Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This office action is in response to amendment/reconsideration filed 4/8/2021, the amendment/reconsideration has been considered.  Claims 1-2 and 8-19 are pending for examination.  Claims 3-7 were previously withdrawn from consideration.
Response to Arguments
Applicant's arguments are moot in light of the new ground of rejections set forth below.
Claim Rejections - 35 USC § 112
3.	The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


4.	The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

5.	Claims 1-2 and 8-19 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
	Claim 1 recites 
a) “determine the number of Address Resolution Protocol (ARP) request messages that are sent during normal network communication to an Internet Protocol (IP) address that is not in use on the network, based on the communications on the network during normal network communication;
 	b) receive a plurality of ARP request messages from a second information processing system connected to the network, wherein second information processing system addressed the request message to a request IP address, wherein the request IP address is not in use on the network;
	c) transmit a plurality of ARP messages to the second information processing system, wherein the reply messages comprise a reply IP address and a Media Access Control (MAC) address, 
d) determine that the second information processing system is compromised based on the number of ARP request messages in the plurality of ARP request messages and the number of ARP request messages that are sent during normal network communication to an IP address that is not in use on the network.”
1a) First of all, regarding a), “the number of Address Resolution Protocol (ARP) request messages that are sent during normal network communication to an Internet Protocol (IP) address” lacks sufficient antecedent basis.  For the sake of the examination, Examiner assumes any number of Address Resolution Protocol (ARP) request messages that are sent during normal network communication to an Internet Protocol (IP) address”;
1b) in addition, since the software is claimed to reside on the first information processing system which performs the steps including “determine the number of Address Resolution Protocol (ARP) request messages that are sent during normal network communication to an Internet Protocol (IP) address that is not in use on the network”, without being the sender of the message, unless there is no possibility of packet loss, it is unclear how the first information processing system can determine the number of message “SENT” by the sender.  Applicant is required to clarify.
2) Secondly, regarding b), the recited “the request message to a request IP address” lacks sufficient antecedent basis.  It is unclear which request message this refers.  For the sake of the examination, Examiner assumes any request message.  
the reply messages” lacks sufficient antecedent basis.  For the sake of the examination, Examiner assumes any messages.
3b) additionally, the scope of “a reply IP address” cannot be definitely determined, because it is unclear whether the reply IP address is the IP address of the replier of the IP address provided to the sender for further response.  Applicant is required to clarify.  For the sake of the examination, Examiner assumes any IP address.
4a) Fourthly, regarding d), the recited “the number of ARP request messages in the plurality of ARP request messages” lacks sufficient antecedent basis. It is unclear what is considered “the number of ARP request messages in the plurality of ARP request messages”, e.g., whether it refers to “the number of the plurality of ARP request message”, or “the number of a subset of the plurality of ARP request messages”, or other possibilities.  For the sake of the examination, Examiner assumes any number of any ARP request messages.
4b) further regarding d), it is unclear regarding the scope of “the number of ARP request messages that are sent during normal network communication to an IP address that is not in use on the network” since the preceding limitations recite two instances of ARP request messages that are sent during normal network communication to an IP address that is not in use on the network.  For the sake of the examination, Examiner assumes any number of ARP request messages.
Claims 2 and 8-19 are similarly rejected.
Claim Rejections - 35 USC § 103
6.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

8.	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
9.	Claims 1-2, 9-14 and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Liston (US 20040103314) in view of Kwan (US 7562390).
As to claim 1, Liston discloses a system to detect and prevent network tampering comprising: 	
a first information processing system ([0030], “a method and system for preventing unauthorized intrusions into local computers networks…”; [0035], “the Ethernet Protocol. The claimed invention monitors ARP packet activity to discover unused IP addresses within computer networks 2 and use connection attempts against those addresses to build a list of unauthorized violators”. Here the entity that performs said functions is equivalent to a first information processing system),
a network interface connecting the first information processing system to the network (figure 1, “corporate network”; [0030], “local computer networks…”; [0034], “a network interface card”; [0035], “Ethernet Protocol”), and 

monitor communications on the network during normal network communication (see citation above, “monitors ARPO packet activity…”);
determine the number of Address Resolution Protocol (ARP) request messages that are sent during normal network communication to an Internet Protocol (IP) address that is not in use on the network, based on the communications on the network during normal network communication (see 112 rejection and Examiner’s interpretation above.  See [0034], “The improved LaBrea.TM. software program is loaded onto the personal computer… to monitor all data packets…”; [0035], “monitors ARP packet activity to discover unused IP addresses within computer network 2”);
 	receive a plurality of ARP request messages from a second information processing system connected to the network, wherein second information processing system addressed the request message to a request IP address, wherein the request IP address is not in use on the network (see 112 rejection and Examiner’s interpretation above.  See figure 3, step 90, “Source IP on Bad Guy List” indicates previously also received such type of message(s) from this source which is equivalent to a second information processing system);
	 transmit a plurality of ARP messages to the second information processing system, wherein the reply messages comprise a reply IP address (see 112 rejection and Examiner’s interpretation above.  See [0037], “sends a forged ARP response 60, which
creates the appearance that a real machine is associated with the previously unused IP address”; See figure 3, if already on “bad guy list” then a previous reply message was sent based on the same functionality), 
determine that the second information processing system is compromised based on the number of ARP request messages in the plurality of ARP request messages and the number of ARP request messages that are sent during normal network communication to an IP address that is not in use on the network (see 112 rejection and Examiner’s interpretation above.  See [0037]; figures 2-3, wherein the number is at least two if the source is already on the bad-guy list); and 
take one or more detection and prevention actions against the compromised second information processing system (figure 4, step 280).
However, Liston does not expressly disclose that the reply message also includes a Media Access Control (MAC) address.  Kwan discloses a concept for an ARP reply message to include both an IP address and a MAC address (col. 2, paragraphs 2-3).
Before the effective filing date of the invention, it would have been obvious for an ordinary skilled in the art to combine Liston with Kwan.  The suggestion/motivation of the combination would have been to direct the ARP response to the correct entity (col. 2, paragraphs 2-3).
As to claim 13, see similar rejection to claim 1.
As to claim 2, Liston discloses the system of claim 1, wherein the information processing system is a general purpose computer ([0034], “a personal computer having a network interface card connected to the computer network”).
As to claim 14, see similar rejection to claim 2.
As to claim 9, Liston-Kwan disclose the system of claim 1, wherein the reply IP address is the request IP address (see 112 rejection and Examiner’s interpretation.  See Kwan, cited in rejection to claim 1).
As to claim 16, see similar rejection to claim 9.
As to claim 10, Lipton-Kwan discloses the system of claim 1, wherein the MAC address is the MAC address of the first information processing system, a MAC address of the device on the network 
As to claim 17, see similar rejection to claim 10.
As to claim 11, Liston-Kwan discloses the system of claim 1, wherein the one or more detection and prevention actions comprise:
removing the second information processing system from the network ([0020]);
disabling the second information processing system's ability to communicate with selected other information processing systems on the network (Liston, [0020], “breaks the connection between an Internet protocol address attempting to connect to the network by sending a first reset packet …”); or 
sending a communication including the IP or MAC address of the second information processing system to one or more third parties (Liston, [0045]).
As to claim 18, see similar rejection to claim 11.
As to claim 12, Lipton-Kwan discloses the system of claim 1, wherein the software program is further configured to flag the IP address of, MAC address of, or network activity of the second information processing system as compromised (Lipton, figures 2-3, bad guy list).
As to claim 19, see similar rejection to claim 12.
10.	Claims 8 and 15 are rejected under 35 U.S.Cc. 103 as being unpatentable over Liston-Kwan, as applied to claim 1 above, and further in view of Caldwell et al (US 6195688).
	As to claim 8, Liston-Kwan discloses the claimed invention substantially as discussed in claim 1, including wherein the first information processing system is a general purpose computer (Liston, see citation in rejection to claim 2) but does not expressly disclose that the software program is a network device driver.  Caldwell discloses a concept that a software for receiving and responding to ARP messages is a device driver (claim 11).

As to claim 15, see similar rejection to claim 8.
Conclusion
11.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HUA FAN whose telephone number is (571)270-5311.  The examiner can normally be reached on 9-6.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on (571)272-7304.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.







/HUA FAN/, J.D., Ph.D.               Primary Examiner, Art Unit 2449