Notice of Pre-AIA or AIA Status
Claims 1-20 are presented for examination.  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 1/16/19 has been considered by the Examiner.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-14 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.  Independent claims 1 & 8 recite “one or bit patterns”, rendering the scope of the claim limitation unclear.  Claims 2-7 & 9-14 are rejected by virtue of their dependency on claims 1 & 8.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-14 are rejected under 35 U.S.C. 103 as being unpatentable over Judge (U.S. Patent Publication 2003/0172302) in view of Palliyil (U.S. Patent Publication 2005/0132206).

Regarding claims 1 and 8:
Judge discloses a method and computing program product for testing file data, comprising: performing a bit pattern test, wherein performing the bit pattern test comprises examining one or more portions of data in a file for one or bit patterns (see the various tests at paragraphs 0131, 0132, 0134, & 0135, wherein the invention examines inter alia the source addresses, Subject line, and attachment file name, all of which are character strings [i.e. bit patterns] characteristic of the email); identifying that the file has an extension (paragraph 0135); identifying that the file includes at least one portion corresponding to a bit pattern associated with executable code (e.g. detecting a virus as part of the attachment: paragraphs 0137 & 0138; see also paragraphs 0067 & 0068); and quarantining the file based on the identification of the extension associated non-executable code and the identification that the at least one portion corresponds to 
Although Judge can recognize and retain knowledge of the file extensions of email attachments (paragraph 0135), Judge does not explicitly disclose recognizing that the attachment extension is indicative of a file comprising non-executable code.  However, Palliyil discloses a related invention for defending against malware wherein it is disclosed that one may optionally scan files with a non-executable file extension for viruses, on the possibility that the file extension was deliberately changed to hide executable code (paragraphs 0056 & 0057).  It would have been obvious prior to the time of the instant invention to modify the Judge invention to determine that a particular file comprises a non-executable file extension, as doing so would be a known option within the grasp of a person of ordinary skill in the art in order to achieve the predictable result of detecting viruses hidden in intentionally mislabeled files (Palliyil, Ibid).
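The check discussed for claims 1 and 8 (a non-executable extension on a file whose leading bytes match an executable format) can be sketched as follows. This is an added example, not code from Judge, Palliyil or the application; the extension list, the function names and the constructed sample file are assumptions.

```python
import os
import struct

# Extensions treated as non-executable; this list is an assumption for the example.
NON_EXEC_EXTENSIONS = {".txt", ".jpg", ".png", ".pdf", ".doc", ".csv"}

# Mach-O magic numbers, 32/64-bit in both byte orders.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"}

def executable_signature(data: bytes):
    """Return the executable format whose bit pattern opens `data`, or None."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:4] in MACHO_MAGICS:
        return "Mach-O"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # "MZ" alone is weak evidence (plain text can start with it), so
        # follow e_lfanew at offset 0x3C to the "PE\0\0" signature.
        (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_offset:pe_offset + 4] == b"PE\x00\x00":
            return "PE"
    if data[:2] == b"#!":
        return "script"
    return None

def should_quarantine(filename: str, data: bytes):
    """Quarantine only when the extension says 'data' and the bytes say 'code'."""
    ext = os.path.splitext(filename)[1].lower()
    sig = executable_signature(data)
    if ext in NON_EXEC_EXTENSIONS and sig is not None:
        return True, f"{ext} extension but {sig} content"
    return False, "no mismatch"

def make_pe_stub() -> bytes:
    """Constructed sample: a minimal DOS header pointing at a PE signature."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20

if __name__ == "__main__":
    print(should_quarantine("invoice.pdf", make_pe_stub()))
    print(should_quarantine("notes.txt", b"MZ are my initials." + b" " * 64))
```
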

Regarding claims 2 and 9:	The combination further discloses performing a second test on the file (Judge, paragraphs 0108-0110 & 0137-0138); and identifying that the file is infectious based on a result of the second test (Judge, Ibid). 

Regarding claims 3 and 10:	The combination further discloses: identifying an increase in a number of email messages that includes the file (Judge, paragraphs 0135-0138); and assigning an 

Regarding claims 4 and 11:	The combination further discloses: identifying a file type of the file (Judge, paragraphs 0135-0136); identifying that the number of email messages that include the file are associated with a first subnet of a computer network and a first group of a plurality of groups of an organization (Ibid); and identifying that the file type is not characteristic of the first organization (Ibid). 

Regarding claims 5 and 12:	The combination further discloses: classifying the email messages as suspicious based on the number of email messages that include the file (Judge, paragraph 0135); receiving one or more additional messages that include the file, wherein the number of email messages that include the file is incremented for each of the one or more additional messages received (Ibid); and classifying the email messages as infectious based on the incremented number of email messages (Ibid). 

Regarding claims 6 and 13:	The combination further discloses sending a cancellation message to an email server specifying that emails including the file are to be cancelled, wherein the email server deletes subsequent emails that include the file in accordance with the cancellation message (Judge, paragraph 0122). 

Claims 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Judge (U.S. Patent Publication 2003/0172167) [1] in view of “Anomalous Payload-based Network Intrusion Detection” (hereinafter, “Wang”).

Regarding claim 15:
Judge discloses a method for testing file data, the method comprising: establishing an N-gram model as a baseline of token sequences based on a series of known good messages (paragraph 0183), and quarantining the first received message based on the comparison indicating that the first received message is likely not legitimate (paragraph 0217). 
Although Judge discloses the use of n-gram models to scan messages, Judge does not disclose the explicit details of this approach.  However, Wang discloses an approach to scanning messages using n-gram models (e.g. page 4, last paragraph; and page 5, “3.1 Length Conditioned n-gram Payload Model”) wherein each of the token sequences is associated with a corresponding probability (i.e. the confidence values PAYL operates as follows.  We first observe many exemplar payloads during a training phase…”); comparing the N-gram sequences of the first received message with the token sequences and the corresponding probabilities, wherein the comparison results in a probability of the first received message being legitimate (Ibid).  It would have been obvious prior to the time of the instant invention to use the technique disclosed by Wang in part or in whole as the n-gram embodiment of the Judge invention, as doing so would result in a method to detect dangerous HTTP traffic [i.e. traffic on port 80] with nearly 100% accuracy and only a 0.1% false positive rate (Wang, page 18, “Conclusion”).

Regarding claim 16:	The combination further discloses: performing a second test on the first received message (Judge, e.g. paragraph 0047-0051 & 0249); and identifying that the first received message is infectious based on a result of the second test (Judge, Ibid). 

Regarding claim 17:	The combination further discloses comparing the probability of the first received message being legitimate to a predetermined infectiousness threshold, wherein the comparison indicates that the first received message is likely not legitimate (Judge, paragraphs 0114 & 0216), wherein quarantining the first message is further based on the infectiousness probability threshold being met (Judge, paragraph 0217). 
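The sequence discussed for claims 15 and 17 (a baseline of n-grams from known good messages, a per-message legitimacy score, a predetermined threshold, quarantine) is sketched below. This is an added example using a simplified smoothed-frequency score, not Wang's PAYL model and not code from Judge or the application; the n-gram length, the smoothing weight, the rule that derives the threshold and the sample messages are all assumptions.

```python
import math
from collections import Counter

N = 3         # n-gram length (assumption for this example)
ALPHA = 0.01  # smoothing weight for n-grams never seen in training (assumption)

def ngrams(msg: bytes, n: int = N):
    return [msg[i:i + n] for i in range(len(msg) - n + 1)]

class Baseline:
    """n-gram frequencies learned from known-good messages."""

    def __init__(self, good_messages, floor_ratio=0.25):
        self.counts = Counter()
        for m in good_messages:
            self.counts.update(ngrams(m))
        total = sum(self.counts.values())
        # One extra vocabulary slot stands for "any unseen n-gram".
        self.denom = total + ALPHA * (len(self.counts) + 1)
        # Threshold is fixed before any message is received: a fraction of the
        # lowest score among the known-good messages (assumed rule).
        self.threshold = floor_ratio * min(self.score(m) for m in good_messages)

    def score(self, msg: bytes) -> float:
        """Geometric mean of the smoothed probabilities of the message's n-grams."""
        grams = ngrams(msg)
        if not grams:
            return 0.0  # too short to score; treated as the lowest score
        logp = sum(math.log((self.counts[g] + ALPHA) / self.denom) for g in grams)
        return math.exp(logp / len(grams))

    def quarantine(self, msg: bytes) -> bool:
        return self.score(msg) < self.threshold

# Constructed sample data, not taken from any reference.
KNOWN_GOOD = [
    b"Please find the meeting agenda attached.",
    b"The meeting is moved to Monday.",
    b"Agenda for Monday attached, please review.",
]
BINARY_BLOB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"

if __name__ == "__main__":
    b = Baseline(KNOWN_GOOD)
    for m in (b"The meeting agenda", BINARY_BLOB):
        print(m, b.score(m), b.quarantine(m))
```
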



Regarding claim 19:	The combination further discloses wherein the similar emails are identified based on at least one of a receipt time, a number of recipients, an identity of a sender, a size of an attachment, a file name, a file extension type, or a file type (see the various tests of Judge, paragraphs 0272-0277). 

Regarding claim 20:	The combination further discloses wherein the file type is identified by examining a binary sequence associated with a file attached to the first received message (Judge, paragraph 0276). 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: U.S. Patent Publication 2005/0111367 (Jonathan Chao).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS A GYORFI whose telephone number is (571)272-3849.  The examiner can normally be reached on 10:00am - 6:30pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


THOMAS A. GYORFI
Examiner
Art Unit 2435



/THOMAS A GYORFI/Examiner, Art Unit 2435    2/13/2021

[1] Please be advised that this reference, although from the same inventive unit as the reference used in the rejection of claims 1-14, is a separate and distinct reference therefrom.