearest k instance and assigns the class label of the testing instance to be the majority among the training instances.” The test instance (i.e. flagged metadata relating to a designated network traffic flow) is assigned the class label (i.e. updated with the classification).) incorporating the updated flagged metadata with the classified network traffic flow metadata. (Pg. 2, section I: “If it finds a leaf, it directly returns the result. Else, it returns the result obtained from KNN.” The results of test instances classified by KNN (i.e. updated flagged metadata) are returned by the model alongside/incorporated with the results of test instances classified by a leaf node (i.e. classified network traffic flow metadata).) It would have been obvious to one of ordinary skill in the art before the effective filing date of the present application to combine Buschlinger, Carreira, Scheidell, García, and Islam. Buschlinger teaches an intrusion detection system in which network traffic classification rules are generated on a backend by training a decision tree and then deployed in an operational environment. Carreira teaches training a decision tree in which each leaf node corresponds to a single training example. Scheidell teaches a rule-based intrusion detection system for generating, analyzing, filtering, and responding to attack alerts. García teaches eliminating noisy instances such as contradictory examples from training data for use in machine learning tasks. Islam teaches a decision tree-KNN hybrid model in which impure leaf nodes of a decision tree are designated for further classification using KNN. One of ordinary skill would have motivation to combine Buschlinger, Carreira, Scheidell, García, and Islam because “[t]he proposed KNNTree ameliorates the performance of both DT and KNN classifiers. In comparison to the conventional DT (ID3) or KNN, the suggested technique was found to perform better at predicting the class label on benchmark datasets” (Islam, pg. 7, section V). Warmenhoven teaches displaying a flagging strategy to the user, receiving a selection from the user indicating the flagging strategy; and sending the flagging strategy to the second network device; (0031: “In some embodiments, client systems 10 a-e are monitored, managed, and/or configured remotely using software executing on an administration device 13 connected to extended network 14 (e.g., the Internet). Exemplary administration devices 13 include a personal computer and a smartphone, among others. Device 13 may expose a graphical user interface (GUI) allowing a user (e.g., computer security professional, network administrator) to remotely monitor and/or manage operation of client systems 10 a-e, for instance to set configuration options and/or to receive security alerts regarding events occurring on the respective client systems.” The administrative device (i.e. first network device) includes a graphical user interface which allows the user to set configuration options (i.e. the device displays options and receives a selection from the user) for configuration of the remote client system (i.e. the selection is sent to the second network device).) It would have been obvious to one of ordinary skill in the art before the effective filing date of the present application to combine Buschlinger, Carreira, Scheidell, García, Islam, and Warmenhoven. Buschlinger teaches an intrusion detection system in which network traffic classification rules are generated on a backend by training a decision tree and then deployed in an operational environment. Carreira teaches training a decision tree in which each leaf node corresponds to a single training example. Scheidell teaches a rule-based intrusion detection system for generating, analyzing, filtering, and responding to attack alerts. García teaches eliminating noisy instances such as contradictory examples from training data for use in machine learning tasks. Islam teaches a decision tree-KNN hybrid model in which impure leaf nodes of a decision tree are designated for further classification using KNN. Warmenhoven teaches a decision tree-based intrusion detection system including an administrative device with a graphical user interface for parameter configuration. One of ordinary skill would have motivation to combine Buschlinger, Carreira, Scheidell, García, Islam, and Warmenhoven in order to “allow an efficient detection and communication of computer security threats even in high performance computing applications and high-speed networks” and “enable an intuitive presentation of the relevant details in response to the detection of a security event” (Warmenhoven, 0068-0069). Regarding Claim 9, Buschlinger, Carreira, Scheidell, García, Islam, and Warmenhoven teach The method of claim 8, as shown above. Islam also teaches further wherein the flagging strategy comprises selecting a flag leaf node, wherein all network traffic flows having a combination of features matching the flag leaf node are designated for classification [at the first device]. (Pg. 4, section III: “In proposed approach we first construct a decision tree from the training data till a depth L. From the root to the L’th level, the dataset gets divided into non overlapping subsets. After that, if the current node is not a leaf node, a KNN model is built on that subset… For each unique value of A i , if the corresponding subdataset contains only one column, that implies the leaf has been reached.” Pg. 2, section I: “For inference, the test instance goes through the DT [decision tree] based on the condition it fits in till it reaches any leaf or a KNN classifier. If it finds a leaf, it directly returns the result. Else, it returns the result obtained from KNN.” A leaf node according to Islam is a node whose subdataset has only one class label. If a node at max tree depth L (i.e. a leaf node according to the standard definition) does not meet this purity criterion, it is selected as a node requiring further classification via KNN classifier (i.e. it is indicated as a flag leaf node by the flagging strategy). If a test instance (i.e. network traffic instance) reaches a KNN classifier (i.e. its features match the flag leaf node), it is designated for classification at the KNN classifier.) Buschlinger teaches designating flagged traffic flows to be classified at the first device. (Pg. 251, section IV-B(c): “For classification, the new unseen traffic data collected in the operational environment is passed through the LSTM. We assume that the raw traffic data has already been processed and prepared (e.g., removing data already recognized as malicious by the IDS by filtering based on the alert log) for use in the anomaly detector.” As can be seen in figure 2 (pg. 248), ‘Aggregated Traffic Logs’ representing new unseen data (i.e. flagged network traffic flows) are received at the backend from the operational environment (i.e. from the second network device) to be classified by the backend’s ‘LSTM (Anomaly Detector)’ (i.e. at the first network device).) Regarding Claim 10, Buschlinger, Carreira, Scheidell, García, Islam, and Warmenhoven teach The method of claim 9, as shown above. Islam also teaches further wherein the flag leaf is selected because the problematic item has a combination of features matching the flag leaf node. (Pg. 4, section III: “In proposed approach we first construct a decision tree from the training data till a depth L. From the root to the L’th level, the dataset gets divided into non overlapping subsets. After that, if the current node is not a leaf node, a KNN model is built on that subset… For each unique value of A i , if the corresponding subdataset contains only one column, that implies the leaf has been reached.” A leaf node according to Islam is a node whose subdataset has only one class label. If a node at max tree depth L (i.e. a leaf node according to the standard definition) does not meet this purity criterion (i.e. if its subdataset has conflicting examples and thus its features match those of the problematic item), it is selected as a node requiring further classification via KNN classifier (i.e. it is a flag leaf node).) Claim 16 is a product claim containing substantially the same elements as method claims 1, 7, and 8. Buschlinger, Carreira, Scheidell, García, Islam, and Warmenhoven teach the elements of claims 1, 7, and 8, as shown above. Warmenhoven also teaches A non-transitory computer-readable medium having instructions stored therein, which when executed by a processor cause the processor to perform operations, the operations comprising: (0024: “Computer readable media encompass non-transitory media such as magnetic, optic, and semiconductor storage media (e.g. hard drives, optical disks, flash memory, DRAM), as well as communication links such as conductive cables and fiber optic links. According to some embodiments, the present invention provides, inter alia, computer systems comprising hardware (e.g. one or more processors) programmed to perform the methods described herein, as well as computer-readable media encoding instructions to perform the methods described herein.”) Claims 17-18 are product claims containing substantially the same elements as method claims 9-10, respectively. Buschlinger, Carreira, Scheidell, García, Islam, and Warmenhoven teach the elements of claims 9-10, as shown above. Claims 11-12 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Buschlinger in view of Carreira, Scheidell, García, Islam, and Warmenhoven, and further in view of Dalitz et al. (hereinafter Dalitz), “Reject Options and Confidence Measures for kNN Classifiers”. Regarding Claim 11, Buschlinger, Carreira, Scheidell, García, Islam, and Warmenhoven teach The method of claim 8, as shown above. Warmenhoven also teaches the method further comprising, before supplying the classified network traffic flow metadata to the user: displaying a tolerance threshold to the user, and receiving a second selection from the user indicating the tolerance threshold; (0031: “In some embodiments, client systems 10 a-e are monitored, managed, and/or configured remotely using software executing on an administration device 13 connected to extended network 14 (e.g., the Internet). Exemplary administration devices 13 include a personal computer and a smartphone, among others. Device 13 may expose a graphical user interface (GUI) allowing a user (e.g., computer security professional, network administrator) to remotely monitor and/or manage operation of client systems 10 a-e, for instance to set configuration options and/or to receive security alerts regarding events occurring on the respective client systems.” The administrative device (i.e. first network device) includes a graphical user interface which allows the user to set configuration options (i.e. the device displays options and receives a selection from the user).) Buschlinger, Carreira, Scheidell, Islam, García, and Warmenhoven do not appear to explicitly disclose the remaining features of claim 11. However, Dalitz teaches the tolerance threshold relating to a difference calculated when comparing the flagged metadata with the item of the training dataset; (Pg. 17, section 1: “It is therefore desirable to have a reject option, i.e. an option to withhold a classifier decision.” Pg. 18, section 2: “‘Distance’ alludes to the decision criterion that a pattern is so far away from the training patterns in feature space that it is unlikely to be of any of the training classes. A ‘distance reject’ can also be considered as the detection of a novel class.” Pg. 26, section 5: “Therefore a threshold on the absolute distance of a test point from its neighboring training samples must be set, which is in the simplest case the mean distance to the k nearest neighbors… In the case k = 1, this is simply the distance to the nearest neighbor.” The threshold is a tolerance threshold relating to the difference between the test point (i.e. the flagged metadata) and its neighboring training samples (i.e. the item of the training dataset).) where the difference exceeds the tolerance threshold, classifying the designated network traffic flow associated with the flagged metadata as unknown; and where the difference does not exceed the tolerance threshold, classifying the designated network traffic flow associated with the flagged metadata according to a label applied to the item of the training dataset. (Pg. 17, section 1: “It is therefore desirable to have a reject option, i.e. an option to withhold a classifier decision.” Pg. 18, section 2: “‘Distance’ alludes to the decision criterion that a pattern is so far away from the training patterns in feature space that it is unlikely to be of any of the training classes. A ‘distance reject’ can also be considered as the detection of a novel class.” Pg. 26, section 5: “Therefore a threshold on the absolute distance of a test point from its neighboring training samples must be set, which is in the simplest case the mean distance to the k nearest neighbors… In the case k = 1, this is simply the distance to the nearest neighbor.” When the distance threshold is exceeded, the output of the model for the test point (i.e. flagged metadata) is a distance reject, where classification is withheld due to uncertainty (i.e. the traffic flow is classified as unknown). When the distance threshold is not exceeded, KNN classification proceeds as normal (i.e. the traffic flow is classified according to the label of its nearest neighbors in the training set).) It would have been obvious to one of ordinary skill in the art before the effective filing date of the present application to combine Buschlinger, Carreira, Scheidell, García, Islam, Warmenhoven, and Dalitz. Buschlinger teaches an intrusion detection system in which network traffic classification rules are generated on a backend by training a decision tree and then deployed in an operational environment. Carreira teaches training a decision tree in which each leaf node corresponds to a single training example. Scheidell teaches a rule-based intrusion detection system for generating, analyzing, filtering, and responding to attack alerts. García teaches eliminating noisy instances such as contradictory examples from training data for use in machine learning tasks. Islam teaches a decision tree-KNN hybrid model in which impure leaf nodes of a decision tree are designated for further classification using KNN. Warmenhoven teaches a decision tree-based intrusion detection system including an administrative device with a graphical user interface for parameter configuration. Dalitz teaches withholding KNN classification of instances which are far away from the training examples in feature space or whose classes are otherwise ambiguous. One of ordinary skill would have motivation to combine Buschlinger, Carreira, Scheidell, García, Islam, Warmenhoven, and Dalitz in order to “avoid classifications with a high probability of error” (Dalitz, pg. 18, section 2). Regarding Claim 12, Buschlinger, Carreira, Scheidell, García, Islam, Warmenhoven, and Dalitz teach The method of claim 11, as shown above. Islam also teaches further wherein: comparing the flagged metadata with the item of the training dataset comprises calculating a Euclidean distance [based on a plurality of features, both the flagged metadata and item of the training dataset have values for each feature of the plurality of features]; and the difference is the Euclidean distance. (Pg. 2, section I: “[KNN] uses Euclidean distance, Manhattan distance, Minkowski distance and others for calculating the distance between the training instance and the testing instance.” Euclidian distance is calculated between the testing instance (i.e. flagged metadata) and training instance (i.e. item of the training dataset).) Dalitz teaches Euclidian distance based on a plurality of features, both the flagged metadata and item of the training dataset have values for each feature of the plurality of features; (Pg. 17, figure 1: “An example for the kNN rule for a two dimensional feature space and k = 3. The black test point is assigned to class A, because among its k nearest neighbors the majority is of class A.” In figure 1, the distance in KNN is calculated in two dimensional feature space (i.e. based on a plurality of features), and both the test point (i.e. flagged metadata) and the various training points (i.e. item of training data) are mapped in two dimensional space (i.e. have values for each feature).) Claim 19-20 are product claims containing substantially the same elements as method claims 11-12, respectively. Buschlinger, Carreira, Scheidell, García, Islam, Warmenhoven, and Dalitz teach the elements of claims 11-12, as shown above. Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Buschlinger in view of Carreira and Scheidell and further in view of Islam et al. (hereinafter Islam), “KNNTree: A New Method to Ameliorate K-Nearest Neighbour Classification using Decision Tree”. Regarding Claim 15, Buschlinger, Carreira, and Scheidell teach The method of claim 14, as shown above. Buschlinger teaches designating flagged traffic flows to be classified at the second device. (Pg. 251, section IV-B(c): “For classification, the new unseen traffic data collected in the operational environment is passed through the LSTM. We assume that the raw traffic data has already been processed and prepared (e.g., removing data already recognized as malicious by the IDS by filtering based on the alert log) for use in the anomaly detector.” As can be seen in figure 2 (pg. 248), ‘Aggregated Traffic Logs’ representing new unseen data (i.e. flagged network traffic flows) are received at the backend from the operational environment to be classified by the backend’s ‘LSTM (Anomaly Detector)’ (i.e. at the second network device).) Buschlinger, Carreira, and Scheidell do not appear to explicitly disclose the remaining features of claim 15. However, Islam teaches further wherein applying the flagging strategy to the network traffic flow to designate the network traffic flow for classification at the second device comprises: designating the network traffic flow for classification [at the second device] because the network traffic flow has a combination of features matching a flag leaf node, wherein the flag leaf node was indicated within the flagging strategy. (Pg. 4, section III: “In proposed approach we first construct a decision tree from the training data till a depth L. From the root to the L’th level, the dataset gets divided into non overlapping subsets. After that, if the current node is not a leaf node, a KNN model is built on that subset… For each unique value of A i , if the corresponding subdataset contains only one column, that implies the leaf has been reached.” Pg. 2, section I: “For inference, the test instance goes through the DT [decision tree] based on the condition it fits in till it reaches any leaf or a KNN classifier. If it finds a leaf, it directly returns the result. Else, it returns the result obtained from KNN.” A leaf node according to Islam is a node whose subdataset has only one class label. If a node at max tree depth L (i.e. a leaf node according to the standard definition) does not meet this purity criterion, it is indicated as a node requiring further classification via KNN classifier (i.e. it is indicated as a flag leaf node by the flagging strategy). If a test instance (i.e. network traffic instance) reaches a KNN classifier (i.e. its features match the flag leaf node), it is designated for classification at the KNN classifier.) Conclusion THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN M ROHD whose telephone number is (571)272-6445. The examiner can normally be reached Mon-Thurs 8:00-6:00 EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Viker Lamardo can be reached at (571) 270-5871. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /B.M.R./Examiner, Art Unit 2147 /ERIC NILSSON/Primary Examiner, Art Unit 2151
Read full office action

Prosecution Timeline

Mar 06, 2023
Application Filed
Dec 04, 2025
Non-Final Rejection mailed — §103
Feb 18, 2026
Interview Requested
Feb 25, 2026
Examiner Interview Summary
Feb 25, 2026
Applicant Interview (Telephonic)
Mar 04, 2026
Response Filed
Jun 08, 2026
Final Rejection mailed — §103 (current)

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

3-4
Expected OA Rounds
0%
Grant Probability
0%
With Interview (+0.0%)
4y 3m (~11m remaining)
Median Time to Grant
Moderate
PTA Risk
Based on 2 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month