Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

Claims 1 – 20 are pending.
Any references to applicant’s specification are made by way of applicant’s U.S. pre-grant printed patent publication.
This action is in response to the communication filed on 12/15/21.
All objections and rejections not set forth below have been withdrawn.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 12/15/21 has been entered.
 

Specification

The specification is objected to as failing to provide proper antecedent basis for the claimed subject matter.  See 37 CFR 1.75(d)(1) and MPEP § 608.01(o).  Correction of the following is required: 
The specification fails to provide adequate description for the recitation “…wherein the activation rate is a probability that at least one packet of the plurality of first packets … is triggered by at least one packet of the plurality of second packets …” (e.g. claim 1; and similarly claim 11) and “…wherein the response rate is a probability that the first device responds with a first packet of the plurality of first packets within a time threshold to a second packet of the plurality of second packets…” (e.g. claim 1; and similarly claim 11).  Specifically, the examiner notes that the applicant’s original disclosure describes the “activation rate” and “response rate” as probabilities describing the triggering of, or the response to, “data” in general.  However, there does not appear to be any disclosure of the “activation rate” being a probability that any individual or specific packet within such data is triggered by any other individual or specific packet.  Also, there does not appear to be any disclosure of the “response rate” being a probability that any individual or specific packet is determined to be a response, within a time threshold, to any other individual or specific packet of data.  Furthermore, the examiner points out that the present manner in which the applicant characterizes the claimed “activation” and “response” rates does not appear to coincide with the actual manner in which such probabilities are calculated (e.g. see dependent claims).

 
Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1 – 20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. 
See above objection to the specification.

Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1, 2, 10, 11, 12, and 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Xue et al. (Xue), “Design and implementation of a malware detection system based on network behavior”.

	Regarding claim 1, Xue discloses:
	A threat detection method implemented by a threat detection apparatus (e.g. Xue, sect. 5; fig. 6), wherein the method comprises: 
obtaining (e.g. Xue, fig. 1:switch and data capture host; sect. 2.4, par. 3; fig. 6; sect. 5.2), packets in a Transmission Control Protocol (TCP) session between a first device and a second device (e.g. Xue, sect. 3, par. 2, 3), wherein an initiating-end device of the TCP session is the first device, wherein the first device is located in a protected network (e.g. Xue, fig. 1: malware client behind LAN gateway), and wherein the second device is located in another network (e.g. Xue, fig. 1: remotely located spyware control host); 
obtaining a first data flow and a second data flow in the TCP session (e.g. Xue, sect. 3, par. 2, 3), wherein the first data flow comprises data transmitted from the first device to the second device, and wherein the second data flow comprises data transmitted from the second device to the first device (e.g. Xue, sect. 3.2 – upstream and downstream data between control host and malware client); 
obtaining time information of each of a plurality of first packets and time information of each of a plurality of second packets, wherein the plurality of first packets are packets in the first data flow, and wherein the plurality of second packets are packets in the second data flow (e.g. fig. 6, fig. 7 - time; table II – flow captures comprising time information); 
calculating an activation rate, a response rate, and a quantity of interactions based on the time information of the plurality of first packets and the time information of the plurality of second packets (e.g. Xue, sect. 3.1, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.3.1 - TrojanFProbtc, TrojanFProbudd, TrojanFProbpl, TrojanFProbic, TrojanFProbdur, TrojanFProbct, TrojanFProbhp - the examiner notes that each of the applicant’s recited “activation rate”, “response rate” and “quantity” are broadly characterized within the claims, and one or more of the prior art TrojanF probabilities may be said to anticipate each), 

wherein the activation rate is a probability that at least one packet of the plurality of first packets going from the first device to the second device in the TCP session is triggered by at least one packet of the plurality of second packets that is received by the second device (e.g. Xue, 3.1 - TrojanFProbtc, i.e. probability that control host is triggering connections with the malware client; and/or Xue, sect. 3.2.1, TrojanFProbudd, i.e. probability of sending commands “triggering” large uploads by malware client; and/or Xue, sect. 3.2.3, TrojanFProbic, i.e. probability the control host is sending commands “triggering” an interactive response by malware client; and/or Xue, sect. 3.3.1, TrojanFProbhp, i.e. probability the control host is sending heartbeat packets “triggering” a response by malware client),
wherein the response rate is a probability the first device responds with a first packet of the plurality of first packets within a time threshold to a second packet of the plurality of second packets that is received from the second device in the TCP session (e.g. Xue, 3.2.3 – TrojanFProbic, i.e. probability that the malware client sends packets, within a specific time interval, in response to receiving commands from the control host; and/or Xue, sect. 3.3.1, TrojanFProbhp, i.e. probability the malware client is sending heartbeat packets to the control host, in response to heartbeat packets from the control host, within a particular time distribution);
and wherein the quantity of interactions is a quantity of interactions between the first device and the second device in the TCP session (e.g. Xue, 3.1 - TrojanFProbtc, i.e. measures the amount (i.e. “quantity”) of connection establishment packets between malware client and control host within a time period; and/or Xue, sect. 3.2.1, TrojanFProbudd, measures the quantity of upstream and downstream data flow; and/or Xue, sect. 3.2.2, TrojanFProbpl, measures the size, i.e. “quantity”, of bytes within the data flow); 
and determining that a connection mode between the first device and the second device is a reverse connection (e.g. Xue, sect. 1; sect. 3, par. 1: “command and control channel”, i.e. “reverse connection”; sect. 3.4, par. 1) indicating a threat of a malicious program to the first device that is an attacked host (e.g. Xue, sect. 3.4, par. 2; sect. 3.4.2 – the threat of an abnormal port, TrojanPort value [i.e. “threatened”] is determined using the magnitude of the joint suspicious probability that the client is infected with a Trojan [i.e. is an “attacked host”]) when the activation rate is greater than or equal to a first threshold, the response rate is greater than or equal to a second threshold, and the quantity of interactions is greater than or equal to a third threshold (e.g. Xue, sect. 3.1, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.3.1 - TrojanFProbtc, TrojanFProbudd, TrojanFProbpl, TrojanFProbic, TrojanFProbdur, TrojanFProbct, TrojanFProbhp - each of these values, shown above as corresponding to one or more of the recited rates or quantity [i.e. “activation rate”, “response rate”, “quantity of interactions”], are abnormal data flow features compared to a threshold, and if the abnormal features are greater than the thresholds, the abnormal features are combined to identify a “joint suspicious probability” (e.g. Xue, sect. 3.4, par. 1, 2) so as to identify a connection between client and server indicative of a command and control connection [i.e. “reverse connection”]).

Regarding claim 2, Xue discloses:
obtaining, size information of each first packet of the plurality of first packets (e.g. Xue, sect. 3.3.1, par. 1; fig. 5 – data length of packet – e.g. 273 or 108 bytes); 
determining, based on the time information of the each first packet and the size information of the each first packet, whether the plurality of first packets comprise a heartbeat message (e.g. Xue, sect. 3.3.1, par. 1, 2; fig. 5 – “time” – amount and size of packets during t heartbeat cycle); 
determining, from a plurality of threat levels, that a level-1 threat is posed to the first device when the plurality of first packets comprise no heartbeat message and the connection mode between the first device and the second device is the reverse connection, wherein the level-1 threat indicates a lowest level of damage to the first device from among the plurality of threat levels when the connection mode is the reverse connection (e.g. Xue, sect. 3.4, par. 1, 2; sect. 3.4.1, par. 1, 2; sect. 3.4.2: a relative (i.e. “level 1”) Trojan port value (i.e. “threat”) is determined from the identification of abnormal features indicative of a reverse connection); 
and determining, from the threat levels, that a level-2 threat is posed to the first device when the plurality of first packets comprise a heartbeat message and the connection mode between the first device and the second device is the reverse connection, wherein a level-2 threat represents a greater level of damage to the first device than the level-1 threat (e.g. Xue, sect. 3.4, par. 1, 2; sect. 3.4.1, par. 1, 2; sect. 3.4.2).  As more abnormal features are identified, such as by the additional identification of heartbeat messages, the relative threat value (i.e. Trojan port value) becomes a greater threat of damage (i.e. “level-2 threat”).  

Regarding claim 10, Xue discloses:
wherein after determining that the first device is threatened, the method further comprises: restricting, by the threat detection apparatus, a connection from the first device to the other network; or outputting, by the threat detection apparatus, a determination result that indicates the first device is threatened (e.g. Xue, fig. 6 – detection results to management device). 
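To make the three-threshold test of claim 1 and the heartbeat-based level-1/level-2 split of claim 2 concrete, the following added example (written for this page; it is not code from the office action, the applicant, or Xue) computes an activation rate, a response rate and a quantity of interactions from constructed packet timestamps of one TCP session and classifies the session. The trigger and response windows, the thresholds, the heartbeat heuristic and the sample sessions are all assumptions chosen for illustration.

```python
# Added illustration (not code from the office action or from Xue): the claimed check
# over constructed packet timestamps. Windows, thresholds and the heartbeat heuristic
# are assumptions chosen for the example.
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Packet:
    t: float        # capture time, seconds from session start
    size: int       # payload length in bytes
    outbound: bool  # True: first device -> second device (first data flow)

def rates(pkts, activate_win=2.0, respond_win=1.0):
    """Return (activation rate, response rate, quantity of interactions)."""
    out = sorted(p.t for p in pkts if p.outbound)      # first data flow
    inb = sorted(p.t for p in pkts if not p.outbound)  # second data flow
    if not out or not inb:
        return 0.0, 0.0, 0
    # activation: share of outbound packets sent within activate_win after an inbound one
    triggered = sum(1 for t in out if any(0 <= t - s <= activate_win for s in inb))
    # response: share of inbound packets answered by an outbound one within respond_win
    answered = sum(1 for s in inb if any(0 <= t - s <= respond_win for t in out))
    return triggered / len(out), answered / len(inb), answered

def has_heartbeat(pkts, min_count=4, jitter=0.2):
    """Heuristic: >= min_count equal-sized outbound packets at a near-constant interval."""
    by_size = {}
    for p in pkts:
        if p.outbound:
            by_size.setdefault(p.size, []).append(p.t)
    for times in by_size.values():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_count and pstdev(gaps) <= jitter * mean(gaps):
            return True
    return False

def classify(pkts, thresholds=(0.6, 0.6, 3)):
    """0: no reverse connection; 1: level-1 threat; 2: level-2 threat (heartbeat seen)."""
    act, resp, n = rates(pkts)
    if not (act >= thresholds[0] and resp >= thresholds[1] and n >= thresholds[2]):
        return 0
    return 2 if has_heartbeat(pkts) else 1

# Constructed sessions. Inbound "commands" at t=10, 13, 31, 40 are each answered
# within 0.5 s; the level-2 session adds a 108-byte outbound beacon every 5 s.
COMMANDS = [Packet(t, 64, False) for t in (10, 13, 31, 40)]
REPLIES = [Packet(t, 300, True) for t in (10.3, 13.4, 31.2, 40.5)]
BEACONS = [Packet(t, 108, True) for t in (11, 16, 21, 26)]
LEVEL1_SESSION = COMMANDS + REPLIES
LEVEL2_SESSION = COMMANDS + REPLIES + BEACONS
# Client-driven download: one outbound request, four inbound data packets, one outbound ack.
BENIGN_SESSION = ([Packet(0, 200, True)]
                  + [Packet(t, 1400, False) for t in (0.1, 0.2, 0.3, 0.4)]
                  + [Packet(0.45, 0, True)])

if __name__ == "__main__":
    for name, s in (("benign", BENIGN_SESSION), ("level1", LEVEL1_SESSION), ("level2", LEVEL2_SESSION)):
        print(name, rates(s), classify(s))
```

The benign download has a high response rate and enough interactions but a low activation rate, so all three thresholds must hold before the session is labelled a reverse connection; the beacon series then raises the level-2 session above the level-1 session.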

	Regarding claims 11, 12, and 20, they are apparatus claims essentially corresponding to the above method claims, and they are rejected, at least, for the same reasons.  Furthermore:
Regarding claim 11, Xue discloses:
	a communications interface configured to obtain packets in a Transmission Control Protocol (TCP) session between a first device and a second device, … at least one processor coupled to the communications interface; and a memory coupled to the at least one processor, wherein the memory stores the packets and comprises instructions that, when executed by the at least one processor, cause … (e.g. Xue, fig. 1 and fig. 6 – switch and host comprising detection module and memory for storing flow data).  

Response to Arguments

Applicant's arguments filed 11/17/21 have been fully considered but they are not persuasive.

Applicant argues or alleges essentially that:
…
…While Xue describes monitoring the times of transmissions from malware to a control, Xue does not determine a response rate as a probability whether the first device responds within a time threshold to the data going from the second device to the first device in the TCP session.
 …
(Remarks, pg. 20 – 22)

Examiner respectfully responds:
The examiner respectfully disagrees.  Xue anticipates the claimed “response rate” for any one of the following reasons.  First, Xue teaches measuring the probability that the malware client sends packets, within a specific time interval – i.e. time threshold – in response to receiving commands from the control host (e.g. Xue, 3.2.3 – TrojanFProbic).  Second, Xue teaches measuring the probability that the malware client sends heartbeat packets to the control host, in response to heartbeat packets from the control host, within a particular time distribution – i.e. time threshold (Xue, sect. 3.3.1, TrojanFProbhp).  Furthermore, Xue teaches that these probability measurements are taken from command and control packet flows within a TCP session between a C&C host and infected client host (e.g. Xue, section 3, par. 3, 5).

Applicant argues or alleges essentially that:
…
Second, claim 1 requires determining that a connection mode between the first device and the second device is a reverse connection indicating a threat of a malicious program to the first device that is a host when the activation rate is greater than or equal to a first threshold, the response rate is greater than or equal to a second threshold, and the quantity of interactions is greater than or equal to a third threshold. … While Xue discloses determining a joint suspicious probability that looks at data flows at different times, Xue’s joint suspicious probability does not determine whether the first device is an attacked host based on the activation rate, the response rate, and the quantity of interactions:
…
Further, Xue does not disclose determining that a connection mode between the first device and the second device is a reverse connection indicating a threat of a malicious program to the first device that is an attacked host when the activation rate is greater than or equal to a first threshold, the response rate is greater than or equal to a second threshold, and the quantity of interactions is greater than or equal to a third threshold.
…
(Remarks, pg. 22-24)

Examiner respectfully responds:
	The examiner respectfully disagrees.  A client that is infected with malware, such as a Trojan, is indeed an attacked “host” of the malware.  Furthermore, Xue explicitly references such clients by the term “host” (e.g. Xue, fig. 1; sect. 3, par. 5).  

Applicant argues or alleges essentially that:
…
However, Xue’s joint suspicious probability method merely looks at data flows at different times, but does not determine an activation rate, a response rate, and a quantity of interactions to determine attacks, as required in claim 1. …
…
(Remarks, pg. 24)

Examiner respectfully responds:
	The examiner respectfully disagrees.  Specifically, Xue discloses that each of the previously discussed behavioral features (i.e. TrojanFProb) is used to calculate the joint suspicious probability (e.g. Xue, sect. 3.4, par. 1; equation 6).  The joint suspicious probability is then used to determine the likelihood of an attack, i.e. that a Trojan exists (e.g. Xue, sect. 3.4; equation 7).

Applicant argues or alleges essentially that:
…
Also, Xue fails to anticipate claims 2 and 12 because Xue fails to determine that a level-2 threat is posed to the first device when the plurality of first packets comprise a heartbeat message and the connection mode between the first device and the second device is the reverse connection, wherein a level-2 threat represents a greater level of damage to the first device than the level-1 threat. …
…
(Remarks, pg. 24-6)

Examiner respectfully responds:
The examiner respectfully disagrees.  Specifically, as previously shown, Xue discloses determining a “connection mode”, or reverse connection, by identifying an accumulation of one or more abnormal features – it is not necessary for every abnormal feature, e.g. the presence of heartbeat packets, to appear within every data flow over a period of detection times (e.g. Xue, sect. 3.4; 3.4.1; 3.4.2).  As a result of obtaining the abnormal features observed during one or more particular detection times, a relative TrojanPort value, i.e. “level-1 threat”, is obtained (e.g. Xue, sect. 3.4.2).  However, Xue teaches (e.g. Xue, equation 8) that any additional observed abnormal features, e.g. the 

Applicant argues or alleges essentially that:
…
While Xue discloses that the TrojanPort value is a relative value that is mapped to the level-2 threat of claim 2, however, the TrojanPort value indicates a normal port from an abnormal port, and is not a degree of a malware threat. …
…
(Remarks, pg. 25)

Examiner respectfully responds:
	The examiner respectfully disagrees.  Xue explicitly states that the larger the TrojanPort value, the greater the possibility of the existence of an abnormal port (i.e. reverse connection Trojan) (Xue, 3.4.2).  Thus, the TrojanPort value does indeed represent a degree of malware threat.  

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
See Notice of References Cited.


If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JEFFERY L WILLIAMS/Primary Examiner, Art Unit 2495