DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Status
Claims 1-14 are pending.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-12 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over “Huang” et al. [US 9734332 B2] in view of “Langton” et al. [US 9740853 B2].

REGARDING CLAIMS 1 & 14. Huang discloses a computer-implemented method and a data processing system for testing device security, comprising executing on one or more processors: receiving a [“configuration”] file;

Huang may not expressly disclose; but Langton, analogous art, discloses receiving configuration information [see Abstract; FIG.1, steps 410, 420 of FIG.4].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to modify the system of Huang by incorporating the configuration information of Langton for the benefit of configuring a sandbox environment for malware testing.

Huang in view of Langton further discloses,
executing a plurality of security tests on a device based on the configuration file received [Huang discloses Applying a domain language to a target (605, FIG.6); see also configure sandbox based on configuration info 430 (FIG.4 of Langton)];
identifying a suspected application on the device from the security tests [Huang discloses Applying a domain specific language to a target (605, FIG.6)];
simulating a test condition to trigger an attack on the device by the suspected application [Huang discloses Tracking a set of temporal sequences and events of the target (610, FIG.6; Huang discloses execute/monitor events in sandbox environment: see Abstract, 130 of FIG.1); see also Analyze file in the sandbox… 440 (FIG.4 of Langton)];
monitoring a behavior of the device (see Malware Detection System 110, FIG.1 of Huang) under the simulated test condition [Huang discloses “observing temporal events and sequences” (Abstract); Determine presence markers … indicative of malware (615, FIG.6); see also Analyze file in the sandbox… 440 (FIG.4 of Langton)]; and
performing a forensic data analysis (see Forensic Analysis 145A-N, FIG.1 of Huang) on the behavior of the device under Huang discloses Determine presence markers … indicative of malware, and identifying malware based on the markers (615 & 620, FIG.6); see also Does file include malware 450 (FIG.4 of Langton)].

Huang in view of Langton further discloses claims 2, 3. The computer-implemented method for testing device security according to claim 1, wherein the test condition comprises one or more environmental conditions, wherein the one or more environmental conditions comprise one or more of a network environment, a location, a trajectory, time, a movement, a lighting level, a sound environment, an image and pressure [see FIG.1 of Huang, where Behavioral Sandbox Environment 130, etc. is disclosed].

Huang in view of Langton further discloses claim 4. The computer-implemented method for testing device security according to claim 1, wherein simulating the test condition comprises sending crafted data to the device [Huang discloses Tracking a set of temporal sequences and events of the target (610, FIG.6)].

Huang in view of Langton further discloses claim 5. The computer-implemented method for testing device security according to claim 1, wherein simulating the test condition comprises injecting code into the suspected application [Huang discloses process of injected-scripts… (col.8, lines 19-63)].

Claim 6. The computer-implemented method for testing device security according to claim 1, wherein the security tests comprise one or more of a scanning test, a fingerprinting test, a process enumeration test, a data leakage test, a side-channel attack test, a data collection test, a management access test, a breaking encrypted traffic test, a spoofing attack test, a communication delay attack test, a communication tampering test, a known vulnerabilities enumeration test and a vulnerability scan test [Huang discloses a plurality of security tests; see Malware Detection System 110 of FIG.1, where Huang discloses a plurality of tests (such as Forensic, Protocol, Static Analysis)].

Huang in view of Langton further discloses claim 7. The computer-implemented method for testing device security according to claim 1, wherein identifying the suspected application on the device comprises identifying an irregular activity of the device during the security tests [see Forensic Analysis 145A-N, FIG.1 of Huang; where Huang discloses Determine presence markers … indicative of malware, and identifying malware based on the markers (615 & 620, FIG.6); see also Does file include malware 450 (FIG.4 of Langton)].

Huang in view of Langton further discloses claim 8. The computer-implemented method for testing device security according to claim 1, wherein identifying the suspected application on the device comprises comparing each of a plurality of applications installed on the device against an application whitelist and an application blacklist [Huang discloses process of url blacklist … (col.6, lines 10-21)].

Claims 9, 10. The computer-implemented method for testing device security according to claim 1, wherein monitoring the behavior of the device comprises: monitoring an internal status of the device, and monitoring communications with the device [see Forensic Analysis 145A-N, FIG.1 of Huang; where Huang discloses Determine presence markers … indicative of malware, and identifying malware based on the markers (615 & 620, FIG.6); see also Does file include malware 450 (FIG.4 of Langton)].

Huang in view of Langton further disclose claim 11. The computer-implemented method for testing device security according to claim 1, further comprising: evaluating a result of the forensic data analysis performed according to a success criterion [Huang disclose . 

Huang in view of Langton further discloses claim 12. The computer-implemented method for testing device security according to claim 11, wherein evaluating the result of the forensic data analysis performed comprises calculating a probability of the attack [Huang discloses process of injected-scripts… (col.6, lines 10-21)].

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over “Huang” et al. [US 9734332 B2] in view of “Langton” et al. [US 9740853 B2], and further in view of “Duffield” et al. [US 7587761 B2].

Huang in view of Langton fails; but Duffield, analogous art, discloses claim 13. The computer-implemented method for testing device security according to claim 12, wherein evaluating the result of the forensic data analysis performed further comprises calculating a see Abstract; and FIG.2, where Duffield discloses Attack Estimation 24, etc.].
Therefore, it would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to modify the system of Huang and Langton by incorporating the attack severity estimation teaching of Duffield for the benefit of automatic adjustment of the sensitivity in network attack detection systems under dynamic traffic conditions.

Response to Arguments
Amendments made to claim 14 overcome the objection to the claim; and therefore, the objection is withdrawn.
Applicant's arguments (REMARKS) filed 04/27/2021 have been fully considered but they are not persuasive.
Applicant argues that:
(1) the cited art (specifically Huang) fails to teach “executing a plurality of security tests on a device based on the configuration file received, as recited in each of independent claims 1 and 14…”;
(2) It is further argued, “… providing a target with malware detection rules as disclosed in Huang does not teach or suggest identifying a suspected application on the device from security tests, …”; and finally,
(3) It is also argued, “… tracking 610 a set of temporal sequences and events of the target as disclosed by Huang does not teach or suggest simulating a test condition to trigger an attack on the device by the suspected application…”

combined teach the above limitations. First, there is no dispute that Huang discloses running or executing security tests to identify a suspected application (e.g., steps 605, 610: FIG.6). As far as simulating a test condition … is concerned, Huang determines if the target is infected with malware based on the presence (or absence) of one or more markers within the set of temporal sequences and events … (steps 615, 620), such that the steps of FIG.6 are executed and monitored in a behavioral sandbox environment (see Abstract and 130, FIG.1).
It is further noted that, except for mentioning that Langton is applied for disclosing the “configuration file”, applicant’s arguments are entirely constructed on the primary reference, i.e., Huang. However, Langton discloses not only the “configuration file” as mentioned; Langton further discloses analyzing a sandbox environment that is configured based on determined configuration information (or testing) (e.g., Abstract and steps 410-440: FIG.4).
In other words, with the broadest reasonable interpretation, both Huang and Langton disclose the limitation “simulating a test condition…” because they disclose executing/monitoring suspected files in a sandboxed environment.

Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AMARE F TABOR whose telephone number is (571) 270-3155. The examiner can normally be reached on Mon.-Fri.: 8:00 AM to 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KAMBIZ ZAND can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR






/AMARE F TABOR/ Primary Examiner, Art Unit 2434