Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

1.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 29 March 2021 has been entered.
2.	Claims 1-20 have been cancelled.
3.	Claims 21-40 are newly added.
4.	Claims 21-40 are currently pending and rejected. 

Claim Rejections - 35 USC § 103
	
5.	The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.


Claims 21-40 are rejected under 35 U.S.C. §103(a) as being unpatentable over Shah et al. (US Publication No. 20050039104), hereinafter Shah, and in view of Applicant’s admitted prior art David Heilig (US Publication No. 20160021131), hereinafter Heilig.

In regard to claim 21: 
first capturing, at a computing device, first data associated with a first packet flow originating from the computing device (Shah, ¶42).
second capturing, downstream from the computing device, second data associated with a second packet flow originating from the computing device (Shah, ¶42).
in response to a difference between the first and second data exceeding a threshold value (Shah, ¶42).
Shah does not explicitly suggest determining that a portion of the second data includes hidden network traffic transmitted by bypassing an operating stack of the computing device or a packet capture agent of the computing device; however, in the same field of endeavor Heilig discloses this limitation (Heilig, ¶41-42).
Shah does not explicitly suggest performing a corrective action to reduce future flow of hidden traffic from the computing device; however, in the same field of endeavor Heilig discloses this limitation (Heilig, ¶51).
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to include the method of determining and comparing the second packet flow with the first packet flow from the same source/device of Shah with the detecting of hidden/stealth packet data disclosed in Heilig, in order to prevent and protect the device from tampering by malware, as stated by Heilig at para. 43.

In regard to claim 22: 
the corrective action comprising one or more of: isolating a virtual machine, isolating a container, limiting packets to and from the first host, requiring all packets to and from the first host to flow through the operating stack of the first host, isolating the first host, shutting down the first host, or notifying an administrator (Shah, ¶42).
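The comparison recited in claim 21 (host-side capture versus downstream capture, flagged when the difference exceeds a threshold) and the corrective-action choices of claim 22, as an added illustration written for this page and not taken from the Office action, Shah or Heilig. Flow keys, byte counts, the 1,000-byte threshold and the action-selection policy are all constructed assumptions.

```python
"""Added example: compare a host agent's view of its own outbound flows with a
downstream tap's view of the same host. Flows the tap sees that the host-side
capture does not (or under-counts by more than a threshold) are flagged as
hidden traffic that bypassed the host's operating stack or capture agent."""
from collections import Counter

# Constructed sample data: per-flow byte counts keyed by (dst_ip, dst_port, proto).
HOST_CAPTURE = Counter({
    ("203.0.113.10", 443, "tcp"): 52_000,
    ("198.51.100.5", 53, "udp"): 1_200,
})
DOWNSTREAM_CAPTURE = Counter({
    ("203.0.113.10", 443, "tcp"): 52_300,   # small delta: retransmits, encapsulation
    ("198.51.100.5", 53, "udp"): 1_200,
    ("192.0.2.77", 4444, "tcp"): 9_800,     # never seen by the host agent at all
})


def hidden_flows(host, downstream, threshold_bytes):
    """Return {flow: excess_bytes} for flows whose downstream byte count exceeds
    the host-side count by more than threshold_bytes. A flow the host agent
    never recorded counts as zero on the host side, so it is fully 'excess'."""
    hidden = {}
    for flow, down_bytes in downstream.items():
        excess = down_bytes - host.get(flow, 0)
        if excess > threshold_bytes:
            hidden[flow] = excess
    return hidden


def corrective_action(hidden, host_total_bytes):
    """Pick one claim-22 style action under an assumed policy (not the patent's):
    nothing hidden -> none; hidden flow to a port outside the allowlist -> isolate
    the host; hidden volume under 1% of host-visible traffic -> notify only;
    otherwise force all packets through the host's operating stack."""
    if not hidden:
        return "none"
    if any(port not in (53, 80, 443) for _, port, _ in hidden):
        return "isolate_host"
    if sum(hidden.values()) < 0.01 * host_total_bytes:
        return "notify_administrator"
    return "force_operating_stack"


if __name__ == "__main__":
    found = hidden_flows(HOST_CAPTURE, DOWNSTREAM_CAPTURE, threshold_bytes=1_000)
    print(found, corrective_action(found, sum(HOST_CAPTURE.values())))
```

The threshold absorbs benign deltas such as retransmissions or tunnel overhead; a flow entirely absent from the host-side capture is the strongest indicator and drives the most restrictive action.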

In regard to claim 23: 
wherein the corrective action includes requiring all packets to and from the computing device to flow through an operating stack of the computing device (Shah,  ¶108).  

In regard to claim 24: 
wherein the corrective action includes isolating a virtual machine and/or a container (Shah, ¶7).

In regard to claim 25: 
wherein the corrective action includes isolating the computing device (Shah, ¶8).

In regard to claim 26: 
wherein the corrective action includes shutting down the computing device (Shah, ¶8).  

In regard to claim 27: 
Shah does not explicitly suggest further comprising predicting a presence of a malicious entity in the computing device based on the hidden network traffic; however, in the same field of endeavor Heilig discloses this limitation (Heilig, ¶5).
The same motivation for combining the respective features of Shah and Heilig applies herein, as discussed in the rejection of claim 21.

In regard to claim 28: 
first capturing, at a computing device, first data associated with a first packet flow originating from the computing device (Shah, ¶42).
second capturing, downstream from the computing device, second data associated with a second packet flow originating from the computing device (Shah, ¶42).
in response to a difference between the first and second data exceeding a threshold value (Shah, ¶42).
Shah does not explicitly suggest determining that a portion of the second data includes hidden network traffic transmitted by bypassing an operating stack of the computing device or a packet capture agent of the computing device; however, in the same field of endeavor Heilig discloses this limitation (Heilig, ¶41-42).
Shah does not explicitly suggest performing a corrective action to reduce future flow of hidden traffic from the computing device; however, in the same field of endeavor Heilig discloses this limitation (Heilig, ¶41-42).


In regard to claim 29: 
the corrective action comprising one or more of: isolating a virtual machine, isolating a container, limiting packets to and from the first host, requiring all packets to and from the first host to flow through the operating stack of the first host, isolating the first host, shutting down the first host, or notifying an administrator (Shah, ¶42).

In regard to claim 30: 
wherein the corrective action includes requiring all packets to and from the computing device to flow through an operating stack of the computing device (Shah,  ¶108). 

In regard to claim 31: 
wherein the corrective action includes isolating a virtual machine and/or a container (Shah, ¶7).

In regard to claim 32: 
wherein the corrective action includes isolating the computing device (Shah, ¶8).
  
In regard to claim 33: 

  
In regard to claim 34: 
Shah does not explicitly suggest further comprising predicting a presence of a malicious entity in the computing device based on the hidden network traffic; however, in the same field of endeavor Paul Heilig discloses this limitation (Heilig, ¶5).
The same motivation for combining the respective features of Shah and Heilig applies herein, as discussed in the rejection of claim 28.

In regard to claim 35: 
a non-transitory computer-readable memory storing instructions; a processor programmed to cooperate with the instructions in memory to perform operations comprising (Shah, ¶127):
first capturing, at a computing device, first data associated with a first packet flow originating from the computing device (Shah, ¶42).
second capturing, downstream from the computing device, second data associated with a second packet flow originating from the computing device (Shah, ¶42).
in response to a difference between the first and second data exceeding a threshold value (Shah, ¶42).
Shah does not explicitly suggest determining that a portion of the second data includes hidden network traffic transmitted by bypassing an operating stack of the computing device or a packet capture agent of the computing device; however, in the same field of endeavor Heilig discloses this limitation (Heilig, ¶41-42).
Shah does not explicitly suggest performing a corrective action to reduce future flow of hidden traffic from the computing device; however, in the same field of endeavor Heilig discloses this limitation (Heilig, ¶51).
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to include the method of determining and comparing the second packet flow with the first packet flow from the same source/device of Shah with the detecting of hidden/stealth packet data disclosed in Heilig, in order to prevent and protect the device from tampering by malware, as stated by Heilig at para. 43.

In regard to claim 36: 
the corrective action comprising one or more of: isolating a virtual machine, isolating a container, limiting packets to and from the first host, requiring all packets to and from the first host to flow through the operating stack of the first host, isolating the first host, shutting down the first host, or notifying an administrator (Shah, ¶42).
  
In regard to claim 37: 
wherein the corrective action includes requiring all packets to and from the computing device to flow through an operating stack of the computing device (Shah, ¶7).
 
In regard to claim 38: 
wherein the corrective action includes isolating a virtual machine and/or a container (Shah, ¶8).

In regard to claim 39: 
wherein the corrective action includes isolating and/or shutting down the computing device (Shah, ¶8).

In regard to claim 40: 
Shah does not explicitly suggest further comprising predicting a presence of a malicious entity in the computing device based on the hidden network traffic; however, in the same field of endeavor Heilig discloses this limitation (Heilig, ¶5).
The same motivation for combining the respective features of Shah and Heilig applies herein, as discussed in the rejection of claim 35.

Conclusion

6.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure. Any inquiry concerning this communication or earlier communications from the examiner should be directed to Monjur Rahim, whose telephone number is (571) 270-3890.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay, can be reached at 571-272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (in USA or CANADA) or 571-272-1000.

/Monjur Rahim/
Patent Examiner
United States Patent and Trademark Office
Art Unit: 2436; Phone: 571.270.3890
E-mail: monjur.rahim@uspto.gov
Fax: 571.270.4890