DETAILED ACTION

1.	Notice of Pre-AIA or AIA Status: The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

2.	Claims 1-18 are presented for examination.  Claims 16-18 have been canceled.

3.	After restriction, claims 16-18 have been canceled via a preliminary amendment.

4.	This Office Action is in response to application 16417367 filed on May 20, 2019.

Claim Objections

5.	Claims 1-15 are objected to under 37 C.F.R. 1.75 because of the following informalities:

6.	Claim 1 recites “for each request” that refers back to “each request” previously recited in claim 1.  The feature/limitation is viewed as - for the each request – for further examination.  The same is true in claims 6 and 11.  Applicant to resolve claims 1, 6 and 11.

	Claims 2-5, 7-9 and 12-15 incorporate the deficiencies of claims 1, 6 and 11, through dependency, and are also objected.

7.	Claim 5 recites “wherein request attributes for subsequent requests” where “subsequent requests” has no antecedent basis.  Also, “request attributes” are not clearly associated with “subsequent requests.”  The feature/limitation is viewed as – wherein request attributes of the subsequent requests – for further examination.  The same is true in claims 10 and 15.  Applicant to resolve claims 5, 10 and 15.

8.	Claim 5 recites “prevent subsequent requests having similar request attributes,” which refers back to “subsequent requests” previously recited in claim 5 and to “one or more request attributes” previously recited in claim 1.  The feature/limitation is viewed as – prevent the subsequent requests having similar the request attributes – for further examination.  The same is true in claims 10 and 15.  Applicant to resolve claims 5, 10 and 15.

Claim Rejections - 35 USC § 102

9.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

10.	Claims 1, 2, 4-7, 9-12, 14 and 15 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Eyada, US Pub 20150372980.

11.	Regarding claims 1, 6 and 11, Eyada teaches a method, comprising:
receiving a plurality of requests (“related objects (e.g., messages)”, “packets”) from a client network application (“installed malware (‘callback malware’)”), each request in the plurality of requests (“packets”) for an action (“allow the callback process to continue”) to be performed on a resource (“callback process”) that is hosted at an origin server (“network device (host)”, “CnC server”) (“callbacks may be construed as outbound communications initiated by malware, which has already gained access to an installed itself within a network device (host)” [0017], “a callback from an installed malware (‘callback malware’)” [0018], “communication session between the compromised endpoint device and the CnC server as long as the CnC server credentials are available” [0033], “detecting that the object under analysis is associated with a callback process [] action logic 250 may be configured to (i) allow the callback process to continue or (ii) drop packets associated with the object under analysis” [0063], “related objects (e.g., messages), communicated during a session communication session between a source network device (e.g., endpoint device) and a destination network device (e.g., server)”, “first flow (e.g., HTTP request messages such as a HTTP GET message or a HTTP POST message) may be user initiated” [0038], “action logic 250 allows the data packets to flow to cryptographic logic” [0082]);
for each request in the plurality of requests (“HTTP packets”), determining one or more request attributes (“signatures”) of the request and associating the one or more request attributes of the request with a session (“callback session”) that identifies the client network application (“compromised endpoint device”) (“detecting a malicious callback session with a compromised endpoint device” [0016], “a protocol decoder logic 245 analyzes the HTTP headers associated with these HTTP packets [] saves information associated with the HTTP headers”, “saved information associated with the HTTP headers may undergo normalization, such as format conversion, to generate results that are compatible in format with the callback rules and/or signatures” [0080], “a comparison of the normalized results with the callback rules (and/or signatures) to determine if malicious callback-based attack has occurred” [0081]);
computing one or more session metrics of the session (“parameters for a subsequent communication session” [0019]);
generating a confidence value (“level of confidence”) for the client network application (“callback malware”) based at least on the determined request attributes (“pattern matches”, “score exceeds a prescribed value”) of the plurality of requests and the computed session metrics (“score value”, “static analysis score and/or other results”) of the session (“communication session”) (“a callback from an installed malware (‘callback malware’)” [0018], “during a session communication session” [0038], “generate a score value that represents a probability (or level of confidence) that the object under analysis is associated with a malicious attack”, “the ‘static score value’ may be based [] on (i) pattern matches by the IPC logic”, “(iii) analyzed deviation in messaging practices set forth in application communication protocols (e.g., HTTP, TCP, etc.) through the presence of a callback message”, “where the score exceeds a prescribed value [] the object under analysis is deemed ‘suspicious’ “, “static analysis score and/or other results from the static analysis [] may be provided to classification logic”  [0064]);
determining that the confidence value indicates that the client network application is malicious (“suspicious”, “malicious attack”) (“where the score exceeds a prescribed value [] the object under analysis is deemed ‘suspicious’ “, “static analysis score and/or other results from the static analysis [] may be provided to classification logic” [0064], “suspicious object is part of a malicious attack” [0067]);
in response to determining that the confidence value indicates (“detects callback malware directed to”) that the client network application (“endpoint device”) is malicious, performing one or more mitigation actions (“reduces [] mitigates”) (“detects callback malware directed to a particular endpoint device”, “neutralized malware software is generated, where the software appears to be upgrade but is code that reduces (e.g., eliminate or mitigates) attack capabilities of the callback malware” [0085]).

12.	Regarding claims 2, 7 and 12, Eyada teaches wherein generating the confidence value for the client network application comprises:
retrieving historical request data from a data structure (“security network device”), the historical request data (“signatures”, “pre-configured and predetermined”) including previous request attributes (“signatures”) of previous requests from the client network application (“callback malware”) (“installed malware (‘callback malware’)” [0018], “security network device”, “callback malware”, “signatures (e.g., pre-configured and predetermined attack patterns)” [0024] [0025], “analysis against one or more pre-stored callback signatures (e.g., pre-configured and predetermined callback-based attack patterns) stored within a rule/signature database” [0060], “pattern matches” [0064]); and
analyzing the previous request attributes (“signatures”, “predetermined”) of the previous requests to identify patterns (“attack patterns”) between the previous requests and the plurality of requests (“security network device”, “detect the presence of malware”, “signatures (e.g., pre-configured and predetermined attack patterns)” [0024] [0025], “analysis against one or more pre-stored callback signatures (e.g., pre-configured and predetermined callback-based attack patterns) stored within a rule/signature database” [0060], “pattern matches” [0064]).

13.	Regarding claims 4, 9 and 14, Eyada teaches wherein performing the one or more mitigation actions comprises:
blocking the request from transmittal to the origin server (“CnC server”) (“CnC recovery logic is activated on the next communication session between the compromised endpoint device and the CnC server as long as the CnC server credentials are available” [0033], “reduces (e.g., eliminate or mitigates) attack capabilities of the callback malware” [0085]).

14.	Regarding claims 5, 10 and 15, Eyada teaches further comprising:
storing (“pre-stored”) the one or more request attributes of the request and the session metrics (“signatures”, “patterns”) in a data structure (“database”) (“analysis against one or more pre-stored callback signatures (e.g., pre-configured and predetermined callback-based attack patterns” [0060]), 
wherein request attributes (“IP address(es)”) for subsequent requests (“information directed to a previously detected”, “IP address(es)”, “detecting subsequent callback messages”) are compared to the request attributes in the data structure to prevent subsequent requests having similar request attributes from being sent to the origin server (“some signature checks include callback signature checks and perhaps exploit (or vulnerability) signature checks”, “callback signature check is a process that compares an object under analysis against one or more pre-stored callback signatures”, “each exploit callback signature may include information directed to a previously detected or known attack pattern such as IP address(es) or host name(s)” [0060] [0061], “callback rules (and/or signatures) that may be used in detecting subsequent callback messages produced by the callback malware” [0026] [0027]).


Claim Rejections - 35 USC § 103
15.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

16.	Claims 3, 8 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Eyada, as applied to claims 1, 6 and 11 above, and further in view of Kursun, US Pub 20200169483.

17.	Regarding claims 3, 8 and 13, Eyada does not teach the modifying a reputation score and initiating a challenge process features, but in a similar field of endeavor Kursun teaches wherein performing the one or more mitigation actions comprises:
modifying a reputation score associated with the client network application (“respective node”, “an application”) (“establish mitigation actions in response to a detection of a potential malfeasance action” [0041] [0131] [0168], “entity information”, “a high probability of malfeasance”, “modifying the custom reputation values of account”, “of each respective node” [0190], “an application (e.g., the transaction application 421, the web browser application 422, and/or the SMS application 423 of fig. 4) to cause a user interface” [0227]); and
initiating a challenge process (“challenging”) in response to a subsequent request from the client network application (“an application”, “transaction application”, “web browser application”) (“the remediation action may comprise challenging a payee of the subsequent transaction request with additional authentication before permitting execution of the transaction request” [0196], “manage a common transaction application for customers”, “information about how long each account” [0198], “an application (e.g., the transaction application 421, the web browser application 422, and/or the SMS application 423 of fig. 4) to cause a user interface” [0227]).

Thus, it would have been obvious before the effective filing date of the claimed invention to a person of ordinary skill in the art to readily recognize the advantage of modifying Eyada’s system that provides the user “efforts have been made to counter malicious attacks over web traffic” (Eyada [0003]) and “most enterprise networks focus security efforts on intrusion detection for unauthorized inbound traffic” (Eyada [0020]) with the features of Kursun’s system to provide “pattern-based examination and detection of malfeasance through dynamic directed graph network flow analysis” (Kursun [0003]), “interpret information from a dynamic directed graph to identify and/or establish mitigation actions in response to a detection of a potential malfeasance action” (Kursun [0041]), “identify and initiate procedures to mitigate potential malfeasance issues” (Kursun [0131]), and “the system will prevent and mitigate future malfeasance dealings as soon as the potential malfeasance has been detected” (Kursun [0168]).

The motivation being “an improvement to an existing technological process of network-based malware detection” (Eyada [0016]) and “allow the callback process to continue” (Eyada [0063]) which includes “analyze and detect particular anomalous trends, patterns, and characteristics across such complex networks can improve the identification success rate and provide an opportunity to address potentially malfeasant interactions in real time” (Kursun [0001]) and “the system may modify the custom reputation values” (Kursun [0190]) and “if a transaction is associated with a financial institution that is located in a different country, the recoverability value may be very less, thereby improving the risk factor.  As such, the system may assign a low custom reputation value to all the accounts associated with such financial institution” (Kursun [0191]). 
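The claim elements mapped in paragraphs 11 through 14 and 17 above (per-request attribute extraction, association with a session, session metrics, a confidence value, blocking, stored attributes compared against subsequent requests, reputation modification and a challenge process) together describe one request-scoring procedure. The following is an added illustration written for this page; it is not code from the application, from Eyada (US 2015/0372980) or from Kursun (US 2020/0169483). The attribute names, score weights, thresholds, reputation penalty and the sample requests are assumptions made for the example.

```python
"""Session-scoring request classifier modelled on the claim elements mapped above.

Added illustration; not code from the application, Eyada or Kursun.  Attribute
names, weights, thresholds and the sample requests are assumptions.
"""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass, field

CHALLENGE_THRESHOLD = 0.4   # assumed: confidence at which a challenge is initiated
BLOCK_THRESHOLD = 0.7       # assumed: confidence at which requests are blocked
REPUTATION_PENALTY = 0.2    # assumed: reputation modification per mitigation action


@dataclass
class Request:
    client_id: str          # assumed session key (e.g. a client cookie) naming the client application
    ts: float               # arrival time in seconds
    method: str
    path: str
    user_agent: str


@dataclass
class Session:
    requests: list = field(default_factory=list)
    reputation: float = 0.5          # modified as a mitigation action (claims 3/8/13)
    challenge_pending: bool = False  # challenge issued on subsequent requests (claims 3/8/13)
    blocked: bool = False


def request_attributes(req):
    """Claims 1/6/11: determine one or more request attributes of a single request."""
    ua = req.user_agent.lower()
    scripted = any(tool in ua for tool in ("python-requests", "curl/", "go-http-client"))
    return {"method": req.method, "path": req.path, "ua": req.user_agent, "scripted_ua": scripted}


def signature(attrs):
    """Attribute tuple stored and compared against subsequent requests (claims 5/10/15)."""
    return (attrs["ua"], attrs["method"], attrs["path"])


def session_metrics(session):
    """Claims 1/6/11: compute session metrics over all requests associated with the session."""
    reqs = session.requests
    span = reqs[-1].ts - reqs[0].ts
    rate = len(reqs) / span if span > 0 else float(len(reqs))
    counts = Counter(r.path for r in reqs)
    entropy = -sum(c / len(reqs) * math.log2(c / len(reqs)) for c in counts.values())
    return {"count": len(reqs), "rate": rate, "path_entropy": entropy,
            "ua_count": len({r.user_agent for r in reqs})}


def confidence_value(attrs_list, metrics, history, reputation):
    """Claims 1 and 2: confidence that the client is malicious, from the attributes of the
    plurality of requests, the session metrics and a pattern match against stored history."""
    score = 0.0
    if any(a["scripted_ua"] for a in attrs_list):
        score += 0.3
    if metrics["rate"] > 2.0:                                    # more than two requests per second
        score += 0.3
    if metrics["count"] >= 5 and metrics["path_entropy"] == 0.0:  # hammering a single path
        score += 0.2
    if metrics["ua_count"] > 1:                                  # user agent changes mid-session
        score += 0.2
    if any(signature(a) in history for a in attrs_list):         # matches a stored attack pattern
        score += 0.3
    if reputation < 0.35:                                        # lowered by an earlier mitigation
        score += 0.2
    return min(score, 1.0)


class EdgeClassifier:
    """Scores each client session in front of the origin server and applies mitigation actions."""

    def __init__(self):
        self.sessions = defaultdict(Session)
        self.history = {}   # signature -> session metrics at blocking time (claims 2 and 5)

    def handle(self, req):
        """Return 'allow', 'challenge' or 'block' for one request."""
        attrs = request_attributes(req)
        if signature(attrs) in self.history:      # claims 5/10/15: similar attributes, not re-scored
            return "block"
        session = self.sessions[req.client_id]    # associate the attributes with the session
        if session.blocked:
            return "block"
        session.requests.append(req)
        metrics = session_metrics(session)
        conf = confidence_value([request_attributes(r) for r in session.requests],
                                metrics, self.history, session.reputation)
        if conf >= BLOCK_THRESHOLD:               # claims 4/9/14: block transmittal to the origin
            session.blocked = True
            session.reputation = max(0.0, session.reputation - REPUTATION_PENALTY)
            self.history[signature(attrs)] = metrics
            return "block"
        if conf >= CHALLENGE_THRESHOLD:           # claims 3/8/13: modify reputation, arm a challenge
            session.reputation = max(0.0, session.reputation - REPUTATION_PENALTY)
            session.challenge_pending = True
        return "challenge" if session.challenge_pending else "allow"


# Constructed sample traffic (not from the application or the cited references).
SCRIPTED_UA = "python-requests/2.31"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
SAMPLE_REQUESTS = (
    [Request("bot-1", t, "POST", "/login", SCRIPTED_UA) for t in (0.0, 0.2, 0.4, 0.6, 0.8, 1.0)]
    + [Request("user-1", t, "GET", p, BROWSER_UA)
       for t, p in ((0.0, "/"), (5.0, "/about"), (12.0, "/contact"))]
    + [Request("bot-2", 30.0, "POST", "/login", SCRIPTED_UA)]  # new client, same attributes as bot-1
)


def classify_all(requests):
    """Run the classifier over a request list; return the decisions in order and the classifier."""
    clf = EdgeClassifier()
    return [clf.handle(r) for r in requests], clf


if __name__ == "__main__":
    decisions, clf = classify_all(SAMPLE_REQUESTS)
    for r, d in zip(SAMPLE_REQUESTS, decisions):
        print(f"{r.client_id:7} {r.method} {r.path:9} -> {d}")
    print("stored signatures:", list(clf.history))
```

On the constructed traffic the scripted client is allowed on its first request, challenged on the second (its reputation is lowered at the same time), and blocked on the third once the lowered reputation and the request rate push the confidence over the block threshold; its attribute signature is then stored, so the later client bot-2 is blocked on its very first request without any session scoring, which is the comparison of stored attributes against subsequent requests recited in claims 5, 10 and 15. The browser session never accumulates a score.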

Conclusion
18.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  Applicant is reminded that in amending in response to a rejection of claims, the patentable novelty must be clearly shown in view of the state of the art disclosed by the references cited and the objection made.  Applicant must show how the amendments avoid such references and objections.  See 37 CFR 1.111(c).

19.	 Any inquiry concerning this communication or earlier communications from the examiner should be directed to O. Charlie Vostal whose telephone number is 571-270-3992 (via email:  Ondrej.Vostal@uspto.gov  “without a written authorization by applicant in place, the USPTO will not respond via internet e-mail to an Internet correspondence” MPEP 502.02 II and https://www.uspto.gov/sites/default/files/documents/sb0439.pdf ).  The examiner can normally be reached on 8:30am to 5:00pm EST Monday thru Friday.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 571-272-6967.  The fax phone number for the organization where this application or proceeding is assigned is 571-270-4992.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the Public PAIR system, see http://portal.uspto.gov/pair/PublicPair.  Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

	/ONDREJ C VOSTAL/           Primary Examiner, Art Unit 2452
	July 14, 2021