DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s arguments, see remarks, filed 4/6/2021, with respect to allowable subject matter and claims over prior art have been fully considered and are persuasive.  The 35 U.S.C. 103 rejection(s) of claims 2-4 and 19-20 has been withdrawn. Applicant has also amended claim 23 to clarify the acronym and thus overcame examiner’s previous claim objection as well. 
Allowable Subject Matter
Claims 1, 3-30 and 33 are allowed. Claims 2 and 31-32 have been canceled.
The following is an examiner’s statement of reasons for allowance:
The prior art, Jung (US 10,628,586), discloses techniques for detecting malware via scanning for dynamically generated function pointers in memory. Detecting malware via scanning for dynamically generated function pointers in memory includes monitoring changes in memory during execution of a malware sample in a computing environment; detecting a dynamically generated function pointer in memory based on an analysis of the monitored changes in memory during execution of the malware sample in the computing environment; and generating a signature based on detection of the dynamically generated function pointer in memory, wherein the malware sample was determined to be malicious.
The prior art, Boubez (US 2015/0341246), discloses an anomaly detection system to detect spatial and temporal environment anomalies and spatial and temporal behavior 
The prior art, Stiansen et al (US 2016/0044054) discloses a system to identify risky network activities using intelligent algorithms. The appliances, systems, media, and methods enable rapid detection of risky activities. 
The prior art, Nguyen et al (US 2016/0065597) discloses a system for domain name scoring. The system receives a request to provide a reputation score of a domain name, receives input data associated with the domain name, extracting a plurality of features from the input data and the domain name, generates a feature vector based on the plurality of features, and calculates the reputation score of the domain name by a machine-learning classifier based on a graph database, which includes feature vectors associated with at least a plurality of reference domain names, a plurality of servers, a plurality of domain name owners, and so forth. The system can also calculate the reputation score by finding a similarity between the feature vector and one of domain name clusters in the graph database. The reputation score represents a probability that the domain name is associated with malicious activity. 
The prior art, Zhang et al (US 2016/0381070), discloses a system to identify suspicious network traffic indicative of a Botnet and/or an Advanced Persistent Threat (APT) based on network protocol of such traffic. The system receives a traffic file at a network security device that is protecting a private network. The traffic file contains therein network traffic associated with the private network that has been captured and stored. The received traffic file is 
The prior art, Cammarota et al (US 2018/0091526), discloses a system for mitigating an Internet of things (IoT) worm. A processor of a router device may randomly select a plurality of Internet Protocol (IP) addresses. The processor may expose one or more emulated services at the plurality of randomly selected IP addresses. The processor may determine whether IoT worm communication activity is detected at one of the randomly selected IP addresses. The processor may grant to, or otherwise enable, an IoT worm access to one of the emulated services in response to detecting IoT worm communication activity at one of the selected IP addresses.
The prior art, Chen et al (US 9,104,873), discloses a method for determining whether GPUs are executing potentially malicious processes may include identifying at least one GPU associated with a computing device, analyzing the behavior of the GPU associated with the computing device, determining that the analyzed behavior of the GPU indicates that the GPU is executing at least one potentially malicious process, and then performing at least one security action on the GPU in response to determining that the analyzed behavior indicates that the GPU is executing the potentially malicious process. 
The prior art, Salsamendi et al (US 9,542,554), discloses a system for detecting duplicate malware samples. A first guest clock is set to a first value in a first virtual machine instance. A first malware sample is executed in the first virtual machine instance. A second guest clock 
The prior art, either alone or in combination, does not expressly disclose a method or system for monitoring network activity of an end user device such that the correlation and/or analysis is performed as disclosed in the methods of claims 1, 3, 4, 19 or the system of claim 33.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Ester Ben Noon Levy on 4/12/2021.
PLEASE AMEND CLAIM 33 AS FOLLOWS: 
33. (CURRENTLY AMENDED) A system comprising: 
storing instructions;
wherein the one or more processors are configured to execute the instructions: 
to monitor communication network activity of an end-user device that communicates with one or more servers over a communication network; 
to perform analysis of packets of data that are transported via said communication network; and based on said analyzing, to perform at least one of:
(I) to determine that a particular server is a malicious infecting web-server that infects multiple accessing devices with a cryptocurrency mining malware; 
(II) to determine that a specific server is a malicious Command and Control (C&C) server that commands and controls a distributed bot-net of cryptocurrency mining bots; wherein said analysis comprises: 
(a) an analysis of network communications from and to said end-user device, which determines that said end-user device began at a particular time-point to engage in cryptocurrency mining activity; 
(b) a backward analysis of prior network communications from and to said end-user device, that occurred prior to said particular time-point of beginning said cryptocurrency mining activity at said end-user device; wherein said backward analysis correlates between (i) said prior network communications from and to said end-user device, and (ii) other network communications exchanged between other end-user devices and a remote server.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KENDALL DOLLY whose telephone number is (571)270-1948.  The examiner can normally be reached on Monday-Thursday 7am-4pm(EST) and Friday 7am-11am(EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/KENDALL DOLLY/Primary Examiner, Art Unit 2436