DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Election/Restrictions
NO restrictions warranted at applicant’s initial time of filing for patent. 
Priority
Applicant claim[s] domestic priority under 35 USC 371 to PCT/CN2017075349, filed on 03/01/2017. 
Information Disclosure Statement
The information disclosure statements (IDSs) were submitted on 08/30/2019 and 08/18/2020. The submissions are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.
Drawings
The drawings shown in Figures #1 and #2 are objected to under 37 CFR 1.83(a) because they fail to show what components 100, 300, 500, and 700 are, as described in the specification.
Any structural detail that is essential for a proper understanding of the disclosed invention should be shown in the drawing. MPEP § 608.02(d). Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing 
	Appropriate action required.
Specification
The title of the invention is not descriptive.  A new title is required that is clearly indicative of the invention to which the claims are directed. 
	Appropriate action required. 
***The following title is suggested: “Network Security Monitoring of network traffic.”
Claim Objections
NO objections warranted at applicant’s initial time of filing for patent. 
Claim Interpretation – 35 USC 112(f)
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 



The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 

Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  
Such claim limitation(s) is/are: 
As per claim 1.  A data processing device, comprising:
a data collector, configured “to collect data transmitted in a network, and divide the data collected, according to a feature, into known attack data and unknown attack data;” and
a data converter, configured “to replace, according to a mapping database, at least a portion of content included in the unknown attack data with corresponding identification codes.”
As per claim 2.  The data processing device of claim 1, further comprising:
a data identifier, configured “to identify content included in the unknown attack data;” and
a data classifier, configured “to classify, according to identification results of the data identifier, the content identified by the data identifier in the unknown attack data.”
As per claim 3.  The data processing device of claim 1, wherein the data converter comprises:
a data matcher, configured “to determine whether the content in the unknown attack data is identical to historical data previously transmitted in the network and included in the mapping database;” and
a data replacer, configured “to replace identical content with identification codes corresponding to the historical data in the mapping database upon the data matcher determining that the content in the unknown attack data is identical to the historical data.”
As per claim 4. The data processing device of claim 3, wherein the mapping database stores identification codes corresponding to the historical data and information related to the historical data, and the data matcher is configured “to determine whether the content in the unknown attack data is identical to the historical data according to the information related to the historical data in the mapping database.”
As per claim 5. The data processing device of claim 4, wherein the information related to the historical data includes a message digest of the historical data, and the data matcher is configured “to obtain a message digest of the content in the unknown attack data” and is configured “to, according to whether the message digest of the content in the unknown attack data is identical to the message digest of the historical data, determine whether the content in the unknown attack data is identical to the historical data.”
As per claim 6. The data processing device of claim 5, wherein the information related to the historical data includes initial position and length of the historical data, and the data matcher is configured “to select, according to the initial position and length of the historical data, content in the unknown attack data for performing a judgment as to whether it is identical.”

As per claim 7. The data processing device of claim 3, further comprising:
a mapping database generator, configured “to generate a mapping database according to the historical data previously transmitted in the network.”
As per claim 8. The data processing device of claim 7, wherein the mapping database generator is configured “to generate a mapping database according to, among the historical data previously transmitted in the network, pieces having a frequency of occurrence relatively greater than a threshold value.”
As per claim 9. The data processing device of claim 1, further comprising:
a communicator, configured “to send data converted by the data converter outside the data processing device.”
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.  ***Please see the indefiniteness rejection below regarding applicant’s invoking of means for or step plus functional claim language as identified by the examiner above. 
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) 
	Appropriate action required. 
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim[s] 8, 17 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. For example, in claim # 8, line 4, it is unclear what the claim limitation of “…….frequency of occurrence relatively greater……,” means. Is the frequency of occurrence at or below the threshold, or is the frequency of occurrence at or over the threshold?
	Appropriate action required. 
***The examiner notes that for examination purposes, the examiner will assume that the frequency of the occurrence is greater than the threshold. 

Claim[s] 1 – 9 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. It is unclear where in the specification as filed the recited hardware and functionality is located for the following elements: data collector, data converter, data identifier, data classifier, data matcher, data replacer, mapping database generator, and communicator; as required by the appropriate statute; that invokes means for or step plus functional claim language as identified in the claim interpretation above.  
Appropriate action required.

Double Patenting
NO rejections warranted at applicant’s initial time of filing for patent. 
Claim Rejections - 35 USC § 101
NO rejections warranted at applicant’s initial time of filing for patent. 
Claim Rejections - 35 USC § 102
NO rejections warranted at applicant’s initial time of filing for patent. 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.
Claim[s] 1 – 4, 7, 9 – 13, 16, 18 - 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Green et al. [US PAT # 8321936] in view of N [US PAT # 8935784]
As per claim 1. Green does teach a data processing device [col. 1, lines 60 – 66, The present invention overcomes the limitations of the conventional art by providing a system and method for detecting viruses and other malicious content, such as blended threats, mass variant attacks, targeted threats and zero-day attacks, associated with an electronic message by executing the content associated with the electronic message and monitoring the execution for one or more malicious actions.], comprising:
a data collector, configured to collect data transmitted in a network [col. 4, lines 9 – 18, FIG. 1 shows a block diagram of a system 100 for detecting malicious content associated with an electronic message according to an embodiment of the present invention. The system 100 includes one or more devices 102A-N which exchange electronic messages, such as electronic mail (e-mail), text messages, short message service (SMS) messages, Multimedia Messaging Service (MMS) messages, Instant Message.TM. data, commands, hypertext transport protocol (HTTP) requests, HTTP responses, transmission control protocol/Internet protocol (TCP/IP) packets, User Datagram Protocol (UDP) packets, simple mail transfer protocol (SMTP) messages, file transfer protocol (FTP) requests or other electronic information from a first device 102A to a second device 102B, between or among themselves using the network 110. Additionally, the network 110 allows one or more devices 102A-N to communicate with user devices 170A-N included in an enterprise system 180], and divide the data collected, according to a feature [Col. 1, lines 67 and col. 2, lines  a simulation system receives an electronic message, such as an e-mail, command, hypertext transport protocol (HTTP) requests, HTTP responses or text message, and parses the electronic message into components such as hyperlinks, embedded executable code, text associated with uniform resource locators or internet protocol (IP) addresses and attached files.], into known attack data and unknown attack data [col. 7, lines 26 – 41, Electronic messages associated with content that is not already known to be malicious are transmitted by the agent 215 to the simulation system 140B for evaluation of the content associated with the electronic message [i.e. applicant’s unknown attack data]. 
In one embodiment, electronic messages that are not associated with content, such as an e-mail including only plain text, are delivered to the destination user device 170A-N by the SMTP gateway 210. In one embodiment, the agent 215 determines whether received electronic messages are associated with a conventional or known virus or malicious content [i.e. applicant’s known attack data] and quarantines or discards electronic message associated with a conventional or known virus or other malicious content. If the agent 215 is unable to determine that an electronic message is 
Green does not clearly teach a data converter configured to replace, according to a mapping database, at least a portion of content included in the unknown attack data with corresponding identification codes.
However, N does teach a data converter configured to replace, according to a mapping database, at least a portion of content included in the unknown attack data with corresponding identification codes [Figure #3, and col. 5, lines 53 – 67 and col. 6 lines 1 – 11, replacement identifier 313, can take the form of a numeric identifier, and replace the link identifier of a website 309 that potentially contains malware in the user’s web feed activity. Where at col. 8, lines 22 – 27, a replacement identifier generating module 503 generates replacement identifiers 313 to be used by clients 103 to safely access web feeds 303 through server-side web feed protection manager 101].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Green and N in order for the monitoring of electronic messages for malware signatures/patterns of Green to include using a web feed protection manager of N. This would allow for the monitoring of web links: URL or URI or web feeds present in the electronic message[s] and prevention of malware attack before the user clicks on such links in the message. See col. 5, lines 3 – 10 of N.
As per claim 2. Green does teach the data processing device of claim 1, further comprising:
a data identifier, configured to identify content included in the unknown attack data [Green, col. 7, lines 26 – 41, Electronic messages associated with content that is not already known to be malicious are transmitted by the agent 215 to the simulation system 140B for evaluation of the content associated with the electronic message [i.e. applicant’s unknown attack data]]; and
a data classifier, configured to classify, according to identification results of the data identifier, the content identified by the data identifier  in the unknown attack data [Green, col. 8, lines 1 – 8, The simulation system 140A receives electronic messages and associated content from the SMTP gateway 130 or the network security device 120 via signal line 142 and generates a classification result and/or control signal responsive to classification of content associated with the received electronic message. The classification result and/or control signal is then transmitted to the message server 150 via signal line 144. Where at col. 7, lines 56 – 58, Based on the execution monitoring, the simulation system 140B classifies an electronic message as malicious or non-malicious and notifies the agent 210. Where at col. 7, lines 26 – 41, Electronic messages associated with content that is not already known to be malicious are transmitted by the agent 215 to the simulation system 140B for evaluation of the content associated with the electronic message].
As per claim 3. Green as modified does teach the data processing device of claim 1, wherein the data converter comprises:
a data matcher, configured to determine whether the content in the unknown attack data is identical to historical data previously transmitted in the network and included in the mapping database [Green, col. 7, lines 26 – 41, Electronic messages associated with content that is not already known to be malicious are transmitted by the agent 215 to the simulation system 140B for evaluation of the content associated with the electronic message [i.e. applicant’s unknown attack data]. Where at col. 7, lines 59 – 64, In one embodiment, the simulation system 140B also generates and stores a database for classifying electronic messages. This generated database is used to determine whether subsequently received messages are malicious, simplifying electronic message classification by using stored classification data rather than execution of electronic messages.]; and
a data replacer, configured to replace identical content with identification codes corresponding to the historical data in the mapping database upon the data matcher determining that the content in the unknown attack data is identical to the historical data [N, col. 5, lines 59 – 63, The web feed protection manager 101 on the server 105, receives identifiers 313 of user subscribed web feeds 303 [i.e. the examiner points out here that the identifiers 313 are not yet known to be malicious or not – i.e. applicant’s unknown attack data]. The server-side web feed protection manager 101 processes each identifier 313 to check for links 301 to sites 309 containing malware [i.e. applicant’s is identical to the historical data]].
As per claim 4. Green as modified does teach the data processing device of claim 3, wherein the mapping database stores identification codes corresponding to the historical data and information related to the historical data, and the data matcher is configured to determine whether the content in the unknown attack data is identical to the historical data according to the information related to the historical data in the mapping database [N, col. 5, lines 59 – 63, The web feed protection manager 101 on the server 105, receives identifiers 313 of user subscribed web feeds 303 [i.e. the examiner points out here that the identifiers 313 are not yet known to be malicious or not – i.e. applicant’s unknown attack data]. The server-side web feed protection manager 101 processes each identifier 313 to check for links 301 to sites 309 containing malware [i.e. applicant’s is identical to the historical data]].
As per claim 7. Green does teach the data processing device of claim 3, further comprising:
a mapping database generator configured to generate a mapping database according to the historical data previously transmitted in the network  [Green, col. 7, lines 59 – 64, In one embodiment, the simulation system 140B also generates and stores a database for classifying electronic messages. This generated database is used to determine whether subsequently received messages are malicious, simplifying electronic message classification by using stored classification data rather than execution of electronic messages].
As per claim 9. Green does teach the data processing device of claim 1, further comprising:
a communicator, configured to send data converted by the data converter outside the data processing device [Green, col. 7, lines 30 – 33, In one embodiment, 
As per method claim 10 that includes the same or similar claim limitations as data processing claim 1, and is similarly rejected. 

As per method claim 11 that includes the same or similar claim limitations as data processing claim 2, and is similarly rejected. 

As per method claim 12 that includes the same or similar claim limitations as data processing device claim 3, and is similarly rejected.

As per method claim 13 that includes the same or similar claim limitations as data processing device claim 4, and is similarly rejected.

As per method claim 16 that includes the same or similar claim limitations as data processing device claim 7, and is similarly rejected.

As per claim 18. Green does teach the method of claim 10 comprising: 
	sending converted data outside the network
As per claim 19. Green does teach the data processing device of claim 1, further comprising:
a communicator, configured to send data converted by the data converter, within the network [Green, col. 7, lines 48 – 52,  The simulation system 140B is physically remote from the agent 215. In one embodiment, the simulation system 140B and the agent 215 communicate using a wide area network (WAN) or using an Internet connection, such as signal line 146.].
As per claim 20. Green does teach the method of claim 10, further comprising: 
sending converted data within the network [Green, col. 7, lines 48 – 52,  The simulation system 140B is physically remote from the agent 215. In one embodiment, the simulation system 140B and the agent 215 communicate using a wide area network (WAN) or using an Internet connection, such as signal line 146.].
Claim[s] 5, 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Green et al. [US PAT # 8321936] in view of N [US PAT # 8935784] as applied to claim[s] 4 above, and further in view of Turbin [US PAT # 8621634].
As per claim 5. Green and N do teach what is taught in the rejection of claim # 4 above. 
Green and N do not clearly teach the data processing device  of claim 4, wherein the information related to the historical data includes a message digest of the historical data, and the data matcher is configured to obtain a message digest of the content in the unknown attack data and is configured to, according to whether the message digest of the content in the unknown attack data is identical to the message digest of the historical data, determine whether the content in the unknown attack data is identical to the historical data.
However, Turbin does teach the data processing device  of claim 4, wherein the information related to the historical data includes a message digest of the historical data, and the data matcher is configured to obtain a message digest of the content in the unknown attack data and is configured to, according to whether the message digest of the content in the unknown attack data is identical to the message digest of the historical data, determine whether the content in the unknown attack data is identical to the historical data [col. 7, lines 15 – 25, In more detail, at step S20 a hash is generated from the file to be checked. The hash that is generated is suitable for determining whether data of the file is identical to previously processed data. At step S21 the hash is processed together with stored data associated with previously processed data that was determined to not contain malware. For example, the stored data associated with previously processed data may be a further hash generated from the previously processed data, and the processing of step S21 may comprise comparing the hash generated from the file to be checked and the further hash.].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Green as modified and Turbin in order for the monitoring of electronic messages for malware 
As per method claim 14 that includes all the same or similar claim limitations as data processing device claim 5, and is similarly rejected. 

Claim[s] 6, 8, 15, 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Green et al. [US PAT # 8321936] in view of N [US PAT # 8935784]  and Turbin [US PAT # 8621634]  as applied to claim[s] 5 above, and further in view of Valsesia et al. [US PGPUB # 2018/0157680] 
As per claim 6. Green and N and Turbin do teach what is taught in the rejection of claim # 5 above. 
Green and N and Turbin do not clearly teach the data processing device of claim 5, wherein the information related to the historical data includes initial position and length of the historical data, and the data matcher is configured to select, according to the initial position and length of the historical data, content in the unknown attack data for performing a judgment as to whether it is identical.
However, Valsesia does teach the data processing device of claim 5, wherein the information related to the historical data includes initial position and length of the historical data, and the data matcher is configured to select, according to the initial position and length of the historical data, content in the unknown attack data for performing a judgment as to whether it is identical [paragraph: 0071, lines 1 – 10, According to a first variant of the above-described embodiment, the device 1 is configured in such a way as to generate, instead of the above-described static index (which allows obtaining a smaller fingerprint starting from the bigger compressed fingerprint), an index on the basis of the position of characteristic points of the compressed search sensor fingerprint, i.e., points of said fingerprint which have values greater than a given threshold value or than the mean of the values of the points of said fingerprint; such points are also known as "outliers".
Where at paragraph: 0064, lines 1 – 3, It must be pointed out that the Hamming distance (d_H) between two fingerprints (a,b) having the same length (L) can be computed].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Green as modified and Valsesia in order for the monitoring of electronic messages for malware signatures/patterns of Green as modified to include a data digital fingerprinting system of Valsesia. This would allow for the monitoring system to convert the electronic message into binary fingerprints and compare them, thereby increasing the speed of the malware detection process. See paragraph: 0015 of Valsesia.
As per claim 8. Green as modified does teach the data processing device of claim 7, wherein the mapping database generator is configured to generate a mapping database according to, among the historical data previously transmitted in the network, pieces having a frequency of occurrence relatively greater than a threshold value [Valsesia, paragraph: 0071, lines 10 – 15, Therefore, the smaller fingerprints can only be generated when the device 1 has generated the compressed version of the search sensor fingerprint contained in the request message, because only at that moment it will be possible to know the position of the outliers in said search sensor fingerprint].
As per method claim 15 that includes all the same or similar claim limitations as data processing device claim 6, and is similarly rejected. 

As per method claim 17 that includes all the same or similar claim limitations as data processing device claim 8, and is similarly rejected. 



Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANT B SHAIFER HARRIMAN whose telephone number is (571)272-7910.  The examiner can normally be reached on M - F: 8am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand, can be reached on 571-272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for 
/DANT B SHAIFER HARRIMAN/Primary Examiner, Art Unit 2434