DETAILED ACTION
	Claims 1-20 are presented on 05/07/2020 for examination on merits.  Claims 1, 8, and 15 are independent base claims.  

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Examiner's Instructions for filing Response to this Office Action
When the Applicant submits amendments to the claims in response to the Office Action, the Examiner would prefer that Applicant submit two sets of claims: 
Set #1 that includes indicators for the status of claim and all marked amendments to the claims; and 
Set #2 comprising a clean version of the claims with all the markups removed for entry, as an appendix to the Set #1.

Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted for examination on the merits are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement(s) is/are being considered by the examiner. See the annotated 1449 documents.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-17 of U.S. Patent No. US 10,693,892 B2 (hereinafter “PAT 892”). 
Although the claims at issue are not identical, they are not patentably distinct from each other because they claim the same subject matter of using injected packets for detecting and tracking network attacks.


A method, comprising: 
monitoring, by a network device, data packets destined for a target to detect a malicious request directed toward the target (PAT 892, CLM. 1: monitoring, by a network device, data packets destined for a target for a malicious request); and 
responsive to detecting a malicious request  (PAT 892, CLM. 1: responsive to detecting the malicious request): 
creating by the network device a forensic token having information pertaining to the malicious request (PAT 892, CLM. 1: creating by the network device a payload; formatting the payload to correspond to a protocol of the request; digitally signing the payload.  It is noted that the formatted payload corresponding to a protocol of the request when digitally signed is a functional equivalent forensic token having information pertaining to the malicious request), the forensic token configured to be stored by a source of the malicious request and discoverable regarding involvement of the source in the malicious request (PAT 892, CLM. 4: forming the payload to include an Internet Protocol (IP) address of the source of the malicious request, such that the payload is discoverable regarding involvement of the source in the malicious request); 
injecting the forensic token into a response message (PAT 892, CLM. 1: injecting the digitally signed payload into a response message); and 
transmitting the response message to the source of the request as a response to the request (PAT 892, CLM. 1: transmitting the response message to a source of the request as a response to the request).

Independent claims 8 and 15 are rejected for the same reason as claim 1, because they each recite the same limitations in similar language as those in claim 1.



Examiner’s Note
	The Examiner notes that claims 15-20 are drawn to “a computer program product for network attack tainting and tracking, the computer program product comprising a computer readable storage medium having program instructions embodied therewith” wherein the computer readable storage medium is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media; see par. 0014 of the Specification.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims 1-5, 7-12, and 14-19 are rejected under 35 U.S.C. 103 as being unpatentable over Galloway (US 20080127319 A1; hereinafter “Gallo”) in view of Gummaraju (US 20180034858 A1; hereinafter “Gum”).

As per claim 1, Gallo teaches a method (Gallo, par. 0007-0010: server-based anti-fraud token method for monitoring and tracking; par. 0052-0053), comprising: 
monitoring, by a network device, data packets destined for a target to detect a malicious request directed toward the target (Gallo, par. 0050-0051: monitoring where the user has been.  For example, the system remembers where the token was placed the last time a particular site was visited, then if the token appears at another place next time the user visits the site); and 
While Gallo teaches identifying the response to a request… and obtain the trusted webpage from the response for monitoring (Gallo, par. 0040-0041), Gallo does not explicitly disclose the step of creating a forensic token having information pertaining to the malicious request in response to detecting a malicious request, or the subsequent step of injecting the forensic token into a response message. This aspect of the claim is identified as a difference.
In a related art, Gum teaches:
responsive to detecting a malicious request: 
creating by the network device a forensic token having information pertaining to the malicious request, the forensic token configured to be stored by a source of the malicious request and discoverable regarding involvement of the source in the malicious request (Gum, 
injecting the forensic token into a response message (Gum, par. 0086-0087 and 0090: error response; when a networked service requests or accepts new connections, e.g., by intercepting process calls…, and injects tokens on appropriate calls); and 
transmitting the response message to the source of the request as a response to the request (Gum, par. 0037: Tokens 222 may be transmitted, for example, in response to a token request including one or more service credentials 146).
Gallo and Gum are analogous art, because they are in a similar field of endeavor in improving techniques for malware detection and analysis. Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine them and to use Gum to modify Gallo to include token generating and injecting steps in response to detecting a malicious request. For this combination, the motivation would have been to improve the tractability of malware in the code analysis.

As per claim 2, the references as combined above teach the method of Claim 1, further comprising digitally signing the forensic token (Gum, par. 0022: cryptographically-signed tokens).

As per claim 3, the references as combined above teach the method of Claim 1, further comprising: digitally signing the forensic token (Gum, par. 0022: cryptographically-signed tokens); and encrypting the digitally signed token (Gum, par. 0050: the tokens 222 may be cryptographically encrypted).

As per claim 4, the references as combined above teach the method of Claim 1, wherein creating the forensic token includes forming the forensic token to include a detection rule triggered by the malicious request (Gum, par. 0005-0006 and 0032: one or more security policies for issuing tokens).

As per claim 5, the references as combined above teach the method of Claim 1, wherein creating the forensic token includes forming the forensic token to include an Internet Protocol (IP) address of the source of the malicious request (Gum, par. 0048-0049 and 0084: The security policies 142 associated with the destination resource 124 may be identified using an access token 226 … with a characteristic (e.g., IP address, MAC address)).

As per claim 7, the references as combined above teach the method of Claim 1, wherein creating the forensic token includes forming the forensic token to include an IP address of the target (Gum, par. 0048-0049 and 0084: The security policies 142 associated with the destination resource 124 may be identified using an access token 226 … with a characteristic (e.g., IP address, MAC address) of the client host 132).

As per claims 8 and 15, they are similarly rejected for the same reasons as found in claim 1, because they each recite the same limitations as claim 1.

As per claims 9-12 and 14, they are directed to the system of Claim 8 reciting the same limitations as claims 2-5 and 7, respectively.  For the same reasons as for claims 2-5 and 7, they are rejected.

Claims 6, 13, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Gallo and Gum, as applied to claim 1, and further in view of Mowshowitz (US RE48382 E; hereinafter “Mow”).

As per claim 6, the references as combined above teach the method of Claim 1, wherein injecting the forensic token into the response message includes injecting the forensic token into a cookie (Mow, col. 4, lines 12-18: This encrypted state token may be stored in a HTTP cookie or injected into the HTTP response using a variety of mechanisms).

As per claim 13, it is directed to the system of Claim 8, reciting the same limitations as claim 6.  Therefore, claim 13 is rejected for the same reason as that for claim 6.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art additionally discloses certain parts of the claim features (See “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DON ZHAO whose telephone number is (571)272.9953.  The examiner can normally be reached on Monday to Friday, 7:30 A.M to 5:00 P.M EST.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800.786.9199 (IN USA OR CANADA) or 571.272.1000.


/Don G Zhao/Primary Examiner, Art Unit 2493
06/04/2021