Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 08-12-2019 was in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.

A claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, when all three of the following conditions are met:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: “an information security engine implemented by a processor configured to:” in claim 1. Corresponding structure for the information security engine is described in the specification at pgs. 13 – 15 and Figs. 1 and 3.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the 
Claims 1 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Gong et al. (US 20160065601), hereafter Gong, and Saxe (US 10635813), hereafter Sax.
Claim 1: Gong teaches an information security system comprising: a network comprising a plurality of data resources configured to store data; an emulated network comprising copies of the plurality of data resources (Fig. 1); and an information security engine implemented by a processor configured to (Fig. 4): monitor data transmissions within the network; ([0015] monitor simultaneously north-south traffic and east-west traffic);
detect a first attack by a malicious software element, wherein the first attack attempts to transmit a first portion of data from a data resource in the network to a device located outside of the network; ([0015] analyze traffic via first order indicator of compromise extraction ([0014] by a malicious software or malware) and correlate and detect threats, whether the threat is an external attack or the lateral movement of an infiltration; [0031] includes lateral movement and data exfiltration incident alerts);
detect a second attack by the malicious software element within a predetermined time interval from the first attack, wherein: the second attack attempts to transmit a second portion of data from the data resource in the network to the device located outside of the network; ([0015] analyze traffic via second order indicator of compromise extraction ([0014] by a malicious software or malware; [0031] multiple events of the same type happen within a short period of time to the same target device) and correlate and detect threats, whether the threat is an external attack or the lateral movement of an infiltration; [0031] includes lateral movement and data exfiltration incident alerts);
transfer the malicious software element from the network to the emulated network in response to detecting the second attack; ([0035] transmit the network data to security server in response to detecting indicators of compromise and [0055] emulation module analyzes suspicious data for untrusted behavior (malware or distributed attacks));
generate an attack log comprising behavior characteristics for attacks performed by the malicious software element in the emulated network, ([0059] behavior of the suspicious data as well as the behavior of the emulation environment is monitored and logged to track the suspicious data's operations);
wherein the behavior characteristics identify: data resources affected by the software element; and an attack type indicating a technique used by the malicious software element; ([0038], [0056] identifies any of a network device or an application that is compromised, and identifies a user, such as a rogue user, on an end-user device initiating suspicious activities on the network);
and train a machine learning model based on behavior characteristics from the attack log. ([0033-34] the behavior profiles are generated for each of the monitored network devices and end-user devices during a training phase using a machine-learning based classification model);
Gong is not explicit about the limitation “and the second portion of data from the data resource has a smaller file size than the first portion of data from the data resource”;
But analogous art Sax teaches that the second portion of data from the data resource has a smaller file size than the first portion of data from the data resource (C2L29-31: the number of fragments in the second set of fragments is less than the number of fragments in the first set of fragments).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gong so that the second portion of data has a smaller file size than the first portion, as taught by Sax, so that the level definitions help the inspector ML model to categorize the analyzed fragment based on the level of malicious information indicated by the analyzed fragment from the set of fragments (C8L10-13).
Claim 8: Gong teaches a threat detection method, comprising: monitoring, by an information security engine, data transmissions within a network; detecting, by the information security engine, a first attack by a malicious software element, wherein the first attack attempts to transmit a first portion of data from a data resource in the network to a device located outside of the network; detecting, by the information security engine, a second attack by the malicious software element within a predetermined time interval from the first attack, wherein: the second attack attempts to transmit a second portion of data from the data resource in the network to the device located outside of the network; transferring, by the information security engine, the malicious software element from the network to an emulated network in response to detecting the second attack, wherein the emulated network comprises copies of one or more data resources of the network; generating, by the information security engine, an attack log comprising behavior characteristics for attacks performed by the malicious software element in the emulated network, wherein the behavior characteristics identify: data resources affected by the software element; and an attack type indicating a technique used by the malicious software element; and training, by the information security engine, a machine learning model based on behavior characteristics from the attack log. 
([0015] monitor simultaneously north-south traffic and east-west traffic; [0015] analyze traffic via first order indicator of compromise extraction ([0014] by a malicious software or malware) and correlate and detect threats, whether the threat is an external attack or the lateral movement of an infiltration; [0031] includes lateral movement and data exfiltration incident alerts; [0015] analyze traffic via second order indicator of compromise extraction ([0014] by a malicious software or malware; [0031] multiple events of the same type happen within a short period of time to the same target device) and correlate and detect threats, whether the threat is an external attack or the lateral movement of an infiltration; [0031] includes lateral movement and data exfiltration incident alerts; [0035] transmit the network data to a security server in response to detecting indicators of compromise, and [0055] an emulation module analyzes suspicious data for untrusted behavior (malware or distributed attacks); [0059] the behavior of the suspicious data as well as the behavior of the emulation environment is monitored and logged to track the suspicious data's operations; [0038], [0056] identifies any of a network device or an application that is compromised, and identifies a user, such as a rogue user, on an end-user device initiating suspicious activities on the network).
Gong is not explicit about the limitation “and the second portion of data from the data resource has a smaller file size than the first portion of data from the data resource”;
But analogous art Sax teaches that the second portion of data from the data resource has a smaller file size than the first portion of data from the data resource (C2L29-31: the number of fragments in the second set of fragments is less than the number of fragments in the first set of fragments).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gong so that the second portion of data has a smaller file size than the first portion, as taught by Sax, so that the level definitions help the inspector ML model to categorize the analyzed fragment based on the level of malicious information indicated by the analyzed fragment from the set of fragments (C8L10-13).
Claim 15: Gong teaches a computer program comprising executable instructions stored in a non- transitory computer readable medium that when executed by a processor causes the processor to ([0025]): monitor data transmissions within a network; detect a first attack by a malicious software element, wherein the first attack attempts to transmit a first portion of data from a data resource in the network to a device located outside of the network; detect a second attack by the malicious software element within a predetermined time interval from the first attack, wherein: the second attack attempts to transmit a second portion of data from the data resource in the network to the device located outside of the network; transfer the malicious software element from the network to an emulated network in response to detecting the second attack, wherein the emulated network comprises copies of one or more data resources of the network; generate an attack log comprising behavior characteristics for attacks performed by the malicious software element in the emulated network, wherein the behavior characteristics identify: data resources affected by the software element; and an attack type indicating a technique used by the malicious software element; and train a machine learning model based on behavior characteristics from the attack log. 
([0015] monitor simultaneously north-south traffic and east-west traffic; [0015] analyze traffic via first order indicator of compromise extraction ([0014] by a malicious software or malware) and correlate and detect threats, whether the threat is an external attack or the lateral movement of an infiltration; [0031] includes lateral movement and data exfiltration incident alerts; [0015] analyze traffic via second order indicator of compromise extraction ([0014] by a malicious software or malware; [0031] multiple events of the same type happen within a short period of time to the same target device) and correlate and detect threats, whether the threat is an external attack or the lateral movement of an infiltration; [0031] includes lateral movement and data exfiltration incident alerts; [0035] transmit the network data to a security server in response to detecting indicators of compromise, and [0055] an emulation module analyzes suspicious data for untrusted behavior (malware or distributed attacks); [0059] the behavior of the suspicious data as well as the behavior of the emulation environment is monitored and logged to track the suspicious data's operations; [0038], [0056] identifies any of a network device or an application that is compromised, and identifies a user, such as a rogue user, on an end-user device initiating suspicious activities on the network).
Gong is not explicit about the limitation “and the second portion of data from the data resource has a smaller file size than the first portion of data from the data resource”;
But analogous art Sax teaches that the second portion of data from the data resource has a smaller file size than the first portion of data from the data resource (C2L29-31: the number of fragments in the second set of fragments is less than the number of fragments in the first set of fragments).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gong so that the second portion of data has a smaller file size than the first portion, as taught by Sax, so that the level definitions help the inspector ML model to categorize the analyzed fragment based on the level of malicious information indicated by the analyzed fragment from the set of fragments (C8L10-13).
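The two-stage exfiltration logic recited in claims 1, 8 and 15 (a first outbound transfer from a data resource, a second transfer of a smaller portion within a predetermined interval, transfer of the offending element to an emulated network, and an attack log that also carries the file sizes and ports named in claims 6, 7, 13, 14 and 20, with both transmissions blocked as in claims 5, 12 and 19) is shown below as an added worked example. This is illustration code written for this page; it is not the applicant's implementation and not code from Gong or Saxe. The flow-record fields, the treatment of 10/8, 172.16/12 and 192.168/16 as "inside the network", the 300-second window, the `InformationSecurityEngine` class and the sample transfers are all assumptions constructed for the example.

```python
"""Two-stage exfiltration detector (added illustration; not the applicant's, Gong's or Saxe's code).

Constructed assumptions: each flow record carries a timestamp, the process that issued
the transfer, the data resource it read from, the destination IP/port and the byte
count; 10/8, 172.16/12 and 192.168/16 are "inside the network"; a second attack counts
only when it targets the same resource and destination, arrives within WINDOW_SECONDS
of the first attempt and moves fewer bytes.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

WINDOW_SECONDS = 300.0  # assumed "predetermined time interval"

# Assumed internal address space. Documentation ranges such as 203.0.113.0/24 are
# deliberately *not* listed, so they count as "outside of the network" below.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the destination lies outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


@dataclass(frozen=True)
class Transfer:
    ts: float        # seconds since capture start
    process: str     # software element that issued the transfer
    resource: str    # data resource the bytes were read from
    dst_ip: str
    dst_port: int
    size: int        # bytes the transfer attempted to move


@dataclass
class AttackLogEntry:
    process: str
    resource: str       # data resource affected by the software element
    attack_type: str    # technique used by the element
    sizes: List[int]    # file sizes of each transmission attempt
    ports: List[int]    # ports used by the element
    dst_ip: str


class InformationSecurityEngine:
    """Tracks outbound transfers per (process, resource, destination) and escalates
    when a second, smaller attempt follows the first inside the window."""

    def __init__(self, window: float = WINDOW_SECONDS) -> None:
        self.window = window
        self._first: Dict[Tuple[str, str, str], Transfer] = {}
        self.blocked: List[Transfer] = []       # every external attempt is blocked
        self.quarantined: Set[str] = set()      # processes moved to the emulated network
        self.attack_log: List[AttackLogEntry] = []

    def observe(self, t: Transfer) -> Optional[str]:
        """Return None (internal traffic), "first_attack" or "second_attack"."""
        if not is_external(t.dst_ip):
            return None  # east-west traffic is not an exfiltration attempt under this rule
        self.blocked.append(t)  # block the first and the second transmission alike
        key = (t.process, t.resource, t.dst_ip)
        prior = self._first.get(key)
        if prior is not None and t.ts - prior.ts <= self.window and t.size < prior.size:
            # Second attack: the same element retries with a smaller chunk after being
            # blocked. Move it to the emulated network and record the attack.
            self.quarantined.add(t.process)
            self.attack_log.append(AttackLogEntry(
                process=t.process,
                resource=t.resource,
                attack_type="staged exfiltration (retry with smaller payload)",
                sizes=[prior.size, t.size],
                ports=sorted({prior.dst_port, t.dst_port}),
                dst_ip=t.dst_ip,
            ))
            del self._first[key]
            return "second_attack"
        # No prior attempt, window expired, or the retry was not smaller:
        # start (or restart) the interval from this attempt.
        self._first[key] = t
        return "first_attack"


# Constructed sample flow records (not captured from any real network).
SAMPLE_TRANSFERS = [
    Transfer(0.0, "svc.exe", "fileshare:/finance", "10.0.0.5", 445, 50_000_000),      # internal
    Transfer(1.0, "svc.exe", "fileshare:/finance", "203.0.113.7", 443, 50_000_000),   # first attack
    Transfer(31.0, "svc.exe", "fileshare:/finance", "203.0.113.7", 443, 4_000_000),   # smaller retry
    Transfer(400.0, "backup.exe", "db:/customers", "198.51.100.9", 22, 1_000_000),    # first attack
    Transfer(1400.0, "backup.exe", "db:/customers", "198.51.100.9", 22, 500_000),     # window expired
]


def run_demo(transfers=SAMPLE_TRANSFERS) -> Tuple[InformationSecurityEngine, List[Optional[str]]]:
    engine = InformationSecurityEngine()
    verdicts = [engine.observe(t) for t in transfers]
    return engine, verdicts


if __name__ == "__main__":
    eng, verdicts = run_demo()
    for t, v in zip(SAMPLE_TRANSFERS, verdicts):
        print(f"t={t.ts:>6.0f}s {t.process:<11} -> {t.dst_ip}:{t.dst_port} {t.size:>10} B  {v}")
    for entry in eng.attack_log:
        print("attack log:", entry)
```

Keying the window on (process, resource, destination) is what keeps unrelated outbound traffic from consuming the interval; the "smaller second portion" condition is the observable trace of an exfiltrator that chunks its payload after the first transfer is blocked. The log entry deliberately carries the affected resource, an attack type, the byte counts of both attempts and the ports used, since those are the characteristics the dependent claims say the attack log must identify.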
Claim 2: the combination of Gong and Sax teaches the system of claim 1, wherein: the machine learning model is configured to: receive behavior characteristics of the malicious software (Gong: [0016] the network environment detects threat activity and malicious activity, identifies malware, identifies exploits, takes preventive action, determines malicious behavior, determines targeted information, recommends steps to prevent attack, and/or provides recommendations to improve security; [0028] second order indicators of compromise include behavior patterns of a network device observed from the network device and behavior patterns of an end-user device; suspicious conditions are detected by continuous monitoring and building typical pattern profiles, and the system is configured to generate an alert when the observed behavior patterns deviate from the typical profiles; [0060] suspicious data receives the expected response within the new virtualization environment).
Claim 3: the combination of Gong and Sax teaches the system of claim 1, wherein: the machine learning model is configured to: receive behavior characteristics for the malicious software element; and output a threat signature for the malicious software element; and the information security engine is configured to: identify behavior characteristics for a second software element; input the behavior characteristics for the second software element into the machine learning model; obtain a threat signature for the second software element; determine the threat signature for the second software element matches a threat signature for the malicious software element; and terminate the second software element in response to the determination. (Gong: [0016] the network environment detects threat activity and malicious activity, identifies malware, identifies exploits, takes preventive action, generates signatures, and determines malicious behavior; [0028] second order indicators of compromise include behavior patterns of a network device observed from the network device and behavior patterns of an end-user device; [0054] new signatures are generated by one or more security servers; [0067]-[0068] a signature module is configured to store signature files that are used to identify malware and/or traffic patterns, and if network traffic/data matches the signature of known malware/suspicious data, then the network data is classified as malware/suspicious data. The malware and/or the suspicious data is processed within a virtualization environment for a proper response, such as [0019] helping the data collectors recognize sufficiently trustworthy data and taking corrective action (quarantine and alert an administrator)).
Claim 4: the combination of Gong and Sax teaches the system of claim 1, wherein generating the attack log comprises: collecting behavior characteristics for the malicious software element over a predetermined time period; and terminating the software element after the predetermined time period has elapsed. (Gong: [0015] system configured with multiple collectors for monitoring north-south traffic and east-west traffic, [0029] the security posture is increased for the devices or users for the given period of time).
Claim 5: the combination of Gong and Sax teaches the system of claim 1, wherein the security engine is configured to: block the transmission of the first portion of data to the device located outside of the network; and block the transmission of the second portion of data to the device located outside of the network. (Sax: C20L14-18: if a particular process executing on the endpoint is compromised or otherwise under suspicion, access by that process is blocked in order to prevent data leakage or other malicious activity).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gong to include the idea of blocking transmission of data as taught by Sax so that the level definitions help the inspector ML model to categorize the analyzed fragment based on the level of malicious information indicated by the analyzed fragment from the set of fragments (C8L10-13).
Claim 6: the combination of Gong and Sax teaches the system of claim 1, wherein the behavior characteristics in the attack log identifies file sizes for data transmission attempts by the malicious software element. (Gong: [0033] a behavior profile for an end-user device includes a total amount of data exchanged, a breakdown of the amount of data in each direction over a period of time).
Claim 7: the combination of Gong and Sax teaches the system of claim 1, wherein the behavior characteristics in the attack log identifies ports used by the malicious software element. (Gong: [0026] the data collector configured to detect and determine traffic patterns for IP traffic between IP and port number pairs and patterns between application clients and servers).
Claim 9: the combination of Gong and Sax teaches the method of claim 8, further comprising: identifying, by the information security engine, behavior characteristics for a second software element; inputting, by the information security engine, the behavior characteristics for the second software element into the machine learning model; obtaining, by the information engine, a threat response from the machine learning model, wherein the threat response indicates an action to perform on the second software element; and performing, by the information engine, the action indicated by the threat response on the second software element. (Gong: [0016] the network environment detects threat activity and malicious activity, identifies malware, identifies exploits, takes preventive action, determines malicious behavior, determines targeted information, recommends steps to prevent attack, and/or provides recommendations to improve security; [0028] second order indicators of compromise include behavior patterns of a network device observed from the network device and behavior patterns of an end-user device; suspicious conditions are detected by continuous monitoring and building typical pattern profiles, and the system is configured to generate an alert when the observed behavior patterns deviate from the typical profiles; [0060] suspicious data receives the expected response within the new virtualization environment).
Claim 10: the combination of Gong and Sax teaches the method of claim 8, further comprising: identifying, by the information security engine, behavior characteristics for a second software element; inputting, by the information security engine, the behavior characteristics for the second software element into the machine learning model; obtaining, by the information security engine, a threat signature for the second software element; determining, by the information security engine, the threat signature for the second software element matches a threat signature for the malicious software element; and terminating, by the information security engine, the second software element in response to the determination. (Gong: [0016] the network environment detects threat activity and malicious activity, identifies malware, identifies exploits, takes preventive action, generates signatures, and determines malicious behavior; [0028] second order indicators of compromise include behavior patterns of a network device observed from the network device and behavior patterns of an end-user device; [0054] new signatures are generated by one or more security servers; [0067]-[0068] a signature module is configured to store signature files that are used to identify malware and/or traffic patterns, and if network traffic/data matches the signature of known malware/suspicious data, then the network data is classified as malware/suspicious data. The malware and/or the suspicious data is processed within a virtualization environment for a proper response, such as [0019] helping the data collectors recognize sufficiently trustworthy data and taking corrective action (quarantine and alert an administrator)).
Claim 11: the combination of Gong and Sax teaches the method of claim 8, wherein generating the attack log comprises: collecting behavior characteristics for the malicious software element over a predetermined time period; and terminating the software element after the predetermined time period has elapsed. (Gong: [0015] system configured with multiple collectors for monitoring north-south traffic and east-west traffic, [0029] the security posture is increased for the devices or users for the given period of time).
Claim 12: the combination of Gong and Sax teaches the method of claim 8, further comprising: blocking, by the information security engine, the transmission of the first portion of data to the device located outside of the network; and blocking, by the information security engine, the transmission of the second portion of data to the device located outside of the network. (Sax: C20L14-18: if a particular process executing on the endpoint is compromised or otherwise under suspicion, access by that process is blocked in order to prevent data leakage or other malicious activity).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gong to include the idea of blocking transmission of data as taught by Sax so that the level definitions help the inspector ML model to categorize the analyzed fragment based on the level of malicious information indicated by the analyzed fragment from the set of fragments (C8L10-13).
Claim 13: the combination of Gong and Sax teaches the method of claim 8, wherein the behavior characteristics in the attack log identifies file sizes for data transmission attempts by the malicious software element. (Gong: [0033] a behavior profile for an end-user device includes a total amount of data exchanged, a breakdown of the amount of data in each direction over a period of time).
Claim 14: the combination of Gong and Sax teaches the method of claim 8, wherein the behavior characteristics in the attack log identifies ports used by the malicious software element. (Gong: [0026] the data collector configured to detect and determine traffic patterns for IP traffic between IP and port number pairs and patterns between application clients and servers).
Claim 16: the combination of Gong and Sax teaches the computer program of claim 15, further comprising instructions that when executed by the processor causes the processor to: identify behavior characteristics for a second software element; input the behavior characteristics for the second software element into the machine learning model; obtain a threat response from the machine learning model, wherein the threat response indicates an action to perform on the second software element; and perform the action indicated by the threat response on the second software element. (Gong: [0016] the network environment detects threat activity and malicious activity, identifies malware, identifies exploits, takes preventive action, determines malicious behavior, determines targeted information, recommends steps to prevent attack, and/or provides recommendations to improve security; [0028] second order indicators of compromise include behavior patterns of a network device observed from the network device and behavior patterns of an end-user device; suspicious conditions are detected by continuous monitoring and building typical pattern profiles, and the system is configured to generate an alert when the observed behavior patterns deviate from the typical profiles; [0060] suspicious data receives the expected response within the new virtualization environment).
Claim 17: the combination of Gong and Sax teaches the computer program of claim 15, further comprising instructions that when executed by the processor causes the processor to: identify behavior characteristics for a second software element; input the behavior characteristics for the second software element into the machine learning model; obtain a threat signature for the second software element; determine the threat signature for the second software element matches a threat signature for the malicious software element; and terminate the second software element in response to the determination. (Gong: [0016] the network environment detects threat activity and malicious activity, identifies malware, identifies exploits, takes preventive action, generates signatures, and determines malicious behavior; [0028] second order indicators of compromise include behavior patterns of a network device observed from the network device and behavior patterns of an end-user device; [0054] new signatures are generated by one or more security servers; [0067]-[0068] a signature module is configured to store signature files that are used to identify malware and/or traffic patterns, and if network traffic/data matches the signature of known malware/suspicious data, then the network data is classified as malware/suspicious data. The malware and/or the suspicious data is processed within a virtualization environment for a proper response, such as [0019] helping the data collectors recognize sufficiently trustworthy data and taking corrective action (quarantine and alert an administrator)).
Claim 18: the combination of Gong and Sax teaches the computer program of claim 15, wherein generating the attack log comprises: collecting behavior characteristics for the malicious software element over a predetermined time period; and terminating the software element after the predetermined time period has elapsed. (Gong: [0015] system configured with multiple collectors for monitoring north-south traffic and east-west traffic, [0029] the security posture is increased for the devices or users for the given period of time).
Claim 19: the combination of Gong and Sax teaches the computer program of claim 15, further comprising instructions that when executed by the processor causes the processor to: block the transmission of the first portion of data to the device located outside of the network; and block the transmission of the second portion of data to the device located outside of the network. (Sax: C20L14-18: if a particular process executing on the endpoint is compromised or otherwise under suspicion, access by that process is blocked in order to prevent data leakage or other malicious activity).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Gong to include the idea of blocking transmission of data as taught by Sax so that the level definitions help the inspector ML model to categorize the analyzed fragment based on the level of malicious information indicated by the analyzed fragment from the set of fragments (C8L10-13).
Claim 20: the combination of Gong and Sax teaches the computer program of claim 15, wherein the behavior characteristics in the attack log identifies file sizes for data transmission attempts by the malicious software element. (Gong: [0033] a behavior profile for an end-user device includes a total amount of data exchanged, a breakdown of the amount of data in each direction over a period of time).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892 Notice of References Cited.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani, can be reached at 571-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BADRINARAYANAN /Examiner, Art Unit 2496.