Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
1.	Claims 2, 10, 16 and 18 have been amended. Claims 7 and 14 have been canceled. Claims 2-6, 8-13 and 15-21 have been examined.

2.	Applicant's arguments filed 02/08/2021 have been fully considered but they are not persuasive.

Claim Interpretation
3.	For claims 3-4, 6, 11, 13 and 19-21, the phrase “at least one of” has been given the broadest, reasonable interpretation of only requiring a single element from the list that follows in order to satisfy the requirements of the limitation.

Claim Objections
4.	Claims 8 and 15 are objected to because of the following informalities:
Claims 8 and 15 depend on claims 7 and 14 respectively. However, claims 7 and 14 have been canceled. Examiner believes claims 8 and 15 should depend on claims 1 and 10 and will treat the claims as such for the remainder of the office action.
Appropriate correction is required.

5.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any 

6.	The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.


Claim Rejections - 35 USC § 103
7.	Claims 2-6, 9-13, 16-17 and 19-21 are rejected under 35 U.S.C. 103 as being unpatentable over Bunker, V et al. (U.S. Patent Application Publication 2003/0056116; hereafter “Bunker”), and further in view of Gerritz et al. (U.S. Patent Application Publication 2016/0099960; hereafter “Gerritz”).
	For claims 2, 10 and 16, Bunker teaches a system, method and computer-readable media comprising at a server device (note paragraph [0086], command engine):
	a processor (note paragraph [0384], CPU); and
	memory coupled to the processor, the memory comprising computer executable instructions that, when executed by the processor, performs a method for providing real-time scanning of client devices (note paragraph [0384], memory), the method comprising:
	receiving input from a client device via a user interface (note paragraphs [0143]-[0144], interface provides configuration including account information and IP range);

	generating a work order request based on the request details  (note paragraphs [0069] and [0088], job scheduling module and check schedule module combine to create a test based on customer profile);
	processing the work order request (note paragraph [0090], test logic module determines which tests need to be launched), the processing including:
		determining device-identifying information for the work order request (note paragraphs [0069], [0088], [0184] and [0351], test is performed across range of IP address supplied by customer in customer profile);
		identifying a computing device using the device-identifying information (note paragraphs [0071] and [0115]-[0130], test tools identify devices based on IP address in customer profile);
		communicating with the computing device (note paragraphs [0111]-[0112], testers use tools that collect information from the customer system);
	receiving device information from the computing device, the device information including a device indicator associated with the computing device (note paragraphs [0112]-[0117] and [0329], testers collect port information);
	selecting a payload for the computing device, wherein selection of the payload is predefined based on the device indicator (note paragraphs [0330] and [0338], based on open ports the next wave of tools are selected; tools selection is predefined based on the results of previous wave), wherein the payload is selected based on an identified type of the computing device (note Fig. 14, paragraphs [0330] and [0338], second and third waves of tools are selected based on type of computing device found in the first wave; e.g. ftp tools for ftp servers, e-mail tools for e-mail servers, http tools for http servers), the payload comprising data configured for the identified type of device to solicit an expected response from the identified type of device (note paragraphs [0094], [0100], [0262] and [0338], tools determine if a device is positive or negative for a vulnerability based on the expected response to the tool; e.g. HTTP test suite is used to determine if web server has vulnerability);
	providing the selected payload to the computing device (note paragraphs [0330] and [0338], the next wave of tools are sent);
	receiving a payload response from the computing device (note paragraphs [0330] and [0338], responses from each wave of tools are received); 

	Bunker differs from the claimed invention in that they fail to teach:
	detecting an unauthorized computing device based on the payload response.

	Gerritz teaches:
	detecting an unauthorized computing device based on the payload response (note paragraphs [0053], [0055], [0058]-[0060]; type of scan requested by customer determines payloads which include commands to determine malicious content).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the device scanning of Bunker and the 


	For claims 3 and 20, the combination of Bunker and Gerritz teaches claims 2 and 16, wherein the request details comprise information associated with the client device, including at least one of its IP address, ports, services and protocols (note paragraphs [0071] and [0351] of Bunker, customer profile includes services the client purchased and IP addresses to be tested).

	For claims 4, 11 and 21, the combination of Bunker and Gerritz teaches claims 3, 10 and 20, wherein the device-identifying information includes at least one of a port, a service, and a protocol (note paragraphs [0329]-[0330], [0338], [0345] and [0354]-[0355] of Bunker, ports, services and protocols running identify devices for subsequent test waves).

	For claims 5, 12 and 17, the combination of Bunker and Gerritz teaches claims 2, 10 and 16, wherein communicating with the computing device further comprises transmitting a ping request to the computing device to determine whether the computing 

	For claims 6, 13 and 19, the combination of Bunker and Gerritz teaches claims 2, 10 and 16, wherein communicating with the computing device further comprises transmitting a data request for information to the computing device (note paragraphs [0111]-[0112] of Bunker, testers use tools that request information from the customer devices), wherein the data request for information includes a request for at least one of user information, device information, and network information (note paragraphs [0112]-[0126] and [0329] of Bunker, testers collect what services are running, what ports are open – i.e. device information; paragraphs [0127]-[0130] of Bunker, testers collect subnet of a computer – i.e. network information).

	For claim 9, the combination of Bunker and Gerritz teaches claim 2, wherein the device indicator is selected from the list including an IP address, a port, a service, and a protocol (note paragraph [0184] of Bunker, scan determines which IP addresses are active, which is used to select payloads for full assessment; paragraphs [0329]-[0330], [0338], [0345] and [0354]-[0355] of Bunker, ports, services and protocols running identify devices for subsequent test waves).


Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 


8.	Claims 2-4, 6-11, 13-16 and 18-21 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10,567,396. Although the claims at issue are not identical, they are not patentably distinct from each other because:
Claims 1-20 of U.S. Patent No. 10,567,396 contain every element of claims 2-4, 6-11, 13-16 and 18-21of the instant application and as such anticipate claim of the instant application.
“A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim.  In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species within that genus). “  ELI LILLY AND . 

9.	Claims 5, 12 and 17 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10,567,396 in view of Bunker. 
	For claims 5, 12 and 17, 10,567,396 differs from the claimed invention in that they fail to teach:
	wherein communicating with the computing device further comprises transmitting a ping request to the computing device to determine whether the computing device is active

	Bunker teaches:
	wherein communicating with the computing device further comprises transmitting a ping request to the computing device to determine whether the computing device is active (note paragraphs [0112] and [0143], testing tool includes ping).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the scanning of 10,567,396 and the device scanning of Bunker. It would have been obvious because combining prior art elements according to known methods would yield the predictable results of scanning client devices using a ping request.

Allowable Subject Matter
10.	Claims 8, 15 and 18 are objected to as being dependent upon a rejected base claim, but would be allowable with:
if rewritten in independent form including all of the limitations of the base claim and any intervening claims; and
a timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d).


Response to Arguments
11.	For claim 2, Applicant argues the combination of Bunker and Gerritz fails to teach one or more of the limitations of the claims (note Remarks, page 7).
	Applicant asserts, “While, as pointed out by the Examiner in the January 26 interview, the payloads disclosed by Bunker are predefined in that the selected tools in the payload are pre-written, the selection of these tools is not predefined, particularly based on the device indicator” (note Remarks, page 7).
	Examiner disagrees. As noted by Applicant, in paragraphs [0329]-[0330], Bunker discloses a first “wave” of basic tests that returns a mapping of the services running on the target network.
	The results of the first “wave” or used to select tools for the next wave (note Fig. 14 and paragraph [0330]). In other words, the selection of tools for subsequent waves is based on the types of services and software that are running and have been discovered by the first wave. Bunker gives the examples (note paragraphs [0330] and [0338]):

	an unauthorized mail relaying tool for e-mail servers;
	various sample script tools for web servers;
	a HTTP test suite for servers using the HTTP protocol;

	FTP, e-mail and HTTP serves are all different types of devices and the selection of tools used to test them is predefined based on that type of device (e.g. FTP tools for FTP servers and HTTP tools for HTTP servers). Furthermore, Bunker discloses selecting tools based on specific vendors and specific version numbers (note Fig. 14 and paragraph [0330]). Clearly, these selections are “predefined” based on “an identified type of the computing device” (e.g. tools for testing Microsoft web servers; tools for testing Version 2.4.5 of an FTP server)


	Applicant argues, “the second and third waves of tools are selected based on information from previous waves of tools which is collected and analyzed, rather than being predefined based on a device indicator” (note Remarks, page 7).
	Examiner agrees that in Bunker “the second and third waves of tools are selected based on information from previous waves of tools which is collected and analyzed”. However, Applicant is missing the fact that the “information from previous waves of tools” that is collected and analyzed is information that includes a “device indicator” and the “identified type” of computing device. As noted above, the initial wave(s) of Bunker identify if the device is, for example: a FTP server, a HTTP server or an e-mail 
	Therefore, Bunker teaches “selecting a payload for the computing device, wherein selection of the payload is predefined based on the device indicator, wherein the payload is selected based on an identified type of the computing device” as required by the claims.

	Applicant argues, “Bunker's disclosure that the information collected from the first wave of tools is collected and analyzed to prepare and execute a subsequent wave of tools indicates that the payload is not configured to solicit an expected response from the identified type of device, as recited in the amended claim” (note Remarks, page 7).
	Examiner disagrees. As noted in the rejection above, “the first wave of tools” of Bunker was mapped to the “communicating with the computing device; receiving device information from the computing device” limitations of the claims.
	The second and third waves of tools of Bunker are “the payload is selected based on an identified type of the computing device, the payload comprising data configured for the identified type of device to solicit an expected response from the identified type of device”. The tools that test whether a vulnerability exists are configured to solicit an expected response that will either return a positive or negative result for that vulnerability (note paragraph [0338]).



	Examiner disagrees. As noted in the rejection above, Bunker discloses a system where a Tester server sends tools, i.e. payloads, to devices that solicit a response that is used to determine if a vulnerability exists in the program on device.
	Gerritz discloses that a payload can be sent where the output of the payload can be used to determine if the device has been infected with malware, i.e. is unauthorized.
	Therefore, the combination of Bunker and Gerritz teaches scanning client devices to determine device information (Bunker) and executing a second wave (Bunker) of tests which include a payload to determine if the client has been infected with malicious content (Gerritz).

	Applicant argues, “Gerritz does not teach that the host provides any response to the computing device”. However, the combination of Bunker and Gerritz teaches the host, i.e. device being tested, provides a response to the computing device, i.e. server since Bunker discloses test results being sent to the Testing server (note paragraph [0338]). 

	Gerritz further discloses the computing device analyzes the output file for expected responses of malware (note paragraph [0067]). As noted by paragraph [0032], Applicant’s Specification, devices that produce outputs that are identified as malicious are unauthorized devices.
	Thus, the combination of Bunker and Gerritz teaches “detecting an unauthorized computing device based on the payload response” as required by the claims.

Conclusion
12.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Davis et al. (U.S. Patent Application Publication 2011/0138470) teaches a tester device soliciting responses from test devices to see if they are appropriate responses or inappropriate responses (note paragraph [0019]).

13.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAVID J PEARSON whose telephone number is (571)272-0711.  The examiner can normally be reached on 6:00 - 5:30 pm; Monday through Thursday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-






/David J Pearson/Primary Examiner, Art Unit 2438