Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Detailed Action
Response to Amendment
This office action is in response to the amendment filed on 01/19/2021 to application 15/885,388, filed on 01/31/2018. Claims 1-6, 8-10 and 12-29 are pending in this communication. Applicant's arguments filed on 01/19/2021 have been fully considered but they are not persuasive. CLEVY; Laurent et al. (US 2012/0272316 A1) has been added to address the newly added limitations. Accordingly, this action has been made final.

Response to Arguments
Applicant's arguments filed 01/19/2021 have been fully considered.
Applicant’s Argument:

Examiner’s response:
These arguments have been respectfully considered and the following rejection addresses them. NGUYEN further discloses “wherein the filtering out of system-generated events includes filtering out network activities associated with a predetermined network protocol” {[0009], “data may be collected from system log-files, packet sniffers, Simple Network Management Protocol (SNMP) traps and queries, computer system user behavioral databases, computer network messages, etc.”. Examiner’s note: a predetermined protocol for filtering could be SNMP, an application layer protocol of the Internet Protocol suite}.
Applicant’s Argument:
As amended, independent Claims 1, 16, and 20 further recite analyzing logs for "a set of entries occurring within a predetermined sliding time window that matches the malware profile" and determining that a host has been compromised if "the set of entries" is identified as "occurring within the predetermined sliding time window." Support for the amendments may be found, without limitation, in the Specification at [0060] and [0066]. No new matter has been added. Neither Baliga nor Nguyen discloses use of such a malware profile in such a manner. Accordingly, independent Claims 1, 16, and 20 are believed to be allowable.
Examiner’s response:
CLEVY discloses “determine, based at least in part on identifying the set of entries occurring within the predetermined sliding time window as matching the malware profile, that a host was compromised” {[0077], “During the hashing step 112, information on any potential authorization to store transmitted packets that thus makes it possible to analyze the packets that are suspected of being infected. When the service provider is given such an authorization, these packets may be analyzed, for example within a sliding time window so that packets that have been stored for a predetermined time are deleted”}.
Applicant’s Argument:
Applicant argues that the remaining claims depend, either directly or indirectly from one of the aforementioned independent claims and are therefore also believed to be allowable.
Examiner’s response:
These arguments have been respectfully considered but they are not persuasive, as the previously presented as well as the amended limitations are taught or suggested by the cited references. The other independent claims and the dependent claims are rejected for the same reasons set forth for independent claim 1 above.

Claim Rejections - 35 USC § 103
The following is a quotation of AIA 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claims 1-6, 8-10, 12-14 and 16-28 are rejected under AIA 35 U.S.C. 103 as being unpatentable over BALIGA; Arati et al., Pat. No.: US 8,695,095 B2 in view of NGUYEN, Timothy Thien-Kiem et al., Pub. No.: US 2004/0064731 A1 and further in view of CLEVY; Laurent et al., Pub. No.: US 2012/0272316 A1.

Regarding Claim 1, BALIGA discloses a system, comprising:
a processor {col. 20 lines 61-64. Examiner’s note: support for overcoming a 35 U.S.C. 101 software per se rejection is available at the last line of claim 1} configured to:
receive a malware profile {Fig. 9 & col. 12 lines 55-57, “If a device suspected of exhibiting malware behavior has been detected (Y at 904), then at 906 a traffic profile of the malware is generated” … (col.13 lines 2-4), “at 912 the traffic profile of the suspect malware behavior is sent, transmitted, or otherwise provided to the suspect device”}, wherein the malware profile comprises a … [action] previously taken by a known malicious application during execution of the known malicious application {Fig. 4 & col. 8 lines 38-42, “the analysis component 402 can start with information related to one or more pieces of malware previously known to be residing in the network 100, and can identify data traffic and data flows that are similar to the data traffic and data flows generated by the known malware”}, …
analyze a set of one or more logs for a set of entries occurring within a predetermined … time window {Fig. 6 & col. 10 lines 21-23, “the mobility log 602 chronicles, tracks, or otherwise maintains information for each outgoing data request from a mobile device. … a start time 606 for each request, an end time 608 for which the assigned IP address 604 was valid, and a device identification 610, such as an IMSI or an IMEI of the device generating the request”} that matches the malware profile {col. 2 lines 41-43, “a correlation component configured to analyze a set of logs that maintain records regarding activities of a set of devices” … (Fig. 4 & col. 8 lines 26-29), “The analysis component 402 analyzes data in the core network 102 or at the edge of the network 100 where the core network 102 connects to the mobility network 104 (see FIG. 1)”};
…
in response to determining that the host has been compromised, take a remedial action with respect to the host {Fig. 9 elements 922, 924 & col. 13 lines 26-33, “If it is determined that additional action is required (Y at 922), then at 924 additional mitigation actions can be performed, including but not limited to automatically dropping packets from the suspect application/binary, quarantining the suspect application/binary, or blocking user access to the suspect application/binary. If the user elects to delete the suspect application/binary (Y at 920), then at 926 the application/ binary is removed from the device”}; and
a memory coupled to the processor and configured to provide the processor with instructions {Fig. 16 & col. 20 lines 61-64, “non-mobile device 1605 includes processor 1685 which can be functionally coupled (e.g., through a memory bus) to memory 1695 in order to store and retrieve information to operate and/or confer functionality”}.
BALIGA, however, does not explicitly disclose
… sequence of network events and corresponding attributes …
… wherein the malware profile was generated at least in part by filtering out, from a raw profile comprising network activity events, system-generated events taken by a sample analysis system coincident to the execution of the malicious application, and wherein the filtering out of system-generated events includes filtering out network activities associated with a predetermined network protocol;
determine, based at least in part on identifying the set of entries occurring within the predetermined sliding time window as matching the malware profile, that a host was compromised; and
In an analogous reference NGUYEN discloses
sequence of network events and corresponding attributes {[0005], “Data collected and available to IDS's may be used in order to detect future security breaches by creating databases of historical activity on the computer network.  Such databases may include signatures, which describe attributes of, or sequences of actions, that typify attacks on computer networks … Thus, IDS's may detect anomalous user behavior or computer network activity by comparing observed activity against expected stored databases and/or profiles developed for users, groups of users, applications, or computer network resource usage”}
wherein the malware profile was generated at least in part by filtering out, from a raw profile comprising network activity events, system-generated events taken by a sample analysis system coincident to the execution of the malicious application {[0054], “However, certain of the events may be eliminated from a set of events obtained. For example, a Windows attack against a Unix computer may be eliminated from the set of events because it is an ineffectual attack. A significance criteria or criterion may be used to determine whether the event is significant or insignificant. A determination is then made as to whether the event is suitable for aggregation or elimination (Step 186). Typically, numerous events will be obtained every day from the IN. … Thus, by elimination and aggregation, the set of events is reduced to obtain a reduced set of events”}, and wherein the filtering out of system-generated events includes filtering out network activities associated with a predetermined network protocol {[0009], “data may be collected from system log-files, packet sniffers, Simple Network Management Protocol (SNMP) traps and queries, computer system user behavioral databases, computer network messages, etc.”. Examiner’s note: a predetermined protocol for filtering could be SNMP, an application layer protocol of the Internet Protocol suite};
In an analogous reference CLEVY discloses
… sliding [time window] {[0077]}…
determine, based at least in part on identifying the set of entries occurring within the predetermined sliding time window as matching the malware profile, that a host was compromised {[0077], “During the hashing step 112, information on any potential authorization to store transmitted packets that thus makes it possible to analyze the packets that are suspected of being infected.  When the service provider is given such an authorization, these packets may be analyzed, for example within a sliding time window so that packets that have been stored for a predetermined time are deleted”}; and
The motivation to combine is to consolidate action/reaction to protect assets, enhance capacity and security management capabilities, and escalate reactive actions to ensure timely resolution of intrusions; in addition, the invention is easily extended to include new systems/devices. For intrusion detection, the data mining algorithms include link analysis, clustering, association, rule abduction, deviation analysis, and sequence analysis based on a time window. Such data mining algorithms provide the ability to identify or extract relevant intrusion data and provide analysts with different views of the collected data to formulate appropriate and efficient malware remediation.

Regarding Claim 2, BALIGA as modified by NGUYEN & CLEVY discloses all the features of claim 1 and further discloses
wherein the set of logs comprises entries associated with a plurality of hosts and wherein analyzing the set of logs includes performing, for each respective host included in the plurality of hosts, a search {BALIGA: col. 25, claim 5, “wherein the comparing the internet protocol address to the mobility log comprises querying a general packet radio service support node device”. Examiner’s note: ‘a set of IP addresses’, i.e., IP devices or processes, functions as the plurality of hosts}.

Regarding Claim 3, BALIGA as modified by NGUYEN & CLEVY discloses all the features of claim 1 and further discloses
wherein determining that the set of entries matches the malware profile comprises determining a subsequence match {BALIGA: Fig. 12 & col. 15, lines 35-46, “at 1204, the data traffic on the mobile device is inspected, and at 1206 the data traffic on the mobile device is correlated, compared, or otherwise analyzed against the suspect traffic profile … At 1208, a determination is made as to whether a binary (or application) matching the traffic profile has been identified? If a binary matching the traffic profile has not been identified (N at 1208), then the methodology 1200 returns to the 1204, and continues inspecting data traffic on the mobile device”}.
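The technique recited in claim 1 (a malware profile built by filtering system-generated events of a predetermined protocol out of a sandbox capture, then searched for in host logs within a predetermined sliding time window, followed by a remedial action), together with the per-host search of claim 2 and the subsequence match of claim 3, can be illustrated end to end. The following is an added example written for this page; it is not code from the application, from BALIGA, NGUYEN or CLEVY, and it assumes a simple key=value log format, equality-based event comparison, SNMP as the filtered protocol (the examiner's own example above) and a five-minute window, all of which are assumptions for illustration. The log lines are constructed.

```python
"""Added example: profile filtering, sliding-window subsequence match, remediation.

Assumptions (not from the page): log lines are
'<ISO-8601 UTC> host=<ip> proto=<label> dport=<port> attr=<string>',
events compare by exact equality, SNMP is the predetermined protocol
filtered out of the raw sandbox profile, and the window is 5 minutes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class NetEvent:
    proto: str   # protocol label, e.g. "dns", "http", "tcp", "snmp"
    dport: int   # destination port
    attr: str    # attribute: queried name, HTTP host, probed range, ...


@dataclass(frozen=True)
class LogEntry:
    ts: datetime
    host: str
    event: NetEvent


# Predetermined protocol(s) treated as sandbox/system noise (assumption: SNMP).
SYSTEM_PROTOCOLS = {"snmp"}
WINDOW = timedelta(minutes=5)   # predetermined sliding time window (assumption)

# Constructed raw profile: what a sandbox captured while running the sample.
RAW_PROFILE = [
    NetEvent("snmp", 161, "sysUpTime"),          # sandbox monitoring, not malware
    NetEvent("dns", 53, "c2.example.test"),       # C2 name resolution
    NetEvent("http", 80, "c2.example.test"),      # C2 beacon
    NetEvent("tcp", 445, "10.0.0.0/24"),          # service probing on SMB
]

# Constructed log lines for three hosts.
LOGS = [
    "2021-01-19T10:00:01Z host=10.0.0.5 proto=dns dport=53 attr=c2.example.test",
    "2021-01-19T10:00:03Z host=10.0.0.5 proto=dns dport=53 attr=updates.vendor.test",
    "2021-01-19T10:00:09Z host=10.0.0.5 proto=http dport=80 attr=c2.example.test",
    "2021-01-19T10:01:30Z host=10.0.0.5 proto=tcp dport=445 attr=10.0.0.0/24",
    "2021-01-19T10:00:00Z host=10.0.0.7 proto=dns dport=53 attr=c2.example.test",
    "2021-01-19T10:00:05Z host=10.0.0.7 proto=http dport=80 attr=c2.example.test",
    "2021-01-19T10:25:00Z host=10.0.0.7 proto=tcp dport=445 attr=10.0.0.0/24",
    "2021-01-19T11:00:00Z host=10.0.0.9 proto=snmp dport=161 attr=sysUpTime",
    "2021-01-19T11:00:02Z host=10.0.0.9 proto=http dport=80 attr=c2.example.test",
    "2021-01-19T11:00:04Z host=10.0.0.9 proto=dns dport=53 attr=c2.example.test",
    "2021-01-19T11:00:06Z host=10.0.0.9 proto=tcp dport=445 attr=10.0.0.0/24",
]


def build_profile(raw_events, system_protocols=frozenset(SYSTEM_PROTOCOLS)):
    """Malware profile = raw profile minus events of the predetermined protocol(s)."""
    return tuple(e for e in raw_events if e.proto not in system_protocols)


def parse_log(lines):
    """Parse the assumed key=value log format into LogEntry records."""
    entries = []
    for line in lines:
        ts_str, *kv = line.split()
        f = dict(p.split("=", 1) for p in kv)
        entries.append(LogEntry(
            ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            host=f["host"],
            event=NetEvent(f["proto"], int(f["dport"]), f["attr"]),
        ))
    return entries


def is_subsequence(profile, events):
    """Ordered subsequence match: each profile event occurs, in order, with gaps allowed."""
    it = iter(events)
    return all(any(p == e for e in it) for p in profile)


def find_match_in_window(profile, entries, window=WINDOW):
    """Slide a fixed-length window over one host's entries; return its start time on match."""
    entries = sorted(entries, key=lambda e: e.ts)
    for i, start in enumerate(entries):
        in_window = [e.event for e in entries[i:] if e.ts - start.ts <= window]
        if is_subsequence(profile, in_window):
            return start.ts
    return None


def detect_compromised(profile, entries, window=WINDOW):
    """Per-host search (claim 2); map compromised host -> window start of the match."""
    by_host = {}
    for e in entries:
        by_host.setdefault(e.host, []).append(e)
    hits = {}
    for host, host_entries in by_host.items():
        ts = find_match_in_window(profile, host_entries, window)
        if ts is not None:
            hits[host] = ts
    return hits


def remediate(host):
    """Remedial action record; quarantine is one of the actions the page lists."""
    return {"host": host, "action": "quarantine"}


def run_detection(raw_profile=RAW_PROFILE, lines=LOGS, window=WINDOW):
    """Whole pipeline: filter profile, parse logs, match per host, remediate."""
    profile = build_profile(raw_profile)
    hits = detect_compromised(profile, parse_log(lines), window)
    return [remediate(h) for h in sorted(hits)]


if __name__ == "__main__":
    for action in run_detection():
        print(action)
```

Host 10.0.0.5 matches: the three profile events occur in order inside one five-minute window despite an unrelated DNS entry between them. Host 10.0.0.7 does not, because its SMB probe falls outside the window; host 10.0.0.9 does not, because its events are out of order, which is what distinguishes a subsequence match from a plain set match.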

Regarding Claim 4, BALIGA as modified by NGUYEN & CLEVY discloses all the features of claim 1 and further discloses
wherein the processor is further configured to transmit a copy of a sample to a security platform for analysis {BALIGA: Fig. 4 element 302 – ‘Malware Detection Component’, Fig. 12 & col. 15 lines 27-30, “methodology 1200 can begin at block 1202, wherein a suspect traffic profile is obtained, received, or otherwise acquired from a mobility network”}.

Regarding Claim 5, BALIGA as modified by NGUYEN & CLEVY discloses all the features of claim 1 and further discloses
wherein the malware profile is received from the security platform {BALIGA: Fig. 4 element 302 – ‘Malware Detection Component’, Fig. 12 & col. 15 lines 27-30. Examiner’s note: malware profile is processed inside a security architecture}.

Regarding Claim 6, BALIGA as modified by NGUYEN & CLEVY discloses all the features of claim 1 and further discloses
wherein the malware profile is received in response to the security platform determining that the sample is malicious {BALIGA: Fig. 12 & col. 15 lines 42-43, “at 1208, a determination is made as to whether a binary (or application) matching the traffic profile has been identified”}.

Regarding Claim 7, cancelled.

Regarding Claim 8, BALIGA as modified by NGUYEN & CLEVY discloses all the features of claim 1 and further discloses
wherein analyzing the set of one or more logs is performed periodically {BALIGA: Fig. 4 & col.10 lines 5-11, “the confirmation component 510 can determine that the period of time from time T1 to time T2 is less than the predetermined duration threshold desired to obtain positive identification of the suspect mobile device. As a result, the confirmation component 510 can hold off sending the traffic profile and/or an indication to the mobile device until the IMSI or IMEI of the mobile device is again determined by the correlation component 504 to be linked to an IP address that is suspected of malware infection”. Examiner’s note: a configured time threshold period is used for further assessment of the intrusion}.

Regarding Claim 9, BALIGA as modified by NGUYEN & CLEVY discloses all the features of claim 1 and further discloses
wherein analyzing the set of one or more logs {BALIGA: col 2 lines 41-43, “a correlation component configured to analyze a set of logs that maintain records regarding activities of a set of devices”} is performed in response to receipt of the malware profile {Fig. 12 & col. 15 lines 42-43, “at 1208, a determination is made as to whether a binary (or application) matching the traffic profile has been identified”}.

Regarding Claim 10, BALIGA as modified by NGUYEN & CLEVY discloses all the features of claim 1 and further discloses
wherein the malware profile is generated {BALIGA: Fig. 4 element 404 & col. 8 lines 53-54, “the profile generation component 404 generates a traffic profile of the suspected malware behavior”} at least in part by abstracting a capture of network activity associated with the execution of the known malicious application into a set of network activities taken by the known malicious application {BALIGA: Fig. 3 & col. 2 lines 52-55, “obtaining, from a core network, an internet protocol address that is exhibiting bot behavior, a profile of the bot behavior, and a time when the internet protocol address was exhibiting the bot behavior”. Examiner’s note: ‘Internet Protocol address’ refers to a device, or a process on it, using that IP address}.

Regarding Claim 11, cancelled.

Regarding Claim 12, BALIGA as modified by NGUYEN & CLEVY discloses all the features of claim 1 and further discloses
at least one activity included in the set of activities taken by the known malicious application comprises service probing {BALIGA: col. 1 lines 46-51, “a compromised mobile device can cause serious issues for both the user and the associated communication infrastructure. Malicious software on a mobile device can transmit spam messages over the wireless network, make expensive international calls, track and disrupt user activity, or send text messages to premium numbers without the user's knowledge or permission”. Examiner’s note: the malware penetrates or probes normal communication services}.

Regarding Claim 13, BALIGA as modified by NGUYEN & CLEVY discloses all the features of claim 1 and further discloses
wherein at least one activity included in the set of activities taken by the known malicious application comprises a denial of service activity {BALIGA: col. 5 lines 63-66, ”the bot master can issue commands to the compromised mobile devices 202, via the set of command and control servers 204, to execute a denial of service (DoS) attack against the set of remote targets 206”}.

Regarding Claim 14, BALIGA as modified by NGUYEN & CLEVY discloses all the features of claim 1 and further discloses
wherein at least one activity included in the set of activities taken by the known malicious application comprises a local action taken by the known malicious application {BALIGA: col. 1 lines 46-51, “a compromised mobile device can cause serious issues for both the user and the associated communication infrastructure. Malicious software on a mobile device can transmit spam messages over the wireless network, make expensive international calls, track and disrupt user activity, or send text messages to premium numbers without the user's knowledge or permission”. Examiner’s note: while the malware interrupts or probes services, individual user devices are also intruded upon locally, the device being used for local actions such as making expensive international calls}.

Regarding claim 16, claim 16 is a method claim that uses the system of claim 1. Therefore, claim 16 is rejected for the reasons set forth for claim 1.

Regarding claim 17, claim 17 depends from claim 16 and is a method claim that uses the system of claim 2. Therefore, claim 17 is rejected for the reasons set forth for claim 2.

Regarding claim 18, claim 18 depends from claim 16 and is a method claim that uses the system of claim 3. Therefore, claim 18 is rejected for the reasons set forth for claim 3.

Regarding claim 19, claim 19 depends from claim 16 and is a method claim that uses the system of claim 10. Therefore, claim 19 is rejected for the reasons set forth for claim 10.

Regarding claim 20, claim 20 is a computer program product claim, embodied in a non-transitory computer readable storage medium, that uses the system of claim 1. Therefore, claim 20 is rejected for the reasons set forth for claim 1.

Regarding claim 21, claim 21 depends from claim 16 and is a method claim that uses the system of claim 4. Therefore, claim 21 is rejected for the reasons set forth for claim 4.

Regarding claim 22, claim 22 depends from claims 21 and 16 and is a method claim that uses the system of claim 5. Therefore, claim 22 is rejected for the reasons set forth for claim 5.

Regarding claim 23, claim 23 depends from claims 22, 21 and 16 and is a method claim that uses the system of claim 6. Therefore, claim 23 is rejected for the reasons set forth for claim 6.

Regarding claim 24, claim 24 depends from claim 16 and is a method claim that uses the system of claim 8. Therefore, claim 24 is rejected for the reasons set forth for claim 8.

Regarding claim 25, claim 25 depends from claim 16 and is a method claim that uses the system of claim 9. Therefore, claim 25 is rejected for the reasons set forth for claim 9.

Regarding claim 26, claim 26 depends from claim 16 and is a method claim that uses the system of claim 12. Therefore, claim 26 is rejected for the reasons set forth for claim 12.

Regarding claim 27, claim 27 depends from claim 16 and is a method claim that uses the system of claim 13. Therefore, claim 27 is rejected for the reasons set forth for claim 13.

Regarding claim 28, claim 28 depends from claim 16 and is a method claim that uses the system of claim 14. Therefore, claim 28 is rejected for the reasons set forth for claim 14.

Claims 15 and 29 are rejected under AIA 35 U.S.C. 103 as being unpatentable over Baliga; Arati et al. (hereinafter BALIGA), Pat. No.: US 8,695,095 B2 in view of Nguyen, Timothy Thien-Kiem et al. (hereinafter NGUYEN), Pub. No.: US 2004/0064731 A1 and further in view of CLEVY; Laurent et al., Pub. No.: US 2012/0272316 A1 and SANDERS; Kyle et al., Pat. No.: US 9,165,142 B1.

Regarding Claim 15, BALIGA as modified by NGUYEN & CLEVY discloses all the features of claim 1, however, the combination does not explicitly disclose
wherein the malware profile corresponds to a malware family and wherein the known malicious application shares the malware profile with a plurality of malicious applications that are members of the malware family.
In an analogous teaching SANDERS discloses
wherein the malware profile corresponds to a malware family {Fig. 3 & col. 7 lines 23-25, at 312, “a malware family determination of the potential malware sample is provided if there is a profile signature match”} and wherein the known malicious application shares the malware profile with a plurality of malicious applications that are members of the malware family {col. 9 lines 39-42, “determining that a particular malware sample is a member of a known malware family provides valuable information to security vendors and customers”}.
The motivation to combine is to consolidate action/reaction to protect assets, enhance capacity and security management capabilities, and escalate reactive actions to ensure timely resolutions; in addition, the invention is easily extended to include new systems/devices.

Regarding claim 29, claim 29 depends from claim 16 and is a method claim that uses the system of claim 15. Therefore, claim 29 is rejected for the reasons set forth for claim 15.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
The following prior art has been considered but is not applied:
NEIL; Joshua Charles et al. (US 20150020199 A1): Path scanning for the detection of anomalous subgraphs and use of DNS requests and host. Summary – Detecting network intrusions, anomalies, and policy violations, and more particularly, detecting them by path scanning for the detection of anomalous subgraphs. Sliding windows of time may be used to examine the data. Stochastic models may be built for each path, and historical parameters may be compared with current estimated parameters in the time window to determine the level of anomalousness.
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to QUAZI FAROOQUI whose telephone number is (571) 270-1034. The examiner can normally be reached on M-F 8:30AM-5:00PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ashok B. Patel can be reached on 571-272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-270-2034.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications is available at http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/QUAZI FAROOQUI/
Examiner, Art Unit 2491