Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Continued Examination Under 37 CFR 1.114

1.       A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  
Applicant's submission filed on 3-31-2021 has been entered.

2.        Claims 1 - 20 are pending.  Claims 1, 9, 17 have been amended.  Claims 1, 9, 17 are independent.  This application was filed on 5-30-2018.  

Response to Arguments

3.    Applicant’s arguments, see Arguments/Remarks Made in an Amendment, filed 9-10-2020, with respect to the rejection(s) under Borders in view of Ma and further in view of Agaian have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Borders in view of Chitre and further in view of Agaian.

A.  Applicant argues on page 11 of Remarks:    ...   “determining a size of the file, based retrieving size data from a plurality of sections within the file; [and] retrieving, from the file system from a source other than the plurality of sections within the file, a stored filesize value of the file by accessing a filesize value of the file from the file system.”. 

    The Examiner respectfully disagrees.  Chitre discloses determining the size of a file from a calculation of a set of sections comprising the file. (see Chitre col 5, lines 43-51: append data to file, update size field in file header; event generation logic adds size of newly appended data to current size of data in file and writes sum to size field in file header; (i.e. size of file determined from sections of data: appended section of file and current or previous section of file))  And, Chitre discloses the retrieval of a stored value for size of a file. (see Chitre col 6, lines 12-14: actual size of file is compared to size as indicated by size field in file header (i.e. file size acquired from stored file size in size field in file header); col 6, lines 28-32: data successfully appended to file (i.e. file data stored); then the size of file including newly appended data (i.e. sections of file) is calculated and the calculated file size is written to size field of file header; (i.e. stored file size updated))

B.  Applicant argues on page 11 of Remarks: Accordingly, claims 1, 9, and 17 are patentable, as are the remaining claims at least by virtue of their dependencies on claims 1, 9, or 17.

    Responses to arguments against the independent claims also answer arguments against the associated dependent claims.     

Claim Rejections - 35 USC § 103  

4.        The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

5.        Claims 1 - 20 are rejected under 35 U.S.C. 103 as being unpatentable over Borders et al. (US PGPUB No. 20090158430) in view of Chitre et al. (US Patent No. 7,441,153) and further in view of Agaian et al. (US PGPUB No. 20160381054).       	

Regarding Claims 1, 9, 17, Borders discloses a method for real-time detection of and protection from steganography in a kernel mode and a non-transitory computer readable medium storing instructions that when executed by at least one processor cause the at least one processor to perform operations and a computer system, comprising:
a)  detecting transmission of a file via a firewall, an operating system, or an e-mail system; (see Borders paragraph [0068], lines 3-8: receiving a data stream (i.e. a file) representing outbound application layer messages from a first computer process to at least one second computing process implemented upon one or more computer systems; (selected: transmission of a file by an operating system)) and   
f)   executing, responsive to the determined size of the file being smaller than the stored filesize value of the file, steganography detection analytics on the file; (see 
wherein responsive to the steganography detection analytics indicating presence of steganography in the file:
h)  transmitting information describing the steganography to a client device. (see Borders paragraph [0249], lines 1-11: generate a file alert, if required; paragraph [0068], lines 11-12: generating a signal if a security threat is detected)    

    Furthermore, Borders discloses for c): determining a size of a file. (see Borders paragraph [0249], lines 1-11: separate file bandwidth from other bandwidth, post-processor identifies file transfers; (i.e. determines size of transferred file))   
    And, Borders discloses for d): retrieving a stored filesize value of the file. (see Borders paragraph [0249], lines 1-11: subtract file transfer size from bandwidth measurements, extract original file contents; (determine size of baseline or stored  file)) 
    And, Borders discloses for e): comparing the size of the file. (see Borders paragraph [0249], lines 1-11: subtract file transfer size from bandwidth measurements, extract original file contents and generate a file alert (i.e. based upon file comparison), if required)   

Borders does not specifically disclose for b) storing a file in a file system, and for c) determining a size of a file based on retrieving size data, and for d) retrieving a stored filesize value of a file by accessing a filesize value, and for e) comparison 
However, Chitre discloses:  
b)  storing the file in a file system residing on physical storage media; (see Chitre col 2, lines 11-12: data storage system appends the data to file (i.e. storing new updated data to previous contents of file); col 6, lines 28-32: data successfully appended to file (i.e. file data stored), then the size of file including newly appended data is calculated and the calculated file size is written to size field of file header; (i.e. stored file size updated))    
c)  determining a size of a file, based on retrieving size data from a plurality of sections within the file; (see Chitre col 5, lines 43-51: append data to file, update size field in file header; event generation logic adds size(s) of newly appended data to current size of data in file and writes newly calculated sum to size field in header; (i.e. size of file determined from sections of data: appended section(s) of file and current or previous section of file))           
d)  retrieving, from the file system from a source other than the plurality of sections within the file, a stored filesize value of the file by accessing a filesize value of the file from the file system; (see Chitre col 6, lines 12-14: actual size of file is compared to size as indicated by size field in file header (i.e. file size acquired or read from stored file size in size field in file header))
e)  comparison operation using a size value of the file determined based on the stored filesize value of the file retrieved by accessing the filesize value from the file system. (see Chitre col 2, lines 7-12: compare actual size of file to size of file 
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Borders for b) storing a file in a file system, and for c) determining a size of a file based on retrieving size data, and for d) retrieving a stored filesize of a file by accessing a filesize value, and for e) comparison operation using the size of a file determined based on a stored filesize value of a file as taught by Chitre.  One of ordinary skill in the art would have been motivated to employ the teachings of Chitre for the benefits achieved from a system that ensures the integrity of file data by ensuring that file data is complete, accurate, and verifiable. (see Chitre col 1, lines 32-34)

Borders-Chitre does not specifically disclose executing a steganography remediation action. 
However, Agaian discloses: 
g)  executing a steganography remediation action. (see Agaian paragraph [0023]-[0027], [0083], lines 1-5: system malware defense model based on techniques such as active file containment (i.e. isolating file, termination of access to file), digital sandboxing techniques, etc.)    
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Borders-Chitre for executing a steganography remediation action as taught by Agaian. One of ordinary skill in the art would have been motivated to employ the teachings of Agaian for the benefits achieved from a system that enhances security for data streams which are 

Regarding Claims 2, 10, 18, Borders-Chitre-Agaian discloses the method of claim 1 and the non-transitory computer readable medium of claim 9 and the computer system of claim 17, wherein the determining of the size of the file comprises: 
a)  obtaining a pointer to a section header of the file, the section header associated with a plurality of sections of the file; (see Borders paragraph [0235], lines 4-7: identifies a resource by URL; comprised of server host name (stored in header (section) field), resource path) 
Ma discloses a header (i.e. section header) of a file as stated in Claim 1 above.    
b)  for each section of the plurality of sections of the file, determining a size of the section; (see Borders paragraph [0232], lines 1-7: algorithm encounters a header field(s); counts full size of header field and its value; procedure counts all information (i.e. possibly hidden information) inside header(s)) and
c)  summing the size of each section of the plurality of sections of the file to determine the size of the file. (see Borders paragraph [0232], lines 1-7: algorithm encounters a header field; counts full size of header field and its value; procedure counts all information (i.e. possibly hidden information) inside header(s))   
Chitre discloses header information (i.e. file section(s) information) of a file as stated in Claim 1 above.  

Regarding Claims 3, 11, 19, Borders-Chitre-Agaian discloses the method of claim 2 and the non-transitory computer readable medium of claim 10 and the computer system of claim 18, wherein the obtaining of the pointer to the section header of the file comprises:
a)  opening the file using a filename of the file or a path of the file; (see Borders paragraph [0235], lines 4-7: identifies a resource by URL; comprised of server host name (stored in header field), resource path) and  
b)  reading a header of the file. (see Borders paragraph [0232], lines 1-7: algorithm encounters (reads) a header field; counts full size of header field and its value; procedure counts all information (i.e. possibly hidden information) inside header(s))    

Borders-Chitre does not specifically disclose for c) magic number associated with file, and for d) verifying magic number to obtain pointer to section of file.
However, Agaian discloses: 
c)  retrieving a magic number from the header; (see Agaian paragraph [0059], lines 14-18: file reference lookup that correlates a first set of bits of a data field (i.e. within header) with a standard set of reference objects known as the file format magic number; paragraph [0079], lines 9-11: object identifier such as a file descriptor or magic number) and
d)  verifying the magic number to obtain a pointer to the section header of the file. (see Agaian paragraph [0059], lines 14-18: file reference lookup that correlates a first set of bits of a data field (i.e. within header) with a standard set of reference objects known as the file format magic number and values is recorded as a 
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Borders-Chitre for c) magic number associated with file, and for d) verifying magic number to obtain pointer to section of file as taught by Agaian. One of ordinary skill in the art would have been motivated to employ the teachings of Agaian for the benefits achieved from a system that enhances security for data streams which are intercepted, algorithmically analyzed, and selectively modified during information transfers between systems.  (see Agaian paragraph [0043], lines 5-9)  

Regarding Claims 4, 12, 20, Borders-Chitre-Agaian discloses the method of claim 1 and the non-transitory computer readable medium of claim 9 and the computer system of claim 17, wherein the executing of the steganography detection analytics on the file comprises:
a)  identifying an appended payload in the file; (see Borders paragraph [0135], lines 1-6: monitoring systems for tunneling: one application layer protocol embedded within the payload of another (HTTPS tunneled over SSL); paragraph [0227], lines 1-4: determination of UI-layer data within requests; analyze different parts of request (i.e. payload))
b)  analyzing the appended payload to determine a file format of the appended payload; (see Borders paragraph [0232], lines 1-7: algorithm encounters a header field; counts full size of header field and its value; procedure counts all 
c)  executing the steganography detection analytics based on the file format of the appended payload. (see Borders paragraph [0232], lines 1-7: algorithm encounters a header field; counts full size of header field and its value; procedure counts all information (i.e. possibly hidden information) inside header(s))     

Regarding Claims 5, 13, Borders-Chitre-Agaian discloses the method of claim 1 and the non-transitory computer readable medium of claim 9, wherein the executing of the steganography detection analytics on the file comprises:
a)  identifying an appended payload in the file; (see Borders paragraph [0135], lines 1-6: monitoring systems for tunneling: one application layer protocol embedded within the payload of another (HTTPS tunneled over SSL); paragraph [0227], lines 1-4: determination of UI-layer data within requests; analyze different parts of request (i.e. payload)) and
b)  performing one or more of Monte Carlo approximation, entropy determination, serial coefficient analysis, arithmetic mean determination, Chi-Square determination, and standard deviation determination to determine whether data within the appended payload is encrypted. (see Borders paragraph [0239], lines 3-4: a probabilistic profile of request parameters and detecting deviation from this profile; paragraph [0144], lines 1-5: calculating coefficient of variation; coefficient of variation is the standard deviation divided by the mean bandwidth usage; (selected: standard deviation determination))    
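
The size check recited in claims 1 to 3 and the entropy determination of claim 5, as an added Python example that is not part of the Office action or of any cited reference. It assumes the file is a PE image (the page names no file format), runs on a constructed, non-loadable sample, and all function names are hypothetical.

```python
import math
import os
import struct
import tempfile
from collections import Counter

def build_sample(section_sizes=(64, 32)) -> bytes:
    """Constructed, non-loadable PE skeleton holding only the fields read below."""
    opt = bytearray(64)                                   # truncated optional header
    struct.pack_into("<I", opt, 60, 256)                  # SizeOfHeaders = 256
    img = bytearray(b"MZ".ljust(60, b"\0") + struct.pack("<I", 64))  # e_lfanew = 64
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_sizes), 0, 0, 0, 64, 0)
    img += opt
    offset = 256
    for size in section_sizes:                            # one 40-byte section header each
        img += struct.pack("<8sIIII16x", b".sect", size, 0, size, offset)
        offset += size
    return bytes(img.ljust(256, b"\0")) + b"\0" * sum(section_sizes)

def determined_size(data: bytes) -> int:
    """Verify both magic values, locate the section table, sum the section sizes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ magic")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (count,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    (total,) = struct.unpack_from("<I", data, pe_off + 24 + 60)   # SizeOfHeaders
    table = pe_off + 24 + opt_size                        # pointer to section headers
    for i in range(count):
        (raw_size,) = struct.unpack_from("<I", data, table + 40 * i + 16)
        total += raw_size                                 # SizeOfRawData
    return total

def shannon_entropy(buf: bytes) -> float:   # bits per byte; near 8 suggests ciphertext
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def check_file(path: str) -> dict:
    stored = os.stat(path).st_size                        # value kept by the file system
    with open(path, "rb") as fh:
        data = fh.read()
    computed = determined_size(data)
    tail = data[computed:] if computed < stored else b""  # appended payload, if any
    return {"determined": computed, "stored": stored, "appended": len(tail),
            "entropy": round(shannon_entropy(tail), 2)}

def demo() -> list:
    clean = build_sample()
    samples = (clean, clean + bytes(range(256)) * 16)     # second has a constructed tail
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for i, blob in enumerate(samples):
            path = os.path.join(tmp, f"sample{i}.bin")
            with open(path, "wb") as fh:
                fh.write(blob)
            results.append(check_file(path))
    return results
```

Legitimate data such as an Authenticode signature or an installer overlay also sits past the last section, so a size mismatch is a trigger for the further analytics, not a verdict on its own.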

Regarding Claims 6, 14, Borders-Chitre-Agaian discloses the method of claim 1 and the non-transitory computer readable medium of claim 9, wherein the executing of the steganography detection analytics on the file comprises:
a)  identifying an appended payload in the file. (see Borders paragraph [0135], lines 1-6: monitoring systems for tunneling: one application layer protocol embedded within the payload of another (HTTPS tunneled over SSL); paragraph [0227], lines 1-4: determination of UI-layer data within requests; analyze different parts of request (i.e. payload))

Borders-Chitre does not specifically disclose identifying presence of unauthorized data. 
However, Agaian discloses:
b)  identifying presence of unauthorized data within the appended payload. (see Agaian paragraph [0111], lines 4-8: information is protected from users not authorized to access individual accounts and mail message exchanges; (i.e. only authorized user can access certain data))    
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Borders-Chitre for identifying presence of unauthorized data as taught by Agaian. One of ordinary skill in the art would have been motivated to employ the teachings of Agaian for the benefits achieved from a system that enhances security for data streams which are intercepted, algorithmically analyzed, and selectively modified during information transfers between systems.  (see Agaian paragraph [0043], lines 5-9)    

Regarding Claims 7, 15, Borders-Chitre-Agaian discloses the method of claim 1 and the non-transitory computer readable medium of claim 9, wherein the executing of the steganography detection analytics on the file comprises:
a)  identifying an appended payload in the file; (see Borders paragraph [0135], lines 1-6: monitoring systems for tunneling: one application layer protocol embedded within the payload of another (HTTPS tunneled over SSL); paragraph [0227], lines 1-4: determination of UI-layer data within requests; analyze different parts of request (i.e. such as header and payload)) and
b)  identifying presence of assembly level or machine level instructions within the appended payload. (see Borders paragraph [0060], lines 5-8: traffic including command and control information such as instructions (i.e. within request) to download other programs or attack other computers)    	

Regarding Claims 8, 16, Borders-Chitre-Agaian discloses the method of claim 1 and the non-transitory computer readable medium of claim 9. 
Borders-Chitre does not specifically disclose implementation of steganography remediation actions.
However, Agaian discloses wherein the executing of the steganography remediation action comprises: terminating processing and transmission of the file; and isolating the file. (see Agaian paragraph [0083], lines 1-5: system malware defense model is based on techniques such as active file containment (i.e. isolating file, termination of access to file for processing and/or transmission), digital sandboxing techniques)    


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CARLTON JOHNSON whose telephone number is (571)270-1032.  The examiner can normally be reached on Work: 12-9PM (most days).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  

/CJ/
August 30, 2021

/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436