Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Objections
Claim 6 is objected to because of the following informalities: 
In claim 6, line 4, the claimed “the baseline” lacks antecedent basis.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-2, 16, 18, 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Yaqub (US 10949821 B1).
As per claim 1, Yaqub teaches a method comprising: acquiring a to-be-processed access request (col.4, lines 41-47: “FAST ATM 20A sends one or more data packets (request) toward bank server 22 requesting the user-initiated financial transaction”; col.9, lines 54-60; col.16, lines 62 to col.17, lines 1-4: transaction request is intercepted); generating a communication traffic feature (col.4, lines 61-65; col.5, lines 1-5: “The data packet traffic between ATMs and associated bank servers carries much of the data that may assist in evaluating ATM performance and assessing future trends with respect to potential security threats”; col.10, lines 33-34) and a content 

As per claim 2, Yaqub teaches performing the anomaly identification on the suspicious access request by using a machine learning model (col.16, lines 1-5).

As per claim 16, Yaqub teaches forbidding the suspicious access request from being sent to a corresponding data responding device (col.7, lines 60-col.8, lines 1-4).  


As per claims 18 and 20, refer to claim 1 above.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3-5 are rejected under 35 U.S.C. 103 as being unpatentable over Yaqub (US 10949821 B1) in view of Yu (US 2015/0180829 A1).
As per claim 3, Yaqub teaches generating the communication traffic feature and the content structure feature of the to-be-processed access request according to the information carried in the to-be-processed access request comprises: extracting one or more features from the information to form a baseline feature corresponding to the to-be-processed access request as the communication traffic feature (col.15, lines 23-29: baseline feature including network parameter; col.13, lines 41-43: extracting communication traffic feature such as ID of ATM 42); and generating, according to a keyword in the information and a matching result between the information carried in the to-be-processed access request and an abnormal communication rule, a signature corresponding to the to-be-processed access request as the content structure feature (col.16, lines 34-54: identifying data patterns that might match the intrusion and/or attack signatures (generating a signature according to matching results between the 
Yaqub does not explicitly teach the to-be-access request carries information corresponding to the communication traffic feature, the keyword. However, Yaqub teaches the request data packets including transaction data, location data (Yaqub col.17, lines 5-17), and Yu teaches the request packets include communication traffic features such as IP address, and keywords (Yu [0034] scanning request data packets, and [0043] scanning data packets (requests) for IP address, keywords). It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to include the communication traffic feature such as IP address and the keyword indicating requested action in the to-be-access request taught by Yu to the request packet taught by Yaqub in order to facilitate detecting anomaly requests using the information supplied in the to-be-access request.

As per claim 4, Yaqub teaches the one or more features include a device ID (col.5, lines 65-66: user ID; col.13, lines 41-43: device ID).

As per claim 5, Yaqub teaches wherein the matching result between the information carried in the to-be-processed access request and the abnormal communication rule includes a matching result between the information carried in the to-be-processed access request and one or more regular expressions in the abnormal communication rule (col.10, lines 52-60). Yaqub does not explicitly teach the .

Claims 6-14, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Yaqub (US 10949821 B1) in view of Zhou et al. (CN 107360118) (see attached translation).
As per claim 6, Yaqub teaches matching the signature of the to-be-processed access request with an abnormal traffic signature library; determining that the signature of the to-be-processed access request matches an abnormal traffic signature (col.14, lines 21-23, lines 4-15 (matching with abnormal signature library), and lines 29-34 (abnormal signature library)) and determining that the to-be-processed access request is the suspicious access request (col.10, lines 54-60). Yaqub does not specifically teach matching the baseline feature with a normal traffic baseline library; determining that the baseline feature of the to-be-processed access request does not match a normal traffic baseline. However, Zhou teaches matching the baseline feature with a normal traffic baseline library; determining that the baseline feature of the to-be-processed access request does not match a normal traffic baseline (Zhou page 6, lines 15-16, lines 23-31). It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to include matching the baseline features with the normal baseline traffic library taught by Zhou in the method taught by Yaqub in order to improve speed in recognizing the signature of an anomaly by determining the signature of the anomaly only after the system determines that the baseline feature is not normal.


As per claims 8 and 10, refer to claim 6 above. Zhou further teaches counting the number of accesses within a preset time (page 19, lines 36-44; page 10, lines 10-15). Zhou further teaches, if the access behavior occurrence time of the same service feature code and same IP satisfies a set threshold, continuing analyzing the user access behavior (Zhou page 19, lines 20-23), and, if the number of accesses is less than a threshold, continuing with the analysis (Zhou page 19, line 40). It would have been an obvious, well-known design choice to one of ordinary skill in the art, before the effective filing date of the claimed invention, to establish a suitable threshold for the number of occurrences and to determine suspicious access request status based on determining whether the number of occurrences of a particular access is less than or greater than a threshold, to ensure that false alarms are filtered out when an access behavior occurs only rarely.

As per claim 9, refer to claim 6 above.

As per claim 11, Yaqub teaches the capability of updating the database of threat (abnormal) signatures (col.19, lines 63-col.20, lines 1-3) based on traffic analysis of an ATM or group of ATMs, and the capability of identifying suspicious access requests and updating the newly discovered attacks (col.10, lines 54-64; col.14, lines 29-34). Yaqub inherently teaches the capability of identifying suspicious/non-suspicious historical access requests and generating (by updating) the abnormal signature library as claimed.


As per claim 13, refer to claim 11 above. Furthermore, Yaqub teaches generating an abnormal traffic signature according to a keyword (col.16, lines 34-40: the abnormal traffic signature is the physical attack).

As per claim 14, Yaqub teaches extracting a device ID from information carried in a respective non-suspicious historical access request (Col.10, 29-36; col. 13, 4-16: metadata generation of the requests as baseline including user/transaction ID, IP address of ATM, or any single or multiple parameters to provide a basis for both rapid random lookups and efficient access of records). Yaqub does not explicitly teach extracting an access path, an access file ID, and a keyword; and forming a respective normal traffic baseline corresponding to the respective non-suspicious historical access request forming the normal traffic baseline library based on normal traffic baselines 

As per claim 19, refer to claim 6 above.

Claims 15 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Yaqub (US 10949821 B1) in view of Official Notice.
As per claims 15 and 17, Yaqub teaches forbidding the suspicious access request from being sent to a corresponding data responding device (col.7, lines 60-col.8, lines 1-4). Yaqub does not explicitly disclose adding a device ID to an abnormal library to reject a subsequent attack or allowing a non-suspicious request to access a data responding device. Official Notice is taken that the claimed limitations would have been well-known and obvious design choices when a non-suspicious request or a suspicious request is detected. It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to add the device ID to the abnormal library of Yaqub to reject subsequent service to the same device ID, or to allow access to the service when a non-threat request is detected.


Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamal B Divecha can be reached on (571) 272-5863. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/TU T NGUYEN/
Primary Examiner, Art Unit 2453
11/06/2021