DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Objections
Claim 23 is objected to for the following informality:
Regarding claim 23, the claim recites an acronym (TCP/IP) which is not fully written out in the claim language. For clarity, the examiner recommends fully defining the acronym in the claim language. Corrective action is required.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: network monitoring unit and network activity analyzer in claim 32.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) 
Allowable Subject Matter
Claims 2-4 and 19-20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter:  the prior art, either alone or in combination does not expressly disclose a method wherein the analysis of the data packets further encompasses the subject matter of the objected to claims.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5-12, 21-25 and 31-32 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang et al (US 2016/0381070) in view of Stiansen et al (US 2016/044054).
Regarding claims 1, 31 and 32, Zhang et al discloses a method, a non-transitory storage medium having stored thereon instructions that, when executed by a machine, cause the machine to perform a method and a system comprising [0021-0022]: 
a network activity analyzer to analyze packets of data that are transported via said communication network; and based on said analyzing, performing at least one of: (I) determining that said a particular server is a malicious infecting web-server that infects multiple accessing devices with a cryptocurrency mining malware; (II) determining that a specific server is a malicious Command and Control (C&C) server that commands and controls a distributed bot-net of cryptocurrency mining bots [0036, 0037 0032];
Please note that in this example traffic is processed by the security device to determine if different protocols have been broken. 
However, Zhang et al does not expressly disclose but Stiansen et al discloses a method, a non-transitory storage medium having stored thereon instructions that, when executed by a machine, cause the machine to perform a method and a system comprising:
a network monitoring unit to monitor communication network activity of an end-user device that communicates with one or more servers over a communication network [0027, 0028, 0039];
Please note that in this example a monitoring agent may be utilized to monitor network traffic. 
It would have been obvious to one of ordinary skill in the art to create the invention as claimed for the following reasons. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Zhang et al by monitoring captured traffic, for the purpose of analyzing traffic patterns for malicious activity, based upon the beneficial teachings provided by Stiansen et al, see for example [0039]. These modifications would result in ease of use and increased security, both of which are obvious benefits to the skilled artisan. Additionally, the cited references are in the field of computer security, as is the current application, and thus, are in analogous arts.
Regarding claim 5, Zhang et al and Stiansen et al disclose all the limitations of the method of claim 1. Zhang et al further discloses the analyzing comprises: correlating among network communications of multiple end-user devices that have been identified as engaging in cryptocurrency mining activity, to identify a particular remote entity which is the malicious infecting web-server that infects multiple accessing devices with a cryptocurrency mining malware [0032, 0036-0037]. 
Regarding claim 6, Zhang et al and Stiansen et al disclose all the limitations of the method of claim 1. Zhang et al further discloses the analyzing comprises: correlating among network communications of multiple end-user devices, that have been identified as engaging in cryptocurrency mining activity, to identify a particular remote entity which is the malicious Command and Control (C&C) server that commands and controls a distributed bot-net of cryptocurrency mining bots [0032, 0036-0037]. 
Regarding claim 7, Zhang et al and Stiansen et al disclose all the limitations of the method of claim 1. Zhang et al further discloses the analyzing comprises: detecting a first set of 
Regarding claim 8, Zhang et al and Stiansen et al disclose all the limitations of the method of claim 1. Zhang et al further discloses selectively blocking some, but not all, of data packets that are sent from said end-user device via said communication network, based on determining that said end-user device is an infected and activated and operational cryptocurrency mining bot (i.e., blocking traffic to or from) [0036]. 
Regarding claim 9, Zhang et al and Stiansen et al disclose all the limitations of the method of claim 1. Zhang et al further discloses selectively blocking some, but not all, of data packets that are sent towards said end-user device via said cellular communication network, based on determining that said end-user device is an infected and activated and operational cryptocurrency mining bot (i.e., blocking traffic to or from) [0036]. 
Regarding claim 10, Zhang et al and Stiansen et al disclose all the limitations of the method of claim 1. Zhang et al does not disclose but Stiansen et al further discloses sending an alert notification to a user of said end-user device, indicating that it was determined that said end-user device is an infected and activated and operational cryptocurrency mining bot [0039]. 
The rationale to combine is the same as disclosed in point (19). 
Regarding claim 11, Zhang et al and Stiansen et al disclose all the limitations of the method of claim 1. Zhang et al does not disclose but Stiansen et al further discloses sending a query notification to a user of said end-user device, querying whether said user is aware that said end-user device is performing cryptocurrency mining activity; upon receiving a positive response, authorizing further network communications from and to said end-user device; upon receiving a negative response, blocking at least some network communications to or from said end-user device [0039]. 
The rationale to combine is the same as disclosed in point (19). 
Regarding claim 12, Zhang et al and Stiansen et al disclose all the limitations of the method of claim 1. Zhang et al further discloses (A) blocking transport of data packets that belong to one or more of the following groups: (i) data packets sent from said malicious infecting web-server to said end-user device; (ii) data packets sent to said malicious infecting web-server by said end-user device; (iii) data packets sent from said malicious C&C server to said end-user device; (iv) data packets sent to said malicious C&C server from said end-user device; (B) relaying and transporting data packets that are sent to said end-user device or that are sent from said end-user device, and that do not belong to any of the groups (i), (ii), (iii) or (iv) [0036-0037]. 
Regarding claim 21, Zhang et al and Stiansen et al disclose all the limitations of the method of claim 1. Zhang et al further discloses determining that said end-user device is associated with a device-type; analyzing network activity data of said end-user device, relative to network activity data of other end-user devices of same device-type; detecting that both (I) said end-user device, and (II) said other end-user devices, exhibit a same activity pattern of (i) 
Regarding claim 22, Zhang et al and Stiansen et al disclose all the limitations of the method of claim 1. Zhang et al does not disclose but Stiansen et al further discloses the communication network is a cellular communication network; wherein the analyzing comprises analyzing of cellular data packets [0039-0041]. 
The rationale to combine is the same as disclosed in point (19). 
Regarding claim 23, Zhang et al and Stiansen et al disclose all the limitations of the method of claim 1. Zhang et al does not disclose but Stiansen et al further discloses the communication network is a cellular communication network; wherein the analyzing comprises analyzing of cellular data packets in TCP/IP format [0039-0041, 0116, 0005-0006]. 
The rationale to combine is the same as disclosed in point (19). 
Regarding claim 24, Zhang et al and Stiansen et al disclose all the limitations of the method of claim 1. Zhang et al does not disclose but Stiansen et al
The rationale to combine is the same as disclosed in point (19). 
Regarding claim 23, Zhang et al and Stiansen et al disclose all the limitations of the method of claim 1. Zhang et al does not disclose but Stiansen et al further discloses the communication network is a cellular communication network; wherein the analyzing comprises analyzing of cellular data packets; wherein the method further comprises: (A) blocking transport of cellular data packets that belong to one or more of the following groups: (i) cellular data packets sent from said malicious infecting web-server to said end-user device; (ii) cellular data packets sent to said malicious infecting web-server by said end-user device; (iii) cellular data packets sent from said malicious C&C server to said end-user device: (iv) cellular data packets sent to said malicious C&C server from said end-user device: (B) relaying and transporting cellular data packets that are sent to said end-user device or that are sent from said end-user device, and that do not belong to any of the groups (i), (ii), (iii) or (iv) [0039-0041, 0116, 0005-0006]. 
The rationale to combine is the same as disclosed in point (19). 
Claims 13-17 and 26-30 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang et al (US 2016/0381070) in view of Stiansen et al (US 2016/044054) and in further view of Boubez et al (US 2015/0341246).
Regarding claims 13-16, Zhang et al and Stiansen et al disclose all the limitations of the method of claim 1. Zhang et al and Stiansen et al do not disclose but Boubez et al
It would have been obvious to one of ordinary skill in the art to create the invention as claimed for the following reasons. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Zhang et al and Stiansen et al by limiting interaction with malicious servers, for the purpose of preventing client infection with the malicious servers, based upon the beneficial teachings provided by Boubez et al, see for example [0124]. These modifications would result in ease of use and increased security, both of which are obvious benefits to the skilled artisan. Additionally, the cited references are in the field of computer security, as is the current application, and thus, are in analogous arts.
Regarding claim 17, Zhang et al and Stiansen et al disclose all the limitations of the method of claim 1. Zhang et al and Stiansen et al do not disclose but Boubez et al further discloses performing a network rate-limiting with regard to data sent from said end-user device, based on determining that said end-user device is an infected and activated and operational cryptocurrency mining bot [0124].
The rationale to combine is the same as disclosed in point (41). 
Regarding claims 26-29, Zhang et al and Stiansen et al disclose all the limitations of the method of claim 1. Zhang et al does not further disclose but Stiansen et al further discloses that the communication network is a cellular communication network, analyzing comprises the analysis of the cellular packets [0039-0041, 0116, 0005-0006]. Zhang et al and Stiansen et al do not disclose but Boubez et al further discloses performing a network quarantine and rate limiting of both the malicious infecting web-server and C&C server [0124].
The rationale to combine is the same as disclosed in point (19) and (41). 
Regarding claim 30, Zhang et al and Stiansen et al disclose all the limitations of the method of claim 1. Zhang et al does not further disclose but Stiansen et al further discloses that the communication network is a cellular communication network, analyzing comprises the analysis of the cellular packets [0039-0041, 0116, 0005-0006]. Zhang et al and Stiansen et al do not disclose but Boubez et al further discloses performing a network rate-limiting with regard to data sent from said end-user device, based on determining that said end-user device is an infected and activated and operational cryptocurrency mining bot [0124].
The rationale to combine is the same as disclosed in point (19) and (41). 
Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Zhang et al (US 2016/0381070) in view of Stiansen et al (US 2016/044054) and in further view of Salsamendi et al (US 9,542,554).
Regarding claim 18, Zhang et al and Stiansen et al disclose all the limitations of the method of claim 1. Zhang et al and Stiansen et al do not disclose but Salsamendi et al further discloses (a) detecting an access of said end-user device to a first server, (b) detecting that the access of step (a) was followed within a time period T1 by an access of said end-user device to a second server, (c) detecting that the access of step (b) was followed within a time period T2 by one or more subsequent accesses of said end-user device to said second server (clock value) [column 11 lines 14-37].
It would have been obvious to one of ordinary skill in the art to create the invention as claimed for the following reasons. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Zhang et al and Stiansen et al by detecting malicious activity within a time period, for the purpose of preventing client infection with the malicious servers, based upon the beneficial teachings provided by Salsamendi et al, see for example [column 11 lines 14-37]. These modifications would result in ease of use and increased security, both of which are obvious benefits to the skilled artisan. Additionally, the cited references are in the field of computer security, as is the current application, and thus, are in analogous arts.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KENDALL DOLLY whose telephone number is (571)270-1948.  The examiner can normally be reached on Monday-Thursday 7am-4pm(EST) and Friday 7am-11am(EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.