Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

Claims 1 – 20 are pending.
Any references to applicant’s specification are made by way of applicant’s U.S. pre-grant printed patent publication.
This action is in response to the communication filed on 7/30/21.
All objections and rejections not set forth below have been withdrawn.

Specification

The specification is objected to as failing to provide proper antecedent basis for the claimed subject matter.  See 37 CFR 1.75(d)(1) and MPEP § 608.01(o).  Correction of the following is required: 
The specification fails to provide adequate description for the recitation “determining that the first device is threatened when the connection mode between the first device and the second device is the reverse connection” (e.g. claim 1; and similarly claim 11).  Specifically, the examiner notes that the applicant’s original disclosure does not clearly disclose the difference between the step of determining that a device is a .   

Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1 – 20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint 
See above objection to the specification.

	The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1 – 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

	Regarding claims 1 and 11, the recitation of “determining that the first device is threatened when the connection mode between the first device and the second device is the reverse connection” renders the scope of the claims indefinite.  Specifically, the examiner notes that it is unclear why it is necessary, and how it is determined, that a device is “threatened” after having already determined that a device comprises a “reverse connection”.  
The examiner notes that the applicant’s originally filed disclosure teaches, and one of ordinary skill in the art would readily understand, that a “reverse connection” is a malware threat to a computing device (e.g. Specification, par. 4, 9, 57, 76 -79).  Thus, it 
	Additionally, the examiner notes that the applicant’s originally filed disclosure explicitly states that the determination that a device is “threatened” is accomplished by identifying when the “activation rate”, “response rate”, and “quantity of interactions” exceed respective thresholds (e.g. see original claim 1, 11; Abstract).   It is unclear to one of ordinary skill in the art as to the difference between the claimed steps of determining a reverse connection and determining that a device is threatened when each of the claimed steps apparently depends upon the same identification of when the “activation rate”, “response rate”, and “quantity of interactions” exceed respective thresholds.

	Regarding claims 2, 3, 12, and 13, the recitations “level-1 threat”, “level-2 threat”, and “level-3 threat” render the scope of the claims indefinite.  Specifically, these terms are not defined within the claims and they do not possess a standard meaning within the art.  
	The applicant’s claim amendments appear to be an attempt at defining the recited “level-2” threat only in the form of an indefinite value relative to another indefinite value (such as “represents a greater threat … than a level-1 threat” (e.g. claim 2)).  However, as the term “level-1” threat is itself undefined, the recitation “level-2” threat is also indefinite, because its interpretation depends upon terminology which is indefinite in scope.  

The examiner notes that the applicant’s claim amendments appear to be an attempt at defining the scope of the claimed “level-1 threat”, “level-2 threat”, and “level-3 threat” solely in terms of indefinite and relative values or degrees of threat.  Furthermore, the applicant’s Remarks of record offer no statement or explanation as to the scope of subject matter which the applicant attempts to claim by the terminology “level-1 threat”, “level-2 threat”, and “level-3 threat”. 
Thus, in light of the above and for the purpose of examination, the examiner presumes that the recited “level-1 threat”, “level-2 threat”, and “level-3 threat” are to be interpreted as indefinite values or degrees of threat relative to one another.   

	Dependent claims are rejected by virtue of dependency.

Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1, 2, 10, 11, 12, and 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Xue et al. (Xue), “Design and implementation of a malware detection system based on network behavior”.

	Regarding claim 1, as best determined in view of the above noted deficiencies of clarity, Xue discloses:
	A threat detection method implemented by a threat detection apparatus (e.g. Xue, sect. 5; fig. 6), wherein the method comprises: 
obtaining (e.g. Xue, fig. 1:switch and data capture host; sect. 2.4, par. 3; fig. 6; sect. 5.2), packets in a Transmission Control Protocol (TCP) session between a first device and a second device (e.g. Xue, sect. 3, par. 2, 3), wherein an initiating-end device of the TCP session is the first device, wherein the first device is located in a protected network (e.g. Xue, fig. 1: malware client behind LAN gateway), and wherein the second device is located in another network (e.g. Xue, fig. 1: remotely located spyware control host); 
obtaining a first data flow and a second data flow in the TCP session (e.g. Xue, sect. 3, par. 2, 3), wherein the first data flow comprises data transmitted from the first device to the second device, and wherein the second data flow comprises data transmitted from the second device to the first device (e.g. Xue, sect. 3.2 – upstream and downstream data between control host and malware client); 
obtaining time information of each of a plurality of first packets and time information of each of a plurality of second packets, wherein the plurality of first packets are packets in the first data flow, and wherein the plurality of second packets are packets in the second data flow (e.g. fig. 6, fig. 7 - time; table II – flow captures comprising time information); 
calculating an activation rate, a response rate, and a quantity of interactions based on the time information of each first packet and the time information of each second packet (e.g. Xue, sect. 3.1, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.3.1 - TrojanFProbtc, TrojanFProbudd, TrojanFProbpl, TrojanFProbic, TrojanFProbdur, TrojanFProbct, TrojanFProbhp - the examiner notes that each of the applicant’s recited “activation rate”, “response rate” and “quantity” are broadly characterized within the claims, and one or more of the prior art TrojanF probabilities may be said to anticipate each), 
wherein the activation rate is a probability that data sent by the first device to the second device in the TCP session is triggered by the second device (e.g. Xue, 3.1 - TrojanFProbtc, i.e. probability that control host is triggering connections with the malware client; and/or Xue, sect. 3.2.1, TrojanFProbudd, i.e. probability of sending commands “triggering” large uploads by malware client; and/or Xue, sect. 3.2.3, TrojanFProbic, i.e. and/or Xue, sect. 3.3.1, TrojanFProbhp, i.e. probability the control host is sending heartbeat packets “triggering” a response by malware client),
wherein the response rate is a probability that data sent by the second device to the first device in the TCP session is responded to by the first device in time (e.g. Xue, 3.1 - TrojanFProbtc, i.e. probability that the malware client responds to connection requests from the control host within a time period; and/or Xue, sect. 3.2.4, TrojanFProbdur, i.e. probability of the malware client sending data to a control host over a long period of time; and/or Xue, sect. 3.3.1, TrojanFProbhp, i.e. probability the malware client is sending heartbeat packets to the control host within a particular time distribution);
and wherein the quantity of interactions is a quantity of interactions between the first device and the second device in the TCP session (e.g. Xue, 3.1 - TrojanFProbtc, i.e. measures the amount (i.e. “quantity”) of connection establishment packets between malware client and control host within a time period; and/or Xue, sect. 3.2.1, TrojanFProbudd, measures the quantity of upstream and downstream data flow; and/or Xue, sect. 3.2.2, TrojanFProbpl, measures the size, i.e. “quantity”, of bytes within the data flow); 
determining that a connection mode between the first device and the second device is a reverse connection (e.g. Xue, sect. 1; sect. 3, par. 1: “command and control channel”, i.e. “reverse connection”; sect. 3.4, par. 1) when the activation rate is greater than or equal to a first threshold, the response rate is greater than or equal to a second threshold, and the quantity of interactions is greater than or equal to a third threshold tc, TrojanFProbudd, TrojanFProbpl, TrojanFProbic, TrojanFProbdur, TrojanFProbct , TrojanFProbhp  - each of these values, shown above as corresponding to one or more of the recited rates or quantity [i.e. “activation rate”, “response rate”, “quantity of interactions”], are abnormal data flow features compared to a threshold, and if the abnormal features are greater than the thresholds, the abnormal features are combined to identify a “joint suspicious probability” (e.g. Xue, sect. 3.4, par. 1, 2) so as to identify a connection between client and server indicative of a command and control connection [i.e. “reverse connection”]).
and determining that the first device is threatened when the connection mode between the first device and the second device is the reverse connection (e.g. Xue, sect. 3.4, par. 2; sect. 3.4.2 – the threat of an abnormal port, TrojanPort value [i.e. “threatened”] is determined using the magnitude of the joint suspicious probability).
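As an added illustration (not part of this Office action, the applicant’s disclosure, or Xue’s system), the constructed Python sketch below computes the three claim-1 quantities from packet timestamps in one TCP session and applies the three-threshold test for a reverse connection. The operational definitions of “triggered” and “responded to in time”, the window sizes, the threshold values and the sample sessions are all assumptions chosen for the illustration.

```python
"""Constructed illustration of the claim-1 metrics (activation rate, response
rate, quantity of interactions) and the reverse-connection threshold test."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float          # seconds since session start
    from_first: bool  # True: first (protected) device -> second device


def session_metrics(packets, trigger_window=1.0, response_window=1.0):
    """Return (activation_rate, response_rate, interactions).

    Assumed operationalisation (the page gives only the claim wording):
    - a first-device packet is 'triggered' when a second-device packet
      preceded it within trigger_window seconds;
    - a second-device packet is 'responded to in time' when a first-device
      packet follows it within response_window seconds;
    - quantity of interactions = number of second-device packets answered.
    """
    first = sorted(p.t for p in packets if p.from_first)
    second = sorted(p.t for p in packets if not p.from_first)
    if not first or not second:
        return 0.0, 0.0, 0
    triggered = sum(1 for t in first
                    if any(0 <= t - s <= trigger_window for s in second))
    answered = sum(1 for s in second
                   if any(0 <= t - s <= response_window for t in first))
    return triggered / len(first), answered / len(second), answered


def is_reverse_connection(packets, thresholds=(0.8, 0.8, 5)):
    """Claim-1 test: all three metrics at or above their (assumed) thresholds."""
    act, resp, n = session_metrics(packets)
    th_act, th_resp, th_n = thresholds
    return act >= th_act and resp >= th_resp and n >= th_n


# Constructed sample 1: a command-and-control style session in which the
# second (external) device sends a command every 5 s and the first
# (protected) device answers 0.2 s later.
C2_SESSION = [p for k in range(6)
              for p in (Packet(5.0 * k, False), Packet(5.0 * k + 0.2, True))]

# Constructed sample 2: an ordinary client-initiated session in which the
# first device sends a request every 2 s and the second device replies.
NORMAL_SESSION = [p for k in range(4)
                  for p in (Packet(2.0 * k, True), Packet(2.0 * k + 0.3, False))]

if __name__ == "__main__":
    for name, sess in (("c2", C2_SESSION), ("normal", NORMAL_SESSION)):
        print(name, session_metrics(sess), is_reverse_connection(sess))
```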

Regarding claim 2, Xue discloses:
obtaining size information of each first packet (e.g. Xue, sect. 3.3.1, par. 1; fig. 5 – data length of packet – e.g. 273 or 108 bytes); 
determining, based on the time information of each first packet and the size information of each first packet, whether the plurality of first packets comprise a heartbeat message (e.g. Xue, sect. 3.3.1, par. 1, 2; fig. 5 – “time” – amount and size of packets during the heartbeat cycle); 
determining that a level-1 threat is posed to the first device when the plurality of first packets comprise no heartbeat message and the connection mode between the first device and the second device is the reverse connection (e.g. Xue, sect. 3.4, par. 1, 2; sect. 3.4.1, par. 1, 2; sect. 3.4.2 – a relative (i.e. “level 1”) Trojan port value (i.e. “threat”) is determined from the identification of abnormal features indicative of a reverse connection); 
and determining that a level-2 threat is posed to the first device when the plurality of first packets comprise a heartbeat message and the connection mode between the first device and the second device is the reverse connection, wherein a level-2 threat represents a greater threat to the first device than a level-1 threat (e.g. Xue, sect. 3.4, par. 1, 2; sect. 3.4.1, par. 1, 2; sect. 3.4.2 – as more abnormal features are identified, such as by the additional identification of heartbeat messages, the relative threat value (i.e. Trojan port value) becomes greater (i.e. “level-2 threat”)).  

Regarding claim 10, Xue discloses:
wherein after determining that the first device is threatened, the method further comprises: restricting, by the threat detection apparatus, a connection from the first device to the other network; or outputting, by the threat detection apparatus, a determination result that indicates the first device is threatened (e.g. Xue, fig. 6 – detection results to management device). 

	Regarding claims 11, 12, and 20, they are apparatus claims essentially corresponding to the above method claims, and they are rejected, at least, for the same reasons.  Furthermore, because:
Regarding claim 11, Xue discloses:
	a communications interface configured to obtain packets in a Transmission Control Protocol (TCP) session between a first device and a second device, … at least one processor coupled to the communications interface; and a memory coupled to the at least one processor, wherein the memory stores the packets and comprises instructions that, when executed by the at least one processor, cause … (e.g. Xue, fig. 1 and fig. 6 – switch and host comprising detection module and memory for storing flow data).  
Response to Arguments

Applicant's arguments filed 7/28/21 have been fully considered but they are not persuasive.

Applicant argues or alleges essentially that:
…
Claims 2-3, 5-9, 12-13, and 15-19 are rejected under 35 U.S.C. § 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention. Specifically, the Examiner asserted that ‘level-1’, ‘level-2’, and ‘level-3’ are indefinite. Claims 2 and 12 are amended to describe ‘level-1’, ‘level-2’, and ‘level-3’.
…
(Remarks, pg. 22)

Examiner respectfully responds:


Applicant argues or alleges essentially that:
…
As shown above, claim 1 describes 1) the response rate is a probability that data going from the second device to the first device in the TCP session is responded to by the first device in time; … Regarding feature 1, Xue
describes monitoring the times of transmissions from malware to a control, not whether data going from the second device to the first device responded to in time …
…
As shown above, Xue monitors malware sending packets to a control side. … Xue counts packets from the malware to the control side. Xue does not monitor whether there is a response from the control side to the malware in time. Hence, Xue fails to disclose the claimed response rate is a probability that data going from the second device to the first device in the TCP session is responded to by the first device in time.
…
(Remarks, pg. 24)

Examiner respectfully responds:
	The examiner respectfully disagrees, at least, for the reason that the applicant appears to misconstrue the scope of the claim language.  Namely, the applicant argues that Xue does not read upon the claimed invention because “…Xue does not monitor whether there is a response from the control side to the malware in time …”.  However, the claims do not recite the “response rate” to be a probability of whether there is a response from the control side to the malware in time.  Rather, the claimed first device responds in time to the data from the second device.  
In response to applicant's argument that the references fail to show certain features of applicant’s invention, it is noted that the features upon which applicant relies (i.e., Xue does not monitor whether there is a response from the control side to the malware in time) are not recited in the rejected claim(s).  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).

Applicant argues or alleges essentially that:
…
As shown above, claim 1 describes … and 2) determining that a connection mode between the first device and the second device is a reverse connection when the activation rate is greater than or equal to a first threshold, the response rate is greater than or equal to a second threshold, and the quantity of interactions is greater than or equal to a third threshold. Claim 11 includes similar features. …
…
… Regarding feature 2, Xue is silent regarding determining connection modes and fails to disclose determining the connection mode is a reverse connection. Thus, Xue fails to disclose an element of claim 1 and 11 and consequently fails to anticipate claims 1, 10, 11, and 20.

…
(Remarks, pg. 23 - 25)

Examiner respectfully responds:


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEFFERY L WILLIAMS whose telephone number is (571)272-7965.  The examiner can normally be reached on 7:30 am - 4:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/JEFFERY L WILLIAMS/Primary Examiner, Art Unit 2495