DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.

Terminal Disclaimer
The terminal disclaimer filed on 03/10/2021 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of U.S. Patent No. 10,061,922 has been reviewed and is accepted.  The terminal disclaimer has been recorded. Accordingly, the double patenting rejection has been withdrawn.

Response to Amendment
This office action is in response to the amendment filed on 03/10/2021.
Claims 1, 3-5, 7-13, 15-17, and 19-23 are pending for examination. Applicant amends claims 1, 7, 13, 19, and 22. The amendments have been fully considered and entered.
Amendment to claim 22 regarding the 35 U.S.C. § 112(b) rejection has been accepted and the 35 U.S.C. § 112(b) rejection has been withdrawn.

Response to Arguments
For convenience, the newly introduced limitations, as made by amendments, are marked as underlined.


Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 1, 3, 4, 7-10, 13, 15, 16, 19, 20, and 23 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Balupari et al. (US 20130097699 A1; hereinafter “Balupari”) in view of Aziz et al. (US 8204984 B1; hereinafter “Aziz”) and further in view of Wang et al. (US 8555388 B1; hereinafter “Wang”) and Kohler, Jr. et al. (US 7743134 B2; hereinafter “Kohler”).
As per claim 1, Balupari discloses: a method, comprising: 
monitoring, with a network probe, request-response transactions that are exchanged in a computer system (Balupari, [0036], “connection monitor 215 may monitor and inspect packets”);
extracting subsets of the request-response transactions, wherein the subsets comprise request-response transactions that are exchanged between one or more clients and a given host and between one or more hosts and a given client (Balupari, 
evaluating at least one feature of the request-response transactions in the subsets over request-response transactions known to be associated with first malicious software and request-response transactions known to be not associated with the first malicious software, wherein the at least one feature comprises a characteristic of one or more underlying protocols used for transmitting the subsets of request-response transactions, wherein evaluating the at least one feature comprises estimating an aggregated statistical property of the at least one feature over the request-response transaction in the subsets (Balupari, [0045], contents of all packets from a source in a gray list are evaluated to determine indicative bot behavior. The referrer field of the packets is evaluated to check whether it is missing, and if the referrer field in a packet is 
based on the evaluated at least one feature, identifying whether the request-response transactions in the subsets are exchanged with the first malicious software runs in the given client (Balupari, [0045], if the referrer field in packets is frequently missing, the score increases, [0047], [0022] and Fig. 5, malicious command and control channels are detected based on the score being greater than a threshold, in which case appropriate action would be taken; Fig. 1, host 110b is compromised by bot 140, [0047], “blocking new connections from the source or to the destination”. If connections/requests are blocked from a particular source (i.e., client), that means the system has determined that the malicious software runs in that particular source.).
While Balupari suggests implementing the botnet detection module on other network devices external to the sensor which may result in monitoring request-response transactions exchanged in the computer system without the request-response transactions passing through the network probe (Balupari, [0031]), Balupari does not explicitly teach monitoring the request-response transactions of the computer system 
It would have been obvious to a person having ordinary skill in the art at the time the invention was made to modify the teachings of Balupari to include monitoring request-response transactions in a computer system without the transmission of request-response transactions passing through the network probe as taught by Aziz for the benefit of not degrading the performance of the communication network 110 or the devices coupled to the communication network 110, as opposed to having all communications passing through the network probe (Aziz, col. 4 lines 63-65). Furthermore, it would have been obvious to try choosing from a finite number of identified, predictable solutions (e.g., having the network probe situated directly in line 
While the combination of Balupari and Aziz teaches identifying whether the request-response transactions in the subsets are exchanged with the first malicious software that runs in the given client (Balupari, [0045]), the combination of Balupari and Aziz does not explicitly teach, however, Wang teaches or suggests: identifying whether the request-response transactions in the subsets are exchanged with a second malicious software that runs in the given client (Wang, col. 5 lines 8-11, 29-45, identifying specific/known botnets (i.e., first malicious software) using a specific traffic pattern analysis and identifying new or unknown botnets (i.e., second malicious software) using a generic traffic pattern analysis, col. 6 lines 8-21, identifying the new botnet and correlating its behavior with a client which is infected with the new botnet).
It would have been obvious to a person having ordinary skill in the art at the time the invention was made to modify the teachings of the combination of Balupari and Aziz to include new heuristic botnet detection techniques for identifying whether the request-response transactions in the subsets are exchanged with a second/new malicious software that runs in the given client as taught by Wang for the benefit of identifying new botnets and providing for improved accuracy and lower false positives (Wang, col. 5 lines 6-11).
While the modified Balupari discloses: estimating an aggregated statistical property of the at least one feature over the request-response transaction in the subsets (Balupari, [0045]), Balupari does not disclose, however, Kohler teaches or suggests: over each of a plurality of time periods (Kohler, col. 10 lines 15-28, “Time periods for statistical aggregation may range from minutes to weeks”).
It would have been obvious to a person having ordinary skill in the art at the time the invention was made to modify the teachings of the modified Balupari to include evaluating an aggregate statistical property over a plurality of different time periods as taught by Kohler to enable administrators to quickly identify the important properties of the attack (Kohler, col. 10 lines 33-35).

As per claim 13, Balupari discloses: an apparatus comprising: 
a network probe, which is configured to monitor request-response transactions exchanged in a computer network (Balupari, Fig. 1 and [0036], botnet detection module of sensor 120 monitors http packets); and 
a processor, which is connected to the network probe and configured to execute software (Balupari, Fig. 2 and [0026], processor 205 executes botnet detection module functions) to: 
evaluate at least one feature of the monitored request-response transactions over request-response transactions known to be associated with first malicious software and request-response transactions known to be not associated with the first malicious software by estimating an aggregated statistical property of the at least one feature over the request-response transaction in the subsets (Balupari, [0045] and Fig. 5, contents of packets are evaluated to determine indicative bot behavior. The referrer field of the packets is evaluated to check whether it is missing, and if the referrer field in a packet is 
wherein the at least one request-response transaction is one of the request-response transactions exchanged between one or more clients and a given host and between one or more hosts and a given client (Balupari, [0044]-[0047], [0035], analyzing the HTTP request and response activities between a single source (i.e., client) from the grey list and a plurality of nodes (see [0011]-[0012] and Fig. 1), e.g., host 110b communicating with hosts 110a, c-d or web server 125 or host 135, or activities between a single source (i.e., command and control server 145) and a plurality of nodes (i.e., hosts 110a-110d). Another scenario is extracting communications between the host 110b and the command and control server 145, which reads on “transactions that are exchanged between one or more clients and a given host and between one or more hosts and a given client”),
wherein the at least one feature comprises a characteristic of one or more underlying protocols used for transmitting the subsets of request-response transactions, and further wherein the processor is further configured with the software to extract the at least one request-response transaction and to identify whether the request-response transactions are exchanged with the first malicious software that runs in the given client (Balupari, [0023], “a sensor…may look for repetitive HTTP connections”; [0044], [0035], [0023], the activities of each source (e.g., host/client) in a gray list are identified and analyzed by the botnet detection module 122 (i.e., network probe) of sensor 120; the activities being HTTP requests and responses (see [0045] and [0033]). Identifying and analyzing activities of specific sources in the grey list reads on “acquiring subsets of request-response transactions”, [0045], if the referrer field in packets is frequently missing, the score increases, [0047], [0022] and Fig. 5, malicious command and control channels are detected based on the score being greater than a threshold).
While Balupari suggests implementing the botnet detection module on other network devices external to the sensor, which could possibly result in not requiring all of the request-response transactions to pass through the network probe (Balupari, [0031]), Balupari does not explicitly teach monitoring the request-response transactions of the computer system without the request-response transactions passing through the network probe. However, Aziz teaches or suggests: monitoring request-response transactions of the computer system without the request-response transactions passing through the network probe (Aziz, Fig. 1, Controller 125 is coupled to the communication line between Bot Server 105 and Network Device 115 via Tap 120, col. 4 lines 47-58, the controller receives copies of data flows from Tap 120, the data flows being communications between Bot Server 105 and Network Device 115, col. 5 lines 26-32, wherein the controller analyzes the data flows, col. 7 lines 54-60, controller takes corrective action based on analysis. Examiner takes the position that because the Controller 125 receives copies of data flows from Tap 120, the 
It would have been obvious to a person having ordinary skill in the art at the time the invention was made to modify the teachings of Balupari to include monitoring request-response transactions in a computer system without the transmission of request-response transactions passing through the network probe as taught by Aziz for the benefit of not degrading the performance of the communication network 110 or the devices coupled to the communication network 110, as opposed to having all communications passing through the network probe (Aziz, col. 4 lines 63-65). Furthermore, it would have been obvious to try choosing from a finite number of identified, predictable solutions (e.g., having the network probe situated directly in line between a server and a client, or not directly in line between the server and the client) with a reasonable expectation of success for monitoring communications (KSR). 
The combination of Balupari and Aziz does not explicitly teach, however, Wang teaches or suggests: based on the evaluation of the at least one feature, filter from the monitored request-response transactions at least one request-response transaction having the at least one feature indicating a presence of second malicious software in the request-response transaction (Wang, col. 5 lines 22-28 and col. 6 lines 4-5, all traffic is evaluated and traffic with malware URLs and unclassified URLs is filtered so that traffic analysis can be focused on malware download URLs and unclassified URLs), and 

It would have been obvious to a person having ordinary skill in the art at the time the invention was made to modify the teachings of the combination of Balupari and Aziz to include new heuristic botnet detection techniques for identifying whether the request-response transactions in the subsets are exchanged with a second/new malicious software that runs in the given client and filtering the request-response transactions having malware URLs as taught by Wang for the benefit of identifying new botnets and providing for improved accuracy and lower false positives (Wang, col. 5 lines 6-11).
While the modified Balupari discloses: estimating an aggregated statistical property of the at least one feature over the request-response transaction in the subsets (Balupari, [0045]), Balupari does not disclose, however, Kohler teaches or suggests: evaluating the aggregate statistical property over each of a plurality of time periods (Kohler, col. 10 lines 15-28, “Time periods for statistical aggregation may range from minutes to weeks”).
It would have been obvious to a person having ordinary skill in the art at the time the invention was made to modify the teachings of the modified Balupari to include evaluating an aggregate statistical property over a plurality of different time periods as 

As per claims 3 and 15, claims 1 and 13 are incorporated, respectively, and the modified Balupari discloses: wherein extracting the subsets comprises extracting the request-response transactions that are exchanged between one or more clients and a given host, and wherein identifying whether the request-response transactions in the subsets are exchanged with the first malicious software comprises detecting that the given host controls the first malicious software (Balupari, [0011]-[0012] and Fig. 1, activities being between the single source (i.e., command and control server 145) and a plurality of nodes (i.e., hosts 110a-110d), [0047], “blocking new connections from the source or to the destination”, e.g., in the case where the source is the compromised host 110b and the destination is the command and control server 145 which controls the malicious software, new connections/communications to the command and control server 145 are blocked because it is detected that command and control server 145 controls the malicious software).  
While the modified Balupari teaches detecting the given host controls the first malicious software (Balupari, [0047]), the modified Balupari does not explicitly teach, however, Wang teaches or suggests: the second malicious software (Wang, col. 5 lines 8-11, 29-45, identifying specific/known botnets (i.e., first malicious software) using a specific traffic pattern analysis and identifying new or unknown botnets (i.e., second malicious software) using a generic traffic pattern analysis, col. 6 lines 8-21, identifying 
It would have been obvious to a person having ordinary skill in the art at the time the invention was made to modify the teachings of the modified Balupari to include new heuristic botnet detection techniques for identifying whether the request-response transactions in the subsets are exchanged with a second/new malicious software that runs in the given client as taught by Wang for the benefit of identifying new botnets and providing for improved accuracy and lower false positives (Wang, col. 5 lines 6-11).

As per claims 4 and 16, claims 1 and 13 are incorporated, respectively, and the modified Balupari discloses: wherein evaluating the at least one feature comprises determining the feature over header fields of the request-response transactions (Balupari, [0045], the header field of HTTP requests and responses are analyzed).

As per claims 7 and 19, claims 1 and 13 are incorporated, respectively, and the modified Balupari discloses: wherein evaluating the feature comprises estimating an aggregated statistical property of the at least one feature over the request-response transactions in the subsets, and wherein identifying whether the request-response transactions are exchanged with the malicious software comprises checking whether the aggregated statistical property meets a malware detection criterion (Balupari, [0045] and Fig. 5, determining whether the referrer field in packets is frequently missing; if the referrer field in packets is frequently missing, the score increases. Examiner submits that the term “frequently” indicates an estimated “aggregated statistical property”, [0047], if the 

As per claims 8 and 20, claims 7 and 19 are incorporated, respectively, and the modified Balupari discloses: wherein the at least one feature comprises multiple different features, and wherein estimating the aggregated statistical property comprises evaluating the aggregated statistical property over the multiple different features (Balupari, [0045] and Fig. 5, the features evaluated comprise the following: determining whether the referrer field in packets is frequently missing, determining whether the average body size of responses is smaller than a configurable threshold value Z, determining whether the user-agent field in packets is frequently missing or unknown, and determining whether the average number of request header lines (fields) is less than or equal to a threshold value Y. The score is determined based on each feature evaluated).  

As per claim 9, claim 7 is incorporated and the modified Balupari discloses: wherein the malware detection criterion distinguishes between a first statistical distribution in values of the at least one feature, which is indicative of the first malicious software, and a second statistical distribution that is indicative of innocent traffic (Balupari, [0045]-[0047] and Fig. 5, if the score exceeds a threshold, then malware is present in the HTTP requests and responses between the source on the grey list and the nodes; if the score doesn’t exceed the threshold, then the traffic from and to the source is innocent traffic).

As per claim 10, claim 7 is incorporated and the modified Balupari discloses: and comprising adaptively adjusting the malware detection criterion (Balupari, [0048], “Scores for each heuristic and threshold levels are highly configurable, as is the scoring scale”). 

As per claim 23, claim 1 is incorporated and the modified Balupari discloses: wherein identifying whether the request-response transactions in the subset are exchanged with the first malicious software comprises detecting that the first malicious software runs in the given client (Balupari, Fig. 1, host 110b is compromised by bot 140, [0047], “blocking new connections from the source or to the destination”. If connections/requests are blocked from a particular source (i.e., client), that means the system has determined that the malicious software runs in that particular source.).

Claims 11 and 12 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Balupari in view of Aziz, Wang, and Kohler and further in view of Powers (US 20130174256 A1), claiming priority to the provisional application filed on 12/29/2011.
As per claim 11, claim 1 is incorporated and the modified Balupari does not disclose, however, Powers teaches or suggests: wherein monitoring of the transactions and extraction of the subsets are performed by a first processor, and wherein evaluation of the at least one feature and identification of the malicious software are performed by a second processor separate from the first processor (Powers, [0019] and Fig. 1, sensor 12 (i.e., first processor) monitors and extracts subsets of network data and cyber 
It would have been obvious to someone of ordinary skill in the art at the time the invention was made to modify the method of the modified Balupari with the monitoring and extracting of the transactions done by a first processor, and the evaluation and identification done by a second processor, as taught by Powers to enhance performance and efficiency, which one of ordinary skill would implement. Dividing the workload between two processors decreases the workload on each of the two processors.

As per claim 12, claim 7 is incorporated and the modified Balupari does not disclose, however, Powers teaches or suggests: and comprising indicating by the second processor to the first processor traffic that is to be discarded from evaluation (Powers, [0036] and Fig. 1, cyber security framework 20 (i.e., second processor) generates security policy decisions (e.g., traffic filters) to block network traffic from individual hosts and sends the policies to sensor 12 (i.e., first processor)).  
It would have been obvious to someone of ordinary skill in the art at the time the invention was made to modify the method of the modified Balupari with the monitoring and extracting of the transactions done by a first processor, and the evaluation and identification done by a second processor, as taught by Powers to enhance performance and efficiency, which one of ordinary skill would implement. Dividing the workload between two processors decreases the workload on each of the two processors.

Claims 5 and 17 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Balupari in view of Aziz, Wang, and Kohler and further in view of Strayer et al. (US 20030097439 A1; hereinafter “Strayer”) as cited in the IDS filed on 03/11/2019.
As per claims 5 and 17, claims 1 and 13 are incorporated, respectively, and the modified Balupari does not disclose, however, Strayer teaches or suggests: wherein evaluating the at least one feature comprises determining the feature over a predefined number of first content bytes at a beginning of the request-response transactions (Strayer, [0111], signature tap computes packet signature over the first several bytes of the packet payload).
It would have been obvious to someone of ordinary skill in the art at the time the invention was made to modify the method of the modified Balupari with computing signatures over the first several bytes of the packet payload as taught by Strayer to detect anomalous or suspicious flows in a network (Strayer, [0008]).

Claim 21 is rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Balupari in view of Aziz, Wang, and Kohler and further in view of McCabe et al. (US 8595843 B1; hereinafter “McCabe”).
As per claim 21, claim 1 is incorporated and the modified Balupari does not disclose, however, McCabe teaches or suggests: discarding transactions from the monitored request-response transactions that access a predetermined number of most-frequently-accessed-hosts (McCabe, col. 7 lines 27-35, communications with sites that are identified as being popular are deleted by software agent).  

Claim 22 is rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Balupari in view of Aziz, Wang, and Kohler and further in view of Carothers (US 20130232574 A1).
As per claim 22, claim 20 is incorporated and the modified Balupari discloses: wherein the multiple different features comprises each of: repetitions of a Uniform Resource Identifier (URI) in given requests, a given response not indicating a referrer, a content length in a given response being shorter than a certain threshold value, a user agent in a given request being shorter than a certain threshold value, and a number of fields in a given request being smaller than a certain threshold value (Balupari, [0046], repetitive HTTP connection to a bad address (URI), [0045] and Fig. 5, referrer field in a packet is frequently missing, average body size of responses is smaller than a configurable threshold value Z, user-agent field is missing or unknown, the average number of request header lines (fields) is less than or equal to a threshold value Y).
The modified Balupari does not disclose, however, Wang teaches or suggests: a returned content in a given response being an executable (Wang, col. 13 lines 46-50, monitoring behavior indicated in the network traffic for downloading executable files).

While the modified Balupari discloses evaluating repetitions of a URI in given requests, the modified Balupari does not disclose, however, Carothers teaches or suggests: in which the URI is a random string (Carothers, [0028], botnet domain is normally just a long string of random characters).
It would have been obvious to someone of ordinary skill in the art at the time the invention was made to modify the method of the modified Balupari with evaluating URIs comprising a random string as taught by Carothers for the benefit of reducing the number of false positives and improving the process of detecting botnets (Carothers, [0028]).
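The following is an added illustration, not code from this office action or from any of the cited references, of the feature scoring the action attributes to Balupari for claims 8 and 20 and the feature list recited in claim 22, evaluated per source over successive time periods in the manner attributed to Kohler. The thresholds Y and Z, the fraction taken to mean "frequently", the alert score, the known user-agent prefixes and the sample transactions are all assumptions constructed for the example.

```python
"""Score HTTP request-response subsets per source and time window (constructed example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from statistics import mean

# Assumed thresholds: the cited references describe Y, Z and the scoring scale as
# configurable and fix no particular values.
AVG_HEADER_LINES_Y = 4      # flag if the average number of request header lines <= Y
AVG_BODY_SIZE_Z = 512       # flag if the average response body size (bytes) < Z
FREQUENT = 0.5              # "frequently missing" := missing in at least this fraction
ALERT_SCORE = 3             # a subset is flagged when its score exceeds this value
KNOWN_USER_AGENTS = ("mozilla/", "curl/", "wget/")   # assumed list of known agents


@dataclass
class Transaction:
    ts: float                       # seconds since epoch
    src: str                        # client address
    dst: str                        # host contacted
    uri: str
    req_headers: dict = field(default_factory=dict)   # lower-cased name -> value
    resp_body_len: int = 0


def _ua_missing_or_unknown(t):
    ua = t.req_headers.get("user-agent", "").lower()
    return not ua or not ua.startswith(KNOWN_USER_AGENTS)


def score_subset(txns):
    """Evaluate each feature over one subset and return (score, per-feature results)."""
    n = len(txns)
    if n == 0:
        return 0, {}
    features = {
        "referrer_frequently_missing":
            sum("referer" not in t.req_headers for t in txns) / n >= FREQUENT,
        "user_agent_frequently_missing_or_unknown":
            sum(_ua_missing_or_unknown(t) for t in txns) / n >= FREQUENT,
        "avg_body_size_below_Z":
            mean(t.resp_body_len for t in txns) < AVG_BODY_SIZE_Z,
        "avg_header_lines_at_most_Y":
            mean(len(t.req_headers) for t in txns) <= AVG_HEADER_LINES_Y,
        "repetitive_uri":
            max(Counter((t.dst, t.uri) for t in txns).values()) / n >= FREQUENT,
    }
    # Each feature that fires contributes one point to the score.
    return sum(features.values()), features


def evaluate(txns, window_seconds):
    """Group transactions by (source, time window), score each subset, flag high scores."""
    subsets = defaultdict(list)
    for t in txns:
        subsets[(t.src, int(t.ts // window_seconds))].append(t)
    results = {}
    for key, sub in subsets.items():
        score, feats = score_subset(sub)
        results[key] = {"score": score, "features": feats,
                        "flagged": score > ALERT_SCORE}
    return results


def sample_transactions():
    """Constructed sample: one beaconing client and one client browsing normally."""
    beacon = [Transaction(ts=60.0 * i, src="10.0.0.12", dst="c2.example.invalid",
                          uri="/gate.php",
                          req_headers={"host": "c2.example.invalid", "accept": "*/*"},
                          resp_body_len=40) for i in range(6)]
    browse_hdrs = {"host": "news.example.invalid", "user-agent": "Mozilla/5.0",
                   "accept": "text/html", "accept-language": "en",
                   "referer": "https://news.example.invalid/",
                   "accept-encoding": "gzip", "connection": "keep-alive"}
    browsing = [Transaction(ts=45.0 * i, src="10.0.0.7", dst="news.example.invalid",
                            uri=f"/article/{i}", req_headers=browse_hdrs,
                            resp_body_len=20_000 + i) for i in range(6)]
    return beacon + browsing


if __name__ == "__main__":
    for key, r in evaluate(sample_transactions(), window_seconds=600).items():
        print(key, r["score"], "FLAGGED" if r["flagged"] else "ok")
```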

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Refer to PTO-892, Notice of References Cited for a listing of analogous art.
Ranjan et al. (US 8402543 B1) discloses determining aggregated communication activity statistics over a pre-configured time interval (col. 11 lines 34-52).


Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEXANDER R LAPIAN whose telephone number is (571)272-7552.  The examiner can normally be reached on M-F 9:30-6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 571-272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access 


ALEXANDER R. LAPIAN
Examiner
Art Unit 2437



/ALEXANDER R LAPIAN/Examiner, Art Unit 2437

/KRISTINE L KINCAID/Supervisory Patent Examiner, Art Unit 2437