DETAILED ACTION
This non-final action is in response to RCE filed on 30 August 2021. In this amendment, claims 1, 3, 12, 14, 18-19 and 22 have been amended. Claims 1 and 3-22 are pending, with claims 1 and 12 being independent. 

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 30 August 2021 has been entered.

Priority
This application claims priority to and the benefit of U.S. Provisional Patent Application Serial No. 62/665,838, filed May 02, 2018.

Response to Arguments
Claim Interpretation

In the response filed on 30 August 2021, applicant argues in substance that:
The Applicant's claims either do not use the terms “means” or “step” along with the transition “for” which triggers the presumption that 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph does not apply to the Applicant's claims (remarks, pgs. 6-7). 
The examiner respectfully disagrees. Although the claims do not use the terms “means” or “step”, a generic placeholder “module” (also called a nonce term, i.e., a non-structural term having no specific structural meaning) is used in the claims for performing the claimed function.
Claim Objections
Claim objections have been withdrawn in view of amended claims.
35 U.S.C. § 101 Rejections
Claim rejections have been withdrawn in view of amended claims.
35 U.S.C. § 103 Rejections
Applicant’s arguments with respect to 103 rejections have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Objections
Claims 3 and 21-22 are objected to because of the following informalities: 

Claim 21 lines 2-3 and claim 22 line 3, “before the initiating of the action” should read “before the performing of the action” according to amended claims 1 and 12 respectively.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 3-6, 10, 12, 14-15 and 17-22 are rejected under 35 U.S.C. 103 as being unpatentable over Gu et al. (US 2016/0359870, published Oct. 16, 2016) and Banerjee (US 10,171,483, filed Aug. 23, 2013).
As per claim 1, Gu discloses a method for malware characterization (Gu abstract, method and apparatus for detecting malware infection), comprising: 
receiving data identifying a presence of at least two anomalies in respective portions of a processing function of a network captured by at least one of two different sensor payloads (Gu Fig. 2 and pars 30-32, dialog correlation 204 receiving data from rule-based detection 206 regarding inbound exploit usage (i.e., E1 and E2 transactions), binary downloading (i.e., E3 transactions), and C&C communication patterns (i.e., E4 transactions), from scan anomaly detection 208 regarding inbound malware scans (i.e., E1 transactions) and outbound infection scans (i.e., E5 transactions), and from payload anomaly detection engine 210 regarding inbound infection or exploit transactions); 
determining if a correlation exists between the at least two anomalies using the data captured by the at least one of the two different sensor payloads (Gu Fig. 7, Enter Dialog Warning In Network Dialog Correlation Matrix at 706, Calculate Dialog Score at 712; Gu para. [0068], Each row of the network dialog correlation matrix 800 corresponds to a summary of the ongoing dialog warnings that are being generated between an individual local host and other external entities) or the one sensor payload at the two different times; 
if a correlation exists between the at least two anomalies, determining that there is a presence of malware in the processing function of the network (Gu pg. 7, the dialog correlation engine is configured to detect a bot infection based on a correlation of alerts produced by the intrusion detection system, alerts produced by the scan anomaly detection engine, and alerts produced by the payload anomaly detection engine); and 
in response to the determination of the presence of malware, automatically identifying the malware (Gu pg. 7, dialog correlation engine configured to output a bot infection profile if a combination of generated alerts evidences a partially ordered combination of network dialog transactions associated with a type of bot infection modeled by the bot infection dialog model).
Gu does not explicitly disclose:
performing a remediation action including transmitting an electronic communication to a sensor payload to initiate a remediation action in the network.
Banerjee teaches:
performing a remediation action including transmitting an electronic communication to a sensor payload to initiate a remediation action in the network (Banerjee 4:19-22, the intrusion device 130 may automatically respond to suspicious activity by resetting a connection or by reprogramming the firewall to block network traffic from the suspected malicious source).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Gu with the teaching of Banerjee for performing a remediation action including transmitting an electronic communication to a sensor payload to initiate a remediation action in the network. One of ordinary skill in the art would have been motivated because it offers the advantage of preventing intrusions that are detected.
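The following Python listing is added here as an illustration of the correlation step discussed above for claim 1 and is not part of this Office action, the claims, or the cited Gu or Banerjee references. It builds a per-host dialog correlation matrix from alerts produced by two different sensor payloads, computes a dialog score per host, and, where the dialogs correlate, produces the electronic communication that would be sent to a sensor payload to start remediation. The alert format, the weights, the threshold, the infection pattern and the sample alerts are assumptions made for this example; the E1-E7 dialog classes are those named in the Gu citation for claim 6.

```python
"""Added illustration, not code from the Office action or the cited references:
a dialog correlation matrix with one row per local host, a dialog score, an
assumed bot-infection pattern, and the remediation message that follows."""
from collections import defaultdict
from dataclasses import dataclass

# Dialog transaction classes E1..E7 as named in the Gu citation; weights are assumed.
WEIGHTS = {"E1": 1, "E2": 2, "E3": 3, "E4": 3, "E5": 2, "E6": 2, "E7": 2}


@dataclass(frozen=True)
class Alert:
    sensor: str   # sensor payload that produced the alert (assumed names)
    host: str     # local host involved in the dialog
    dialog: str   # one of E1..E7
    t: int        # observation time in seconds


# Constructed sample alerts from more than one sensor payload.
SAMPLE_ALERTS = [
    Alert("payload_anomaly", "10.0.0.5", "E2", 100),  # inbound exploit
    Alert("rule_based",      "10.0.0.5", "E3", 160),  # binary (egg) download
    Alert("rule_based",      "10.0.0.5", "E4", 400),  # C&C communication
    Alert("rule_based",      "10.0.0.9", "E1", 120),  # isolated inbound scan
    Alert("scan_anomaly",    "10.0.0.9", "E1", 130),
]


def build_matrix(alerts):
    """One row per local host; each cell lists the alerts of one dialog class."""
    matrix = defaultdict(lambda: defaultdict(list))
    for a in alerts:
        matrix[a.host][a.dialog].append(a)
    return matrix


def dialog_score(row):
    """Assumed scoring: weighted count of the distinct dialog classes seen for a host."""
    return sum(WEIGHTS[d] for d in row)


def correlated(row, window=600):
    """Assumed partially ordered pattern: an inbound exploit (E2) followed within
    the window by an outbound E3 or E4 transaction.  The two alerts may come from
    two different sensor payloads or from one payload at two different times."""
    for e2 in row.get("E2", []):
        for later in row.get("E3", []) + row.get("E4", []):
            if 0 < later.t - e2.t <= window:
                return True
    return False


def characterize(alerts, threshold=5):
    """Return {host: infection profile} for hosts whose dialogs correlate."""
    profiles = {}
    for host, row in build_matrix(alerts).items():
        score = dialog_score(row)
        if score >= threshold and correlated(row):
            profiles[host] = {"score": score, "dialogs": sorted(row)}
    return profiles


def remediation_message(host):
    """Electronic communication to a sensor payload to initiate remediation
    (the connection-reset / firewall-reprogramming response of the Banerjee
    citation, expressed as a message; field names are assumed)."""
    return {"action": "block_and_isolate", "target": host}


if __name__ == "__main__":
    for host, profile in characterize(SAMPLE_ALERTS).items():
        print(host, profile, remediation_message(host))
```

Only host 10.0.0.5 is reported: it shows an exploit followed by a download and C&C traffic, whereas host 10.0.0.9 carries a single scan class and neither meets the score threshold nor the pattern.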

As per claim 3, Gu-Banerjee teaches claim 1. Gu-Banerjee also discloses:
wherein the at least one of transmitting a request to a sensor payload to initiate a remediation action in the network comprises at least one of requesting to or re-flashing a device of the network (Banerjee 4:19-22, the intrusion device 130 may automatically respond to suspicious activity by resetting a connection or by reprogramming the firewall to block network traffic from the suspected malicious source), requesting to or isolating an infected device from the network, and requesting to or re-tasking at least one of the at least two different sensor payloads or the one sensor payload.


As per claim 4, Gu-Banerjee teaches claim 1. Gu also discloses:
generating a report including a summary of a result of the malware characterization method of claim 1 (Gu Fig. 7, Output Infection Profile at 718).  

As per claim 5, Gu-Banerjee teaches claim 4. Gu also discloses:
wherein the report comprises a human readable file (Gu par. 33, The bot infection profile 214 may be outputted for review, for example by a network administrator).   

As per claim 6, Gu-Banerjee teaches claim 1. Gu also discloses:
wherein the correlation comprises at least one of a locational-based correlation, a memory structure correlation, a device configuration data correlation, a logic setting correlation, a temporally-based correlation, a packet/data-based correlation, a behavioral-based correlation (see Gu pars. 22 and 76, a dialog score for host i at interval t is calculated based on external-to-internal (i.e., attacker-to-victim) inbound scan (E1), external-to-internal inbound exploit and/or internal (client side) exploit (e.g., for spam bots) (E2), internal-to-external (i.e., victim outward) binary (or "egg") download (E3), internal-to-external C&C communication (e.g., for traditional C&C botnets) (E4), internal-to-external outbound infection scanning (E5), internal-to-external attack preparation (e.g., for spam bots and peer-to-peer botnets) (E6), and internal-to-external peer coordination (e.g., for peer-to-peer botnets) (E7)), and a device-based correlation.

As per claim 10, Gu-Banerjee teaches claim 1. Gu also discloses:
wherein at least one of the at least two anomalies is identified by comparing the data captured by at least one sensor payload to a normal operational baseline profile of the processing function (Gu par. 65, In step 622, the method 600 computes a deviation distance, d(x,y), of the payload from the profile of normal traffic constructed in step 604).
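The following Python listing is added as an illustration of the baseline comparison discussed for claim 10 and is not part of this Office action or of the Gu reference. It learns a byte-frequency profile of normal traffic from constructed sample payloads, computes a deviation distance d(x, y) of a new payload x from that profile y, and flags the payload as anomalous when the distance exceeds a threshold calibrated from the training data. The profile form (per-byte mean and standard deviation), the smoothing constant, the calibration factor and all sample payloads are assumptions made for this example.

```python
"""Added illustration, not code from the Office action or the Gu reference:
a byte-frequency profile of normal payloads and a deviation distance from it."""
import math

SMOOTH = 0.001  # assumed smoothing so a zero-variance byte does not divide by zero


def byte_frequencies(payload: bytes):
    """Relative frequency of each of the 256 byte values in one payload."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = max(len(payload), 1)
    return [c / n for c in counts]


def build_profile(normal_payloads):
    """Profile of normal traffic: per-byte mean and population standard deviation."""
    freqs = [byte_frequencies(p) for p in normal_payloads]
    n = len(freqs)
    mean = [sum(f[i] for f in freqs) / n for i in range(256)]
    std = [math.sqrt(sum((f[i] - mean[i]) ** 2 for f in freqs) / n) for i in range(256)]
    return mean, std


def deviation_distance(payload, profile):
    """Simplified Mahalanobis-style distance d(x, y) of payload x from profile y."""
    mean, std = profile
    x = byte_frequencies(payload)
    return sum(abs(x[i] - mean[i]) / (std[i] + SMOOTH) for i in range(256))


def calibrate_threshold(normal_payloads, profile, factor=2.0):
    """Assumed calibration: a multiple of the largest distance seen on normal traffic."""
    return factor * max(deviation_distance(p, profile) for p in normal_payloads)


def is_anomalous(payload, profile, threshold):
    """True when the payload deviates from the normal profile beyond the threshold."""
    return deviation_distance(payload, profile) > threshold


# Constructed "normal" traffic: small plain-text HTTP requests.
NORMAL = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nAccept: text/html\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: example.test\r\nAccept: text/html\r\n\r\n",
    b"GET /news.html HTTP/1.1\r\nHost: example.test\r\nAccept: text/html\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 9\r\n\r\nuser=anna",
]
# Constructed test inputs: an ordinary request, and a request carrying a long run
# of non-printable bytes that never occur in the normal profile.
ORDINARY = b"GET /contact.html HTTP/1.1\r\nHost: example.test\r\nAccept: text/html\r\n\r\n"
ODD = b"GET /" + bytes(range(128, 256)) * 4 + b" HTTP/1.1\r\n\r\n"


if __name__ == "__main__":
    profile = build_profile(NORMAL)
    threshold = calibrate_threshold(NORMAL, profile)
    for name, payload in (("ordinary", ORDINARY), ("odd", ODD)):
        print(name, round(deviation_distance(payload, profile), 1),
              "anomalous" if is_anomalous(payload, profile, threshold) else "normal")
```

Bytes that never appear in the normal profile have a mean and standard deviation of zero, so any occurrence of them contributes a large term to the distance; this is why the payload built from high byte values lands far above the threshold while the ordinary request stays close to the training payloads.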

Claim 12 is an apparatus claim reciting similar subject matters to those recited in the method claim 1, and is rejected under similar rationale.

As per claim 14, Gu-Banerjee teaches claim 12. Gu-Banerjee also discloses:
wherein the recommendations module is configured to at least one of recommend and initiate a remediation action comprising at least one of requesting to or re-flashing a device (Banerjee 4:19-22, the intrusion device 130 may automatically respond to suspicious activity by resetting a connection or by reprogramming the firewall to block network traffic from the suspected malicious source), requesting to or isolating an infected device, and requesting to or re-tasking a sensor payload.
The same rationale as in claim 12 applies.

Claim 15 is an apparatus claim reciting similar subject matters to those recited in the method claim 4, and is rejected under similar rationale.

As per claim 17, Gu-Banerjee teaches claim 12. Gu also discloses:


As per claim 18, Gu-Banerjee teaches claim 12. Gu also discloses:
Payload Anomaly Detection determines the presence of at least one anomaly and sends it to Dialog Correlation (receiving/clustering module) (see Gu Fig. 2), but does not explicitly disclose that Dialog Correlation determines the presence of at least one anomaly (the presence of at least one anomaly is determined by the receiving/clustering module). However, it would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the system of Gu to combine the Payload Anomaly Detection and Dialog Correlation because in combination, each element merely performs the same function as it does separately and the combination would yield the predictable result of determining the presence of at least one anomaly by the Dialog Correlation.

As per claim 19, Gu-Banerjee teaches claim 12. Gu also discloses:
wherein the a presence of at least one anomaly is determined by at least one sensor payload (see Gu Fig. 2, dialog correlation 204 receiving data from rule-based detection 206, scan anomaly detection 208, and payload anomaly detection 210).

Claim 20 is an apparatus claim reciting similar subject matters to those recited in the method claim 10, and is rejected under similar rationale.

As per claim 21, Gu-Banerjee teaches claim 1. Gu also discloses:
initiating a capture of additional sensor payload data (see Gu Fig. 2 and pars 30-32, dialog correlation 204 receiving data from rule-based detection 206 regarding inbound exploit usage (i.e., E1 and E2 transactions), binary downloading (i.e., E3 transactions), and C&C communication patterns (i.e., E4 transactions), from scan anomaly detection 208 regarding inbound malware scans (i.e., E1 transactions) and outbound infection scans (i.e., E5 transactions), and from payload anomaly detection engine 210 regarding inbound infection or exploit transactions), before the initiating of the action for remediating the existence of the malware, to assist in determining if a correlation exists between the at least two anomalies (Gu pg. 7, the dialog correlation engine is configured to detect a bot infection based on a correlation of alerts produced by the intrusion detection system, alerts produced by the scan anomaly detection engine, and alerts produced by the payload anomaly detection engine).

Claim 22 is an apparatus claim reciting similar subject matters to those recited in the method claim 21, and is rejected under similar rationale.

Claims 7-9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Gu et al. (US 2016/0359870, published Oct. 16, 2016), Banerjee (US 10,171,483, filed Aug. 23, 2013) and Bardenstein (US 10,291,637, filed Jul. 5, 2016).
As per claim 7, Gu-Banerjee teaches claim 1, but does not explicitly disclose: 
predicting an occurrence of at least one anomaly.  
Bardenstein teaches:
predicting an occurrence of at least one anomaly (Bardenstein 5:62-6:3, attribute the anomalous activity to a particular actor … This may allow them to better identify trends in the behavior of various actors, and to take steps to predict and prevent future anomalous activity).  
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Gu with the teaching of Bardenstein for predicting an occurrence of at least one anomaly. One of ordinary skill in the art would have been motivated because it offers the advantage of allowing a user to take appropriate actions.

As per claim 8, Gu-Banerjee-Bardenstein teaches claim 7. Gu-Banerjee-Bardenstein also discloses:
wherein the predicting is based on current sensor payload data or on previously observed and stored sensor payload data (Bardenstein 5:62-6:3, attribute the anomalous activity to a particular actor … This may allow them to better identify trends in the behavior of various actors, and to take steps to predict and prevent future anomalous activity).
The same rationale as in claim 7 applies.

As per claim 9, Gu-Banerjee-Bardenstein teaches claim 7. Gu-Banerjee-Bardenstein also discloses: 

The same rationale as in claim 7 applies.

Claim 16 is an apparatus claim reciting similar subject matters to those recited in the method claim 8, and is rejected under similar rationale.

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Gu et al. (US 2016/0359870, published Oct. 16, 2016), Banerjee (US 10,171,483, filed Aug. 23, 2013) and Huang et al. (US 2018/0027004, published Jan. 25, 2018).
As per claim 11, Gu-Banerjee teaches claim 10, but does not explicitly disclose: 
wherein the normal operational profile is determined using at least one of a machine learning process and an inferred specification process.
Huang teaches:
the normal operational profile is determined using at least one of a machine learning process (Huang para. [0049], a learning machine may construct a model of normal network behavior) and an inferred specification process.
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Gu with the teaching of Huang.

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Gu et al. (US 2016/0359870, published Oct. 16, 2016), Banerjee (US 10,171,483, filed Aug. 23, 2013) and Bhatt et al. (US 10,728,264, filed Feb. 15, 2017).
As per claim 13, Gu-Banerjee teaches claim 12. Gu also discloses:
wherein the receiver/clustering module comprises a local state mapping/clustering module to receive at least a portion of the data identifying the presence of the at least two anomalies in the processing function from the at least one of the sensor payloads (see Gu Fig. 2, receiving data from rule-based detection 206, scan anomaly detection 208, and payload anomaly detection 210).
Gu-Banerjee does not explicitly disclose:
a global/historical analysis module to receive at least a portion of the data identifying the presence of the at least two anomalies in the processing function from the a storage device.
Bhatt teaches:
a global/historical analysis module to receive at least a portion of data identifying the presence of the at least two anomalies in the processing function from the a storage device (see Bhatt Fig. 1, Performance Evaluation Engine 150 receive behavior anomaly data 128 from a device [storage device] comprising anomaly detection engine 122).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20190156039 A1; Determine Malware Using Firmware
Firmware can be used to determine that an indication is present that malware is present on the computing device. The firmware can be executed to perform a security action in response to the indication that malware is present on the computing device.
US 20190260781 A1; A Cyber Security Appliance For An Operational Technology Network
A cyber security appliance has one or more modules to interact with entities in an operational technology network and potentially in an informational technology network. A comparator module cooperates with the operational technology module to compare the received data on the operational technology network to the normal pattern of life of any of the users, devices, and controllers to detect anomalies in the normal pattern of life for these entities in order to detect a cyber threat. An autonomous response module can be programmed to respond to counter the detected cyber threat.

Data can be scanned using a network managed appliance. Such appliances may be connected to an appliance management network including central management servers in communication with appliances in remote locations. The central management servers may ensure that scanning software and the definitions lists for each of the appliances are current and match an enterprise-approved configuration.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHANG DO whose telephone number is (571)270-7837.  The examiner can normally be reached on Monday-Friday 8:00 - 5:00 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SALEH NAJJAR can be reached on (571)272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
/KHANG DO/Primary Examiner, Art Unit 2492