Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

1.        This action is in response to application amendments filed on 12-8-2021. 
2.        Claims 1 - 20 are pending.  Claims 1, 9, 17 have been amended.  Claims 1, 9, 17 are independent.  This application was filed on 5-30-2018.  

Response to Arguments

3.    Applicant’s arguments, see Arguments/Remarks Made in an Amendment, filed 9-10-2020, with respect to the rejection(s) under Borders in view of Chitre and further in view of Agaian have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Borders in view of Chitre and further in view of Hanner.

A.  Applicant argues on page 11 of Remarks:    ...   Chitre’s event data by definition is not transmitted data over a network,   ...   . 

    The Examiner respectfully disagrees and points out that Hanner discloses a network-transmitted file utilized to determine malware associated with steganography techniques. (see Hanner paragraph [0006], lines 1-19: provide approaches to detecting potential use of steganography to hide content in computer files transmitted via electronic communications (a transmitted file); electronic communication associated 

B.  Applicant argues on page 11 of Remarks: Chitre’s system is concerned with local event log tampering to defraud regulators    ...   does not address steganography detection (e.g., malware detection,   ...   that occurs in network-transmitted files.

    The Examiner respectfully disagrees. Hanner discloses a network-transmitted file utilized to determine malware associated with steganography techniques. (see Hanner paragraph [0006], lines 1-19: provide approaches to detecting potential use of steganography to hide content in computer files transmitted via electronic communications (a transmitted file); electronic communication associated with a computer file is identified; communication and computer file analyzed to determine whether computer file potentially includes hidden content; to determine whether computer file potentially includes hidden content, a set of steganographic criteria analyzed; if at least a portion of steganographic criteria are satisfied, then it is determined that computer file potentially includes hidden content)

C.  Applicant argues on page 11 of Remarks:    ...   independent claims 1, 9, and 17, as well as the claims that depend therefrom, are patentable.

        Independent claims 9 and 17 have similar limitations as independent claim 1.

Claim Rejections - 35 USC § 103  

4.        The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

5.        Claims 1, 2, 4 - 7, 9, 10, 12 - 15, 17, 18, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Borders et al. (US PGPUB No. 20090158430) in view of Chitre et al. (US Patent No. 7,441,153) and further in view of Hanner, SR. et al. (US PGPUB No. 20150026464, referred to as “Hanner”).      	

Regarding Claims 1, 9, 17, Borders discloses a method for real-time detection of and protection from steganography in a kernel mode and a non-transitory computer readable medium storing instructions that when executed by at least one processor cause the at least one processor to perform operations and a computer system, comprising:
a)  detecting transmission of a file via a firewall, an operating system, or an e-mail system; (see Borders paragraph [0068], lines 3-8: receiving a data stream (i.e. a file) representing outbound application layer messages from a first computer 
f)   executing, responsive to the determined size of the file being smaller than the stored filesize value of the file, steganography detection analytics on the file; (see Borders paragraph [0249], lines 1-11: subtract file transfer size from bandwidth measurements, extract original file contents and generate a file alert, if required (file sizes do not match; determined size “smaller” than the “other” file size)) 
wherein responsive to the steganography detection analytics indicating presence of steganography in the file:
h)  transmitting information describing the steganography to a client device. (see Borders paragraph [0249], lines 1-11: generate a file alert, if required; paragraph [0068], lines 11-12: generating a signal if a security threat is detected)    

    Furthermore, Borders discloses for c): determining a size of a file. (see Borders paragraph [0249], lines 1-11: separate file bandwidth from other bandwidth, post-processor identifies file transfers; (i.e. determines size of transferred file))   
    And, Borders discloses for d): retrieving a stored filesize value of the file. (see Borders paragraph [0249], lines 1-11: subtract file transfer size from bandwidth measurements, extract original file contents; (determine size of baseline or stored  file)) 
    And, Borders discloses for e): comparing the size of the file. (see Borders paragraph [0249], lines 1-11: subtract file transfer size from bandwidth 

Borders does not specifically disclose for b) storing a file in a file system, and for c) determining a size of a file based on retrieving size data, and for d) retrieving a stored filesize value of a file by accessing a filesize value, and for e) comparison operation using retrieved size of a file determined based on a stored filesize value of a file. 
However, Chitre discloses:  
b)  storing the file in a file system residing on physical storage media; (see Chitre col 2, lines 11-12: data storage system appends the data to file (i.e. storing new updated data to previous contents of file); col 6, lines 28-32: data successfully appended to file (i.e. file data stored), then the size of file including newly appended data is calculated and the calculated file size is written to size field of file header; (i.e. stored file size updated))    
c)  determining a size of a file, based on retrieving size data from a plurality of sections within the file; (see Chitre col 5, lines 43-51: append data to file, update size field in file header; event generation logic adds size(s) of newly appended data to current size of data in file and writes newly calculated sum to size field in header; (i.e. size of file determined from sections of data: appended section(s) of file and current or previous section of file))           
d)  retrieving, from the file system from a source other than the plurality of sections within the file, a stored filesize value of the file by accessing a filesize value of the file from the file system; (see Chitre col 6, lines 12-14: actual size of file is 
e)  comparison operation using a size value of the file determined based on the stored filesize value of the file retrieved by accessing the filesize value from the file system. (see Chitre col 2, lines 7-12: compare actual size of file to size of file as indicated in size field in file header; if actual size of file is same as size of file as indicated in a size field in file header, then file has not been tampered with)    
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Borders for b) storing a file in a file system, and for c) determining a size of a file based on retrieving size data, and for d) retrieving a stored filesize of a file by accessing a filesize value, and for e) comparison operation using the size of a file determined based on a stored filesize value of a file as taught by Chitre.  One of ordinary skill in the art would have been motivated to employ the teachings of Chitre for the benefits achieved from a system that ensures the integrity of file data by ensuring that file data is complete, accurate, and verifiable. (see Chitre col 1, lines 32-34)

Borders-Chitre does not specifically disclose a transmitted file and executing a steganography remediation action. 
However, Hanner discloses: 
A transmitted file; (see Hanner paragraph [0006], lines 1-19: provide approaches to detecting potential use of steganography to hide content in computer files transmitted via electronic communications (a transmitted file); electronic communication associated with a computer file is identified; communication
g)  executing a steganography remediation action. (see Hanner paragraph [0021], lines 19-23: steganalysis techniques allow an organization to take remedial action upon detection of potential use of steganography; remedial measures include, for example, notifying an analyst or investigator, applying additional steganographic techniques to verify that content is in fact hidden in computer file, identifying hidden content to determine whether it includes confidential or sensitive information, decrypting hidden content if it is encrypted, initiating disciplinary procedures against sender of communication, and other remedial procedures)    
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Borders-Chitre for a transmitted file and executing a steganography remediation action as taught by Hanner. One of ordinary skill in the art would have been motivated to employ the teachings of Hanner for the benefits achieved from a system that enables improved approaches to detecting the use of steganography. (see Hanner paragraph [0004], lines 8-10)    

Regarding Claims 2, 10, 18, Borders-Chitre-Hanner discloses the method of claim 1 and the non-transitory computer readable medium of claim 9 and the computer system of claim 17, wherein the determining of the size of the file comprises: 
a)  obtaining a pointer to a section header of the file, the section header associated with a plurality of sections of the file; (see Borders paragraph [0235], lines 4-7: identifies a resource by URL; comprised of server host name (stored in header (section) field), resource path)     
b)  for each section of the plurality of sections of the file, determining a size of the section; (see Borders paragraph [0232], lines 1-7: algorithm encounters a header field(s); counts full size of header field and its value; procedure counts all information (i.e. possibly hidden information) inside header(s)) and
c)  summing the size of each section of the plurality of sections of the file to determine the size of the file. (see Borders paragraph [0232], lines 1-7: algorithm encounters a header field; counts full size of header field and its value; procedure counts all information (i.e. possibly hidden information) inside header(s))   
Chitre discloses header information (i.e. file section(s) information) of a file as stated in Claim 1 above.  
Hanner discloses a transmitted file as stated in Claim 1 above. 

Regarding Claims 4, 12, 20, Borders-Chitre-Hanner discloses the method of claim 1 and the non-transitory computer readable medium of claim 9 and the computer system of claim 17, wherein the executing of the steganography detection analytics on the file comprises:

b)  analyzing the appended payload to determine a file format of the appended payload; (see Borders paragraph [0232], lines 1-7: algorithm encounters a header field; counts full size of header field and its value; procedure counts all information (i.e. possibly hidden information) inside headers; (HTTP formatted request)) and 
c)  executing the steganography detection analytics based on the file format of the appended payload. (see Borders paragraph [0232], lines 1-7: algorithm encounters a header field; counts full size of header field and its value; procedure counts all information (i.e. possibly hidden information) inside header(s))     
Hanner discloses a transmitted file as stated in Claim 1 above. 

Regarding Claims 5, 13, Borders-Chitre-Hanner discloses the method of claim 1 and the non-transitory computer readable medium of claim 9, wherein the executing of the steganography detection analytics on the file comprises:
a)  identifying an appended payload in the file; (see Borders paragraph [0135], lines 1-6: monitoring systems for tunneling: one application layer protocol embedded within the payload of another (HTTPS tunneled over SSL); paragraph [0227], 
b)  performing one or more of Monte Carlo approximation, entropy determination, serial coefficient analysis, arithmetic mean determination, Chi-Square determination, and standard deviation determination to determine whether data within the appended payload is encrypted. (see Borders paragraph [0239], lines 3-4: a probabilistic profile of request parameters and detecting deviation from this profile; paragraph [0144], lines 1-5: calculating coefficient of variation; coefficient of variation is the standard deviation divided by the mean bandwidth usage; (selected: standard deviation determination))    
Hanner discloses a transmitted file as stated in Claim 1 above. 

Regarding Claims 6, 14, Borders-Chitre-Hanner discloses the method of claim 1 and the non-transitory computer readable medium of claim 9, wherein the executing of the steganography detection analytics on the file comprises:
a)  identifying an appended payload in the file. (see Borders paragraph [0135], lines 1-6: monitoring systems for tunneling: one application layer protocol embedded within the payload of another (HTTPS tunneled over SSL); paragraph [0227], lines 1-4: determination of UI-layer data within requests; analyze different parts of request (i.e. payload)) 

Borders-Chitre does not specifically disclose a transmitted file and identifying presence of unauthorized data. 
However, Hanner discloses:
transmitted file; and b) identifying presence of unauthorized data within the appended payload. (see Hanner paragraph [0006], lines 1-19: provide approaches to detecting potential use of steganography to hide content in computer files transmitted via electronic communications (a transmitted file); electronic communication associated with a computer file is identified; communication and computer file analyzed to determine whether computer file potentially includes hidden content; to determine whether computer file potentially includes hidden content, a set of steganographic criteria analyzed; if at least a portion of steganographic criteria are satisfied, then it is determined that computer file potentially includes hidden content) 
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Borders-Chitre for a transmitted file and identifying presence of unauthorized data as taught by Hanner. One of ordinary skill in the art would have been motivated to employ the teachings of Hanner for the benefits achieved from a system that enables improved approaches to detecting the use of steganography. (see Hanner paragraph [0004], lines 8-10)   

Regarding Claims 7, 15, Borders-Chitre-Hanner discloses the method of claim 1 and the non-transitory computer readable medium of claim 9, wherein the executing of the steganography detection analytics on the file comprises:
a)  identifying an appended payload in the file; (see Borders paragraph [0135], lines 1-6: monitoring systems for tunneling: one application layer protocol embedded within the payload of another (HTTPS tunneled over SSL); paragraph [0227], 
b)  identifying presence of assembly level or machine level instructions within the appended payload. (see Borders paragraph [0060], lines 5-8: traffic including command and control information such as instructions (i.e. within request) to download other programs or attack other computers)  
Hanner discloses a transmitted file as stated in Claim 1 above.  	

6.        Claims 3, 8, 11, 16, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Borders in view of Chitre and further in view of Hanner and Agaian et al. (US PGPUB No. 20160381054).

Regarding Claims 3, 11, 19, Borders-Chitre-Hanner discloses the method of claim 2 and the non-transitory computer readable medium of claim 10 and the computer system of claim 18, wherein the obtaining of the pointer to the section header of the file comprises:
a)  opening the file using a filename of the file or a path of the file; (see Borders paragraph [0235], lines 4-7: identifies a resource by URL; comprised of server host name (stored in header field), resource path) and  
b)  reading a header of the file. (see Borders paragraph [0232], lines 1-7: algorithm encounters (reads) a header field; counts full size of header field and its value; procedure counts all information (i.e. possibly hidden information) inside header(s))    


However, Agaian discloses: 
c)  retrieving a magic number from the header; (see Agaian paragraph [0059], lines 14-18: file reference lookup that correlates a first set of bits of a data field (i.e. within header) with a standard set of reference objects known as the file format magic number; paragraph [0079], lines 9-11: object identifier such as a file descriptor or magic number) and
d)  verifying the magic number to obtain a pointer to the section header of the file. (see Agaian paragraph [0059], lines 14-18: file reference lookup that correlates a first set of bits of a data field (i.e. within header) with a standard set of reference objects known as the file format magic number and values is recorded as an identifier; paragraph [0079], lines 9-11: object identifier such as a file descriptor or magic number)   
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Borders-Chitre-Hanner for c) magic number associated with file, and for d) verifying magic number to obtain pointer to section of file as taught by Agaian. One of ordinary skill in the art would have been motivated to employ the teachings of Agaian for the benefits achieved from a system that enhances security for data streams which are intercepted, algorithmically analyzed, and selectively modified during information transfers between systems.  (see Agaian paragraph [0043], lines 5-9)  
Hanner discloses a transmitted file as stated in Claim 1 above. 
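
An added worked example, not part of this Office action, the application, or any cited reference: the check recited in claims 1-3 and 5 (verify the magic number, walk the section headers, compare the size implied by the sections with the size the file system reports, then run an entropy test on any appended payload). It assumes a PE-style layout, which the page does not name, takes the end of the furthest section rather than a plain sum, and uses an illustrative 7.2 bits/byte threshold; the sample files are constructed.

```python
import hashlib
import math
import os
import struct
import tempfile

ENTROPY_THRESHOLD = 7.2  # bits/byte; illustrative assumption, not from the page

def structural_size(data: bytes) -> int:
    """Size implied by the headers: end of the furthest section's raw data."""
    if len(data) < 0x40 or data[:2] != b"MZ":            # magic number in header
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # pointer to PE header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (nsec,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size                     # first section header
    end = table + 40 * nsec                              # 40 bytes per header
    if end > len(data):
        raise ValueError("section table truncated")
    for i in range(nsec):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20.
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end

def shannon_entropy(buf: bytes) -> float:
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)

def inspect_file(path: str) -> dict:
    fs_size = os.stat(path).st_size      # size as stored by the file system
    with open(path, "rb") as fh:
        data = fh.read()
    declared = structural_size(data)
    report = {"fs_size": fs_size, "declared": declared,
              "overlay": 0, "entropy": 0.0, "flag": False}
    if declared < fs_size:               # mismatch triggers the analytics
        tail = data[declared:]
        report["overlay"] = len(tail)
        report["entropy"] = shannon_entropy(tail)
        report["flag"] = report["entropy"] >= ENTROPY_THRESHOLD
    return report

def build_sample(overlay: bytes = b"") -> bytes:
    """Constructed minimal image: one 512-byte section, no optional header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 512, 0x1000, 512, 128, 0, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff + sec + b"\0" * 512 + overlay

def demo() -> dict:
    # Deterministic high-entropy bytes stand in for an encrypted payload.
    random_like = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    tails = {"clean": b"", "text_tail": b"build=constructed\n" * 64,
             "random_tail": random_like}
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, tail in tails.items():
            path = os.path.join(tmp, name + ".bin")
            with open(path, "wb") as fh:
                fh.write(build_sample(tail))
            out[name] = inspect_file(path)
    return out

if __name__ == "__main__":
    for name, rep in demo().items():
        print(name, rep)
```

Installers and signed binaries legitimately carry data after the last section, so the size mismatch is only the trigger for further analytics, not a verdict by itself.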

Regarding Claims 8, 16, Borders-Chitre-Hanner discloses the method of claim 1 and the non-transitory computer readable medium of claim 9. 
Borders-Chitre-Hanner does not specifically disclose implementation of steganography remediation actions.
However, Agaian discloses wherein the executing of the steganography remediation action comprises: terminating processing and transmission of the file; and isolating the file. (see Agaian paragraph [0083], lines 1-5: system malware defense model is based on techniques such as active file containment (i.e. isolating file, termination of access to file for processing and/or transmission), digital sandboxing techniques)    
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Borders-Chitre-Hanner for implementation of steganography remediation actions as taught by Agaian. One of ordinary skill in the art would have been motivated to employ the teachings of Agaian for the benefits achieved from a system that enhances security for data streams which are intercepted, algorithmically analyzed, and selectively modified during information transfers between systems.  (see Agaian paragraph [0043], lines 5-9)    
Hanner discloses a transmitted file as stated in Claim 1 above. 

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CARLTON JOHNSON whose telephone number is (571)270-1032.  The examiner can normally be reached on Work: 12-9PM (most days).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for 

/CJ/
January 18, 2022

/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436