Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This Office Action is in response to the communication filed on 01/12/2021 in application 16/370,853. Claims 1, 10, and 19 have been amended; claims 5 and 14 have been canceled; claims 1, 10, and 19 are independent claims. Claims 1-4, 6-13, and 15-20 have been examined and are pending.
Authorization for this Examiner’s Amendment was given in a telephone interview with Applicant’s representative, Mr. WESTERN, JONATHON (Reg. No. 68095), who agreed to and authorized the Examiner amending claims 1, 10, and 19 and canceling claims 9 and 18.
An eTerminal Disclaimer (over US Patent 10,305,928) was filed 12/18/2019.

Examiner’s Amendments
Claims
Claims 1-20 are replaced as follows:
1. (Currently Amended)  A computer-implemented method comprising:
receiving, at a network infrastructure device, an encrypted flow comprising a plurality of packets, the plurality of packets comprising a first set of packets and a second set of packets that is received after the first set of packets;
identifying, at the network infrastructure device, a first datagram comprising the first set of packets and a second datagram comprising the second set of packets, the first datagram being associated with a first message and the second datagram being associated with a second message, wherein each packet of the first set of packets is received within a threshold amount of time of receipt of a preceding packet of the first set of packets, and wherein a first packet of the second set of packets is received after the threshold amount of time of receipt of a last packet of the first set of packets;
determining, at the network infrastructure device, a sequence of datagram lengths and times for the first datagram and the second datagram within the encrypted flow based on an arrival time of the first set of packets and the second set of packets; and
sending, from the network infrastructure device, the sequence of datagram lengths and times to a collector device,
wherein, upon receiving the sequence of datagram lengths and times, the collector device identifies a sequence of lengths and times that is nearest to the received sequence of datagram lengths and times as an application associated with the received sequence of datagram lengths and times, determines whether the application is malicious, and upon determining that the application is malicious, sends an alert signal to an administrator, and
wherein the alert signal indicates that a suspected malware or a threat has been detected, and the alert signal comprises at least one of a name, a type, a version of the malicious application or information regarding the flow.
2. (Original)  The computer-implemented method of claim 1, wherein the sequence of datagram lengths and times for the first datagram and the second datagram comprises a first length of the first datagram, a second length of the second datagram, and a duration value between a first arrival time of the first datagram at the network infrastructure device and a second arrival time of the second datagram at the network infrastructure device.

3. (Original)  The computer-implemented method of claim 1, wherein determining the application that is associated with the received sequence of datagram lengths and times comprises:
retrieving information from a database of datagram lengths and times that is associated with known applications; and
comparing the received sequence of datagram lengths and times to the information retrieved from the database of datagram lengths and times.

4. (Original)  The computer-implemented method of claim 1, wherein determining the application that is associated with the received sequence of datagram lengths and times comprises:
determining at least one of a name, a type, or a version of the application associated with the received sequence of datagram lengths and times.

5. (Canceled)

6. (Previously Presented)  The computer-implemented method of claim 1, further comprising:
generating training data based on the sequence of datagram lengths and times for the first datagram and the second datagram; and
training a machine learning-based classifier using the generated training data for detecting whether the application is malicious.

7. (Original)  The computer-implemented method of claim 6, further comprising:
in response to receiving the sequence of datagram lengths and times at the collector device, storing the sequence of datagram lengths and times;
updating the trained classifier with the received sequence of datagram lengths and times; and
detecting a previously unknown malware based on the updated trained classifier.

8. (Original)  The computer-implemented method of claim 1, further comprising:
upon determining that the application is malicious, displaying the alert signal in a computer-generated graphical user interface of the collector device.

9. (Canceled)

10. (Currently Amended)  A system comprising:
a network infrastructure device comprising a first memory unit and one or more first processors configured to perform instructions stored in the first memory unit; and

wherein the network infrastructure device is configured to:
receive an encrypted flow comprising a plurality of packets, the plurality of packets comprising a first set of packets and a second set of packets that is received after the first set of packets;
identify a first datagram comprising the first set of packets and a second datagram comprising the second set of packets, the first datagram being associated with a first message and the second datagram being associated with a second message, wherein each packet of the first set of packets is received within a threshold amount of time of receipt of a preceding packet of the first set of packets, and wherein a first packet of the second set of packets is received after the threshold amount of time of receipt of a last packet of the first set of packets;
determine a sequence of datagram lengths and times for the first datagram and the second datagram within the encrypted flow based on an arrival time of the first set of packets and the second set of packets; and
send the sequence of datagram lengths and times to a collector device, and
wherein the collector device is configured to:
upon receiving the sequence of datagram lengths and times, identify a sequence of lengths and times that is nearest to the received sequence of datagram lengths and times as an application associated with the received sequence of datagram lengths and times;
determine whether the application is malicious; and
upon determining that the application is malicious, send an alert signal to an administrator,
wherein the alert signal indicates that a suspected malware or a threat has been detected, and the alert signal comprises at least one of a name, a type, a version of the malicious application or information regarding the flow.

11. (Original)  The system of claim 10, wherein the sequence of datagram lengths and times for the first datagram and the second datagram comprises a first length of the first datagram, a second length of the second datagram, and a duration value between a first arrival time of the first datagram at the network infrastructure device and a second arrival time of the second datagram at the network infrastructure device.

12. (Previously Presented)  The system of claim 10, wherein the collector device is further configured to:
retrieve information from a database of datagram lengths and times that is associated with known applications; and
compare the received sequence of datagram lengths and times to the information retrieved from the database of datagram lengths and times.

13. (Previously Presented)  The system of claim 10, wherein the collector device is further configured to:
determine at least one of a name, a type, or a version of the application associated with the received sequence of datagram lengths and times.

14. (Canceled)

15. (Previously Presented)  The system of claim 10, wherein the collector device is further configured to:
generate training data based on the sequence of datagram lengths and times for the first datagram and the second datagram; and
train a machine learning-based classifier using the generated training data for detecting whether the application is malicious.

16. (Previously Presented)  The system of claim 15, wherein the collector device is further configured to:
in response to receiving the sequence of datagram lengths and times at the collector device, store the sequence of datagram lengths and times;
update the trained classifier with the received sequence of datagram lengths and times; and
detect a previously unknown malware based on the updated trained classifier.

17. (Previously Presented)  The system of claim 10, wherein the collector device is further configured to:
upon determining that the application is malicious, display the alert signal in a computer-generated graphical user interface of the collector device.

18. (Canceled)

19. (Currently Amended)  One or more non-transitory computer readable media comprising instructions which, when executed by one or more processors, cause:
receiving, at a network infrastructure device, an encrypted flow comprising a plurality of packets, the plurality of packets comprising a first set of packets and a second set of packets that is received after the first set of packets;
identifying, at the network infrastructure device, a first datagram comprising the first set of packets and a second datagram comprising the second set of packets, the first datagram being associated with a first message and the second datagram being associated with a second message, wherein each packet of the first set of packets is received within a threshold amount of time of receipt of a preceding packet of the first set of packets, and wherein a first packet of the second set of packets is received after the threshold amount of time of receipt of a last packet of the first set of packets;
determining, at the network infrastructure device, a sequence of datagram lengths and times for the first datagram and the second datagram within the encrypted flow based on an arrival time of the first set of packets and the second set of packets; and
sending, from the network infrastructure device, the sequence of datagram lengths and times to a collector device,
wherein, upon receiving the sequence of datagram lengths and times, the collector device identifies a sequence of lengths and times that is nearest to the received sequence of datagram lengths and times as an application associated with the received sequence of datagram lengths and times, determines whether the application is malicious, and upon determining that the application is malicious, sends an alert signal to an administrator, and
wherein the alert signal indicates that a suspected malware or a threat has been detected, and the alert signal comprises at least one of a name, a type, a version of the malicious application or information regarding the flow.

20. (Previously Presented)  The one or more non-transitory computer readable media of claim 19, wherein the sequence of datagram lengths and times for the first datagram and the second datagram comprises a first length of the first datagram, a second length of the second datagram, and a duration value between a first arrival time of the first datagram at the network infrastructure device and a second arrival time of the second datagram at the network infrastructure device.
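The pipeline recited in claims 1, 10, and 19 (grouping packets of an encrypted flow into datagrams by an inter-arrival threshold at the network infrastructure device, then nearest-sequence matching and alerting at the collector), as an added Python example that is not part of the application or of this Office Action. The threshold value, the profile database, and the application names and versions in it are constructed placeholders, not real fingerprints.

```python
import math
THRESHOLD_S = 0.010  # inter-packet gap above which a new datagram (message) begins

def datagram_sequence(packets, threshold=THRESHOLD_S):
    """(arrival_s, length) packets of one flow -> [(datagram_len, secs_since_prev_datagram), ...]."""
    datagrams = []  # (first_arrival, total_length)
    last_arrival = None
    for t, length in sorted(packets):
        if last_arrival is None or t - last_arrival > threshold:
            datagrams.append((t, length))  # first packet of a new message
        else:
            start, total = datagrams[-1]
            datagrams[-1] = (start, total + length)  # same message continues
        last_arrival = t
    seq, prev = [], None
    for start, total in datagrams:
        seq.append((total, 0.0 if prev is None else round(start - prev, 3)))
        prev = start
    return seq

def distance(a, b):
    """Euclidean distance over (length, gap) pairs; gaps scaled to ms so 1 ms weighs
    like 1 byte; the shorter sequence is zero-padded so a missing datagram counts."""
    n = max(len(a), len(b))
    a = a + [(0, 0.0)] * (n - len(a))
    b = b + [(0, 0.0)] * (n - len(b))
    return math.sqrt(sum((la - lb) ** 2 + (1000 * (ga - gb)) ** 2
                         for (la, ga), (lb, gb) in zip(a, b)))

# Constructed profile database; names, versions and sequences are placeholders.
PROFILES = [
    {"name": "ExampleBrowser", "type": "browser", "version": "1.0", "malicious": False,
     "seq": [(517, 0.0), (1460, 0.040), (93, 0.110)]},
    {"name": "ExampleBeacon", "type": "trojan", "version": "2.3", "malicious": True,
     "seq": [(64, 0.0), (64, 5.0), (64, 5.0)]},
]

def classify(seq, profiles=PROFILES):
    """Collector side: nearest known profile (a deployment would also bound the distance)."""
    return min(profiles, key=lambda p: distance(seq, p["seq"]))

def analyze_flow(packets, flow_id, profiles=PROFILES):
    """Device step (sequence) plus collector step (match); alert dict or None if benign."""
    seq = datagram_sequence(packets)
    app = classify(seq, profiles)
    if not app["malicious"]:
        return None
    return {"message": "suspected malware or threat detected", "name": app["name"],
            "type": app["type"], "version": app["version"], "flow": flow_id}
```

Because the match is a pure nearest neighbour, every flow maps to some profile; the distance bound mentioned in `classify` is what keeps unknown traffic from being labelled as the closest known application.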
Examiner’s Statement of Reasons for Allowance
Claims 1-4, 6-8, 10-13, 15-17, and 19-20 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The invention is directed to a method/system/non-transitory computer readable media for receiving, at a network infrastructure device, a flow of packets; determining, using the network infrastructure device and for a first subset of the packets, that the first subset corresponds to a first datagram, and determining a first length of the first datagram; determining, using the network infrastructure device and for a second subset of the packets, that the second subset corresponds to a second datagram that was received after the first datagram, and determining a second length of the second datagram; determining, using the network infrastructure device, a duration value between a first arrival time of the first datagram and a second arrival time of the second datagram; and sending, to a collector device that is separate from the network infrastructure device, the first length, the second length, and the duration value for analysis.
The closest prior art is Kim et al. (“Kim,” US 2011/0149793) in view of McCorkendale et al. (“McCorkendale,” US 8,806,644), further in view of Peles (“Peles,” US 2005/0050316), and further in view of Afek et al. (“Afek,” US 2006/0212572), which are generally directed to receiving a flow comprising several packets at a network infrastructure device. The first and second datagrams comprising the first and second sets of packets are identified. The first and second datagrams are associated with first and second messages. Each packet of the first set of packets is received within a threshold amount of time from a preceding packet of the several packets. A sequence of datagram lengths and times are
However, none of Kim, McCorkendale, Peles, and Afek teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in independent claims 1, 10, and 19. For example, they fail to teach “determining, at the network infrastructure device, a sequence of datagram lengths and times for the first datagram and the second datagram within the encrypted flow based on an arrival time of the first set of packets and the second set of packets; and sending, from the network infrastructure device, the sequence of datagram lengths and times to a collector device, wherein, upon receiving the sequence of datagram lengths and times, the collector device identifies a sequence of lengths and times that is nearest to the received sequence of datagram lengths and times as an application associated with the received sequence of datagram lengths and times, determines whether the application is malicious, and upon determining that the application is malicious, sends an alert signal to an administrator, and wherein the alert signal indicates that a suspected malware or a threat has been detected, and the alert signal comprises at least one of a name, a type, a version of the malicious application or information regarding the flow.”
This feature, in light of the other features of independent claims 1, 10, and 19 when considered as a whole, is allowable over the prior art of record.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CANH LE whose telephone number is (571)270-1380. The examiner can normally be reached on Monday-Friday, 6:00 AM-3:30 PM, with every other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Canh Le/
Examiner, Art Unit 2439
February 18th, 2021


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439