Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 08/17/2021 has been entered.
 
Response to Arguments
Applicant’s arguments with respect to claim(s) 1-2, 4-10, 12-17, 19-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claim(s) 1-2, 4-5, 9-10, 12-13, 17, 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Schneider (US 7,685,271) in view of Singla (US 2015/0135263) in further view of Call (US 2014/0283068)



Regarding Claim 1,

Schneider (US 7,685,271) teaches a non-transitory computer-readable storage medium having computer readable code stored thereon for programming a processor to perform the steps of: 
obtaining data from a log system storing historical transactions monitored by a security system (Col. 6, lines 19-25, “network traffic can be buffered (e.g. recorded) and provided to the traffic receiving module in a delayed and/or offline manner”); creating one or more mock transactions based on the data (Col. 6, lines 25-30, teaches particular corpora can be generated to test different aspects of the rules); and analyzing the one or more mock transactions with a signature pattern matching engine having updates provided therein subsequent to a time of the historical transactions (Col. 6, lines 35-37, rule testing includes pattern matching for comparing signatures) (Col. 6, lines 50-55, rules can be added or removed from the test and active sets in real time in response to instructions from the control point).

Schneider does not explicitly teach creating one or more mock transactions based on the data utilizing fields stored in the logs of the historical transactions.
Singla (US 2015/0135263) teaches creating one or more mock transactions based on the data utilizing fields stored in the logs of the historical transactions (Paragraph [0011] teaches field data in historical transaction) (Paragraph [0016-0017] teaches using fields for pattern discovery to analyze event data to detect a malicious attack).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the mock transactions from historical data of Schneider with creating mock transactions utilizing fields stored in the logs of transactions.

The motivation is to detect a malicious attack using patterns of fields (Paragraph [0017] of Singla).

Schneider and Singla do not explicitly teach wherein the one or more mock transactions have a header based on the data from the fields and a data portion that includes any of random data and predetermined fixed data with this data being different from data in the corresponding historical transactions.

Call (US 2014/0283068) teaches wherein the transactions have a header based on the data from the fields and a data portion that includes any of random data and predetermined fixed data with this data being different from data in the corresponding historical transactions (Paragraph [0059-0061] teaches generating a pseudo-random value to replace one or more attributes for a field) (Paragraphs [0064, 0125-127] teach that transactions have a header based on a field).

Regarding Claim 2,

Schneider, Singla and Call teach the non-transitory computer-readable storage medium of claim 1. Call teaches wherein the one or more mock transactions have a header based on the data from corresponding historical transactions (Paragraphs [0064, 0125] teach that transactions have a header).

Regarding Claim 4,

Schneider, Singla and Call teach the non-transitory computer-readable storage medium of claim 1. Schneider teaches wherein the security system analyzed corresponding historical transactions of the one or more mock transactions with the signature pattern matching engine available at a time of the corresponding historical transactions (Col. 6, lines 25-30, teaches particular corpora can be generated to test different aspects of the rules).


Regarding Claim 5,

Schneider, Singla and Call teach the non-transitory computer-readable storage medium of claim 1. Schneider teaches wherein the computer readable code stored further programs the processor to perform the steps of: performing a content scan in the one or more mock transactions based on the signature pattern matching engine having the updates (Col. 6, lines 31-38, tests signatures against network traffic).

Regarding Claims 9-10, 12-13,

Claims 9-10, 12-13 are similar in scope to Claims 1-2, 4-5 and are rejected for a similar rationale.

Regarding Claims 17 and 19,

Claims 17 and 19 are similar in scope to Claims 1 and 5 and are rejected for a similar rationale.


Claims 6, 8, 14, 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Schneider (US 7,685,271) and Singla and Call in view of Khalid (US 10,581,874)




Regarding Claim 6,


Schneider and Singla and Call teach the non-transitory computer-readable storage medium of claim 5 but do not explicitly teach a header that includes fields for one or more of Hypertext Transfer Protocol (HTTP) method, Uniform Resource Locator (URL), referrer URL, and User Agent.
Khalid teaches wherein the header includes fields for one or more of Hypertext Transfer Protocol (HTTP) method, Uniform Resource Locator (URL), referrer URL, and User Agent (Col. 3, lines 42-53, teaches header based on data from transactions using IP headers).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the mock transactions of Schneider to include header data as taught by Khalid and the results would be predictable (i.e. mock transaction data would have a header).

Regarding Claim 8,

Schneider and Singla and Call teach the non-transitory computer-readable storage medium of claim 5 but do not explicitly teach wherein the one or more mock transactions have a header based on the data from corresponding historical transactions, and wherein the header includes fields for one or more of Uniform Resource Locator (URL), hostname, and Server Internet Protocol (IP) address.
Khalid teaches a header that includes fields for one or more of Uniform Resource Locator (URL), hostname, and Server Internet Protocol (IP) address (Col. 3, lines 42-53, teaches header based on data from transactions using IP headers).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the mock transactions of Schneider to include header data as taught by Khalid and the results would be predictable (i.e. mock transaction data would have a header).

Regarding Claims 10-11, 14,

Claims 10-11, 14 are similar in scope to Claims 2-3 and 6 and are rejected for a similar rationale.


Claims 7, 15, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Schneider (US 7,685,271) and Singla and Call in view of Yu (US 2016/0277431)


Regarding Claim 7,

Schneider and Singla and Call teach the non-transitory computer-readable storage medium of claim 1 but do not explicitly teach wherein the computer readable code stored further programs the processor to perform the steps of: determining malicious activity in the one or more mock transactions based on the signature pattern matching engine having the updates to determine missed matches in the corresponding historical transactions.
Yu (US 2016/0277431) teaches determining malicious activity in the one or more mock transactions based on the signature pattern matching engine having the updates to determine missed matches in the corresponding historical transactions (Paragraph [0007] teaches scanning transactions to determine missed threats).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Schneider and Khalid with the retrospective scanning method of Yu.
The motivation is to perform remedial action for a missed threat (Yu, Paragraph [0007]).

Regarding Claims 15, 20,

Claims 15, 20 are similar in scope to Claim 7 and are rejected for a similar rationale.

Claim 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Schneider (US 7,685,271) and Singla and Call in view of Yu (US 2016/0277431) further in view of Khalid

Regarding Claim 16,

Schneider and Singla and Call and Yu teach the apparatus of claim 15 but do not explicitly teach wherein the one or more mock transactions have a header based on the data from corresponding historical transactions, and wherein the header includes fields for one or more of Uniform Resource Locator (URL), hostname, and Server Internet Protocol (IP) address.
Khalid teaches a header that includes fields for one or more of Uniform Resource Locator (URL), hostname, and Server Internet Protocol (IP) address (Col. 3, lines 42-53, teaches header based on data from transactions using IP headers).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the mock transactions of Schneider to include header

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARRIS C WANG whose telephone number is (571)270-1462.  The examiner can normally be reached on M-F 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LUU PHAM can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/HARRIS C WANG/Primary Examiner, Art Unit 2439